Repository: incubator-ranger Updated Branches: refs/heads/master cf05516bf -> 4bf8a3fae
RANGER-322: renamed RangerResource class and added utility methods Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/4bf8a3fa Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/4bf8a3fa Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/4bf8a3fa Branch: refs/heads/master Commit: 4bf8a3fae805e1175ba62588ea578abb4a9d9880 Parents: cf05516 Author: Madhan Neethiraj <[email protected]> Authored: Thu Mar 19 23:35:11 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Fri Mar 20 00:25:14 2015 -0700 ---------------------------------------------------------------------- .../plugin/audit/RangerDefaultAuditHandler.java | 60 +---- .../ranger/plugin/policyengine/CacheMap.java | 2 + .../plugin/policyengine/RangerAccessData.java | 39 ---- .../policyengine/RangerAccessRequest.java | 2 +- .../policyengine/RangerAccessRequestImpl.java | 28 +-- .../policyengine/RangerAccessResource.java | 44 ++++ .../policyengine/RangerAccessResourceImpl.java | 222 +++++++++++++++++++ .../policyengine/RangerMutableResource.java | 2 +- .../policyengine/RangerPolicyEngineImpl.java | 8 +- .../RangerPolicyEvaluatorFacade.java | 24 +- .../policyengine/RangerPolicyRepository.java | 43 ++-- .../plugin/policyengine/RangerResource.java | 33 --- .../plugin/policyengine/RangerResourceImpl.java | 126 ----------- .../RangerDefaultPolicyEvaluator.java | 8 +- .../policyevaluator/RangerPolicyEvaluator.java | 6 +- .../ranger/plugin/service/RangerBasePlugin.java | 4 +- .../plugin/policyengine/TestPolicyEngine.java | 8 +- .../hbase/AuthorizationSession.java | 4 +- .../authorization/hbase/TestPolicyEngine.java | 12 +- .../namenode/RangerFSPermissionChecker.java | 41 +--- .../hive/authorizer/RangerHiveAuditHandler.java | 9 +- .../hive/authorizer/RangerHiveAuthorizer.java | 6 +- .../hive/authorizer/RangerHiveResource.java | 125 ++--------- .../authorization/knox/KnoxRangerPlugin.java 
| 4 +- .../yarn/authorizer/RangerYarnAuthorizer.java | 46 +--- .../apache/ranger/common/RangerSearchUtil.java | 23 +- .../org/apache/ranger/rest/ServiceREST.java | 24 +- .../authorization/storm/StormRangerPlugin.java | 4 +- 28 files changed, 420 insertions(+), 537 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java index feb6e98..28796dd 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java @@ -28,17 +28,14 @@ import org.apache.commons.logging.LogFactory; import org.apache.ranger.audit.model.AuthzAuditEvent; import org.apache.ranger.audit.provider.AuditProviderFactory; import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResult; -import org.apache.ranger.plugin.policyengine.RangerResource; +import org.apache.ranger.plugin.policyengine.RangerAccessResource; public class RangerDefaultAuditHandler implements RangerAuditHandler { private static final Log LOG = LogFactory.getLog(RangerDefaultAuditHandler.class); - private static final String RESOURCE_SEP = "/"; - public RangerDefaultAuditHandler() { } 
@@ -84,9 +81,10 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler { RangerAccessRequest request = result != null ? result.getAccessRequest() : null; if(request != null && result != null && result.getIsAudited()) { - RangerServiceDef serviceDef = result.getServiceDef(); - String resourceType = getResourceName(request.getResource(), serviceDef); - String resourcePath = getResourceValueAsString(request.getResource(), serviceDef); + RangerServiceDef serviceDef = result.getServiceDef(); + RangerAccessResource resource = request.getResource(); + String resourceType = resource == null ? null : resource.getLeafName(serviceDef); + String resourcePath = resource == null ? null : resource.getAsString(serviceDef); ret = createAuthzAuditEvent(); 
@@ -180,52 +178,4 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler { public AuthzAuditEvent createAuthzAuditEvent() { return new AuthzAuditEvent(); } - - public String getResourceName(RangerResource resource, RangerServiceDef serviceDef) { - String ret = null; - - if(resource != null && serviceDef != null && serviceDef.getResources() != null) { - List<RangerResourceDef> resourceDefs = serviceDef.getResources(); - - for(int idx = resourceDefs.size() - 1; idx >= 0; idx--) { - RangerResourceDef resourceDef = resourceDefs.get(idx); - - if(resourceDef == null || !resource.exists(resourceDef.getName())) { - continue; - } - - ret = resourceDef.getName(); - - break; - } - } - - return ret; - } - - public String getResourceValueAsString(RangerResource resource, RangerServiceDef serviceDef) { - String ret = null; - - if(resource != null && serviceDef != null && serviceDef.getResources() != null) { - StringBuilder sb = new StringBuilder(); - - for(RangerResourceDef resourceDef : serviceDef.getResources()) { - if(resourceDef == null || !resource.exists(resourceDef.getName())) { - continue; - } - - if(sb.length() > 0) { - sb.append(RESOURCE_SEP); - } - - sb.append(resource.getValue(resourceDef.getName())); - } - - if(sb.length() > 0) { - ret = sb.toString(); - } - } - - return ret; - } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/CacheMap.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/CacheMap.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/CacheMap.java index 382577e..c5f2fc0 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/CacheMap.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/CacheMap.java 
@@ -22,6 +22,8 @@ import java.util.LinkedHashMap; import java.util.Map; public class CacheMap<K, V> extends LinkedHashMap<K, V> { + private static final long serialVersionUID = 1L; + private static final float RANGER_CACHE_DEFAULT_LOAD_FACTOR = 0.75f; protected int maxCapacity; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessData.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessData.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessData.java deleted file mode 100644 index 34f7428..0000000 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessData.java +++ /dev/null 
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.policyengine;
-
-
-public class RangerAccessData<T> {
- private String accessFDN = null;
- private T accessDetails = null;
-
- public RangerAccessData(String accessFDN) {
- this.accessFDN = accessFDN;
- }
- public String getAccessFDN() {
- return accessFDN;
- }
- public T getAccessDetails() {
- return accessDetails;
- }
- public void setAccessDetails(T accessDetails) {
- this.accessDetails = accessDetails;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
index 56a55ae..511896e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
@@ -24,7 +24,7 @@ import java.util.Map; import java.util.Set; public interface RangerAccessRequest { - RangerResource getResource(); + RangerAccessResource getResource(); String getAccessType(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java index bc23763..48e5cf8 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java 
@@ -27,23 +27,23 @@ import java.util.Set; public class RangerAccessRequestImpl implements RangerAccessRequest { - private RangerResource resource = null; - private String accessType = null; - private String user = null; - private Set<String> userGroups = null; - private Date accessTime = null; - private String clientIPAddress = null; - private String clientType = null; - private String action = null; - private String requestData = null; - private String sessionId = null; - private Map<String, Object> context = null; + private RangerAccessResource resource = null; + private String accessType = null; + private String user = null; + private Set<String> userGroups = null; + private Date accessTime = null; + private String clientIPAddress = null; + private String clientType = null; + private String action = null; + private String requestData = null; + private String sessionId = null; + private Map<String, Object> context = null; public RangerAccessRequestImpl() { this(null, null, null, null); } - public RangerAccessRequestImpl(RangerResource resource, String accessType, String user, Set<String> userGroups) { + public RangerAccessRequestImpl(RangerAccessResource resource, String accessType, String user, Set<String> userGroups) { setResource(resource); setAccessType(accessType); setUser(user); @@ -60,7 +60,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { } @Override - public RangerResource getResource() { + public RangerAccessResource getResource() { return resource; } @@ -114,7 +114,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { return context; } - public void setResource(RangerResource resource) { + public void setResource(RangerAccessResource resource) { this.resource = resource; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java ---------------------------------------------------------------------- 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
new file mode 100644
index 0000000..82c0248
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.ranger.plugin.model.RangerServiceDef;
+
+
+public interface RangerAccessResource {
+ public static final String RESOURCE_SEP = "/";
+
+ public abstract String getOwnerUser();
+
+ public abstract boolean exists(String name);
+
+ public abstract String getValue(String name);
+
+ public Set<String> getKeys();
+
+ public String getLeafName(RangerServiceDef serviceDef);
+
+ public String getAsString(RangerServiceDef serviceDef);
+
+ public Map<String, String> getAsMap();
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
new file mode 100644
index 0000000..7c26f90
--- /dev/null
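Review bot: The new methods `getLeafName`, `getAsString` and `getAsMap` have no Javadoc, and callers need the null contract: in the implementation added by this commit the first two return null when `serviceDef` is null or none of its resource names is present in the resource. Suggested comment on `getAsString`: `/** Values of the elements named in serviceDef, in definition order, joined by RESOURCE_SEP; null if none is present. The result is not guaranteed to be unique per resource. */`. The `public abstract` and `public` modifiers are redundant in an interface and are applied inconsistently across the methods.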
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java 
@@ -0,0 +1,222 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.policyengine; + +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import org.apache.commons.lang.ObjectUtils; +import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; + + +public class RangerAccessResourceImpl implements RangerMutableResource { + private String ownerUser = null; + private Map<String, String> elements = null; + private String stringifiedValue = null; + private String leafName = null; + + + public RangerAccessResourceImpl() { + this(null, null); + } + + public RangerAccessResourceImpl(Map<String, String> elements) { + this(elements, null); + } + + public RangerAccessResourceImpl(Map<String, String> elements, String ownerUser) { + this.elements = elements; + this.ownerUser = ownerUser; + } + + @Override + public String getOwnerUser() { + return ownerUser; + } + + @Override + public boolean exists(String name) { + return elements != null && elements.containsKey(name); + } + + @Override + public String getValue(String name) { + String ret = 
null; + + if(elements != null && elements.containsKey(name)) { + ret = elements.get(name); + } + + return ret; + } + + @Override + public Set<String> getKeys() { + Set<String> ret = null; + + if(elements != null) { + ret = elements.keySet(); + } + + return ret; + } + + @Override + public void setOwnerUser(String ownerUser) { + this.ownerUser = ownerUser; + } + + @Override + public void setValue(String name, String value) { + if(value == null) { + if(elements != null) { + elements.remove(name); + + if(elements.isEmpty()) { + elements = null; + } + } + } else { + if(elements == null) { + elements = new HashMap<String, String>(); + } + elements.put(name, value); + } + + // reset, so that these will be computed again with updated elements + stringifiedValue = leafName = null; + } + + @Override + public String getLeafName(RangerServiceDef serviceDef) { + String ret = leafName; + + if(ret == null) { + if(serviceDef != null && serviceDef.getResources() != null) { + List<RangerResourceDef> resourceDefs = serviceDef.getResources(); + + for(int idx = resourceDefs.size() - 1; idx >= 0; idx--) { + RangerResourceDef resourceDef = resourceDefs.get(idx); + + if(resourceDef == null || !exists(resourceDef.getName())) { + continue; + } + + ret = leafName = resourceDef.getName(); + + break; + } + } + } + + return ret; + } + + @Override + public String getAsString(RangerServiceDef serviceDef) { + String ret = stringifiedValue; + + if(ret == null) { + if(serviceDef != null && serviceDef.getResources() != null) { + StringBuilder sb = new StringBuilder(); + + for(RangerResourceDef resourceDef : serviceDef.getResources()) { + if(resourceDef == null || !exists(resourceDef.getName())) { + continue; + } + + if(sb.length() > 0) { + sb.append(RESOURCE_SEP); + } + + sb.append(getValue(resourceDef.getName())); + } + + if(sb.length() > 0) { + ret = stringifiedValue = sb.toString(); + } + } + } + + return ret; + } + + @Override + public Map<String, String> getAsMap() { + return 
Collections.unmodifiableMap(elements); + } + + @Override + public boolean equals(Object obj) { + if(obj == null || !(obj instanceof RangerAccessResourceImpl)) { + return false; + } + + if(this == obj) { + return true; + } + + RangerAccessResourceImpl other = (RangerAccessResourceImpl) obj; + + return ObjectUtils.equals(ownerUser, other.ownerUser) && + ObjectUtils.equals(elements, other.elements); + } + + @Override + public int hashCode() { + int ret = 7; + + ret = 31 * ret + ObjectUtils.hashCode(ownerUser); + ret = 31 * ret + ObjectUtils.hashCode(elements); + + return ret; + } + + @Override + public String toString( ) { + StringBuilder sb = new StringBuilder(); + + toString(sb); + + return sb.toString(); + } + + public StringBuilder toString(StringBuilder sb) { + sb.append("RangerResourceImpl={"); + + sb.append("ownerUser={").append(ownerUser).append("} "); + + sb.append("elements={"); + if(elements != null) { + for(Map.Entry<String, String> e : elements.entrySet()) { + sb.append(e.getKey()).append("=").append(e.getValue()).append("; "); + } + } + sb.append("} "); + + sb.append("}"); + + return sb; + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java index f49bf8c..16ab725 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java 
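Review bot: `getAsMap()` in RangerAccessResourceImpl passes `elements` straight to `Collections.unmodifiableMap`, which throws a NullPointerException whenever the map is null, and null is the state left by the no-arg constructor and by `setValue(name, null)` once the last entry is removed; `return elements == null ? Collections.<String, String>emptyMap() : Collections.unmodifiableMap(elements);` keeps the accessor total. The memoised `leafName` and `stringifiedValue` are returned for whatever `serviceDef` is passed on later calls, and they are not reset if a caller mutates the map it handed to the constructor, so the cache is only sound when one service definition is used per instance and the map is not shared. Copying the map in the constructor (`new HashMap<String, String>(elements)` when non-null) would close the second gap. `toString(StringBuilder)` still prints `RangerResourceImpl={` after the rename, which makes log lines point at a class that no longer exists.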
@@ -20,7 +20,7 @@ package org.apache.ranger.plugin.policyengine; -public interface RangerMutableResource extends RangerResource { +public interface RangerMutableResource extends RangerAccessResource { void setOwnerUser(String ownerUser); void setValue(String type, String value); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index d590548..7227e9e 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -166,7 +166,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { List<RangerPolicyEvaluatorFacade> evaluators = policyRepository.getPolicyEvaluators(); if(evaluators != null) { - policyRepository.retrieveAuditEnabled(request, ret); + boolean foundInCache = policyRepository.setAuditEnabledFromCache(request, ret); + for(RangerPolicyEvaluator evaluator : evaluators) { evaluator.evaluate(request, ret); @@ -175,7 +176,10 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { break; } } - policyRepository.storeAuditEnabled(request, ret); + + if(! foundInCache) { + policyRepository.storeAuditEnabledInCache(request, ret); + } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEvaluatorFacade.java ---------------------------------------------------------------------- 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEvaluatorFacade.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEvaluatorFacade.java index b95b053..92dedba 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEvaluatorFacade.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEvaluatorFacade.java @@ -35,11 +35,10 @@ public class RangerPolicyEvaluatorFacade implements RangerPolicyEvaluator, Compa RangerDefaultPolicyEvaluator delegate = null; int computedPolicyEvalOrder = 0; - boolean useCachePolicyEngine = false; RangerPolicyEvaluatorFacade(boolean useCachePolicyEngine) { super(); - this.useCachePolicyEngine = useCachePolicyEngine; + delegate = new RangerOptimizedPolicyEvaluator(); } @@ -50,12 +49,15 @@ public class RangerPolicyEvaluatorFacade implements RangerPolicyEvaluator, Compa @Override public void init(RangerPolicy policy, RangerServiceDef serviceDef) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEvaluatorFacade.init(), useCachePolicyEngine:" + useCachePolicyEngine); + LOG.debug("==> RangerPolicyEvaluatorFacade.init()"); } + delegate.init(policy, serviceDef); + computedPolicyEvalOrder = computePolicyEvalOrder(); + if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEvaluatorFacade.init(), useCachePolicyEngine:" + useCachePolicyEngine); + LOG.debug("<== RangerPolicyEvaluatorFacade.init()"); } } @@ -75,12 +77,12 @@ public class RangerPolicyEvaluatorFacade implements RangerPolicyEvaluator, Compa } @Override - public boolean isMatch(RangerResource resource) { + public boolean isMatch(RangerAccessResource resource) { return false; } @Override - public boolean isSingleAndExactMatch(RangerResource resource) { + public boolean isSingleAndExactMatch(RangerAccessResource resource) { return false; } 
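Review bot: The constructor `RangerPolicyEvaluatorFacade(boolean useCachePolicyEngine)` keeps its parameter although the field it fed is removed, so the argument is now silently ignored and the delegate is always a `RangerOptimizedPolicyEvaluator`; drop the parameter, or add a comment such as `// useCachePolicyEngine is currently ignored; the optimized evaluator is always used`. In the signature-only hunk that follows, `isMatch(RangerAccessResource)` and `isSingleAndExactMatch(RangerAccessResource)` still return `false` unconditionally rather than asking `delegate`. If any caller uses the facade for resource matching it will never see a match, so either delegate to the wrapped evaluator or document that these are deliberate stubs. The class body continues outside the visible hunks, so other uses of the flag cannot be ruled out from here.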
@@ -89,21 +91,21 @@ public class RangerPolicyEvaluatorFacade implements RangerPolicyEvaluator, Compa if(LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEvaluatorFacade.compareTo()"); } + int result; if (this.getComputedPolicyEvalOrder() == other.getComputedPolicyEvalOrder()) { - Map<String, RangerConditionEvaluator> myConditionEvaluators = this.delegate.getConditionEvaluators(); + Map<String, RangerConditionEvaluator> myConditionEvaluators = this.delegate.getConditionEvaluators(); Map<String, RangerConditionEvaluator> otherConditionEvaluators = other.delegate.getConditionEvaluators(); - int myConditionEvaluatorCount = myConditionEvaluators == null ? 0 : myConditionEvaluators.size(); + int myConditionEvaluatorCount = myConditionEvaluators == null ? 0 : myConditionEvaluators.size(); int otherConditionEvaluatorCount = otherConditionEvaluators == null ? 0 : otherConditionEvaluators.size(); result = Integer.compare(myConditionEvaluatorCount, otherConditionEvaluatorCount); } else { - int myComputedPriority = this.getComputedPolicyEvalOrder(); - int otherComputedPriority = other.getComputedPolicyEvalOrder(); - result = Integer.compare(myComputedPriority, otherComputedPriority); + result = Integer.compare(computedPolicyEvalOrder, other.computedPolicyEvalOrder); } + if(LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEvaluatorFacade.compareTo(), result:" + result); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java index ff55990..4ed11c1 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java @@ -43,7 +43,7 @@ public class RangerPolicyRepository { private RangerServiceDef serviceDef = null; // Not used at this time private boolean useCachePolicyEngine = false; - private Map<String, RangerAccessData<Boolean>> accessAuditCache = null; + private Map<String, Boolean> accessAuditCache = null; private static int RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE = 64*1024; @@ -65,7 +65,6 @@ public class RangerPolicyRepository { } void init(RangerServiceDef serviceDef, List<RangerPolicy> policies) { - if(LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyRepository.init(" + serviceDef + ", policies.count=" + (policies == null ? 0 : policies.size()) + ")"); } @@ -105,7 +104,7 @@ public class RangerPolicyRepository { int auditResultCacheSize = RangerConfiguration.getInstance().getInt(propertyName, RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE); - accessAuditCache = new CacheMap<String, RangerAccessData<Boolean>>(auditResultCacheSize); + accessAuditCache = new CacheMap<String, Boolean>(auditResultCacheSize); if(LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyRepository.init(" + serviceDef + ", policies.count=" + (policies == null ? 0 : policies.size()) + ")"); 
@@ -159,33 +158,45 @@ public class RangerPolicyRepository { return ret; } - synchronized void retrieveAuditEnabled(RangerAccessRequest request, RangerAccessResult ret) { + boolean setAuditEnabledFromCache(RangerAccessRequest request, RangerAccessResult result) { if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyRepository.retrieveAuditEnabled()"); + LOG.debug("==> RangerPolicyRepository.setAuditEnabledFromCache()"); } - RangerAccessData<Boolean> value = accessAuditCache.get(request.getResource().toString()); + + Boolean value = null; + + synchronized (accessAuditCache) { + value = accessAuditCache.get(request.getResource().getAsString(getServiceDef())); + } + if ((value != null)) { - ret.setIsAudited(value.getAccessDetails()); + result.setIsAudited(value); } if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyRepository.retrieveAuditEnabled()"); + LOG.debug("<== RangerPolicyRepository.setAuditEnabledFromCache()"); } + + return value != null; } - synchronized void storeAuditEnabled(RangerAccessRequest request, RangerAccessResult ret) { + void storeAuditEnabledInCache(RangerAccessRequest request, RangerAccessResult ret) { if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyRepository.storeAuditEnabled()"); + LOG.debug("==> RangerPolicyRepository.storeAuditEnabledInCache()"); } - RangerAccessData<Boolean> lookup = accessAuditCache.get(request.getResource().toString()); - if ((lookup == null && ret.getIsAuditedDetermined() == true)) { - RangerAccessData<Boolean> value = new RangerAccessData<Boolean>(request.toString()); - value.setAccessDetails(ret.getIsAudited()); - accessAuditCache.put(request.getResource().toString(), value); + + if ((ret.getIsAuditedDetermined() == true)) { + String strResource = request.getResource().getAsString(getServiceDef()); + + Boolean value = ret.getIsAudited() ? 
Boolean.TRUE : Boolean.FALSE; + + synchronized(accessAuditCache) { + accessAuditCache.put(strResource, value); + } } if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyRepository.storeAuditEnabled()"); + LOG.debug("<== RangerPolicyRepository.storeAuditEnabledInCache()"); } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java deleted file mode 100644 index 6941bc3..0000000 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java +++ /dev/null 
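Review bot: The audit cache key in `setAuditEnabledFromCache` and `storeAuditEnabledInCache` is now `request.getResource().getAsString(getServiceDef())`, which joins only the element values with `/`, so two different resources can produce the same key (a value that itself contains `/`, or the same values at different levels of the hierarchy) and one would then be given the other's cached `isAudited` flag; the previous `toString()` key included the element names. `getAsString` also returns null when no element matches the service definition, so all such requests would share the null key, and `request.getResource()` is dereferenced without the null check that `RangerDefaultAuditHandler` applies in this same commit. Consider building the key from name/value pairs and bypassing the cache when the resource or the key is null. Separately, both methods now lock on `accessAuditCache`, a non-final field that `init()` reassigns; a dedicated `private final Object` lock would avoid threads synchronizing on different monitors if `init()` runs again.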
@@ -1,33 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.policyengine;
-
-import java.util.Set;
-
-
-public interface RangerResource {
- public abstract String getOwnerUser();
-
- public abstract boolean exists(String name);
-
- public abstract String getValue(String name);
-
- public Set<String> getKeys();
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
deleted file mode 100644
index da82cc3..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
+++ /dev/null
@@ -1,126 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.plugin.policyengine; - -import java.util.HashMap; -import java.util.Map; -import java.util.Set; - - -public class RangerResourceImpl implements RangerMutableResource { - private String ownerUser = null; - private Map<String, String> elements = null; - - - public RangerResourceImpl() { - this(null, null); - } - - public RangerResourceImpl(Map<String, String> elements) { - this(elements, null); - } - - public RangerResourceImpl(Map<String, String> elements, String ownerUser) { - this.elements = elements; - this.ownerUser = ownerUser; - } - - @Override - public String getOwnerUser() { - return ownerUser; - } - - @Override - public boolean exists(String name) { - return elements != null && elements.containsKey(name); - } - - @Override - public String getValue(String name) { - String ret = null; - - if(elements != null && elements.containsKey(name)) { - ret = elements.get(name); - } - - return ret; - } - - @Override - public Set<String> getKeys() { - Set<String> ret = null; - - if(elements != null) { - ret = elements.keySet(); - } - - return ret; - } - - @Override - public void setOwnerUser(String ownerUser) { - 
this.ownerUser = ownerUser; - } - - @Override - public void setValue(String name, String value) { - if(value == null) { - if(elements != null) { - elements.remove(name); - - if(elements.isEmpty()) { - elements = null; - } - } - } else { - if(elements == null) { - elements = new HashMap<String, String>(); - } - elements.put(name, value); - } - } - - @Override - public String toString( ) { - StringBuilder sb = new StringBuilder(); - - toString(sb); - - return sb.toString(); - } - - public StringBuilder toString(StringBuilder sb) { - sb.append("RangerResourceImpl={"); - - sb.append("ownerUser={").append(ownerUser).append("} "); - - sb.append("elements={"); - if(elements != null) { - for(Map.Entry<String, String> e : elements.entrySet()) { - sb.append(e.getKey()).append("=").append(e.getValue()).append("; "); - } - } - sb.append("} "); - - sb.append("}"); - - return sb; - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index b264664..d5332b2 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 
@@ -37,7 +37,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; -import org.apache.ranger.plugin.policyengine.RangerResource; +import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher; import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher; @@ -324,7 +324,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } @Override - public boolean isMatch(RangerResource resource) { + public boolean isMatch(RangerAccessResource resource) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + resource + ")"); } @@ -370,7 +370,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator return ret; } - public boolean isSingleAndExactMatch(RangerResource resource) { + public boolean isSingleAndExactMatch(RangerAccessResource resource) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.isSingleAndExactMatch(" + resource + ")"); } @@ -415,7 +415,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator return ret; } - protected boolean matchResourceHead(RangerResource resource) { + protected boolean matchResourceHead(RangerAccessResource resource) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.matchResourceHead(" + resource + ")"); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java ---------------------------------------------------------------------- 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java index cfe53a8..35164b2 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java @@ -24,7 +24,7 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResult; -import org.apache.ranger.plugin.policyengine.RangerResource; +import org.apache.ranger.plugin.policyengine.RangerAccessResource; public interface RangerPolicyEvaluator { void init(RangerPolicy policy, RangerServiceDef serviceDef); @@ -35,7 +35,7 @@ public interface RangerPolicyEvaluator { void evaluate(RangerAccessRequest request, RangerAccessResult result); - boolean isMatch(RangerResource resource); + boolean isMatch(RangerAccessResource resource); - boolean isSingleAndExactMatch(RangerResource resource); + boolean isSingleAndExactMatch(RangerAccessResource resource); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 33060e4..b1a1b16 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 
@@ -37,7 +37,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl; -import org.apache.ranger.plugin.policyengine.RangerResourceImpl; +import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.PolicyRefresher; @@ -328,7 +328,7 @@ public class RangerBasePlugin { if(request != null && auditHandler != null && policyEngine != null) { RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl(); - accessRequest.setResource(new RangerResourceImpl(request.getResource())); + accessRequest.setResource(new RangerAccessResourceImpl(request.getResource())); accessRequest.setUser(request.getGrantor()); accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS); accessRequest.setAction(action); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index f940c30..b4175e2 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 
@@ -52,7 +52,7 @@ public class TestPolicyEngine { gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z") .setPrettyPrinting() .registerTypeAdapter(RangerAccessRequest.class, new RangerAccessRequestDeserializer()) - .registerTypeAdapter(RangerResource.class, new RangerResourceDeserializer()) + .registerTypeAdapter(RangerAccessResource.class, new RangerResourceDeserializer()) .create(); } @@ -134,11 +134,11 @@ public class TestPolicyEngine { } } - static class RangerResourceDeserializer implements JsonDeserializer<RangerResource> { + static class RangerResourceDeserializer implements JsonDeserializer<RangerAccessResource> { @Override - public RangerResource deserialize(JsonElement jsonObj, Type type, + public RangerAccessResource deserialize(JsonElement jsonObj, Type type, JsonDeserializationContext context) throws JsonParseException { - return gsonBuilder.fromJson(jsonObj, RangerResourceImpl.class); + return gsonBuilder.fromJson(jsonObj, RangerAccessResourceImpl.class); } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java index bf3048e..3513bcb 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 
@@ -30,7 +30,7 @@ import org.apache.ranger.audit.model.AuthzAuditEvent; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; -import org.apache.ranger.plugin.policyengine.RangerResourceImpl; +import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.service.RangerBasePlugin; import com.google.common.base.Objects; @@ -156,7 +156,7 @@ public class AuthorizationSession { // session can be reused so reset its state zapAuthorizationState(); // TODO get this via a factory instead - RangerResourceImpl resource = new RangerResourceImpl(); + RangerAccessResourceImpl resource = new RangerAccessResourceImpl(); // policy engine should deal sensibly with null/empty values, if any resource.setValue("table", _table); resource.setValue("column-family", _columnFamily); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java index 9ed627d..59e79d0 100644 --- a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java +++ b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java 
@@ -36,8 +36,8 @@ import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; -import org.apache.ranger.plugin.policyengine.RangerResource; -import org.apache.ranger.plugin.policyengine.RangerResourceImpl; +import org.apache.ranger.plugin.policyengine.RangerAccessResource; +import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.service.RangerBasePlugin; import org.junit.AfterClass; import org.junit.BeforeClass; @@ -62,7 +62,7 @@ public class TestPolicyEngine { gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z") .setPrettyPrinting() .registerTypeAdapter(RangerAccessRequest.class, new RangerAccessRequestDeserializer()) - .registerTypeAdapter(RangerResource.class, new RangerResourceDeserializer()) + .registerTypeAdapter(RangerAccessResource.class, new RangerResourceDeserializer()) .create(); } @@ -165,11 +165,11 @@ public class TestPolicyEngine { } } - static class RangerResourceDeserializer implements JsonDeserializer<RangerResource> { + static class RangerResourceDeserializer implements JsonDeserializer<RangerAccessResource> { @Override - public RangerResource deserialize(JsonElement jsonObj, Type type, + public RangerAccessResource deserialize(JsonElement jsonObj, Type type, JsonDeserializationContext context) throws JsonParseException { - return gsonBuilder.fromJson(jsonObj, RangerResourceImpl.class); + return gsonBuilder.fromJson(jsonObj, RangerAccessResourceImpl.class); } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java ---------------------------------------------------------------------- 
diff --git a/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java b/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java index adf2680..592e77f 100644 --- a/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java +++ b/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java @@ -42,7 +42,8 @@ import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; -import org.apache.ranger.plugin.policyengine.RangerResource; +import org.apache.ranger.plugin.policyengine.RangerAccessResource; +import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.service.RangerBasePlugin; import com.google.common.collect.Sets; @@ -216,40 +217,13 @@ class RangerHdfsPlugin extends RangerBasePlugin { } } -class RangerHdfsResource implements RangerResource { +class RangerHdfsResource extends RangerAccessResourceImpl { private static final String KEY_PATH = "path"; - private static final Set<String> KEYS_PATH = Sets.newHashSet(KEY_PATH); - - private String path = null; - private String owner = null; public RangerHdfsResource(String path, String owner) { - this.path = path; - this.owner = owner; - } - - @Override - public String getOwnerUser() { - return owner; - } - - @Override - public boolean exists(String name) { - return StringUtils.equalsIgnoreCase(name, KEY_PATH); - } - - @Override - public String getValue(String name) { - if(StringUtils.equalsIgnoreCase(name, KEY_PATH)) { - return path; - } - - return null; - } - - public Set<String> getKeys() { - return KEYS_PATH; + super.setValue(KEY_PATH, path); + super.setOwnerUser(owner); } } 
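Review bot: Key lookup on `RangerHdfsResource` is no longer visibly case-insensitive: the removed `exists` and `getValue` compared with `StringUtils.equalsIgnoreCase(name, KEY_PATH)`, and the class now inherits its lookup from `RangerAccessResourceImpl`, whose body is not part of this hunk. If the base class does an exact-match map lookup, as the deleted `RangerResourceImpl` did with `elements.containsKey(name)`, a resource name spelled with different case in the service definition would no longer resolve to the path and policy evaluation for that request would change. The removed `exists` also reported the path key as present even when `path` was null, whereas a null handed to `setValue` may now leave the resource without that key. I would state the contract on the class, e.g. `// keys are matched exactly as named in the service-def; a null path yields a resource with no "path" key`, and add a test for a null path. `RangerHiveResource` later in this commit loses the same `equalsIgnoreCase` lookup.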
@@ -313,8 +287,9 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler { RangerAccessRequest request = result.getAccessRequest(); RangerServiceDef serviceDef = result.getServiceDef(); - String resourceType = getResourceName(request.getResource(), serviceDef); - String resourcePath = getResourceValueAsString(request.getResource(), serviceDef); + RangerAccessResource resource = request.getResource(); + String resourceType = resource != null ? resource.getLeafName(serviceDef) : null; + String resourcePath = resource != null ? resource.getAsString(serviceDef) : null; auditEvent.setUser(request.getUser()); auditEvent.setResourcePath(pathToBeValidated); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java index ac8113b..7110861 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java @@ -66,7 +66,7 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler { auditEvent.setRepositoryType(result.getServiceType()); auditEvent.setRepositoryName(result.getServiceName()) ; auditEvent.setRequestData(request.getRequestData()); - auditEvent.setResourcePath(getResourceValueAsString(resource, result.getServiceDef())); + auditEvent.setResourcePath(resource != null ? resource.getAsString(result.getServiceDef()) : null); addAuthzAuditEvent(auditEvent); } 
@@ -106,15 +106,16 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler { auditEvent.setRepositoryType(result.getServiceType()); auditEvent.setRepositoryName(result.getServiceName()) ; auditEvent.setRequestData(request.getRequestData()); - auditEvent.setResourcePath(getResourceValueAsString(resource, result.getServiceDef())); + + auditEvent.setResourcePath(resource != null ? resource.getAsString(result.getServiceDef()) : null); } else if(result.getIsAllowed()){ auditEvent.setResourcePath(auditEvent.getResourcePath() + "," + resource.getColumn()); } else { - auditEvent.setResourcePath(getResourceValueAsString(resource, result.getServiceDef())); + auditEvent.setResourcePath(resource != null ? resource.getAsString(result.getServiceDef()) : null); } if(!result.getIsAllowed()) { - auditEvent.setResourcePath(getResourceValueAsString(resource, result.getServiceDef())); + auditEvent.setResourcePath(resource != null ? resource.getAsString(result.getServiceDef()) : null); break; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java index cc56bb9..72e6652 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 
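Review bot: The `else if(result.getIsAllowed())` branch still calls `resource.getColumn()` without the `resource != null` guard that this hunk adds to the three neighbouring `setResourcePath` calls. If `resource` can be null at this point, that branch throws while an allowed access is being audited and the audit event may never be recorded; if it cannot be null, the new ternaries are dead code that suggests otherwise. Either guard the branch too, e.g. `} else if(result.getIsAllowed() && resource != null) {`, or resolve the null case once before the branches. The enclosing method starts and ends outside the hunk, so where `resource` is assigned is not visible here.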
@@ -299,7 +299,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { continue; } - RangerHiveResource colResource = new RangerHiveResource(HiveObjectType.COLUMN, resource.getDatabase(), resource.getTableOrUdf(), column); + RangerHiveResource colResource = new RangerHiveResource(HiveObjectType.COLUMN, resource.getDatabase(), resource.getTable(), column); RangerHiveAccessRequest colRequest = request.copy(); colRequest.setResource(colResource); @@ -323,7 +323,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { } if(result != null && !result.getIsAllowed()) { - String path = auditHandler.getResourceValueAsString(request.getResource(), result.getServiceDef()); + String path = resource != null ? resource.getAsString(result.getServiceDef()) : null; throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, request.getHiveAccessType().name(), path)); @@ -710,7 +710,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { ret.setReplaceExistingPermissions(Boolean.FALSE); String database = StringUtils.isEmpty(resource.getDatabase()) ? "*" : resource.getDatabase(); - String table = StringUtils.isEmpty(resource.getTableOrUdf()) ? "*" : resource.getTableOrUdf(); + String table = StringUtils.isEmpty(resource.getTable()) ? "*" : resource.getTable(); String column = StringUtils.isEmpty(resource.getColumn()) ? "*" : resource.getColumn(); Map<String, String> mapResource = new HashMap<String, String>(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java ---------------------------------------------------------------------- 
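Review bot: In the last hunk `table` is now derived from `resource.getTable()` instead of `resource.getTableOrUdf()`, and an empty value is replaced by `"*"`. The reworked `RangerHiveResource` constructor stores a FUNCTION's name under `KEY_UDF` only, so for a function object `getTable()` presumably returns null and the resource map would name every table in the database rather than the one object that was requested. If this code can be reached for a function, that widens what the request covers; mapping by object type avoids it, e.g. `if(resource.getObjectType() == HiveObjectType.FUNCTION) { mapResource.put(RangerHiveResource.KEY_UDF, resource.getUdf()); }` ahead of the table/column defaults. The method continues outside the hunk, so an earlier object-type check may already exclude this case.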
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java index d49bd66..a29acea 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java @@ -19,32 +19,18 @@ package org.apache.ranger.authorization.hive.authorizer; -import java.util.Set; -import org.apache.commons.lang.ObjectUtils; -import org.apache.commons.lang.StringUtils; -import org.apache.ranger.plugin.policyengine.RangerResource; +import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; -import com.google.common.collect.Sets; -public class RangerHiveResource implements RangerResource { +public class RangerHiveResource extends RangerAccessResourceImpl { public static final String KEY_DATABASE = "database"; public static final String KEY_TABLE = "table"; public static final String KEY_UDF = "udf"; public static final String KEY_COLUMN = "column"; - public static final Set<String> KEYS_DATABASE = Sets.newHashSet(KEY_DATABASE); - public static final Set<String> KEYS_TABLE = Sets.newHashSet(KEY_DATABASE, KEY_TABLE); - public static final Set<String> KEYS_UDF = Sets.newHashSet(KEY_DATABASE, KEY_UDF); - public static final Set<String> KEYS_COLUMN = Sets.newHashSet(KEY_DATABASE, KEY_TABLE, KEY_COLUMN); - private HiveObjectType objectType = null; - private String database = null; - private String tableOrUdf = null; - private String column = null; - private Set<String> keys = null; - public RangerHiveResource(HiveObjectType objectType, String database) { this(objectType, database, null, null); 
@@ -56,130 +42,55 @@ public class RangerHiveResource implements RangerResource { public RangerHiveResource(HiveObjectType objectType, String database, String tableOrUdf, String column) { this.objectType = objectType; - this.database = database; - this.tableOrUdf = tableOrUdf; - this.column = column; switch(objectType) { case DATABASE: - keys = KEYS_DATABASE; + setValue(KEY_DATABASE, database); break; case FUNCTION: - keys = KEYS_UDF; + setValue(KEY_DATABASE, database); + setValue(KEY_UDF, tableOrUdf); break; case COLUMN: - keys = KEYS_COLUMN; + setValue(KEY_DATABASE, database); + setValue(KEY_TABLE, tableOrUdf); + setValue(KEY_COLUMN, column); break; case TABLE: case VIEW: case INDEX: case PARTITION: - keys = KEYS_TABLE; + setValue(KEY_DATABASE, database); + setValue(KEY_TABLE, tableOrUdf); break; case NONE: case URI: default: - keys = null; break; } } - @Override - public String getOwnerUser() { - return null; // no owner information available - } - - @Override - public boolean exists(String name) { - return !StringUtils.isEmpty(getValue(name)); - } - - @Override - public String getValue(String name) { - if(StringUtils.equalsIgnoreCase(name, KEY_DATABASE)) { - return database; - } else if(objectType == HiveObjectType.FUNCTION) { - if(StringUtils.equalsIgnoreCase(name, KEY_UDF)) { - return tableOrUdf; - } - } else if(StringUtils.equalsIgnoreCase(name, KEY_TABLE)) { - return tableOrUdf; - } else if(StringUtils.equalsIgnoreCase(name, KEY_COLUMN)) { - return column; - } - - return null; - } - - public Set<String> getKeys() { - return keys; - } - - @Override - public boolean equals(Object obj) { - if(obj == null || !(obj instanceof RangerHiveResource)) { - return false; - } - - if(this == obj) { - return true; - } - - RangerHiveResource other = (RangerHiveResource) obj; - - return ObjectUtils.equals(objectType, other.objectType) && - ObjectUtils.equals(database, other.database) && - ObjectUtils.equals(tableOrUdf, other.tableOrUdf) && - ObjectUtils.equals(column, 
other.column); - } - - @Override - public int hashCode() { - int ret = 7; - - ret = 31 * ret + ObjectUtils.hashCode(objectType); - ret = 31 * ret + ObjectUtils.hashCode(database); - ret = 31 * ret + ObjectUtils.hashCode(tableOrUdf); - ret = 31 * ret + ObjectUtils.hashCode(column); - - return ret; - } - - @Override - public String toString() { - StringBuilder sb = new StringBuilder(); - - toString(sb); - - return sb.toString(); - } - - public StringBuilder toString(StringBuilder sb) { - sb.append("objectType={").append(objectType).append("} "); - sb.append("database={").append(database).append("} "); - sb.append("tableOrUdf={").append(tableOrUdf).append("} "); - sb.append("column={").append(column).append("} "); - - return sb; - } - public HiveObjectType getObjectType() { return objectType; } public String getDatabase() { - return database; + return getValue(KEY_DATABASE); + } + + public String getTable() { + return getValue(KEY_TABLE); } - public String getTableOrUdf() { - return tableOrUdf; + public String getUdf() { + return getValue(KEY_UDF); } public String getColumn() { - return column; + return getValue(KEY_COLUMN); } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java ---------------------------------------------------------------------- diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java index 354d2f0..643450c 100644 --- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java +++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java 
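Review bot: `equals` and `hashCode` are removed from `RangerHiveResource` while `objectType` remains a field of the subclass, so equality now comes from `RangerAccessResourceImpl` (not visible in this chunk) and cannot take `objectType` into account. Depending on what the base class defines, two resources that differ only in object type, such as a TABLE and a VIEW with the same database and table values, either compare equal or every instance falls back to identity comparison. Both outcomes change behaviour for any caller that keeps these objects in a set, a map or a cache. I would keep an `equals`/`hashCode` pair in this class that combines the base-class result with `objectType`, or add a comment saying that the object type is deliberately excluded from equality.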
@@ -27,7 +27,7 @@ import org.apache.ranger.authorization.knox.KnoxRangerPlugin.KnoxConstants.Resou import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; -import org.apache.ranger.plugin.policyengine.RangerResourceImpl; +import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.service.RangerBasePlugin; public class KnoxRangerPlugin extends RangerBasePlugin { @@ -85,7 +85,7 @@ public class KnoxRangerPlugin extends RangerBasePlugin { RangerAccessRequest build() { // build resource - RangerResourceImpl resource = new RangerResourceImpl(); + RangerAccessResourceImpl resource = new RangerAccessResourceImpl(); resource.setValue(ResourceName.Service, _service); resource.setValue(ResourceName.Topology, _topology); // build request http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java ---------------------------------------------------------------------- diff --git a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java index cc82c81..ff20097 100644 --- a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java +++ b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java 
@@ -22,15 +22,12 @@ package org.apache.ranger.authorization.yarn.authorizer; import java.net.InetAddress; import java.util.Collection; -import java.util.Collections; -import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.Set; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.collections.MapUtils; -import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; @@ -43,7 +40,7 @@ import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; -import org.apache.ranger.plugin.policyengine.RangerResource; +import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.service.RangerBasePlugin; import org.apache.ranger.plugin.util.GrantRevokeRequest; @@ -155,7 +152,7 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider { RangerYarnResource resource = new RangerYarnResource(entity); GrantRevokeRequest request = new GrantRevokeRequest(); - request.setResource(resource.getResourceAsMap()); + request.setResource(resource.getAsMap()); request.setGrantor(ugi.getShortUserName()); request.setDelegateAdmin(Boolean.FALSE); request.setEnableAudit(Boolean.TRUE); 
@@ -249,44 +246,11 @@ class RangerYarnPlugin extends RangerBasePlugin { } } -class RangerYarnResource implements RangerResource { - private static final String KEY_QUEUE = "queue"; - private static final Set<String> KEYS_QUEUE = Sets.newHashSet(KEY_QUEUE); - - private String queue = null; +class RangerYarnResource extends RangerAccessResourceImpl { + private static final String KEY_QUEUE = "queue"; public RangerYarnResource(PrivilegedEntity entity) { - this.queue = entity != null ? entity.getName() : null; - } - - @Override - public String getOwnerUser() { - return null; - } - - @Override - public boolean exists(String name) { - return !StringUtils.isEmpty(queue) && StringUtils.equals(name, KEY_QUEUE); - } - - @Override - public String getValue(String name) { - return StringUtils.equals(name, KEY_QUEUE) ? queue : null; - } - - @Override - public Set<String> getKeys() { - return StringUtils.isEmpty(queue) ? Collections.<String>emptySet() : KEYS_QUEUE; - } - - public Map<String, String> getResourceAsMap() { - Map<String, String> ret = new HashMap<String, String>(); - - if(!StringUtils.isEmpty(queue)) { - ret.put(KEY_QUEUE, queue); - } - - return ret; + setValue(KEY_QUEUE, entity != null ? entity.getName() : null); } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java b/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java index e5ad26c..192734e 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 
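Review bot: An empty queue name is no longer treated as absent: the removed `exists`, `getKeys` and `getResourceAsMap` all tested `StringUtils.isEmpty(queue)`, while the new constructor passes `entity.getName()` straight to `setValue`. The deleted `RangerResourceImpl.setValue` dropped a key only for null, and if `RangerAccessResourceImpl` behaves the same way an empty name ends up as an entry with an empty value in the resource and in the map that `getAsMap()` hands to the grant/revoke request. Normalising in the constructor keeps the old behaviour: `String queue = entity != null ? entity.getName() : null;` followed by `setValue(KEY_QUEUE, StringUtils.isEmpty(queue) ? null : queue);`. The `StringUtils` import that an earlier hunk of this file removes would then have to stay.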
@@ -22,7 +22,6 @@ import java.util.ArrayList; import java.util.Date; import java.util.List; -import java.util.Map; import javax.persistence.EntityManager; import javax.persistence.Query; @@ -64,13 +63,11 @@ public class RangerSearchUtil extends SearchUtil { private StringBuilder buildWhereClause(SearchFilter searchCriteria, List<SearchField> searchFields) { return buildWhereClause(searchCriteria, searchFields, false, false); } - + private StringBuilder buildWhereClause(SearchFilter searchCriteria, List<SearchField> searchFields, boolean isNativeQuery, boolean excludeWhereKeyword) { - Map<String, String> paramList = searchCriteria.getParams(); - StringBuilder whereClause = new StringBuilder(excludeWhereKeyword ? "" : "WHERE 1 = 1 "); List<String> joinTableList = new ArrayList<String>(); @@ -83,7 +80,7 @@ public class RangerSearchUtil extends SearchUtil { } if (searchField.getDataType() == SearchField.DATA_TYPE.INTEGER) { - Integer paramVal = restErrorUtil.parseInt(paramList.get(searchField.getClientFieldName()), + Integer paramVal = restErrorUtil.parseInt(searchCriteria.getParam(searchField.getClientFieldName()), "Invalid value for " + searchField.getClientFieldName(), MessageEnums.INVALID_INPUT_DATA, null, searchField.getClientFieldName()); @@ -99,7 +96,7 @@ public class RangerSearchUtil extends SearchUtil { } } } else if (searchField.getDataType() == SearchField.DATA_TYPE.STRING) { - String strFieldValue = paramList.get(searchField.getClientFieldName()); + String strFieldValue = searchCriteria.getParam(searchField.getClientFieldName()); if (strFieldValue != null) { if (searchField.getCustomCondition() == null) { whereClause.append(" and ").append("LOWER(").append(searchField.getFieldName()).append(")"); 
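Review bot: `buildWhereClause` writes `searchField.getFieldName()` straight into the query text (`.append("LOWER(").append(searchField.getFieldName())`), while the request values read through `searchCriteria.getParam(...)` are only bound later with `query.setParameter` in `resolveQueryParams`. That separation is what keeps this builder safe against injection, and nothing in the method states it. I would add a comment above the loop, e.g. `// field names come from server-side SearchField definitions and are concatenated; request values must only ever be bound as parameters`. Both methods continue outside these hunks, so this is based on the visible branches only.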
@@ -113,7 +110,7 @@ public class RangerSearchUtil extends SearchUtil { } } } else if (searchField.getDataType() == SearchField.DATA_TYPE.BOOLEAN) { - Boolean boolFieldValue = restErrorUtil.parseBoolean(paramList.get(searchField.getClientFieldName()), + Boolean boolFieldValue = restErrorUtil.parseBoolean(searchCriteria.getParam(searchField.getClientFieldName()), "Invalid value for " + searchField.getClientFieldName(), MessageEnums.INVALID_INPUT_DATA, null, searchField.getClientFieldName()); @@ -128,7 +125,7 @@ public class RangerSearchUtil extends SearchUtil { } } } else if (searchField.getDataType() == SearchField.DATA_TYPE.DATE) { - Date fieldValue = restErrorUtil.parseDate(paramList.get(searchField.getClientFieldName()), + Date fieldValue = restErrorUtil.parseDate(searchCriteria.getParam(searchField.getClientFieldName()), "Invalid value for " + searchField.getClientFieldName(), MessageEnums.INVALID_INPUT_DATA, null, searchField.getClientFieldName(), null); if (fieldValue != null) { @@ -168,12 +165,10 @@ public class RangerSearchUtil extends SearchUtil { protected void resolveQueryParams(Query query, SearchFilter searchCriteria, List<SearchField> searchFields) { - Map<String, String> paramList = searchCriteria.getParams(); - for (SearchField searchField : searchFields) { if (searchField.getDataType() == SearchField.DATA_TYPE.INTEGER) { - Integer paramVal = restErrorUtil.parseInt(paramList.get(searchField.getClientFieldName()), + Integer paramVal = restErrorUtil.parseInt(searchCriteria.getParam(searchField.getClientFieldName()), "Invalid value for " + searchField.getClientFieldName(), MessageEnums.INVALID_INPUT_DATA, null, searchField.getClientFieldName()); 
@@ -182,7 +177,7 @@ public class RangerSearchUtil extends SearchUtil { query.setParameter(searchField.getClientFieldName(), intFieldValue); } } else if (searchField.getDataType() == SearchField.DATA_TYPE.STRING) { - String strFieldValue = paramList.get(searchField.getClientFieldName()); + String strFieldValue = searchCriteria.getParam(searchField.getClientFieldName()); if (strFieldValue != null) { if (searchField.getSearchType() == SearchField.SEARCH_TYPE.FULL) { query.setParameter(searchField.getClientFieldName(), strFieldValue.trim().toLowerCase()); @@ -191,7 +186,7 @@ public class RangerSearchUtil extends SearchUtil { } } } else if (searchField.getDataType() == SearchField.DATA_TYPE.BOOLEAN) { - Boolean boolFieldValue = restErrorUtil.parseBoolean(paramList.get(searchField.getClientFieldName()), + Boolean boolFieldValue = restErrorUtil.parseBoolean(searchCriteria.getParam(searchField.getClientFieldName()), "Invalid value for " + searchField.getClientFieldName(), MessageEnums.INVALID_INPUT_DATA, null, searchField.getClientFieldName()); @@ -199,7 +194,7 @@ public class RangerSearchUtil extends SearchUtil { query.setParameter(searchField.getClientFieldName(), boolFieldValue); } } else if (searchField.getDataType() == SearchField.DATA_TYPE.DATE) { - Date fieldValue = restErrorUtil.parseDate(paramList.get(searchField.getClientFieldName()), + Date fieldValue = restErrorUtil.parseDate(searchCriteria.getParam(searchField.getClientFieldName()), "Invalid value for " + searchField.getClientFieldName(), MessageEnums.INVALID_INPUT_DATA, null, searchField.getClientFieldName(), null); if (fieldValue != null) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- 
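Review bot: `strFieldValue.trim().toLowerCase()` in the STRING branch of `resolveQueryParams` (hunk `-182,7 +177,7`) lower-cases with the JVM's default locale, while the matching predicate built in `buildWhereClause` uses SQL `LOWER(...)`. Under some default locales (Turkish, for example) the two foldings can disagree, and a full-match search then silently returns nothing. Use `strFieldValue.trim().toLowerCase(Locale.ROOT)`, which needs `java.util.Locale` imported. Whatever follows this `if` lies outside the hunk and may need the same change.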
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 617a084..ec64e89 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -64,8 +64,8 @@ import org.apache.ranger.plugin.model.validation.RangerValidator.Action; import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; -import org.apache.ranger.plugin.policyengine.RangerResource; -import org.apache.ranger.plugin.policyengine.RangerResourceImpl; +import org.apache.ranger.plugin.policyengine.RangerAccessResource; +import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.service.ResourceLookupContext; @@ -533,9 +533,9 @@ public class ServiceREST { if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) { try { - String userName = grantRequest.getGrantor(); - Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger database - RangerResource resource = new RangerResourceImpl(grantRequest.getResource()); + String userName = grantRequest.getGrantor(); + Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger database + RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource()); boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource); 
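Review bot: In the grant hunk (`-533,9 +533,9`), `isAdminForResource` is evaluated for `grantRequest.getGrantor()`, a name taken from the request body, and the only caller check visible is `serviceUtil.isValidateHttpsAuthentication(serviceName, request)`. If that check authenticates the calling plugin rather than the end user (its body is not shown here), the delegated-admin decision rests on the plugin reporting the grantor honestly, and that assumption deserves a comment: `// grantor is asserted by the authenticated plugin; access to this endpoint must stay limited to trusted plugin hosts`. The empty `userGroups` set also means group-based delegated-admin policies presumably never match until the TODO is resolved, which fails closed but should be recorded in the same comment. The revoke hunk (`-714,9 +714,9`) has the same pattern, and both method bodies extend beyond their hunks.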
@@ -714,9 +714,9 @@ public class ServiceREST { if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) { try { - String userName = revokeRequest.getGrantor(); - Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger databas - RangerResource resource = new RangerResourceImpl(revokeRequest.getResource()); + String userName = revokeRequest.getGrantor(); + Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger databas + RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource()); boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource); @@ -1120,7 +1120,7 @@ public class ServiceREST { } } - private boolean isAdminForResource(String userName, Set<String> userGroups, String serviceName, RangerResource resource) throws Exception { + private boolean isAdminForResource(String userName, Set<String> userGroups, String serviceName, RangerAccessResource resource) throws Exception { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.isAdminForResource(" + userName + ", " + serviceName + ", " + resource + ")"); } @@ -1165,7 +1165,7 @@ public class ServiceREST { return ret; } - private RangerPolicy getExactMatchPolicyForResource(String serviceName, RangerResource resource) throws Exception { + private RangerPolicy getExactMatchPolicyForResource(String serviceName, RangerAccessResource resource) throws Exception { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + serviceName + ", " + resource + ")"); } @@ -1191,7 +1191,7 @@ public class ServiceREST { return ret; } - private boolean isMatch(RangerPolicy policy, RangerResource resource) throws Exception { + private boolean isMatch(RangerPolicy policy, RangerAccessResource resource) throws Exception { boolean ret = false; String serviceName = policy.getService(); 
@@ -1216,7 +1216,7 @@ public class ServiceREST { return ret; } - private boolean isSingleAndExactMatch(RangerPolicy policy, RangerResource resource) throws Exception { + private boolean isSingleAndExactMatch(RangerPolicy policy, RangerAccessResource resource) throws Exception { boolean ret = false; String serviceName = policy.getService(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bf8a3fa/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java ---------------------------------------------------------------------- diff --git a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java index db5e0af..b61e209 100644 --- a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java +++ b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java @@ -10,7 +10,7 @@ import org.apache.ranger.authorization.storm.StormRangerPlugin.StormConstants.Re import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; -import org.apache.ranger.plugin.policyengine.RangerResourceImpl; +import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.service.RangerBasePlugin; import com.google.common.collect.Sets; @@ -52,7 +52,7 @@ public class StormRangerPlugin extends RangerBasePlugin { request.setAccessType(_operation); request.setClientIPAddress(_clientIp); // build resource and connect stuff into request - RangerResourceImpl resource = new RangerResourceImpl(); + RangerAccessResourceImpl resource = new RangerAccessResourceImpl(); resource.setValue(ResourceName.Topology, _topology); request.setResource(resource);
