RANGER-390: Merge RangerPolicyDb implementation with RangerPolicyEngine
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/a93ac46d Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/a93ac46d Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/a93ac46d Branch: refs/heads/master Commit: a93ac46d69b5b5a1eed6a73d1616bac2c1c3a3d6 Parents: 9693fb8 Author: Madhan Neethiraj <[email protected]> Authored: Fri Apr 10 15:09:45 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Sat Apr 11 16:03:40 2015 -0700 ---------------------------------------------------------------------- .../plugin/policyengine/RangerPolicyDb.java | 122 ----------- .../policyengine/RangerPolicyDbCache.java | 73 ------- .../plugin/policyengine/RangerPolicyEngine.java | 25 ++- .../policyengine/RangerPolicyEngineCache.java | 88 ++++++++ .../policyengine/RangerPolicyEngineImpl.java | 175 +++++++++++---- .../policyengine/RangerPolicyEngineOptions.java | 30 +++ .../RangerPolicyEvaluatorFacade.java | 149 ------------- .../policyengine/RangerPolicyRepository.java | 119 +++++++---- .../RangerAbstractPolicyEvaluator.java | 41 +++- .../RangerCachedPolicyEvaluator.java | 5 +- .../RangerDefaultPolicyEvaluator.java | 120 ++++++----- .../RangerOptimizedPolicyEvaluator.java | 48 ++++- .../policyevaluator/RangerPolicyEvaluator.java | 16 +- .../ranger/plugin/service/RangerBasePlugin.java | 55 ++--- .../ranger/plugin/util/PolicyRefresher.java | 42 ++-- .../plugin/policyengine/TestPolicyDb.java | 14 +- .../plugin/policyengine/TestPolicyEngine.java | 7 +- .../authorization/hbase/HbaseFactory.java | 7 - .../org/apache/ranger/rest/ServiceREST.java | 213 ++++++------------- 19 files changed, 645 insertions(+), 704 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDb.java 
---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDb.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDb.java deleted file mode 100644 index d07afe3..0000000 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDb.java +++ /dev/null 
@@ -1,122 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.plugin.policyengine; - -import java.util.ArrayList; -import java.util.List; -import java.util.Map; -import java.util.Set; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.ranger.plugin.model.RangerPolicy; -import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; -import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator; -import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; -import org.apache.ranger.plugin.util.ServicePolicies; - - -public class RangerPolicyDb { - private static final Log LOG = LogFactory.getLog(RangerPolicyDb.class); - - private final ServicePolicies servicePolicies; - private final List<RangerPolicyEvaluator> policyEvaluators; - - public RangerPolicyDb(ServicePolicies servicePolicies) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyDb(" + servicePolicies + ")"); - } - - this.servicePolicies = servicePolicies; - this.policyEvaluators = new ArrayList<RangerPolicyEvaluator>(); - - RangerServiceDef serviceDef = 
servicePolicies.getServiceDef(); - List<RangerPolicy> policies = servicePolicies.getPolicies(); - - if(serviceDef != null && policies != null) { - for (RangerPolicy policy : policies) { - if (!policy.getIsEnabled()) { - continue; - } - - RangerPolicyEvaluator evaluator = new RangerOptimizedPolicyEvaluator(); - - if (evaluator != null) { - evaluator.init(policy, serviceDef); - - policyEvaluators.add(evaluator); - } - } - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyDb(" + servicePolicies + ")"); - } - } - - public String getServiceName() { - return servicePolicies.getServiceName(); - } - - public long getPolicyVersion() { - Long policyVersion = servicePolicies.getPolicyVersion(); - - return policyVersion != null ? policyVersion.longValue() : -1; - } - - public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyDb.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")"); - } - - boolean ret = false; - - for(RangerPolicyEvaluator evaluator : policyEvaluators) { - ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType); - - if(ret) { - break; - } - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyDb.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret); - } - - return ret; - } - - public List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String accessType) { - List<RangerPolicy> ret = new ArrayList<RangerPolicy>(); - - for(RangerPolicyEvaluator evaluator : policyEvaluators) { - RangerPolicy policy = evaluator.getPolicy(); - - boolean isAccessAllowed = isAccessAllowed(policy.getResources(), user, userGroups, accessType); - - if(isAccessAllowed) { - ret.add(policy); - } - } - - return ret; - } -} 
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDbCache.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDbCache.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDbCache.java deleted file mode 100644 index bfa71b8..0000000 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDbCache.java +++ /dev/null 
@@ -1,73 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.plugin.policyengine; - -import java.util.Collections; -import java.util.HashMap; -import java.util.Map; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.ranger.plugin.store.ServiceStore; -import org.apache.ranger.plugin.util.ServicePolicies; - -public class RangerPolicyDbCache { - private static final Log LOG = LogFactory.getLog(RangerPolicyDbCache.class); - - private static final RangerPolicyDbCache sInstance = new RangerPolicyDbCache(); - - private final Map<String, RangerPolicyDb> policyDbCache = Collections.synchronizedMap(new HashMap<String, RangerPolicyDb>()); - - public static RangerPolicyDbCache getInstance() { - return sInstance; - } - - public RangerPolicyDb getPolicyDb(String serviceName, ServiceStore svcStore) { - RangerPolicyDb ret = null; - - if(serviceName != null) { - ret = policyDbCache.get(serviceName); - - long policyVersion = ret != null ? 
ret.getPolicyVersion() : -1; - - if(svcStore != null) { - try { - ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, policyVersion); - - if(policies != null) { - if(ret == null) { - ret = new RangerPolicyDb(policies); - - policyDbCache.put(serviceName, ret); - } else if(policies.getPolicyVersion() != null && !policies.getPolicyVersion().equals(policyVersion)) { - ret = new RangerPolicyDb(policies); - - policyDbCache.put(serviceName, ret); - } - } - } catch(Exception excp) { - LOG.error("getPolicyDbForService(" + serviceName + "): failed to get latest policies from service-store", excp); - } - } - } - - return ret; - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index da83838..3634768 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -21,11 +21,15 @@ package org.apache.ranger.plugin.policyengine; import java.util.Collection; import java.util.List; +import java.util.Map; +import java.util.Set; import org.apache.ranger.plugin.audit.RangerAuditHandler; import org.apache.ranger.plugin.contextenricher.RangerContextEnricher; +import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.util.ServicePolicies; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; public interface RangerPolicyEngine { public static final String GROUP_PUBLIC = "public"; 
@@ -37,11 +41,14 @@ public interface RangerPolicyEngine { RangerServiceDef getServiceDef(); - List<RangerContextEnricher> getContextEnrichers(); + List<RangerPolicy> getPolicies(); + + long getPolicyVersion(); - void setPolicies(ServicePolicies policies); + List<RangerPolicyEvaluator> getPolicyEvaluators(); + + List<RangerContextEnricher> getContextEnrichers(); - ServicePolicies getPolicies(); void setDefaultAuditHandler(RangerAuditHandler auditHandler); @@ -49,6 +56,7 @@ public interface RangerPolicyEngine { RangerAccessResult createAccessResult(RangerAccessRequest request); + RangerAccessResult isAccessAllowed(RangerAccessRequest request); Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests); @@ -56,4 +64,13 @@ public interface RangerPolicyEngine { RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAuditHandler auditHandler); Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAuditHandler auditHandler); + + + boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType); + + boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType); + + RangerPolicy getExactMatchPolicy(RangerAccessResource resource); + + List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String accessType); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java new file mode 100644 index 0000000..09b9f3f --- /dev/null 
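Review bot: The four lookup methods appended at the end of the interface — the two boolean `isAccessAllowed` overloads, `getExactMatchPolicy` and `getAllowedPolicies` — carry no Javadoc, and unlike the `RangerAccessResult` overloads above them they take no audit handler, so nothing on the interface tells a caller that these decide access without producing an audit record. Suggest stating that contract on each, e.g. on the resource overload: `/** Returns true if some policy grants {@code accessType} on {@code resource} to {@code user} or one of {@code userGroups}. No audit record is produced; use the {@link RangerAccessRequest} overloads for request enforcement. */`. `getPolicyEvaluators()` is also newly public and hands out the engine's evaluator list; document whether callers may retain or modify it, since the implementation returns the repository's list as-is.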
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java 
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.store.ServiceStore;
+import org.apache.ranger.plugin.util.ServicePolicies;
+
+public class RangerPolicyEngineCache {
+	private static final Log LOG = LogFactory.getLog(RangerPolicyEngineCache.class);
+
+	private static final RangerPolicyEngineCache sInstance = new RangerPolicyEngineCache();
+
+	private final Map<String, RangerPolicyEngine> policyEngineCache = Collections.synchronizedMap(new HashMap<String, RangerPolicyEngine>());
+
+	private RangerPolicyEngineOptions options = null;
+
+	public static RangerPolicyEngineCache getInstance() {
+		return sInstance;
+	}
+
+	public RangerPolicyEngine getPolicyEngine(String serviceName, ServiceStore svcStore) {
+		RangerPolicyEngine ret = null;
+
+		if(serviceName != null) {
+			ret = policyEngineCache.get(serviceName);
+
+			long policyVersion = ret != null ?
ret.getPolicyVersion() : -1;
+
+			if(svcStore != null) {
+				try {
+					ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, policyVersion);
+
+					if(policies != null) {
+						if(ret == null) {
+							ret = addPolicyEngine(policies);
+						} else if(policies.getPolicyVersion() != null && !policies.getPolicyVersion().equals(policyVersion)) {
+							ret = addPolicyEngine(policies);
+						}
+					}
+				} catch(Exception excp) {
+					LOG.error("getPolicyEngine(" + serviceName + "): failed to get latest policies from service-store", excp);
+				}
+			}
+		}
+
+		return ret;
+	}
+
+	public RangerPolicyEngineOptions getPolicyEngineOptions() {
+		return options;
+	}
+
+	public void setPolicyEngineOptions(RangerPolicyEngineOptions options) {
+		this.options = options;
+	}
+
+	private RangerPolicyEngine addPolicyEngine(ServicePolicies policies) {
+		RangerPolicyEngine ret = new RangerPolicyEngineImpl(policies, options);
+
+		policyEngineCache.put(policies.getServiceName(), ret);
+
+		return ret;
+	}
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index f09ad70..5956759 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
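Review bot: `getPolicyEngine` performs the cache `get`, the store call and the conditional `put` with no lock spanning them, so the `synchronizedMap` only serialises the individual map operations: two threads refreshing the same service concurrently can both see the stale version, both build a `RangerPolicyEngineImpl` from the fetched `ServicePolicies`, and the second `put` silently replaces the first. Building an engine instantiates an evaluator per policy, so under load this is duplicated work rather than a wrong decision, but a singleton cache should provide the guarantee — the simplest fix is `public synchronized RangerPolicyEngine getPolicyEngine(String serviceName, ServiceStore svcStore)`, since the store round-trip already dominates. `options` is a plain field written by `setPolicyEngineOptions` and read by `addPolicyEngine`; if those can run on different threads it should be `volatile`, and a comment should say that options only affect engines built after the setter runs. The `catch(Exception excp)` branch deserves a comment too: when the store is unreachable the caller gets the previously cached engine (last-known policies) or `null` if none was cached, with only the log line recording the failure.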
@@ -25,26 +25,39 @@ import org.apache.ranger.plugin.audit.RangerAuditHandler; import org.apache.ranger.plugin.contextenricher.RangerContextEnricher; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.util.ServicePolicies; import java.util.ArrayList; import java.util.Collection; import java.util.List; +import java.util.Map; +import java.util.Set; public class RangerPolicyEngineImpl implements RangerPolicyEngine { private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class); - private ServicePolicies servicePolicies = null; - private RangerPolicyRepository policyRepository = null; - private RangerAuditHandler defaultAuditHandler = null; + private final RangerPolicyRepository policyRepository; - public RangerPolicyEngineImpl() { + private RangerAuditHandler defaultAuditHandler = null; + + public RangerPolicyEngineImpl(ServicePolicies servicePolicies) { + this(servicePolicies, null); + } + + public RangerPolicyEngineImpl(ServicePolicies servicePolicies, RangerPolicyEngineOptions options) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEngineImpl()"); + LOG.debug("==> RangerPolicyEngineImpl(" + servicePolicies + ", " + options + ")"); } + if(options == null) { + options = new RangerPolicyEngineOptions(); + } + + policyRepository = new RangerPolicyRepository(servicePolicies, options); + if(LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl()"); } 
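Review bot: The new constructor hands `servicePolicies` straight to `new RangerPolicyRepository(servicePolicies, options)` without a null check, whereas the `setPolicies` it replaces (next hunk) rejected a null serviceName, serviceDef or policy list with an error log; the repository constructor calls `servicePolicies.getServiceName()` as its first statement, so a null argument now surfaces as a bare `NullPointerException` from inside the engine constructor with no indication of which input was missing. Suggest a guard before the repository is built: `if(servicePolicies == null) { throw new IllegalArgumentException("RangerPolicyEngineImpl: servicePolicies is null"); }`, or at minimum the equivalent `LOG.error` before the failure. The exit log `"<== RangerPolicyEngineImpl()"` also no longer mirrors the entry log's arguments — cosmetic, but it makes paired debug lines harder to match. The constructor's closing brace lies outside this hunk.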
@@ -52,53 +65,32 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { @Override public String getServiceName() { - RangerPolicyRepository policyRepository = this.policyRepository; - - return policyRepository == null ? null : policyRepository.getServiceName(); + return policyRepository.getServiceName(); } @Override public RangerServiceDef getServiceDef() { - RangerPolicyRepository policyRepository = this.policyRepository; - - return policyRepository == null ? null : policyRepository.getServiceDef(); + return policyRepository.getServiceDef(); } @Override - public List<RangerContextEnricher> getContextEnrichers() { - RangerPolicyRepository policyRepository = this.policyRepository; - - return policyRepository == null ? null : policyRepository.getContextEnrichers(); + public List<RangerPolicy> getPolicies() { + return policyRepository.getPolicies(); } @Override - public void setPolicies(ServicePolicies servicePolicies) { - String serviceName = servicePolicies != null ? servicePolicies.getServiceName() : null; - RangerServiceDef serviceDef = servicePolicies != null ? servicePolicies.getServiceDef() : null; - List<RangerPolicy> policies = servicePolicies != null ? servicePolicies.getPolicies() : null; - - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEngineImpl.setPolicies(" + serviceName + ", " + serviceDef + ", policies.count=" + (policies == null ? 
0 : policies.size()) + ")"); - } - - if (serviceName != null && serviceDef != null && policies != null) { - RangerPolicyRepository policyRepository = new RangerPolicyRepository(serviceName); - policyRepository.init(serviceDef, policies); - - this.servicePolicies = servicePolicies; - this.policyRepository = policyRepository; - } else { - LOG.error("RangerPolicyEngineImpl.setPolicies ->Invalid arguments: serviceName, serviceDef, or policies is null"); - } + public long getPolicyVersion() { + return policyRepository.getPolicyVersion(); + } - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEngineImpl.setPolicies(" + serviceName + ", " + serviceDef + ", policies.count=" + (policies == null ? 0 : policies.size()) + ")"); - } + @Override + public List<RangerPolicyEvaluator> getPolicyEvaluators() { + return policyRepository.getPolicyEvaluators(); } @Override - public ServicePolicies getPolicies() { - return servicePolicies; + public List<RangerContextEnricher> getContextEnrichers() { + return policyRepository.getContextEnrichers(); } @Override @@ -113,9 +105,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { @Override public RangerAccessResult createAccessResult(RangerAccessRequest request) { - RangerPolicyRepository policyRepository = this.policyRepository; - - return new RangerAccessResult(this.getServiceName(), policyRepository == null ? null : policyRepository.getServiceDef(), request); + return new RangerAccessResult(this.getServiceName(), policyRepository.getServiceDef(), request); } @Override 
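Review bot: `getPolicies()` and `getPolicyEvaluators()` return the repository's lists directly, and `getPolicyEvaluators()` is now part of the public `RangerPolicyEngine` interface; the repository wraps `policies` in `Collections.unmodifiableList` (visible in the RangerPolicyRepository hunk) but the evaluator list's construction is not shown in this commit, so if it is a plain mutable list any caller can reorder or clear the evaluators that `isAccessAllowedNoAudit` iterates and change authorization outcomes for every later request. Suggest either returning a read-only view here — `List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators(); return evaluators == null ? null : Collections.unmodifiableList(evaluators);` with the `java.util.Collections` import added — or a Javadoc line on both getters stating that the returned list must not be modified. Dropping the `policyRepository == null` guards is fine now that the field is `final` and assigned in the constructor.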
@@ -174,17 +164,110 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { return ret; } + @Override + public boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + ")"); + } + + boolean ret = false; + + for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { + ret = evaluator.isAccessAllowed(resource, user, userGroups, accessType); + + if(ret) { + break; + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret); + } + + return ret; + } + + + @Override + public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")"); + } + + boolean ret = false; + + for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { + ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType); + + if(ret) { + break; + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret); + } + + return ret; + } + + @Override + public RangerPolicy getExactMatchPolicy(RangerAccessResource resource) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + ")"); + } + + RangerPolicy ret = null; + + for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { + if(evaluator.isSingleAndExactMatch(resource)) { + ret = evaluator.getPolicy(); + + break; + } + } + + if(LOG.isDebugEnabled()) { + 
LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + "): " + ret); + } + + return ret; + } + + @Override + public List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String accessType) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.getAllowedPolicies(" + user + ", " + userGroups + ", " + accessType + ")"); + } + + List<RangerPolicy> ret = new ArrayList<RangerPolicy>(); + + for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { + RangerPolicy policy = evaluator.getPolicy(); + + boolean isAccessAllowed = isAccessAllowed(policy.getResources(), user, userGroups, accessType); + + if(isAccessAllowed) { + ret.add(policy); + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.getAllowedPolicies(" + user + ", " + userGroups + ", " + accessType + "): policyCount=" + ret.size()); + } + + return ret; + } + protected RangerAccessResult isAccessAllowedNoAudit(RangerAccessRequest request) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + ")"); } - RangerPolicyRepository policyRepository = this.policyRepository; - RangerAccessResult ret = createAccessResult(request); - if(policyRepository != null && ret != null && request != null) { - List<RangerPolicyEvaluatorFacade> evaluators = policyRepository.getPolicyEvaluators(); + if(ret != null && request != null) { + List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators(); if(evaluators != null) { boolean foundInCache = policyRepository.setAuditEnabledFromCache(request, ret); 
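Review bot: In `getAllowedPolicies`, the per-policy check `isAccessAllowed(policy.getResources(), user, userGroups, accessType)` calls the engine-level overload, which walks every evaluator again, so the method is quadratic in the policy count and reports a policy as allowed whenever any policy grants the access on its resources, not only when that policy itself does. The same loop existed in the deleted RangerPolicyDb, so this is carried over rather than introduced, but if the intent is "policies that grant this user the access" the check belongs on the evaluator being iterated: `boolean isAccessAllowed = evaluator.isAccessAllowed(policy.getResources(), user, userGroups, accessType);`. If the broader semantics are intended, a Javadoc sentence saying so would stop the next reader from "fixing" it. The two boolean `isAccessAllowed` overloads stop at the first evaluator that returns true and involve no audit handler or `RangerAccessResult`; a short comment marking them as lookup helpers, distinct from the request-based path in `isAccessAllowedNoAudit`, would help. The enclosing class continues past this hunk.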
@@ -222,8 +305,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } public StringBuilder toString(StringBuilder sb) { - RangerPolicyRepository policyRepository = this.policyRepository; - sb.append("RangerPolicyEngineImpl={"); sb.append("serviceName={").append(this.getServiceName()).append("} "); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java new file mode 100644 index 0000000..a5c1dfb --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java 
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+
+
+public class RangerPolicyEngineOptions {
+	public String evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED;
+	public boolean cacheAuditResults = true;
+	public boolean disableContextEnrichers = false;
+	public boolean disableCustomConditions = false;
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEvaluatorFacade.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEvaluatorFacade.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEvaluatorFacade.java
deleted file mode 100644
index 862cd1a..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEvaluatorFacade.java
+++ /dev/null
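Review bot: The four public fields of `RangerPolicyEngineOptions` are undocumented and unencapsulated, and two of their names (`disableContextEnrichers`, `disableCustomConditions`) suggest switches that remove steps from policy evaluation — an inference from the names only, since the repository code that consumes them is cut off in this view. A class that can turn off parts of evaluation should say what each switch does and who is meant to set it; suggest a class Javadoc along the lines of `/** Options read when a RangerPolicyEngineImpl is constructed. The disable* flags skip steps of policy evaluation and are intended for <intended callers, e.g. lookup-only engines>; an enforcing plugin should leave them false. */`, with the placeholder filled from the actual callers, plus a one-line comment per field. `evaluatorType` is a free-form `String` defaulting to `RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED`; documenting the accepted values and the fallback for an unrecognised one would close that gap. Because `RangerPolicyEngineCache` keeps a single instance and passes it to every engine it builds, either note that the fields must not be mutated after `setPolicyEngineOptions` or make the class immutable.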
@@ -1,149 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.plugin.policyengine; - -import org.apache.commons.lang.StringUtils; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; -import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator; -import org.apache.ranger.plugin.model.RangerPolicy; -import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; -import org.apache.ranger.plugin.policyevaluator.RangerCachedPolicyEvaluator; -import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator; -import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator; -import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; - -import java.util.Map; -import java.util.Set; - -public class RangerPolicyEvaluatorFacade implements RangerPolicyEvaluator, Comparable<RangerPolicyEvaluatorFacade> { - private static final Log LOG = LogFactory.getLog(RangerPolicyEvaluatorFacade.class); - - RangerDefaultPolicyEvaluator delegate = null; - int 
computedPolicyEvalOrder = 0; - - RangerPolicyEvaluatorFacade() { - super(); - - String evaluatorType = RangerConfiguration.getInstance().get("ranger.policyengine.evaluator.type", "cached"); - - if(StringUtils.isEmpty(evaluatorType) || StringUtils.equalsIgnoreCase(evaluatorType, "cached")) { - delegate = new RangerCachedPolicyEvaluator(); - } else { - delegate = new RangerOptimizedPolicyEvaluator(); - } - } - - RangerPolicyEvaluator getPolicyEvaluator() { - return delegate; - } - - @Override - public void init(RangerPolicy policy, RangerServiceDef serviceDef) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEvaluatorFacade.init()"); - } - - delegate.init(policy, serviceDef); - - computedPolicyEvalOrder = computePolicyEvalOrder(); - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEvaluatorFacade.init()"); - } - } - - @Override - public RangerPolicy getPolicy() { - return delegate.getPolicy(); - } - - @Override - public RangerServiceDef getServiceDef() { - return delegate.getServiceDef(); - } - - @Override - public void evaluate(RangerAccessRequest request, RangerAccessResult result) { - delegate.evaluate(request, result); - } - - @Override - public boolean isMatch(RangerAccessResource resource) { - return delegate.isMatch(resource); - } - - @Override - public boolean isSingleAndExactMatch(RangerAccessResource resource) { - return delegate.isSingleAndExactMatch(resource); - } - - @Override - public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) { - return delegate.isAccessAllowed(resources, user, userGroups, accessType); - } - - @Override - public int compareTo(RangerPolicyEvaluatorFacade other) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEvaluatorFacade.compareTo()"); - } - - int result; - - if (this.getComputedPolicyEvalOrder() == other.getComputedPolicyEvalOrder()) { - Map<String, RangerConditionEvaluator> myConditionEvaluators = 
this.delegate.getConditionEvaluators(); - Map<String, RangerConditionEvaluator> otherConditionEvaluators = other.delegate.getConditionEvaluators(); - - int myConditionEvaluatorCount = myConditionEvaluators == null ? 0 : myConditionEvaluators.size(); - int otherConditionEvaluatorCount = otherConditionEvaluators == null ? 0 : otherConditionEvaluators.size(); - - result = Integer.compare(myConditionEvaluatorCount, otherConditionEvaluatorCount); - } else { - result = Integer.compare(computedPolicyEvalOrder, other.computedPolicyEvalOrder); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEvaluatorFacade.compareTo(), result:" + result); - } - - return result; - } - - private int getComputedPolicyEvalOrder() { - return computedPolicyEvalOrder; - } - - private int computePolicyEvalOrder() { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEvaluatorFacade.computePolicyEvalOrder()"); - } - - int result = delegate.computePolicyEvalOrder(); - - if(LOG.isDebugEnabled()) { - LOG.debug("<==RangerPolicyEvaluatorFacade.computePolicyEvalOrder(), result:" + result); - } - - return result; - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java index b1d37ca..8e3d17c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 
@@ -27,7 +27,11 @@ import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; import org.apache.ranger.plugin.contextenricher.RangerContextEnricher; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.policyevaluator.RangerCachedPolicyEvaluator; +import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator; +import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; +import org.apache.ranger.plugin.util.ServicePolicies; import java.util.ArrayList; import java.util.Collections; 
@@ -37,42 +41,26 @@ import java.util.Map; public class RangerPolicyRepository { private static final Log LOG = LogFactory.getLog(RangerPolicyRepository.class); - private String serviceName = null; - private List<RangerPolicyEvaluatorFacade> policyEvaluators = null; - private List<RangerContextEnricher> contextEnrichers = null; - private RangerServiceDef serviceDef = null; - // Not used at this time - private Map<String, Boolean> accessAuditCache = null; + private final String serviceName; + private final RangerServiceDef serviceDef; + private final List<RangerPolicy> policies; + private final long policyVersion; + private final List<RangerContextEnricher> contextEnrichers; + private final List<RangerPolicyEvaluator> policyEvaluators; + private final Map<String, Boolean> accessAuditCache; private static int RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE = 64*1024; - RangerPolicyRepository(String serviceName) { + RangerPolicyRepository(ServicePolicies servicePolicies, RangerPolicyEngineOptions options) { super(); - this.serviceName = serviceName; - } - String getServiceName() { - return serviceName; - } - List<RangerPolicyEvaluatorFacade> getPolicyEvaluators() { - return policyEvaluators; - } - List<RangerContextEnricher> getContextEnrichers() { - return contextEnrichers; - } - RangerServiceDef getServiceDef() { - return serviceDef; - } - void init(RangerServiceDef serviceDef, List<RangerPolicy> policies) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyRepository.init(" + serviceDef + ", policies.count=" + policies.size() + ")"); - } - - this.serviceDef = serviceDef; + serviceName = servicePolicies.getServiceName(); + serviceDef = servicePolicies.getServiceDef(); + policies = Collections.unmodifiableList(servicePolicies.getPolicies()); + policyVersion = servicePolicies.getPolicyVersion() != null ? 
servicePolicies.getPolicyVersion().longValue() : -1; - contextEnrichers = new ArrayList<RangerContextEnricher>(); - - if (!CollectionUtils.isEmpty(serviceDef.getContextEnrichers())) { + List<RangerContextEnricher> contextEnrichers = new ArrayList<RangerContextEnricher>(); + if (!options.disableContextEnrichers && !CollectionUtils.isEmpty(serviceDef.getContextEnrichers())) { for (RangerServiceDef.RangerContextEnricherDef enricherDef : serviceDef.getContextEnrichers()) { if (enricherDef == null) { continue; 
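Review bot: The `policies` field assigned in the new constructor is an unmodifiable view of `servicePolicies.getPolicies()`, not a snapshot, so the `final` fields do not actually make the repository immutable: later mutation of the list held by `ServicePolicies` shows through `getPolicies()`, and a null list surfaces as an unexplained NullPointerException from `Collections.unmodifiableList`. A copy with an explicit guard matches the intent of the fields: `List<RangerPolicy> src = servicePolicies.getPolicies();` then `policies = Collections.unmodifiableList(src != null ? new ArrayList<RangerPolicy>(src) : Collections.<RangerPolicy>emptyList());` (or throw `IllegalArgumentException` if a missing policy list should be treated as a configuration error rather than an empty, deny-everything set). `servicePolicies.getServiceDef()` is likewise dereferenced two lines later via `serviceDef.getContextEnrichers()` without a null check. The constructor continues into the next hunk.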
@@ -80,36 +68,63 @@ public class RangerPolicyRepository { RangerContextEnricher contextEnricher = buildContextEnricher(enricherDef); - contextEnrichers.add(contextEnricher); + if(contextEnricher != null) { + contextEnrichers.add(contextEnricher); + } } } + this.contextEnrichers = Collections.unmodifiableList(contextEnrichers); - policyEvaluators = new ArrayList<RangerPolicyEvaluatorFacade>(); - - for (RangerPolicy policy : policies) { + List<RangerPolicyEvaluator> policyEvaluators = new ArrayList<RangerPolicyEvaluator>(); + for (RangerPolicy policy : servicePolicies.getPolicies()) { if (!policy.getIsEnabled()) { continue; } - RangerPolicyEvaluatorFacade evaluator = buildPolicyEvaluator(policy, serviceDef); + RangerPolicyEvaluator evaluator = buildPolicyEvaluator(policy, serviceDef, options); if (evaluator != null) { policyEvaluators.add(evaluator); } } Collections.sort(policyEvaluators); + this.policyEvaluators = Collections.unmodifiableList(policyEvaluators); String propertyName = "ranger.plugin." 
+ serviceName + ".policyengine.auditcachesize"; - int auditResultCacheSize = RangerConfiguration.getInstance().getInt(propertyName, RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE); - - accessAuditCache = new CacheMap<String, Boolean>(auditResultCacheSize); + if(options.cacheAuditResults) { + int auditResultCacheSize = RangerConfiguration.getInstance().getInt(propertyName, RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE); - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyRepository.init(" + serviceDef + ", policies.count=" + policies.size() + ")"); + accessAuditCache = Collections.synchronizedMap(new CacheMap<String, Boolean>(auditResultCacheSize)); + } else { + accessAuditCache = null; } } + public String getServiceName() { + return serviceName; + } + + public RangerServiceDef getServiceDef() { + return serviceDef; + } + + public List<RangerPolicy> getPolicies() { + return policies; + } + + public long getPolicyVersion() { + return policyVersion; + } + + public List<RangerContextEnricher> getContextEnrichers() { + return contextEnrichers; + } + + public List<RangerPolicyEvaluator> getPolicyEvaluators() { + return policyEvaluators; + } + private RangerContextEnricher buildContextEnricher(RangerServiceDef.RangerContextEnricherDef enricherDef) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyRepository.buildContextEnricher(" + enricherDef + ")"); 
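Review bot: The evaluator loop iterates `servicePolicies.getPolicies()` although the constructor has just captured that same list as the `policies` field; iterating `policies` instead keeps the evaluators and what `getPolicies()` reports guaranteed to describe the same set. `if (!policy.getIsEnabled())` will also throw on unboxing if `getIsEnabled()` returns a boxed `Boolean` that is null — presumably it is a `Boolean`, so `if (policy.getIsEnabled() == null || !policy.getIsEnabled())` would treat an unset flag as disabled (fail closed) instead of aborting the whole repository build. The constructor starts in the previous hunk.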
@@ -141,19 +156,29 @@ public class RangerPolicyRepository { return ret; } - private RangerPolicyEvaluatorFacade buildPolicyEvaluator(RangerPolicy policy, RangerServiceDef serviceDef) { + private RangerPolicyEvaluator buildPolicyEvaluator(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyRepository.buildPolicyEvaluator(" + policy + "," + serviceDef + ")"); + LOG.debug("==> RangerPolicyRepository.buildPolicyEvaluator(" + policy + "," + serviceDef + ", " + options + ")"); } - RangerPolicyEvaluatorFacade ret = null; + RangerPolicyEvaluator ret = null; + + if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_DEFAULT)) { + ret = new RangerDefaultPolicyEvaluator(); + } else if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED)) { + ret = new RangerOptimizedPolicyEvaluator(); + } else if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED)) { + ret = new RangerCachedPolicyEvaluator(); + } else { + ret = new RangerDefaultPolicyEvaluator(); + } - ret = new RangerPolicyEvaluatorFacade(); - ret.init(policy, serviceDef); + ret.init(policy, serviceDef, options); if(LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyRepository.buildPolicyEvaluator(" + policy + "," + serviceDef + "): " + ret); } + return ret; } @@ -164,7 +189,7 @@ public class RangerPolicyRepository { Boolean value = null; - synchronized (accessAuditCache) { + if (accessAuditCache != null) { value = accessAuditCache.get(request.getResource().getAsString(getServiceDef())); } 
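Review bot: In `buildPolicyEvaluator`, an unrecognized `options.evaluatorType` silently falls back to `RangerDefaultPolicyEvaluator`, so a typo in the `.policyengine.option.evaluator.type` property changes which evaluator is in use with no trace in the logs. Add a warning in the final `else`: `LOG.warn("unknown evaluatorType '" + options.evaluatorType + "'; using " + RangerPolicyEvaluator.EVALUATOR_TYPE_DEFAULT);`. The exit debug message was also not updated to include `options`, unlike the entry message at the top of the method.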
@@ -189,7 +214,7 @@ public class RangerPolicyRepository { Boolean value = ret.getIsAudited() ? Boolean.TRUE : Boolean.FALSE; - synchronized(accessAuditCache) { + if (accessAuditCache != null) { accessAuditCache.put(strResource, value); } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java index 36273eb..85e69f1 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java @@ -20,10 +20,14 @@ package org.apache.ranger.plugin.policyevaluator; +import java.util.Map; + import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator { @@ -31,10 +35,11 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu private RangerPolicy policy = null; private RangerServiceDef serviceDef = null; + private int evalOrder = 0; @Override - public void init(RangerPolicy policy, RangerServiceDef serviceDef) { + public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")"); } 
@@ -58,6 +63,40 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu } @Override + public int getEvalOrder() { + return evalOrder; + } + + @Override + public int compareTo(RangerPolicyEvaluator other) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAbstractPolicyEvaluator.compareTo()"); + } + + int result = Integer.compare(this.getEvalOrder(), other.getEvalOrder()); + + if (result == 0) { + Map<String, RangerConditionEvaluator> myConditionEvaluators = this.getConditionEvaluators(); + Map<String, RangerConditionEvaluator> otherConditionEvaluators = other.getConditionEvaluators(); + + int myConditionEvaluatorCount = myConditionEvaluators == null ? 0 : myConditionEvaluators.size(); + int otherConditionEvaluatorCount = otherConditionEvaluators == null ? 0 : otherConditionEvaluators.size(); + + result = Integer.compare(myConditionEvaluatorCount, otherConditionEvaluatorCount); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAbstractPolicyEvaluator.compareTo(), result:" + result); + } + + return result; + } + + public void setEvalOrder(int evalOrder) { + this.evalOrder = evalOrder; + } + + @Override public String toString( ) { StringBuilder sb = new StringBuilder(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java index f4db52b..d67777c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java 
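Review bot: `compareTo` now defines the order in which `RangerPolicyRepository` sorts evaluators, but nothing documents the contract: lower `evalOrder` first, and among equal orders fewer condition evaluators first, with `evalOrder` staying 0 unless a subclass calls `setEvalOrder`. Add Javadoc stating that, and note that the ordering is not consistent with `equals` (the class does not override it), which matters before anyone places evaluators in a `TreeSet` or `TreeMap`. `setEvalOrder` is public with no interface counterpart; `protected` would limit it to subclasses, which are the only callers visible in this commit.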
@@ -24,6 +24,7 @@ import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessResource; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; public class RangerCachedPolicyEvaluator extends RangerOptimizedPolicyEvaluator { private static final Log LOG = LogFactory.getLog(RangerCachedPolicyEvaluator.class); @@ -31,12 +32,12 @@ public class RangerCachedPolicyEvaluator extends RangerOptimizedPolicyEvaluator private RangerResourceAccessCache cache = null; @Override - public void init(RangerPolicy policy, RangerServiceDef serviceDef) { + public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerCachedPolicyEvaluator.init()"); } - super.init(policy, serviceDef); + super.init(policy, serviceDef, options); cache = RangerResourceAccessCacheImpl.getInstance(serviceDef, policy); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 052bb88..b6c98f7 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 
@@ -45,6 +45,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher; import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher; @@ -55,18 +56,18 @@ import com.google.common.collect.Sets; public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator { private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyEvaluator.class); - private Map<String, RangerResourceMatcher> matchers = null; - private Map<String, RangerConditionEvaluator> conditionEvaluators = null; + private Map<String, RangerResourceMatcher> matchers; + private Map<String, RangerConditionEvaluator> conditionEvaluators; @Override - public void init(RangerPolicy policy, RangerServiceDef serviceDef) { + public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.init()"); } preprocessPolicy(policy, serviceDef); - super.init(policy, serviceDef); + super.init(policy, serviceDef, options); this.matchers = new HashMap<String, RangerResourceMatcher>(); 
@@ -86,18 +87,22 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } } } - - conditionEvaluators = initializeConditionEvaluators(policy, serviceDef); + + if(options.disableCustomConditions) { + conditionEvaluators = Collections.<String, RangerConditionEvaluator>emptyMap(); + } else { + conditionEvaluators = initializeConditionEvaluators(policy, serviceDef); + } if(LOG.isDebugEnabled()) { LOG.debug("<== RangerDefaultPolicyEvaluator.init()"); } } - public Map<String, RangerConditionEvaluator> getConditionEvaluators() { - return conditionEvaluators; + @Override + public Map<String, RangerConditionEvaluator> getConditionEvaluators() { + return conditionEvaluators; } - public int computePolicyEvalOrder() { return 0;} /** * Non-private only for testability. @@ -260,7 +265,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } // Go further to evaluate access only if match or head match was found at this point if (matchResult || headMatchResult) { - evaluatePolicyItemsForAccess(request, result); + evaluatePolicyItemsForAccess(policy, request, result); } } } @@ -270,12 +275,12 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } } - protected void evaluatePolicyItemsForAccess(RangerAccessRequest request, RangerAccessResult result) { + protected void evaluatePolicyItemsForAccess(RangerPolicy policy, RangerAccessRequest request, RangerAccessResult result) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItemsForAccess(" + request + ", " + result + ")"); } - for (RangerPolicy.RangerPolicyItem policyItem : getPolicy().getPolicyItems()) { + for (RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) { boolean isUserGroupMatch = matchUserGroup(policyItem, request.getUser(), request.getUserGroups()); 
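Review bot: When `options.disableCustomConditions` is set, `conditionEvaluators` becomes an empty map for every policy, so a policy item whose conditions were meant to narrow an allow would — if the evaluation path treats a missing evaluator as "condition satisfied" — now grant access unconditionally; the option widens access rather than narrowing it. That deserves a warning logged at init for each policy that actually carries custom conditions, so the effect is visible to operators, and a sentence in the Javadoc of `RangerPolicyEngineOptions.disableCustomConditions` saying that conditions are ignored rather than treated as failed. Separately, `options.disableCustomConditions` dereferences `options` without a null check, unlike the handling of `policy` and `serviceDef` elsewhere in `init`; `if (options != null && options.disableCustomConditions)` keeps existing callers that pass null working. The method starts in the previous hunk.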
@@ -288,7 +293,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if (request.isAccessTypeDelegatedAdmin()) { if (policyItem.getDelegateAdmin()) { result.setIsAllowed(true); - result.setPolicyId(getPolicy().getId()); + result.setPolicyId(policy.getId()); break; } continue; @@ -430,12 +435,27 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } @Override + public boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + ")"); + } + + boolean ret = isAccessAllowed(user, userGroups, accessType) && isMatch(resource); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret); + } + + return ret; + } + + @Override public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")"); } - boolean ret = isAccessAllowedNoCustomConditionEval(user, userGroups, accessType) && isMatch(resources); + boolean ret = isAccessAllowed(user, userGroups, accessType) && isMatch(resources); if(LOG.isDebugEnabled()) { LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret); 
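Review bot: The new `isAccessAllowed(RangerAccessResource, ...)` overload and the renamed protected `isAccessAllowed(user, userGroups, accessType)` (hunk @@ -694) drop the `NoCustomConditionEval` suffix, so nothing at the call sites now signals that these checks ignore the policy's custom conditions and can return true where `evaluate()` would not. Document it on both overloads: `/** Checks user/group membership and access type against the policy items only; custom policy conditions are NOT evaluated. */`. The protected method's `if(policy != null)` guard correctly yields false when no policy is set (fail closed), which is worth stating in the same Javadoc.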
@@ -694,59 +714,63 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator return ret; } - protected boolean isAccessAllowedNoCustomConditionEval(String user, Set<String> userGroups, String accessType) { + protected boolean isAccessAllowed(String user, Set<String> userGroups, String accessType) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowedNoCustomConditionEval(" + user + ", " + userGroups + ", " + accessType + ")"); + LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + ")"); } boolean ret = false; - if (StringUtils.isEmpty(accessType)) { - accessType = RangerPolicyEngine.ANY_ACCESS; - } + RangerPolicy policy = getPolicy(); + + if(policy != null) { + if (StringUtils.isEmpty(accessType)) { + accessType = RangerPolicyEngine.ANY_ACCESS; + } - boolean isAnyAccess = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS); - boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS); + boolean isAnyAccess = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS); + boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS); - for (RangerPolicy.RangerPolicyItem policyItem : getPolicy().getPolicyItems()) { - if (isAdminAccess) { - if(! policyItem.getDelegateAdmin()) { + for (RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) { + if (isAdminAccess) { + if(! 
policyItem.getDelegateAdmin()) { + continue; + } + } else if (CollectionUtils.isEmpty(policyItem.getAccesses())) { continue; - } - } else if (CollectionUtils.isEmpty(policyItem.getAccesses())) { - continue; - } else if (isAnyAccess) { - boolean accessAllowed = false; + } else if (isAnyAccess) { + boolean accessAllowed = false; - for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) { - if (access.getIsAllowed()) { - accessAllowed = true; - break; + for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) { + if (access.getIsAllowed()) { + accessAllowed = true; + break; + } } - } - if(! accessAllowed) { - continue; + if(! accessAllowed) { + continue; + } + } else { + RangerPolicy.RangerPolicyItemAccess access = getAccess(policyItem, accessType); + if (access == null || !access.getIsAllowed()) { + continue; + } } - } else { - RangerPolicy.RangerPolicyItemAccess access = getAccess(policyItem, accessType); - if (access == null || !access.getIsAllowed()) { + + boolean isUserGroupMatch = matchUserGroup(policyItem, user, userGroups); + + if (!isUserGroupMatch) { continue; } - } - - boolean isUserGroupMatch = matchUserGroup(policyItem, user, userGroups); - if (!isUserGroupMatch) { - continue; + ret = true; + break; } - - ret = true; - break; } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowedNoCustomConditionEval(" + user + ", " + userGroups + ", " + accessType + "): " + ret); + LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + ret); } return ret; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java ---------------------------------------------------------------------- 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java index 7ddd155..26d5223 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java @@ -20,6 +20,7 @@ package org.apache.ranger.plugin.policyevaluator; import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.model.RangerPolicy; @@ -27,6 +28,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import java.util.*; import java.lang.Math; @@ -56,12 +58,12 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator private static final int RANGER_POLICY_EVAL_RESERVED_SLOTS_PER_LEVEL_NUMBER = 1000; @Override - public void init(RangerPolicy policy, RangerServiceDef serviceDef) { + public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerOptimizedPolicyEvaluator.init()"); } - super.init(policy, serviceDef); + super.init(policy, serviceDef, options); accessPerms = new HashSet<String>(); groups = new HashSet<String>(); 
@@ -90,15 +92,17 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator hasPublicGroup = true; } } + + setEvalOrder(computeEvalOrder()); + if(LOG.isDebugEnabled()) { LOG.debug("<== RangerOptimizedPolicyEvaluator.init()"); } } - @Override - public int computePolicyEvalOrder() { + public int computeEvalOrder() { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerOptimizedPolicyEvaluator.computePolicyEvalOrder()"); + LOG.debug("==> RangerOptimizedPolicyEvaluator.computeEvalOrder()"); } RangerServiceDef serviceDef = getServiceDef(); RangerPolicy policy = getPolicy(); 
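Review bot: `computeEvalOrder` lost its `@Override` and is now a public method with no interface counterpart, called only from `init()` on the line above; `protected int computeEvalOrder()` keeps it available to subclasses without widening the public API. Since the order is set only here, `RangerDefaultPolicyEvaluator` instances keep `evalOrder` 0 and sort purely by condition-evaluator count — worth a sentence in the method's Javadoc.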
@@ -193,13 +197,41 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator priorityLevel -= Math.round(((float)RANGER_POLICY_EVAL_ALL_ACCESS_TYPES_PREMIUM * accessPerms.size()) / serviceDef.getAccessTypes().size()); if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerOptimizedPolicyEvaluator.computePolicyEvalOrder(), policyName:" + policy.getName() + ", priority:" + priorityLevel); + LOG.debug("<== RangerOptimizedPolicyEvaluator.computeEvalOrder(), policyName:" + policy.getName() + ", priority:" + priorityLevel); } return priorityLevel; } @Override - protected void evaluatePolicyItemsForAccess(RangerAccessRequest request, RangerAccessResult result) { + protected boolean isAccessAllowed(String user, Set<String> userGroups, String accessType) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + ")"); + } + + boolean ret = false; + + if (hasPublicGroup || users.contains(user) || CollectionUtils.containsAny(groups, userGroups)) { + if (StringUtils.isEmpty(accessType)) { + accessType = RangerPolicyEngine.ANY_ACCESS; + } + + boolean isAnyAccess = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS); + boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS); + + if (isAnyAccess || (isAdminAccess && delegateAdmin) || hasAllPerms || accessPerms.contains(accessType)) { + ret = super.isAccessAllowed(user, userGroups, accessType); + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + ret); + } + + return ret; + } + + @Override + protected void evaluatePolicyItemsForAccess(RangerPolicy policy, RangerAccessRequest request, RangerAccessResult result) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerOptimizedPolicyEvaluator.evaluatePolicyItemsForAccess()"); } 
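Review bot: The pre-filter in the new `isAccessAllowed` override calls `CollectionUtils.containsAny(groups, userGroups)` with the caller's `userGroups`, and the public overloads in `RangerDefaultPolicyEvaluator` do not guard it; presumably commons-collections' `containsAny` throws a NullPointerException on a null second collection, in which case a null group set fails here before `super.isAccessAllowed` is reached. A null-tolerant guard keeps the short-circuit safe: `if (hasPublicGroup || users.contains(user) || (userGroups != null && CollectionUtils.containsAny(groups, userGroups)))`. The fast path only ever rejects and the final decision still comes from `super.isAccessAllowed`, which is the right fail-closed shape.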
@@ -209,7 +241,7 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator if (request.isAccessTypeAny() || (request.isAccessTypeDelegatedAdmin() && delegateAdmin) || hasAllPerms || accessPerms.contains(request.getAccessType())) { // No need to reject based on aggregated access permissions - super.evaluatePolicyItemsForAccess(request, result); + super.evaluatePolicyItemsForAccess(policy, request, result); } } if(LOG.isDebugEnabled()) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java index 18ec248..9fe523a 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 
@@ -23,25 +23,37 @@ package org.apache.ranger.plugin.policyevaluator; import java.util.Map; import java.util.Set; +import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResource; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; -public interface RangerPolicyEvaluator { - void init(RangerPolicy policy, RangerServiceDef serviceDef); +public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator> { + public static final String EVALUATOR_TYPE_DEFAULT = "default"; + public static final String EVALUATOR_TYPE_OPTIMIZED = "optimized"; + public static final String EVALUATOR_TYPE_CACHED = "cached"; + + void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options); RangerPolicy getPolicy(); RangerServiceDef getServiceDef(); + Map<String, RangerConditionEvaluator> getConditionEvaluators(); + + int getEvalOrder(); + void evaluate(RangerAccessRequest request, RangerAccessResult result); boolean isMatch(RangerAccessResource resource); boolean isSingleAndExactMatch(RangerAccessResource resource); + boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType); + boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ---------------------------------------------------------------------- 
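Review bot: The interface now extends `Comparable<RangerPolicyEvaluator>` and adds two `isAccessAllowed` overloads without Javadoc, so the sort contract and whether these checks honour custom conditions have to be reverse-engineered from `RangerAbstractPolicyEvaluator` and `RangerDefaultPolicyEvaluator`. Add a sentence on each: for the comparison, the key (`getEvalOrder()` ascending, then condition-evaluator count); for the overloads, that they check user/group and access type against the policy items only. Style: `public static final` on interface constants is implicit in Java, so `String EVALUATOR_TYPE_DEFAULT = "default";` is the conventional form.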
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 5c37c7b..203cf5e 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -38,18 +38,22 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; +import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.PolicyRefresher; +import org.apache.ranger.plugin.util.ServicePolicies; public class RangerBasePlugin { private static final Log LOG = LogFactory.getLog(RangerBasePlugin.class); - private String serviceType = null; - private String appId = null; - private String serviceName = null; - private PolicyRefresher refresher = null; - private RangerPolicyEngine policyEngine = null; + private String serviceType = null; + private String appId = null; + private String serviceName = null; + private PolicyRefresher refresher = null; + private RangerPolicyEngine policyEngine = null; + private RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions(); public RangerBasePlugin(String serviceType, String appId) { @@ -82,12 +86,6 @@ public class RangerBasePlugin { } public void init() { - RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(); - - init(policyEngine); - } - - public void init(RangerPolicyEngine policyEngine) { cleanup(); RangerConfiguration.getInstance().addResourcesForServiceType(serviceType); 
@@ -99,10 +97,21 @@ public class RangerBasePlugin { serviceName = RangerConfiguration.getInstance().get(propertyPrefix + ".service.name"); + policyEngineOptions.evaluatorType = RangerConfiguration.getInstance().get(propertyPrefix + ".policyengine.option.evaluator.type", RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED); + policyEngineOptions.cacheAuditResults = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", true); + policyEngineOptions.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", false); + policyEngineOptions.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", false); + + RangerAdminClient admin = createAdminClient(propertyPrefix); - refresher = new PolicyRefresher(policyEngine, serviceType, appId, serviceName, admin, pollingIntervalMs, cacheDir); + refresher = new PolicyRefresher(this, serviceType, appId, serviceName, admin, pollingIntervalMs, cacheDir); refresher.startRefresher(); + } + + public void setPolicies(ServicePolicies policies) { + RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(policies, policyEngineOptions); + this.policyEngine = policyEngine; } @@ -140,7 +149,7 @@ public class RangerBasePlugin { RangerPolicyEngine policyEngine = this.policyEngine; if(policyEngine != null) { - enrichRequest(request); + enrichRequest(request, policyEngine); return policyEngine.isAccessAllowed(request); } @@ -153,7 +162,7 @@ public class RangerBasePlugin { RangerPolicyEngine policyEngine = this.policyEngine; if(policyEngine != null) { - enrichRequests(requests); + enrichRequests(requests, policyEngine); return policyEngine.isAccessAllowed(requests); } 
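Review bot: `setPolicies` is invoked from the refresher thread while request threads read `this.policyEngine`, but the field is declared `private RangerPolicyEngine policyEngine = null;` (first hunk of this file) without `volatile`, so the memory model does not guarantee that readers ever observe the replacement engine. Declare it `private volatile RangerPolicyEngine policyEngine;` and assign directly: `this.policyEngine = new RangerPolicyEngineImpl(policies, policyEngineOptions);` — the intermediate local adds nothing. `setPolicies` is also public and builds the engine unguarded, so a null `ServicePolicies` (if the refresher can deliver one) surfaces as a NullPointerException inside `RangerPolicyRepository`; an early null check with a warning keeps the previous engine in place. Passing `this` to `PolicyRefresher` introduces a package cycle between `plugin.util` and `plugin.service`; a small listener interface would avoid it.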
@@ -166,7 +175,7 @@ public class RangerBasePlugin {
 RangerPolicyEngine policyEngine = this.policyEngine;
 
 if(policyEngine != null) {
- enrichRequest(request);
+ enrichRequest(request, policyEngine);
 
 return policyEngine.isAccessAllowed(request, auditHandler);
 }
@@ -179,7 +188,7 @@ public class RangerBasePlugin {
 RangerPolicyEngine policyEngine = this.policyEngine;
 
 if(policyEngine != null) {
- enrichRequests(requests);
+ enrichRequests(requests, policyEngine);
 
 return policyEngine.isAccessAllowed(requests, auditHandler);
 }
@@ -290,13 +299,12 @@ public class RangerBasePlugin {
 return ret;
 }
 
- private void enrichRequest(RangerAccessRequest request) {
- if(request == null) {
+ private void enrichRequest(RangerAccessRequest request, RangerPolicyEngine policyEngine) {
+ if(request == null || policyEngine == null) {
 return;
 }
 
- RangerPolicyEngine policyEngine = this.policyEngine;
-
- List<RangerContextEnricher> enrichers = policyEngine != null ? policyEngine.getContextEnrichers() : null;
+ List<RangerContextEnricher> enrichers = policyEngine.getContextEnrichers();
 
 if(! CollectionUtils.isEmpty(enrichers)) {
 for(RangerContextEnricher enricher : enrichers) {
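Review bot: The reason `enrichRequest` now takes the engine as a parameter is not recorded anywhere in the `@@ -290,13 +299,12 @@` hunk: the callers in the `@@ -140`, `@@ -153`, `@@ -166` and `@@ -179` hunks copy `this.policyEngine` into a local once and pass that same instance, so enrichment and the access decision are guaranteed to use one policy snapshot even if a refresh swaps the field mid-request. A one-line comment on the signature, `// engine is passed explicitly so enrichment and the access decision use the same snapshot`, would stop a later refactor from reintroducing a read of `this.policyEngine` here; the same applies to `enrichRequests` in the `@@ -305,13 +313,12 @@` hunk. The `policyEngine == null` guard is redundant with the callers' check but harmless as defence in depth. The loop that invokes each enricher continues past the end of the hunk.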
@@ -305,13 +313,12 @@ public class RangerBasePlugin {
 }
 }
 
- private void enrichRequests(Collection<RangerAccessRequest> requests) {
- if(CollectionUtils.isEmpty(requests)) {
+ private void enrichRequests(Collection<RangerAccessRequest> requests, RangerPolicyEngine policyEngine) {
+ if(CollectionUtils.isEmpty(requests) || policyEngine == null) {
 return;
 }
 
- RangerPolicyEngine policyEngine = this.policyEngine;
-
- List<RangerContextEnricher> enrichers = policyEngine != null ? policyEngine.getContextEnrichers() : null;
+ List<RangerContextEnricher> enrichers = policyEngine.getContextEnrichers();
 
 if(! CollectionUtils.isEmpty(enrichers)) {
 for(RangerContextEnricher enricher : enrichers) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
index 04bc798..36548e4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
@@ -29,7 +29,7 @@ import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.admin.client.RangerAdminClient;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
 
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
@@ -38,24 +38,24 @@ import com.google.gson.GsonBuilder;
 public class PolicyRefresher extends Thread {
 private static final Log LOG = LogFactory.getLog(PolicyRefresher.class);
 
- private RangerPolicyEngine policyEngine = null;
- private String serviceType = null;
- private String serviceName = null;
- private RangerAdminClient rangerAdmin = null;
- private long pollingIntervalMs = 30 * 1000;
- private String cacheFile = null;
+ private final RangerBasePlugin plugIn;
+ private final String serviceType;
+ private final String serviceName;
+ private final RangerAdminClient rangerAdmin;
+ private final String cacheFile;
+ private final Gson gson;
 
- private long lastKnownVersion = -1;
- private Gson gson = null;
+ private long pollingIntervalMs = 30 * 1000;
+ private long lastKnownVersion = -1;
 
 
- public PolicyRefresher(RangerPolicyEngine policyEngine, String serviceType, String appId, String serviceName, RangerAdminClient rangerAdmin, long pollingIntervalMs, String cacheDir) {
+ public PolicyRefresher(RangerBasePlugin plugIn, String serviceType, String appId, String serviceName, RangerAdminClient rangerAdmin, long pollingIntervalMs, String cacheDir) {
 if(LOG.isDebugEnabled()) {
 LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").PolicyRefresher()");
 }
 
- this.policyEngine = policyEngine;
+ this.plugIn = plugIn;
 this.serviceType = serviceType;
 this.serviceName = serviceName;
 this.rangerAdmin = rangerAdmin;
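Review bot: The constructor stores `plugIn` without a null check, yet `loadFromCache` in the `@@ -196,9 +198,9 @@` hunk still guards with `if(plugIn != null)` while `run()` in the `@@ -167,7 +169,7 @@` hunk calls `plugIn.setPolicies(svcPolicies)` unguarded, so a null plug-in would survive construction and fail only on the refresher thread's first successful poll. Now that the field is `final`, the consistent option is to fail fast here — `this.plugIn = Objects.requireNonNull(plugIn, "plugIn");` (needs `java.util.Objects` in scope) or an explicit `IllegalArgumentException` — and drop the then-redundant guard in `loadFromCache`. The constructor continues past the end of the hunk.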
@@ -71,11 +71,13 @@ public class PolicyRefresher extends Thread {
 
 this.cacheFile = cacheDir == null ? null : (cacheDir + File.separator + cacheFilename);
 
- try {
- this.gson = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z").setPrettyPrinting().create();
+ Gson gson = null;
+ try {
+ gson = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z").setPrettyPrinting().create();
 } catch(Throwable excp) {
 LOG.fatal("PolicyRefresher(): failed to create GsonBuilder object", excp);
 }
+ this.gson = gson;
 
 if(LOG.isDebugEnabled()) {
 LOG.debug("<== PolicyRefresher(serviceName=" + serviceName + ").PolicyRefresher()");
@@ -83,10 +85,10 @@ public class PolicyRefresher extends Thread {
 }
 
 /**
- * @return the policyEngine
+ * @return the plugIn
 */
- public RangerPolicyEngine getPolicyEngine() {
- return policyEngine;
+ public RangerBasePlugin getPlugin() {
+ return plugIn;
 }
 
 /**
@@ -167,7 +169,7 @@ public class PolicyRefresher extends Thread {
 
 lastKnownVersion = newVersion;
 
- policyEngine.setPolicies(svcPolicies);
+ plugIn.setPolicies(svcPolicies);
 } else {
 if(LOG.isDebugEnabled()) {
 LOG.debug("PolicyRefresher(serviceName=" + serviceName + ").run(): no update found. lastKnownVersion=" + lastKnownVersion);
@@ -196,9 +198,9 @@ public class PolicyRefresher extends Thread {
 LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").loadFromCache()");
 }
 
- RangerPolicyEngine policyEngine = this.policyEngine;
+ RangerBasePlugin plugIn = this.plugIn;
 
- if(policyEngine != null) {
+ if(plugIn != null) {
 File cacheFile = StringUtils.isEmpty(this.cacheFile) ? null : new File(this.cacheFile);
 
 if(cacheFile != null && cacheFile.isFile() && cacheFile.canRead()) {
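Review bot: After the `catch(Throwable excp)` block the constructor continues with `this.gson = gson;` where `gson` may still be `null`, so a failure that was logged as `fatal` leaves a live refresher thread whose cache read and write paths (outside this hunk) would presumably fail with a `NullPointerException` on every poll rather than with the logged cause. If the cache is optional, the code that uses `gson` should check for `null` and skip the cache with a clear log line; if it is not, the constructor should rethrow instead of swallowing. Catching `Throwable` also absorbs `Error`s such as a missing Gson class on the classpath, which is presumably what this catch was written for, so a comment stating that intent, `// Gson is optional here: a missing library disables the policy cache only`, would make the behaviour explicit. The constructor continues past the end of the hunk.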
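Review bot: In `run()` (the `@@ -167,7 +169,7 @@` hunk) `lastKnownVersion = newVersion;` is committed before `plugIn.setPolicies(svcPolicies);`, and `setPolicies` now constructs a whole `RangerPolicyEngineImpl` rather than updating an existing one, so if that constructor throws the refresher already believes the new version is in effect and — depending on how `run()` handles exceptions, which is outside the hunk — may not retry until the admin server publishes a later version, leaving the plugin enforcing the previous policy set. Swapping the two statements, `plugIn.setPolicies(svcPolicies); lastKnownVersion = newVersion;`, makes a failed apply retry on the next poll. The same ordering appears in `loadFromCache` in the `@@ -218,7 +220,7 @@` hunk.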
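Review bot: `loadFromCache` (the `@@ -196,9 +198,9 @@` hunk) treats any readable file at `this.cacheFile` as an authoritative policy set — the only checks are `isFile()` and `canRead()` — so the integrity of the cache directory is part of the authorization trust boundary, and neither this hunk nor the constructor that builds the path says so. A comment at the `if(cacheFile != null && ...)` line such as `// cached policies are applied without further verification; cacheDir must be writable only by the plugin's own user` would make the deployment requirement visible to operators. The method continues past the end of the hunk.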
@@ -218,7 +220,7 @@ public class PolicyRefresher extends Thread {
 
 lastKnownVersion = policies.getPolicyVersion() == null ? -1 : policies.getPolicyVersion().longValue();
 
- policyEngine.setPolicies(policies);
+ plugIn.setPolicies(policies);
 }
 } catch (Exception excp) {
 LOG.error("failed to load policies from cache file " + cacheFile.getAbsolutePath(), excp);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
index 37b8e9c..1e34132 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
@@ -32,6 +32,7 @@ import java.util.Set;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.policyengine.TestPolicyDb.PolicyDbTestCase.TestData;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import org.apache.ranger.plugin.util.ServicePolicies;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
@@ -77,13 +78,20 @@ public class TestPolicyDb {
 
 assertTrue("invalid input: " + testName, testCase != null && testCase.servicePolicies != null && testCase.tests != null && testCase.servicePolicies.getPolicies() != null);
 
- RangerPolicyDb policyDb = new RangerPolicyDb(testCase.servicePolicies);
+ RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
+
+ policyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
+ policyEngineOptions.cacheAuditResults = false;
+ policyEngineOptions.disableContextEnrichers = true;
+ policyEngineOptions.disableCustomConditions = true;
+
+ RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testCase.servicePolicies, policyEngineOptions);
 
 for(TestData test : testCase.tests) {
 boolean expected = test.result;
 
 if(test.allowedPolicies != null) {
- List<RangerPolicy> allowedPolicies = policyDb.getAllowedPolicies(test.user, test.userGroups, test.accessType);
+ List<RangerPolicy> allowedPolicies = policyEngine.getAllowedPolicies(test.user, test.userGroups, test.accessType);
 
 assertEquals("allowed-policy count mismatch!", test.allowedPolicies.size(), allowedPolicies.size());
 
@@ -93,7 +101,7 @@ public class TestPolicyDb {
 }
 assertEquals("allowed-policy list mismatch!", test.allowedPolicies, allowedPolicyIds);
 } else {
- boolean result = policyDb.isAccessAllowed(test.resources, test.user, test.userGroups, test.accessType);
+ boolean result = policyEngine.isAccessAllowed(test.resources, test.user, test.userGroups, test.accessType);
 
 assertEquals("isAccessAllowed mismatched! - " + test.name, expected, result);
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
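Review bot: The test pins `policyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED`, whereas `RangerBasePlugin.init()` in this same commit defaults production to `RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED`, so the evaluator that real plugins run by default is not exercised by this suite. Running each test case under both evaluator types — looping over the two constants and rebuilding `policyEngine` per type — would catch a divergence between the optimized and cached evaluators, which is exactly the kind of bug that becomes an authorization mismatch. Setting `disableContextEnrichers` and `disableCustomConditions` to `true` is reasonable for these cases but deserves a one-line comment, `// test data does not exercise enrichers or custom conditions`, so a future case that needs them is not silently ignored.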
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 7ebd34e..ed67e8e 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -43,13 +43,12 @@ import com.google.gson.JsonParseException;
 
 public class TestPolicyEngine {
 
- static RangerPolicyEngineImpl policyEngine = null;
- static Gson gsonBuilder = null;
+ static RangerPolicyEngine policyEngine = null;
+ static Gson gsonBuilder = null;
 
 
 @BeforeClass
 public static void setUpBeforeClass() throws Exception {
- policyEngine = new RangerPolicyEngineImpl();
 gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
 .setPrettyPrinting()
 .registerTypeAdapter(RangerAccessRequest.class, new RangerAccessRequestDeserializer())
@@ -101,7 +100,7 @@ public class TestPolicyEngine {
 servicePolicies.setServiceDef(testCase.serviceDef);
 servicePolicies.setPolicies(testCase.policies);
 
- policyEngine.setPolicies(servicePolicies);
+ policyEngine = new RangerPolicyEngineImpl(servicePolicies);
 
 for(TestData test : testCase.tests) {
 RangerAccessResult expected = test.result;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseFactory.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseFactory.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseFactory.java
index 97e70ec..5b5690f 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseFactory.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseFactory.java
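Review bot: `policyEngine = new RangerPolicyEngineImpl(servicePolicies);` in the `@@ -101,7 +100,7 @@` hunk uses the single-argument constructor, so this suite runs with whatever defaults `RangerPolicyEngineOptions` carries rather than the options `RangerBasePlugin.init()` reads from configuration or the explicit options `TestPolicyDb` sets in the same commit, and the two test classes therefore cover different evaluator configurations without saying so. A comment stating which evaluator type and option set is under test, or passing an explicit `RangerPolicyEngineOptions` as `TestPolicyDb` does, would make the coverage intent clear. The test method continues past the end of the hunk.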
@@ -18,8 +18,6 @@
 */
 package org.apache.ranger.authorization.hbase;
 
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
 
 // TODO remove this in favor of Guice DI
 
@@ -27,7 +25,6 @@ public class HbaseFactory {
 
 static final HbaseUserUtils _UserUtils = new HbaseUserUtilsImpl();
 static final HbaseAuthUtils _AuthUtils = new HbaseAuthUtilsImpl();
- static final RangerPolicyEngine _PolicyEngine = new RangerPolicyEngineImpl();
 static final HbaseFactory _Factory = new HbaseFactory();
 /**
 * This is a singleton
@@ -48,10 +45,6 @@ public class HbaseFactory {
 return _UserUtils;
 }
 
- RangerPolicyEngine getPolicyEngine() {
- return _PolicyEngine;
- }
-
 HbaseAuditHandler getAuditHandler() {
 return new HbaseAuditHandlerImpl();
 }
