Repository: incubator-ranger Updated Branches: refs/heads/master be2c12ff8 -> 362acbcbe
RANGER-479: ServiceStore class hierarchy refactoring; added filtering based on Policy.ResourceSignature. PolicyEngine interface update to remove few methods. Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/362acbcb Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/362acbcb Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/362acbcb Branch: refs/heads/master Commit: 362acbcbe8f95643a6b47784388b38085d38d750 Parents: be2c12f Author: Madhan Neethiraj <mad...@apache.org> Authored: Thu May 14 16:12:08 2015 -0700 Committer: Madhan Neethiraj <mad...@apache.org> Committed: Thu May 14 21:17:14 2015 -0700 ---------------------------------------------------------------------- .../plugin/policyengine/RangerPolicyEngine.java | 12 +- .../policyengine/RangerPolicyEngineImpl.java | 48 +- .../ranger/plugin/service/RangerBasePlugin.java | 34 +- .../plugin/store/AbstractPredicateUtil.java | 627 ++++++++++++++++ .../plugin/store/AbstractServiceStore.java | 742 ------------------- .../plugin/store/ServicePredicateUtil.java | 156 ++++ .../ranger/plugin/store/file/BaseFileStore.java | 4 +- .../plugin/store/file/ServiceFileStore.java | 32 +- .../org/apache/ranger/biz/ServiceDBStore.java | 40 +- .../apache/ranger/common/RangerSearchUtil.java | 1 + 10 files changed, 873 insertions(+), 823 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/362acbcb/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index 8ff71ef..0a0b210 100644 
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -24,11 +24,9 @@ import java.util.List; import java.util.Map; import java.util.Set; -import org.apache.ranger.plugin.contextenricher.RangerContextEnricher; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; -import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; public interface RangerPolicyEngine { public static final String GROUP_PUBLIC = "public"; @@ -40,17 +38,13 @@ public interface RangerPolicyEngine { RangerServiceDef getServiceDef(); - List<RangerPolicy> getPolicies(); - long getPolicyVersion(); - List<RangerPolicyEvaluator> getPolicyEvaluators(); - - List<RangerContextEnricher> getContextEnrichers(); - - RangerAccessResult createAccessResult(RangerAccessRequest request); + void enrichContext(RangerAccessRequest request); + + void enrichContext(Collection<RangerAccessRequest> requests); RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/362acbcb/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 80c5d58..4219875 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
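Review bot: The two `enrichContext` overloads added to `RangerPolicyEngine` in the second hunk have no Javadoc, so the interface does not state that enrichment is a separate step from evaluation. Elsewhere in this commit `RangerBasePlugin` calls `policyEngine.enrichContext(request)` immediately before `isAccessAllowed(...)`, which suggests evaluation does not enrich on its own. A caller that uses the engine directly and skips the first call would presumably evaluate policies without enricher-supplied context. I would document that on the interface, e.g. `/** Runs the configured context enrichers on the request; call before isAccessAllowed(). A null request is ignored. */`, with matching wording on the collection overload.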
@@ -19,6 +19,7 @@ package org.apache.ranger.plugin.policyengine; +import org.apache.commons.collections.CollectionUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.contextenricher.RangerContextEnricher; 
@@ -72,28 +73,53 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } @Override - public List<RangerPolicy> getPolicies() { - return policyRepository.getPolicies(); - } - - @Override public long getPolicyVersion() { return policyRepository.getPolicyVersion(); } @Override - public List<RangerPolicyEvaluator> getPolicyEvaluators() { - return policyRepository.getPolicyEvaluators(); + public RangerAccessResult createAccessResult(RangerAccessRequest request) { + return new RangerAccessResult(this.getServiceName(), policyRepository.getServiceDef(), request); } @Override - public List<RangerContextEnricher> getContextEnrichers() { - return policyRepository.getContextEnrichers(); + public void enrichContext(RangerAccessRequest request) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.enrichContext(" + request + ")"); + } + + List<RangerContextEnricher> enrichers = policyRepository.getContextEnrichers(); + + if(request != null && !CollectionUtils.isEmpty(enrichers)) { + for(RangerContextEnricher enricher : enrichers) { + enricher.enrich(request); + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.enrichContext(" + request + ")"); + } } @Override - public RangerAccessResult createAccessResult(RangerAccessRequest request) { - return new RangerAccessResult(this.getServiceName(), policyRepository.getServiceDef(), request); + public void enrichContext(Collection<RangerAccessRequest> requests) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.enrichContext(" + requests + ")"); + } + + List<RangerContextEnricher> enrichers = policyRepository.getContextEnrichers(); + + if(!CollectionUtils.isEmpty(requests) && !CollectionUtils.isEmpty(enrichers)) { + for(RangerContextEnricher enricher : enrichers) { + for(RangerAccessRequest request : requests) { + enricher.enrich(request); + } + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.enrichContext(" + requests + ")"); + } 
} @Override http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/362acbcb/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 2a50082..a347f75 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -148,7 +148,7 @@ public class RangerBasePlugin { RangerPolicyEngine policyEngine = this.policyEngine; if(policyEngine != null) { - enrichRequest(request, policyEngine); + policyEngine.enrichContext(request); return policyEngine.isAccessAllowed(request, resultProcessor); } @@ -160,7 +160,7 @@ public class RangerBasePlugin { RangerPolicyEngine policyEngine = this.policyEngine; if(policyEngine != null) { - enrichRequests(requests, policyEngine); + policyEngine.enrichContext(requests); return policyEngine.isAccessAllowed(requests, resultProcessor); } 
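Review bot: In `RangerPolicyEngineImpl.enrichContext(Collection<RangerAccessRequest>)` each element is passed to `enricher.enrich(request)` without a null check, whereas the single-request overload skips a null request. A collection containing a null element therefore reaches every enricher, and whether that throws depends on the enricher implementations, which are not visible here. Guarding the inner loop keeps the two overloads consistent: `if(request != null) { enricher.enrich(request); }`. Separately, the debug lines concatenate the whole request or collection into the log message; if `RangerAccessRequest.toString()` includes user and resource details, confirm that is acceptable for debug output.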
@@ -271,36 +271,6 @@ public class RangerBasePlugin { return ret; } - private void enrichRequest(RangerAccessRequest request, RangerPolicyEngine policyEngine) { - if(request == null || policyEngine == null) { - return; - } - - List<RangerContextEnricher> enrichers = policyEngine.getContextEnrichers(); - - if(! CollectionUtils.isEmpty(enrichers)) { - for(RangerContextEnricher enricher : enrichers) { - enricher.enrich(request); - } - } - } - - private void enrichRequests(Collection<RangerAccessRequest> requests, RangerPolicyEngine policyEngine) { - if(CollectionUtils.isEmpty(requests) || policyEngine == null) { - return; - } - - List<RangerContextEnricher> enrichers = policyEngine.getContextEnrichers(); - - if(! CollectionUtils.isEmpty(enrichers)) { - for(RangerContextEnricher enricher : enrichers) { - for(RangerAccessRequest request : requests) { - enricher.enrich(request); - } - } - } - } - private void auditGrantRevoke(GrantRevokeRequest request, String action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) { RangerPolicyEngine policyEngine = this.policyEngine; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/362acbcb/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java new file mode 100644 index 0000000..772c2d7 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 
@@ -0,0 +1,627 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.store; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.Comparator; +import java.util.Date; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.collections.MapUtils; +import org.apache.commons.collections.Predicate; +import org.apache.commons.collections.PredicateUtils; +import org.apache.commons.io.FilenameUtils; +import org.apache.commons.lang.ObjectUtils; +import org.apache.commons.lang.StringUtils; +import org.apache.ranger.plugin.model.RangerBaseModelObject; +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.model.RangerService; +import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; +import org.apache.ranger.plugin.util.SearchFilter; + +public class AbstractPredicateUtil { + private static Map<String, 
Comparator<RangerBaseModelObject>> sorterMap = new HashMap<String, Comparator<RangerBaseModelObject>>(); + + public void applyFilter(List<? extends RangerBaseModelObject> objList, SearchFilter filter) { + if(CollectionUtils.isEmpty(objList)) { + return; + } + + Predicate pred = getPredicate(filter); + + if(pred != null) { + CollectionUtils.filter(objList, pred); + } + + Comparator<RangerBaseModelObject> sorter = getSorter(filter); + + if(sorter != null) { + Collections.sort(objList, sorter); + } + } + + public Predicate getPredicate(SearchFilter filter) { + if(filter == null || filter.isEmpty()) { + return null; + } + + List<Predicate> predicates = new ArrayList<Predicate>(); + + addPredicates(filter, predicates); + + Predicate ret = CollectionUtils.isEmpty(predicates) ? null : PredicateUtils.allPredicate(predicates); + + return ret; + } + + public void addPredicates(SearchFilter filter, List<Predicate> predicates) { + addPredicateForServiceTypeId(filter.getParam(SearchFilter.SERVICE_TYPE_ID), predicates); + addPredicateForServiceName(filter.getParam(SearchFilter.SERVICE_NAME), predicates); + addPredicateForPolicyName(filter.getParam(SearchFilter.POLICY_NAME), predicates); + addPredicateForPolicyId(filter.getParam(SearchFilter.POLICY_ID), predicates); + addPredicateForIsEnabled(filter.getParam(SearchFilter.IS_ENABLED), predicates); + addPredicateForIsRecursive(filter.getParam(SearchFilter.IS_RECURSIVE), predicates); + addPredicateForUserName(filter.getParam(SearchFilter.USER), predicates); + addPredicateForGroupName(filter.getParam(SearchFilter.GROUP), predicates); + addPredicateForResourceSignature(filter.getParam(SearchFilter.RESOURCE_SIGNATURE), predicates); + addPredicateForResources(filter.getParamsWithPrefix(SearchFilter.RESOURCE_PREFIX, true), predicates); + } + + public Comparator<RangerBaseModelObject> getSorter(SearchFilter filter) { + String sortBy = filter == null ? 
null : filter.getParam(SearchFilter.SORT_BY); + + if(StringUtils.isEmpty(sortBy)) { + return null; + } + + Comparator<RangerBaseModelObject> ret = sorterMap.get(sortBy); + + return ret; + } + + public final static Comparator<RangerBaseModelObject> idComparator = new Comparator<RangerBaseModelObject>() { + @Override + public int compare(RangerBaseModelObject o1, RangerBaseModelObject o2) { + Long val1 = (o1 != null) ? o1.getId() : null; + Long val2 = (o2 != null) ? o2.getId() : null; + + return ObjectUtils.compare(val1, val2); + } + }; + + protected final static Comparator<RangerBaseModelObject> createTimeComparator = new Comparator<RangerBaseModelObject>() { + @Override + public int compare(RangerBaseModelObject o1, RangerBaseModelObject o2) { + Date val1 = (o1 != null) ? o1.getCreateTime() : null; + Date val2 = (o2 != null) ? o2.getCreateTime() : null; + + return ObjectUtils.compare(val1, val2); + } + }; + + protected final static Comparator<RangerBaseModelObject> updateTimeComparator = new Comparator<RangerBaseModelObject>() { + @Override + public int compare(RangerBaseModelObject o1, RangerBaseModelObject o2) { + Date val1 = (o1 != null) ? o1.getUpdateTime() : null; + Date val2 = (o2 != null) ? 
o2.getUpdateTime() : null; + + return ObjectUtils.compare(val1, val2); + } + }; + + protected final static Comparator<RangerBaseModelObject> serviceDefNameComparator = new Comparator<RangerBaseModelObject>() { + @Override + public int compare(RangerBaseModelObject o1, RangerBaseModelObject o2) { + String val1 = null; + String val2 = null; + + if(o1 != null) { + if(o1 instanceof RangerServiceDef) { + val1 = ((RangerServiceDef)o1).getName(); + } else if(o1 instanceof RangerService) { + val1 = ((RangerService)o1).getType(); + } + } + + if(o2 != null) { + if(o2 instanceof RangerServiceDef) { + val2 = ((RangerServiceDef)o2).getName(); + } else if(o2 instanceof RangerService) { + val2 = ((RangerService)o2).getType(); + } + } + + return ObjectUtils.compare(val1, val2); + } + }; + + protected final static Comparator<RangerBaseModelObject> serviceNameComparator = new Comparator<RangerBaseModelObject>() { + @Override + public int compare(RangerBaseModelObject o1, RangerBaseModelObject o2) { + String val1 = null; + String val2 = null; + + if(o1 != null) { + if(o1 instanceof RangerPolicy) { + val1 = ((RangerPolicy)o1).getService(); + } else if(o1 instanceof RangerService) { + val1 = ((RangerService)o1).getType(); + } + } + + if(o2 != null) { + if(o2 instanceof RangerPolicy) { + val2 = ((RangerPolicy)o2).getService(); + } else if(o2 instanceof RangerService) { + val2 = ((RangerService)o2).getType(); + } + } + + return ObjectUtils.compare(val1, val2); + } + }; + + protected final static Comparator<RangerBaseModelObject> policyNameComparator = new Comparator<RangerBaseModelObject>() { + @Override + public int compare(RangerBaseModelObject o1, RangerBaseModelObject o2) { + String val1 = (o1 != null && o1 instanceof RangerPolicy) ? ((RangerPolicy)o1).getName() : null; + String val2 = (o2 != null && o2 instanceof RangerPolicy) ? 
((RangerPolicy)o2).getName() : null; + + return ObjectUtils.compare(val1, val2); + } + }; + + public final static Comparator<RangerResourceDef> resourceLevelComparator = new Comparator<RangerResourceDef>() { + @Override + public int compare(RangerResourceDef o1, RangerResourceDef o2) { + Integer val1 = (o1 != null) ? o1.getLevel() : null; + Integer val2 = (o2 != null) ? o2.getLevel() : null; + + return ObjectUtils.compare(val1, val2); + } + }; + + static { + sorterMap.put(SearchFilter.SERVICE_TYPE, serviceDefNameComparator); + sorterMap.put(SearchFilter.SERVICE_TYPE_ID, idComparator); + sorterMap.put(SearchFilter.SERVICE_NAME, serviceNameComparator); + sorterMap.put(SearchFilter.SERVICE_TYPE_ID, idComparator); + sorterMap.put(SearchFilter.POLICY_NAME, policyNameComparator); + sorterMap.put(SearchFilter.POLICY_ID, idComparator); + sorterMap.put(SearchFilter.CREATE_TIME, createTimeComparator); + sorterMap.put(SearchFilter.UPDATE_TIME, updateTimeComparator); + } + + private Predicate addPredicateForServiceTypeId(final String serviceTypeId, List<Predicate> predicates) { + if(StringUtils.isEmpty(serviceTypeId)) { + return null; + } + + Predicate ret = new Predicate() { + @Override + public boolean evaluate(Object object) { + if(object == null) { + return false; + } + + boolean ret = false; + + if(object instanceof RangerServiceDef) { + RangerServiceDef serviceDef = (RangerServiceDef)object; + Long svcDefId = serviceDef.getId(); + + if(svcDefId != null) { + ret = StringUtils.equals(serviceTypeId, svcDefId.toString()); + } + } else { + ret = true; + } + + return ret; + } + }; + + if(predicates != null) { + predicates.add(ret); + } + + return ret; + } + + private Predicate addPredicateForServiceName(final String serviceName, List<Predicate> predicates) { + if(StringUtils.isEmpty(serviceName)) { + return null; + } + + Predicate ret = new Predicate() { + @Override + public boolean evaluate(Object object) { + if(object == null) { + return false; + } + + boolean ret = false; + 
+ if(object instanceof RangerPolicy) { + RangerPolicy policy = (RangerPolicy)object; + + ret = StringUtils.equals(serviceName, policy.getService()); + } else if(object instanceof RangerService) { + RangerService service = (RangerService)object; + + ret = StringUtils.equals(serviceName, service.getName()); + } else { + ret = true; + } + + return ret; + } + }; + + if(ret != null) { + predicates.add(ret); + } + + return ret; + } + + private Predicate addPredicateForPolicyName(final String policyName, List<Predicate> predicates) { + if(StringUtils.isEmpty(policyName)) { + return null; + } + + Predicate ret = new Predicate() { + @Override + public boolean evaluate(Object object) { + if(object == null) { + return false; + } + + boolean ret = false; + + if(object instanceof RangerPolicy) { + RangerPolicy policy = (RangerPolicy)object; + + ret = StringUtils.equals(policyName, policy.getName()); + } else { + ret = true; + } + + return ret; + } + }; + + if(predicates != null) { + predicates.add(ret); + } + + return ret; + } + + private Predicate addPredicateForPolicyId(final String policyId, List<Predicate> predicates) { + if(StringUtils.isEmpty(policyId)) { + return null; + } + + Predicate ret = new Predicate() { + @Override + public boolean evaluate(Object object) { + if(object == null) { + return false; + } + + boolean ret = false; + + if(object instanceof RangerPolicy) { + RangerPolicy policy = (RangerPolicy)object; + + if(policy.getId() != null) { + ret = StringUtils.equals(policyId, policy.getId().toString()); + } + } else { + ret = true; + } + + return ret; + } + }; + + if(predicates != null) { + predicates.add(ret); + } + + return ret; + } + + private Predicate addPredicateForUserName(final String userName, List<Predicate> predicates) { + if(StringUtils.isEmpty(userName)) { + return null; + } + + Predicate ret = new Predicate() { + @Override + public boolean evaluate(Object object) { + if(object == null) { + return false; + } + + boolean ret = false; + + if(object 
instanceof RangerPolicy) { + RangerPolicy policy = (RangerPolicy)object; + + for(RangerPolicyItem policyItem : policy.getPolicyItems()) { + if(policyItem.getUsers().contains(userName)) { + ret = true; + + break; + } + } + } else { + ret = true; + } + + return ret; + } + }; + + if(predicates != null) { + predicates.add(ret); + } + + return ret; + } + + private Predicate addPredicateForGroupName(final String groupName, List<Predicate> predicates) { + if(StringUtils.isEmpty(groupName)) { + return null; + } + + Predicate ret = new Predicate() { + @Override + public boolean evaluate(Object object) { + if(object == null) { + return false; + } + + boolean ret = false; + + if(object instanceof RangerPolicy) { + RangerPolicy policy = (RangerPolicy)object; + + for(RangerPolicyItem policyItem : policy.getPolicyItems()) { + if(policyItem.getGroups().contains(groupName)) { + ret = true; + + break; + } + } + } else { + ret = true; + } + + return ret; + } + }; + + if(predicates != null) { + predicates.add(ret); + } + + return ret; + } + + private Predicate addPredicateForIsEnabled(final String status, List<Predicate> predicates) { + if(StringUtils.isEmpty(status)) { + return null; + } + + Predicate ret = new Predicate() { + @Override + public boolean evaluate(Object object) { + if(object == null) { + return false; + } + + boolean ret = false; + + if(object instanceof RangerBaseModelObject) { + RangerBaseModelObject obj = (RangerBaseModelObject)object; + + if(Boolean.parseBoolean(status)) { + ret = obj.getIsEnabled(); + } else { + ret = !obj.getIsEnabled(); + } + } else { + ret = true; + } + + return ret; + } + }; + + if(predicates != null) { + predicates.add(ret); + } + + return ret; + } + + private Predicate addPredicateForResources(final Map<String, String> resources, List<Predicate> predicates) { + if(MapUtils.isEmpty(resources)) { + return null; + } + + Predicate ret = new Predicate() { + @Override + public boolean evaluate(Object object) { + if(object == null) { + return 
false; + } + + boolean ret = false; + + if(object instanceof RangerPolicy) { + RangerPolicy policy = (RangerPolicy)object; + + if(! MapUtils.isEmpty(policy.getResources())) { + int numFound = 0; + for(String name : resources.keySet()) { + boolean isMatch = false; + + RangerPolicyResource policyResource = policy.getResources().get(name); + + if(policyResource != null && !CollectionUtils.isEmpty(policyResource.getValues())) { + String val = resources.get(name); + + if(policyResource.getValues().contains(val)) { + isMatch = true; + } else { + for(String policyResourceValue : policyResource.getValues()) { + if(FilenameUtils.wildcardMatch(val, policyResourceValue)) { + isMatch = true; + break; + } + } + } + } + + if(isMatch) { + numFound++; + } else { + break; + } + } + + ret = numFound == resources.size(); + } + } else { + ret = true; + } + + return ret; + } + }; + + if(predicates != null) { + predicates.add(ret); + } + + return ret; + } + + private Predicate addPredicateForIsRecursive(final String isRecursiveStr, List<Predicate> predicates) { + if(StringUtils.isEmpty(isRecursiveStr)) { + return null; + } + + final boolean isRecursive = Boolean.parseBoolean(isRecursiveStr); + + Predicate ret = new Predicate() { + @Override + public boolean evaluate(Object object) { + if(object == null) { + return false; + } + + boolean ret = true; + + if(object instanceof RangerPolicy) { + RangerPolicy policy = (RangerPolicy)object; + + if(! 
MapUtils.isEmpty(policy.getResources())) { + for(Map.Entry<String, RangerPolicyResource> e : policy.getResources().entrySet()) { + RangerPolicyResource resValue = e.getValue(); + + if(resValue.getIsRecursive() == null) { + ret = !isRecursive; + } else { + ret = resValue.getIsRecursive().booleanValue() == isRecursive; + } + + if(ret) { + break; + } + } + } + } + + return ret; + } + }; + + if(predicates != null) { + predicates.add(ret); + } + + return ret; + } + + private Predicate addPredicateForResourceSignature(String signature, List<Predicate> predicates) { + + Predicate ret = createPredicateForResourceSignature(signature); + + if(predicates != null && ret != null) { + predicates.add(ret); + } + + return ret; + } + + /** + * @param policySignature + * @return + */ + public Predicate createPredicateForResourceSignature(final String policySignature) { + + if (StringUtils.isEmpty(policySignature)) { + return null; + } + + return new Predicate() { + @Override + public boolean evaluate(Object object) { + if(object == null) { + return false; + } + + boolean ret = false; + + if (object instanceof RangerPolicy) { + RangerPolicy policy = (RangerPolicy)object; + + ret = StringUtils.equals(policy.getResourceSignature(), policySignature); + } else { + ret = true; + } + + return ret; + } + }; + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/362acbcb/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java deleted file mode 100644 index 9bba5e3..0000000 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java +++ /dev/null 
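Review bot: `addPredicateForServiceName` in the new `AbstractPredicateUtil` guards the list insert with `if(ret != null)` where the sibling methods use `if(predicates != null)`. `ret` has just been assigned a new `Predicate` and cannot be null there, so a null `predicates` argument would throw a NullPointerException at `predicates.add(ret)`; the guard should read `if(predicates != null) {`. In the static initializer `sorterMap.put(SearchFilter.SERVICE_TYPE_ID, idComparator);` appears twice. The second entry was perhaps meant for another key (possibly `SearchFilter.SERVICE_ID`, which the deleted `AbstractServiceStore` referenced); if so, `getSorter` returns null for that key. Most predicates also return `true` for objects that are not of the type they inspect, so a filter applied to the wrong kind of list passes every element rather than none, which deserves a comment on the class.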
@@ -1,742 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.plugin.store; - -import java.util.ArrayList; -import java.util.Collections; -import java.util.Comparator; -import java.util.Date; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.Objects; - -import org.apache.commons.collections.CollectionUtils; -import org.apache.commons.collections.MapUtils; -import org.apache.commons.collections.Predicate; -import org.apache.commons.collections.PredicateUtils; -import org.apache.commons.io.FilenameUtils; -import org.apache.commons.lang.ObjectUtils; -import org.apache.commons.lang.StringUtils; -import org.apache.ranger.plugin.model.RangerBaseModelObject; -import org.apache.ranger.plugin.model.RangerPolicy; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; -import org.apache.ranger.plugin.model.RangerService; -import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; -import org.apache.ranger.plugin.util.SearchFilter; - -public abstract class AbstractServiceStore implements 
ServiceStore { - private static Map<String, Comparator<RangerBaseModelObject>> sorterMap = new HashMap<String, Comparator<RangerBaseModelObject>>(); - - public void applyFilter(List<? extends RangerBaseModelObject> objList, SearchFilter filter) { - if(CollectionUtils.isEmpty(objList)) { - return; - } - - Predicate pred = getPredicate(filter); - - if(pred != null) { - CollectionUtils.filter(objList, pred); - } - - Comparator<RangerBaseModelObject> sorter = getSorter(filter); - - if(sorter != null) { - Collections.sort(objList, sorter); - } - } - - public Predicate getPredicate(SearchFilter filter) { - if(filter == null || filter.isEmpty()) { - return null; - } - - List<Predicate> predicates = new ArrayList<Predicate>(); - - addPredicateForServiceType(filter.getParam(SearchFilter.SERVICE_TYPE), predicates); - addPredicateForServiceTypeId(filter.getParam(SearchFilter.SERVICE_TYPE_ID), predicates); - addPredicateForServiceName(filter.getParam(SearchFilter.SERVICE_NAME), predicates); - addPredicateForServiceId(filter.getParam(SearchFilter.SERVICE_ID), predicates); - addPredicateForPolicyName(filter.getParam(SearchFilter.POLICY_NAME), predicates); - addPredicateForPolicyId(filter.getParam(SearchFilter.POLICY_ID), predicates); - addPredicateForIsEnabled(filter.getParam(SearchFilter.IS_ENABLED), predicates); - addPredicateForIsRecursive(filter.getParam(SearchFilter.IS_RECURSIVE), predicates); - addPredicateForUserName(filter.getParam(SearchFilter.USER), predicates); - addPredicateForGroupName(filter.getParam(SearchFilter.GROUP), predicates); - addPredicateForResourceSignature( - filter.getParam(SearchFilter.SERVICE_NAME), - filter.getParam(SearchFilter.RESOURCE_SIGNATURE), - filter.getParam(SearchFilter.IS_ENABLED), predicates); - addPredicateForResources(filter.getParamsWithPrefix(SearchFilter.RESOURCE_PREFIX, true), predicates); - - Predicate ret = CollectionUtils.isEmpty(predicates) ? 
null : PredicateUtils.allPredicate(predicates); - - return ret; - } - - public Comparator<RangerBaseModelObject> getSorter(SearchFilter filter) { - String sortBy = filter == null ? null : filter.getParam(SearchFilter.SORT_BY); - - if(StringUtils.isEmpty(sortBy)) { - return null; - } - - Comparator<RangerBaseModelObject> ret = sorterMap.get(sortBy); - - return ret; - } - - protected final static Comparator<RangerBaseModelObject> idComparator = new Comparator<RangerBaseModelObject>() { - @Override - public int compare(RangerBaseModelObject o1, RangerBaseModelObject o2) { - Long val1 = (o1 != null) ? o1.getId() : null; - Long val2 = (o2 != null) ? o2.getId() : null; - - return ObjectUtils.compare(val1, val2); - } - }; - - protected final static Comparator<RangerBaseModelObject> createTimeComparator = new Comparator<RangerBaseModelObject>() { - @Override - public int compare(RangerBaseModelObject o1, RangerBaseModelObject o2) { - Date val1 = (o1 != null) ? o1.getCreateTime() : null; - Date val2 = (o2 != null) ? o2.getCreateTime() : null; - - return ObjectUtils.compare(val1, val2); - } - }; - - protected final static Comparator<RangerBaseModelObject> updateTimeComparator = new Comparator<RangerBaseModelObject>() { - @Override - public int compare(RangerBaseModelObject o1, RangerBaseModelObject o2) { - Date val1 = (o1 != null) ? o1.getUpdateTime() : null; - Date val2 = (o2 != null) ? 
o2.getUpdateTime() : null; - - return ObjectUtils.compare(val1, val2); - } - }; - - protected final static Comparator<RangerBaseModelObject> serviceDefNameComparator = new Comparator<RangerBaseModelObject>() { - @Override - public int compare(RangerBaseModelObject o1, RangerBaseModelObject o2) { - String val1 = null; - String val2 = null; - - if(o1 != null) { - if(o1 instanceof RangerServiceDef) { - val1 = ((RangerServiceDef)o1).getName(); - } else if(o1 instanceof RangerService) { - val1 = ((RangerService)o1).getType(); - } - } - - if(o2 != null) { - if(o2 instanceof RangerServiceDef) { - val2 = ((RangerServiceDef)o2).getName(); - } else if(o2 instanceof RangerService) { - val2 = ((RangerService)o2).getType(); - } - } - - return ObjectUtils.compare(val1, val2); - } - }; - - protected final static Comparator<RangerBaseModelObject> serviceNameComparator = new Comparator<RangerBaseModelObject>() { - @Override - public int compare(RangerBaseModelObject o1, RangerBaseModelObject o2) { - String val1 = null; - String val2 = null; - - if(o1 != null) { - if(o1 instanceof RangerPolicy) { - val1 = ((RangerPolicy)o1).getService(); - } else if(o1 instanceof RangerService) { - val1 = ((RangerService)o1).getType(); - } - } - - if(o2 != null) { - if(o2 instanceof RangerPolicy) { - val2 = ((RangerPolicy)o2).getService(); - } else if(o2 instanceof RangerService) { - val2 = ((RangerService)o2).getType(); - } - } - - return ObjectUtils.compare(val1, val2); - } - }; - - protected final static Comparator<RangerBaseModelObject> policyNameComparator = new Comparator<RangerBaseModelObject>() { - @Override - public int compare(RangerBaseModelObject o1, RangerBaseModelObject o2) { - String val1 = (o1 != null && o1 instanceof RangerPolicy) ? ((RangerPolicy)o1).getName() : null; - String val2 = (o2 != null && o2 instanceof RangerPolicy) ? 
((RangerPolicy)o2).getName() : null; - - return ObjectUtils.compare(val1, val2); - } - }; - - protected final static Comparator<RangerResourceDef> resourceLevelComparator = new Comparator<RangerResourceDef>() { - @Override - public int compare(RangerResourceDef o1, RangerResourceDef o2) { - Integer val1 = (o1 != null) ? o1.getLevel() : null; - Integer val2 = (o2 != null) ? o2.getLevel() : null; - - return ObjectUtils.compare(val1, val2); - } - }; - - static { - sorterMap.put(SearchFilter.SERVICE_TYPE, serviceDefNameComparator); - sorterMap.put(SearchFilter.SERVICE_TYPE_ID, idComparator); - sorterMap.put(SearchFilter.SERVICE_NAME, serviceNameComparator); - sorterMap.put(SearchFilter.SERVICE_TYPE_ID, idComparator); - sorterMap.put(SearchFilter.POLICY_NAME, policyNameComparator); - sorterMap.put(SearchFilter.POLICY_ID, idComparator); - sorterMap.put(SearchFilter.CREATE_TIME, createTimeComparator); - sorterMap.put(SearchFilter.UPDATE_TIME, updateTimeComparator); - } - - private String getServiceType(String serviceName) { - RangerService service = null; - - try { - service = getServiceByName(serviceName); - } catch(Exception excp) { - // ignore - } - - return service != null ? service.getType() : null; - } - - private Long getServiceId(String serviceName) { - RangerService service = null; - - try { - service = getServiceByName(serviceName); - } catch(Exception excp) { - // ignore - } - - return service != null ? 
service.getId() : null; - } - - private Predicate addPredicateForServiceType(final String serviceType, List<Predicate> predicates) { - if(StringUtils.isEmpty(serviceType)) { - return null; - } - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if(object instanceof RangerPolicy) { - RangerPolicy policy = (RangerPolicy)object; - - ret = StringUtils.equals(serviceType, getServiceType(policy.getService())); - } else if(object instanceof RangerService) { - RangerService service = (RangerService)object; - - ret = StringUtils.equals(serviceType, service.getType()); - } else if(object instanceof RangerServiceDef) { - RangerServiceDef serviceDef = (RangerServiceDef)object; - - ret = StringUtils.equals(serviceType, serviceDef.getName()); - } - - return ret; - } - }; - - if(predicates != null) { - predicates.add(ret); - } - - return ret; - } - - private Predicate addPredicateForServiceTypeId(final String serviceTypeId, List<Predicate> predicates) { - if(StringUtils.isEmpty(serviceTypeId)) { - return null; - } - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if(object instanceof RangerServiceDef) { - RangerServiceDef serviceDef = (RangerServiceDef)object; - Long svcDefId = serviceDef.getId(); - - if(svcDefId != null) { - ret = StringUtils.equals(serviceTypeId, svcDefId.toString()); - } - } else { - ret = true; - } - - return ret; - } - }; - - if(predicates != null) { - predicates.add(ret); - } - - return ret; - } - - private Predicate addPredicateForServiceName(final String serviceName, List<Predicate> predicates) { - if(StringUtils.isEmpty(serviceName)) { - return null; - } - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if(object 
instanceof RangerPolicy) { - RangerPolicy policy = (RangerPolicy)object; - - ret = StringUtils.equals(serviceName, policy.getService()); - } else if(object instanceof RangerService) { - RangerService service = (RangerService)object; - - ret = StringUtils.equals(serviceName, service.getName()); - } else { - ret = true; - } - - return ret; - } - }; - - if(ret != null) { - predicates.add(ret); - } - - return ret; - } - - private Predicate addPredicateForServiceId(final String serviceId, List<Predicate> predicates) { - if(StringUtils.isEmpty(serviceId)) { - return null; - } - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if(object instanceof RangerPolicy) { - RangerPolicy policy = (RangerPolicy)object; - Long svcId = getServiceId(policy.getService()); - - if(svcId != null) { - ret = StringUtils.equals(serviceId, svcId.toString()); - } - } else if(object instanceof RangerService) { - RangerService service = (RangerService)object; - - if(service.getId() != null) { - ret = StringUtils.equals(serviceId, service.getId().toString()); - } - } else { - ret = true; - } - - return ret; - } - }; - - if(predicates != null) { - predicates.add(ret); - } - - return ret; - } - - private Predicate addPredicateForPolicyName(final String policyName, List<Predicate> predicates) { - if(StringUtils.isEmpty(policyName)) { - return null; - } - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if(object instanceof RangerPolicy) { - RangerPolicy policy = (RangerPolicy)object; - - ret = StringUtils.equals(policyName, policy.getName()); - } else { - ret = true; - } - - return ret; - } - }; - - if(predicates != null) { - predicates.add(ret); - } - - return ret; - } - - private Predicate addPredicateForPolicyId(final String policyId, List<Predicate> predicates) { - 
if(StringUtils.isEmpty(policyId)) { - return null; - } - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if(object instanceof RangerPolicy) { - RangerPolicy policy = (RangerPolicy)object; - - if(policy.getId() != null) { - ret = StringUtils.equals(policyId, policy.getId().toString()); - } - } else { - ret = true; - } - - return ret; - } - }; - - if(predicates != null) { - predicates.add(ret); - } - - return ret; - } - - private Predicate addPredicateForUserName(final String userName, List<Predicate> predicates) { - if(StringUtils.isEmpty(userName)) { - return null; - } - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if(object instanceof RangerPolicy) { - RangerPolicy policy = (RangerPolicy)object; - - for(RangerPolicyItem policyItem : policy.getPolicyItems()) { - if(policyItem.getUsers().contains(userName)) { - ret = true; - - break; - } - } - } else { - ret = true; - } - - return ret; - } - }; - - if(predicates != null) { - predicates.add(ret); - } - - return ret; - } - - private Predicate addPredicateForGroupName(final String groupName, List<Predicate> predicates) { - if(StringUtils.isEmpty(groupName)) { - return null; - } - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if(object instanceof RangerPolicy) { - RangerPolicy policy = (RangerPolicy)object; - - for(RangerPolicyItem policyItem : policy.getPolicyItems()) { - if(policyItem.getGroups().contains(groupName)) { - ret = true; - - break; - } - } - } else { - ret = true; - } - - return ret; - } - }; - - if(predicates != null) { - predicates.add(ret); - } - - return ret; - } - - private Predicate addPredicateForIsEnabled(final String status, List<Predicate> predicates) { 
- if(StringUtils.isEmpty(status)) { - return null; - } - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if(object instanceof RangerBaseModelObject) { - RangerBaseModelObject obj = (RangerBaseModelObject)object; - - if(Boolean.parseBoolean(status)) { - ret = obj.getIsEnabled(); - } else { - ret = !obj.getIsEnabled(); - } - } else { - ret = true; - } - - return ret; - } - }; - - if(predicates != null) { - predicates.add(ret); - } - - return ret; - } - - private Predicate addPredicateForResources(final Map<String, String> resources, List<Predicate> predicates) { - if(MapUtils.isEmpty(resources)) { - return null; - } - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if(object instanceof RangerPolicy) { - RangerPolicy policy = (RangerPolicy)object; - - if(! MapUtils.isEmpty(policy.getResources())) { - int numFound = 0; - for(String name : resources.keySet()) { - boolean isMatch = false; - - RangerPolicyResource policyResource = policy.getResources().get(name); - - if(policyResource != null && !CollectionUtils.isEmpty(policyResource.getValues())) { - String val = resources.get(name); - - if(policyResource.getValues().contains(val)) { - isMatch = true; - } else { - for(String policyResourceValue : policyResource.getValues()) { - if(FilenameUtils.wildcardMatch(val, policyResourceValue)) { - isMatch = true; - break; - } - } - } - } - - if(isMatch) { - numFound++; - } else { - break; - } - } - - ret = numFound == resources.size(); - } - } else { - ret = true; - } - - return ret; - } - }; - - if(predicates != null) { - predicates.add(ret); - } - - return ret; - } - - private Predicate addPredicateForIsRecursive(final String isRecursiveStr, List<Predicate> predicates) { - if(StringUtils.isEmpty(isRecursiveStr)) { - return null; - } - - final boolean 
isRecursive = Boolean.parseBoolean(isRecursiveStr); - - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = true; - - if(object instanceof RangerPolicy) { - RangerPolicy policy = (RangerPolicy)object; - - if(! MapUtils.isEmpty(policy.getResources())) { - for(Map.Entry<String, RangerPolicyResource> e : policy.getResources().entrySet()) { - RangerPolicyResource resValue = e.getValue(); - - if(resValue.getIsRecursive() == null) { - ret = !isRecursive; - } else { - ret = resValue.getIsRecursive().booleanValue() == isRecursive; - } - - if(ret) { - break; - } - } - } - } - - return ret; - } - }; - - if(predicates != null) { - predicates.add(ret); - } - - return ret; - } - - private Predicate addPredicateForResourceSignature(final String serviceName, String signature, String isPolicyEnabled, List<Predicate> predicates) { - - boolean enabled = false; - if ("1".equals(isPolicyEnabled)) { - enabled = true; - } - Predicate ret = createPredicateForResourceSignature(serviceName, signature, enabled); - - if(predicates != null && ret != null) { - predicates.add(ret); - } - - return ret; - } - - /** - * @param serviceName - * @param policySignature - * @param isPolicyEnabled - * @return - */ - public Predicate createPredicateForResourceSignature(final String serviceName, final String policySignature, final Boolean isPolicyEnabled) { - - if (StringUtils.isEmpty(policySignature) || StringUtils.isEmpty(serviceName) || isPolicyEnabled == null) { - return null; - } - - return new Predicate() { - @Override - public boolean evaluate(Object object) { - if(object == null) { - return false; - } - - boolean ret = false; - - if (object instanceof RangerPolicy) { - RangerPolicy policy = (RangerPolicy)object; - - ret = StringUtils.equals(policy.getResourceSignature(), policySignature) && - Objects.equals(policy.getService(), serviceName) && - Objects.equals(policy.getIsEnabled(), isPolicyEnabled); 
- } else {
- ret = true;
- }
-
- return ret;
- }
- };
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/362acbcb/agents-common/src/main/java/org/apache/ranger/plugin/store/ServicePredicateUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServicePredicateUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServicePredicateUtil.java
new file mode 100644
index 0000000..69560e2
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServicePredicateUtil.java
@@ -0,0 +1,156 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.store;
+
+import org.apache.commons.collections.Predicate;
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.util.SearchFilter;
+
+import java.util.List;
+
+public class ServicePredicateUtil extends AbstractPredicateUtil {
+ private ServiceStore serviceStore = null;
+
+ public ServicePredicateUtil(ServiceStore serviceStore) {
+ super();
+ this.serviceStore = serviceStore;
+ }
+
+ @Override
+ public void addPredicates(SearchFilter filter, List<Predicate> predicates) {
+ super.addPredicates(filter, predicates);
+
+ addPredicateForServiceType(filter.getParam(SearchFilter.SERVICE_TYPE), predicates);
+ addPredicateForServiceId(filter.getParam(SearchFilter.SERVICE_ID), predicates);
+ }
+
+ private String getServiceType(String serviceName) {
+ RangerService service = null;
+
+ try {
+ if (serviceStore != null) {
+ service = serviceStore.getServiceByName(serviceName);
+ }
+ } catch(Exception excp) {
+ // ignore
+ }
+
+ return service != null ? service.getType() : null;
+ }
+
+ private Long getServiceId(String serviceName) {
+ RangerService service = null;
+
+ try {
+ if (serviceStore != null) {
+ service = serviceStore.getServiceByName(serviceName);
+ }
+ } catch(Exception excp) {
+ // ignore
+ }
+
+ return service != null ? service.getId() : null;
+ }
+
+
+ private Predicate addPredicateForServiceType(final String serviceType, List<Predicate> predicates) {
+ if(StringUtils.isEmpty(serviceType)) {
+ return null;
+ }
+
+ Predicate ret = new Predicate() {
+ @Override
+ public boolean evaluate(Object object) {
+ if(object == null) {
+ return false;
+ }
+
+ boolean ret = false;
+
+ if(object instanceof RangerPolicy) {
+ RangerPolicy policy = (RangerPolicy)object;
+
+ ret = StringUtils.equals(serviceType, getServiceType(policy.getService()));
+ } else if(object instanceof RangerService) {
+ RangerService service = (RangerService)object;
+
+ ret = StringUtils.equals(serviceType, service.getType());
+ } else if(object instanceof RangerServiceDef) {
+ RangerServiceDef serviceDef = (RangerServiceDef)object;
+
+ ret = StringUtils.equals(serviceType, serviceDef.getName());
+ }
+
+ return ret;
+ }
+ };
+
+ if(predicates != null) {
+ predicates.add(ret);
+ }
+
+ return ret;
+ }
+
+ private Predicate addPredicateForServiceId(final String serviceId, List<Predicate> predicates) {
+ if(StringUtils.isEmpty(serviceId)) {
+ return null;
+ }
+
+ Predicate ret = new Predicate() {
+ @Override
+ public boolean evaluate(Object object) {
+ if(object == null) {
+ return false;
+ }
+
+ boolean ret = false;
+
+ if(object instanceof RangerPolicy) {
+ RangerPolicy policy = (RangerPolicy)object;
+ Long svcId = getServiceId(policy.getService());
+
+ if(svcId != null) {
+ ret = StringUtils.equals(serviceId, svcId.toString());
+ }
+ } else if(object instanceof RangerService) {
+ RangerService service = (RangerService)object;
+
+ if(service.getId() != null) {
+ ret = StringUtils.equals(serviceId, service.getId().toString());
+ }
+ } else {
+ ret = true;
+ }
+
+ return ret;
+ }
+ };
+
+ if(predicates != null) {
+ predicates.add(ret);
+ }
+
+ return ret;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/362acbcb/agents-common/src/main/java/org/apache/ranger/plugin/store/file/BaseFileStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/BaseFileStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/BaseFileStore.java
index 9785e77..6ce2589 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/BaseFileStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/BaseFileStore.java
@@ -41,12 +41,11 @@ import org.apache.ranger.plugin.model.RangerBaseModelObject; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.store.AbstractServiceStore; import com.google.gson.Gson; import com.google.gson.GsonBuilder; -public abstract class BaseFileStore extends AbstractServiceStore { +public class BaseFileStore { private static final Log LOG = LogFactory.getLog(BaseFileStore.class); private Gson gsonBuilder = null;
@@ -57,7 +56,6 @@ public abstract class BaseFileStore extends AbstractServiceStore { protected static final String FILE_PREFIX_POLICY = "ranger-policy-"; protected static final String FILE_SUFFIX_JSON = ".json"; - protected void initStore(String dataDir) { this.dataDir = dataDir;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/362acbcb/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
----------------------------------------------------------------------
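Review bot: `getServiceType` and `getServiceId` in the new ServicePredicateUtil discard every exception from `serviceStore.getServiceByName` with `// ignore`, so a failed store lookup makes the service-type and service-id predicates evaluate to false for policies, and those policies drop out of the filtered result with no trace. Since these predicates decide which policies a search returns, the failure should at least be recorded, for example `LOG.warn("getServiceByName(" + serviceName + ") failed", excp);` in both catch blocks; the class declares no logger, so one would have to be added. Separately, `addPredicates` calls `filter.getParam(...)` unconditionally; whether `super.addPredicates` tolerates a null filter is not visible here, so a guard such as `if (filter == null) { return; }` before the two added calls would make the override safe on its own.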
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java index 2c161a7..2e469cd 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java @@ -37,11 +37,13 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; +import org.apache.ranger.plugin.store.ServicePredicateUtil; +import org.apache.ranger.plugin.store.ServiceStore; import org.apache.ranger.plugin.util.SearchFilter; import org.apache.ranger.plugin.util.ServicePolicies; -public class ServiceFileStore extends BaseFileStore { +public class ServiceFileStore extends BaseFileStore implements ServiceStore { private static final Log LOG = LogFactory.getLog(ServiceFileStore.class); public static final String PROPERTY_SERVICE_FILE_STORE_DIR = "ranger.service.store.file.dir"; @@ -51,12 +53,15 @@ public class ServiceFileStore extends BaseFileStore { private long nextServiceId = 0; private long nextPolicyId = 0; + private ServicePredicateUtil predicateUtil = null; + public ServiceFileStore() { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceFileStore.ServiceFileStore()"); } dataDir = RangerConfiguration.getInstance().get(PROPERTY_SERVICE_FILE_STORE_DIR, "file:///etc/ranger/data"); + predicateUtil = new ServicePredicateUtil(this); if(LOG.isDebugEnabled()) { LOG.debug("<== ServiceFileStore.ServiceFileStore()"); @@ -69,6 +74,7 @@ public class ServiceFileStore extends BaseFileStore { } this.dataDir = dataDir; + predicateUtil = new ServicePredicateUtil(this); if(LOG.isDebugEnabled()) { LOG.debug("<== ServiceFileStore.ServiceFileStore()"); 
@@ -257,9 +263,9 @@ public class ServiceFileStore extends BaseFileStore { List<RangerServiceDef> ret = getAllServiceDefs(); if(ret != null && filter != null && !filter.isEmpty()) { - CollectionUtils.filter(ret, getPredicate(filter)); + CollectionUtils.filter(ret, predicateUtil.getPredicate(filter)); - Comparator<RangerBaseModelObject> comparator = getSorter(filter); + Comparator<RangerBaseModelObject> comparator = predicateUtil.getSorter(filter); if(comparator != null) { Collections.sort(ret, comparator); @@ -442,9 +448,9 @@ public class ServiceFileStore extends BaseFileStore { List<RangerService> ret = getAllServices(); if(ret != null && filter != null && !filter.isEmpty()) { - CollectionUtils.filter(ret, getPredicate(filter)); + CollectionUtils.filter(ret, predicateUtil.getPredicate(filter)); - Comparator<RangerBaseModelObject> comparator = getSorter(filter); + Comparator<RangerBaseModelObject> comparator = predicateUtil.getSorter(filter); if(comparator != null) { Collections.sort(ret, comparator); @@ -622,7 +628,7 @@ public class ServiceFileStore extends BaseFileStore { List<RangerPolicy> ret = getAllPolicies(); - CollectionUtils.filter(ret, createPredicateForResourceSignature(serviceName, policySignature, isPolicyEnabled)); + CollectionUtils.filter(ret, predicateUtil.createPredicateForResourceSignature(policySignature)); if (LOG.isDebugEnabled()) { LOG.debug(String.format("<== ServiceFileStore.getPoliciesByResourceSignature(%s, %s, %s): count[%d]: %s", @@ -641,9 +647,9 @@ public class ServiceFileStore extends BaseFileStore { List<RangerPolicy> ret = getAllPolicies(); if(ret != null && filter != null && !filter.isEmpty()) { - CollectionUtils.filter(ret, getPredicate(filter)); + CollectionUtils.filter(ret, predicateUtil.getPredicate(filter)); - Comparator<RangerBaseModelObject> comparator = getSorter(filter); + Comparator<RangerBaseModelObject> comparator = predicateUtil.getSorter(filter); if(comparator != null) { Collections.sort(ret, comparator); 
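Review bot: In the `@@ -622,7 +628,7 @@` hunk the filter is now built by `predicateUtil.createPredicateForResourceSignature(policySignature)`, while the removed call also passed `serviceName` and `isPolicyEnabled`, and the debug log a few lines below still formats all three arguments of `getPoliciesByResourceSignature`. A predicate that receives only the signature cannot restrict by service or by enabled state, so unless that filtering happens elsewhere in the method (its body starts and ends outside the hunk) the result can contain policies of other services, and disabled policies, that share the signature. If callers rely on this method to find an equivalent policy within one service, the signature predicate should be combined with service-name and enabled-state predicates (the removed class built such conjunctions with `PredicateUtils.allPredicate`), or the three-argument form should be kept. A comment on the method stating which of the three parameters actually constrain the result would prevent the mismatch from going unnoticed.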
@@ -745,7 +751,7 @@ public class ServiceFileStore extends BaseFileStore { } if(ret != null && ret.getPolicies() != null) { - Collections.sort(ret.getPolicies(), idComparator); + Collections.sort(ret.getPolicies(), predicateUtil.idComparator); } return ret; @@ -876,10 +882,10 @@ public class ServiceFileStore extends BaseFileStore { } if(ret != null) { - Collections.sort(ret, idComparator); + Collections.sort(ret, predicateUtil.idComparator); for(RangerServiceDef sd : ret) { - Collections.sort(sd.getResources(), resourceLevelComparator); + Collections.sort(sd.getResources(), predicateUtil.resourceLevelComparator); } } @@ -906,7 +912,7 @@ public class ServiceFileStore extends BaseFileStore { } if(ret != null) { - Collections.sort(ret, idComparator); + Collections.sort(ret, predicateUtil.idComparator); } return ret; @@ -928,7 +934,7 @@ public class ServiceFileStore extends BaseFileStore { } if(ret != null) { - Collections.sort(ret, idComparator); + Collections.sort(ret, predicateUtil.idComparator); } if(LOG.isDebugEnabled()) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/362acbcb/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 427b24b..009cbf8 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
@@ -99,8 +99,9 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumElementDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef; -import org.apache.ranger.plugin.store.AbstractServiceStore; import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; +import org.apache.ranger.plugin.store.ServicePredicateUtil; +import org.apache.ranger.plugin.store.ServiceStore; import org.apache.ranger.plugin.util.SearchFilter; import org.apache.ranger.plugin.util.ServicePolicies; import org.apache.ranger.service.RangerAuditFields; @@ -127,7 +128,7 @@ import org.springframework.transaction.support.TransactionTemplate; @Component -public class ServiceDBStore extends AbstractServiceStore { +public class ServiceDBStore implements ServiceStore { private static final Log LOG = LogFactory.getLog(ServiceDBStore.class); @Autowired @@ -181,6 +182,8 @@ public class ServiceDBStore extends AbstractServiceStore { public static final String HIDDEN_PASSWORD_STR = "*****"; public static final String CONFIG_KEY_PASSWORD = "password"; + + private ServicePredicateUtil predicateUtil = null; @Override public void init() throws Exception { @@ -205,6 +208,8 @@ public class ServiceDBStore extends AbstractServiceStore { TransactionTemplate txTemplate = new TransactionTemplate(txManager); final ServiceDBStore dbStore = this; + predicateUtil = new ServicePredicateUtil(dbStore); + txTemplate.execute(new TransactionCallback<Object>() { @Override @@ -926,7 +931,7 @@ public class ServiceDBStore extends AbstractServiceStore { RangerServiceDefList svcDefList = serviceDefService.searchRangerServiceDefs(filter); - applyFilter(svcDefList.getServiceDefs(), filter); + predicateUtil.applyFilter(svcDefList.getServiceDefs(), filter); List<RangerServiceDef> ret = svcDefList.getServiceDefs(); 
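Review bot: `predicateUtil` is declared as `null` in the `@@ -181,6 +182,8 @@` hunk and only assigned inside `init()` in the `@@ -205,6 +208,8 @@` hunk, whereas ServiceFileStore assigns it in both constructors. Every `predicateUtil.applyFilter(...)` call this commit adds to ServiceDBStore dereferences the field without a check, so a search that runs before `init()`, or on a path where the enclosing block of `init()` is skipped (that block is not visible in the hunk), would throw a NullPointerException. Initialising at the declaration removes the ordering dependency: `private final ServicePredicateUtil predicateUtil = new ServicePredicateUtil(this);`.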
@@ -944,7 +949,7 @@ public class ServiceDBStore extends AbstractServiceStore { RangerServiceDefList svcDefList = serviceDefService.searchRangerServiceDefs(filter); - applyFilter(svcDefList.getServiceDefs(), filter); + predicateUtil.applyFilter(svcDefList.getServiceDefs(), filter); if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceDBStore.getPaginatedServiceDefs(" + filter + ")"); @@ -959,18 +964,27 @@ public class ServiceDBStore extends AbstractServiceStore { LOG.debug("==> ServiceDefDBStore.createService(" + service + ")"); } + if (service == null) { + throw restErrorUtil.createRESTException( + "Service object cannot be null.", + MessageEnums.ERROR_CREATING_OBJECT); + } + boolean createDefaultPolicy = true; - UserSessionBase usb = ContextUtil.getCurrentUserSession(); - List<String> userRoleList=usb.getUserRoleList(); boolean isAllowed=false; + + UserSessionBase usb = ContextUtil.getCurrentUserSession(); + + List<String> userRoleList = usb == null ? null : usb.getUserRoleList(); if (userRoleList != null && userRoleList.contains(RangerConstants.ROLE_KEY_ADMIN)) { - if(service!=null && "KMS".equalsIgnoreCase(service.getType())){ - isAllowed=true; + if ("KMS".equalsIgnoreCase(service.getType())) { + isAllowed = true; } } if (usb != null && usb.isUserAdmin() || populateExistingBaseFields) { - isAllowed=true; + isAllowed = true; } + if (isAllowed) { Map<String, String> configs = service.getConfigs(); Map<String, String> validConfigs = validateRequiredConfigParams( @@ -1246,7 +1260,7 @@ public class ServiceDBStore extends AbstractServiceStore { RangerServiceList serviceList = svcService.searchRangerServices(filter); - applyFilter(serviceList.getServices(), filter); + predicateUtil.applyFilter(serviceList.getServices(), filter); List<RangerService> ret = serviceList.getServices(); 
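Review bot: The authorization condition `if (usb != null && usb.isUserAdmin() || populateExistingBaseFields)` in the `@@ -959,18 +964,27 @@` hunk depends on `&&` binding tighter than `||`, so when `populateExistingBaseFields` is true the service is created even when there is no user session, a state this hunk now explicitly tolerates through `usb == null ? null : usb.getUserRoleList()`. If that bypass is intended, make the grouping explicit and document it, `if ((usb != null && usb.isUserAdmin()) || populateExistingBaseFields) {`, with a comment stating which callers may set the flag. What happens when `isAllowed` stays false lies outside the hunk, so it is worth confirming that branch rejects the request rather than returning silently.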
@@ -1264,7 +1278,7 @@ public class ServiceDBStore extends AbstractServiceStore { RangerServiceList serviceList = svcService.searchRangerServices(filter); - applyFilter(serviceList.getServices(), filter); + predicateUtil.applyFilter(serviceList.getServices(), filter); if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceDBStore.getPaginatedServices()"); @@ -1450,7 +1464,7 @@ public class ServiceDBStore extends AbstractServiceStore { RangerPolicyList policyList = policyService.searchRangerPolicies(filter); - applyFilter(policyList.getPolicies(), filter); + predicateUtil.applyFilter(policyList.getPolicies(), filter); List<RangerPolicy> ret = policyList.getPolicies(); @@ -1471,7 +1485,7 @@ public class ServiceDBStore extends AbstractServiceStore { if (LOG.isDebugEnabled()) { LOG.debug("before filter: count=" + policyList.getListSize()); } - applyFilter(policyList.getPolicies(), filter); + predicateUtil.applyFilter(policyList.getPolicies(), filter); if (LOG.isDebugEnabled()) { LOG.debug("after filter: count=" + policyList.getListSize()); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/362acbcb/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java b/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java index f2b89ba..8b276d5 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 
@@ -63,6 +63,7 @@ public class RangerSearchUtil extends SearchUtil { ret.setParam(SearchFilter.USER, request.getParameter(SearchFilter.USER)); ret.setParam(SearchFilter.GROUP, request.getParameter(SearchFilter.GROUP)); ret.setParam(SearchFilter.POL_RESOURCE, request.getParameter(SearchFilter.POL_RESOURCE)); + ret.setParam(SearchFilter.RESOURCE_SIGNATURE, request.getParameter(SearchFilter.RESOURCE_SIGNATURE)); for (Map.Entry<String, String[]> e : request.getParameterMap().entrySet()) { String name = e.getKey();