Initial set of Policy-Engine changes for evaluating tag-policies, including changes after the second round of review. Revamped tag-policy evaluation; merged with commit 5e9ff8a in the tag-policy branch.
Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d61bce5c Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d61bce5c Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d61bce5c Branch: refs/heads/tag-policy Commit: d61bce5c4431a5dda9a5b21aeaa320690795ec99 Parents: 5e9ff8a Author: Abhay Kulkarni <[email protected]> Authored: Mon May 18 14:34:21 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Mon May 25 11:41:18 2015 -0700 ---------------------------------------------------------------------- .../RangerTagAttributeEvaluator.java | 49 +++ .../RangerAbstractContextEnricher.java | 26 ++ .../contextenricher/RangerContextEnricher.java | 9 + .../RangerFileBasedTagProvider.java | 111 ++++++ .../ranger/plugin/model/RangerPolicy.java | 20 +- .../plugin/policyengine/RangerAccessResult.java | 18 +- .../plugin/policyengine/RangerPolicyEngine.java | 10 +- .../policyengine/RangerPolicyEngineImpl.java | 343 ++++++++++++++++--- .../policyengine/RangerPolicyEngineOptions.java | 1 + .../policyengine/RangerPolicyRepository.java | 128 ++++--- .../RangerDefaultPolicyEvaluator.java | 9 + .../policyevaluator/RangerPolicyEvaluator.java | 4 +- .../ranger/plugin/service/RangerBasePlugin.java | 4 + .../plugin/store/AbstractServiceStore.java | 100 ++---- .../ranger/plugin/store/AbstractTagStore.java | 37 +- .../org/apache/ranger/plugin/store/PList.java | 45 +-- .../plugin/store/RangerPolicyPaginatedList.java | 62 ---- .../store/RangerServiceDefPaginatedList.java | 61 ---- .../store/RangerServicePaginatedList.java | 62 ---- .../ranger/plugin/store/ServiceStore.java | 13 +- .../apache/ranger/plugin/store/TagStore.java | 5 + .../plugin/policyengine/TestPolicyEngine.java | 46 ++- .../policyengine/test_policyengine_hdfs.json | 84 +++++ .../org/apache/ranger/biz/ServiceDBStore.java | 60 ++-- 
.../org/apache/ranger/rest/ServiceREST.java | 34 +- .../apache/ranger/biz/TestServiceDBStore.java | 20 +- .../org/apache/ranger/rest/TestServiceREST.java | 15 +- 27 files changed, 892 insertions(+), 484 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java new file mode 100644 index 0000000..324ae4c --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java 
@@ -0,0 +1,49 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.conditionevaluator; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; + +public class RangerTagAttributeEvaluator extends RangerAbstractConditionEvaluator { + private static final Log LOG = LogFactory.getLog(RangerTagAttributeEvaluator.class); + + @Override + public void init() { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerTagAttributeEvaluator.init(" + condition + ")"); + } + + super.init(); + } + + @Override + public boolean isMatched(RangerAccessRequest request) { + // TODO + // Set up environment: selected parts of request + // Invoke python interpreter + if (LOG.isDebugEnabled()) { + LOG.debug("RangerTagAttributeEvaluator.isMatched()"); + } + return true; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java ---------------------------------------------------------------------- 
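Review bot: isMatched() returns true unconditionally while the TODO marks it as unimplemented, so any policy-item condition that names this evaluator is treated as satisfied — for an allow policy item the stub fails open. Until the real matching exists, the safe default is to not match and to say so: `LOG.warn("RangerTagAttributeEvaluator.isMatched(): not implemented; condition '" + condition + "' treated as not matched"); return false;` (the `condition` field is already used this way in init()). The TODO also plans to hand "selected parts of request" to a Python interpreter; if that design goes ahead, request-derived values must be passed as data (arguments or environment) rather than spliced into script text, and the interpreter and script must come from admin-controlled configuration only.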
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java index 0e18494..922cfea 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java @@ -27,6 +27,8 @@ import java.util.Properties; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.model.RangerService; +import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerContextEnricherDef; @@ -34,6 +36,10 @@ public abstract class RangerAbstractContextEnricher implements RangerContextEnri private static final Log LOG = LogFactory.getLog(RangerAbstractContextEnricher.class); protected RangerContextEnricherDef enricherDef; + protected String serviceName; + protected RangerServiceDef serviceDef; + protected String componentServiceName; + protected RangerServiceDef componentServiceDef; private Map<String, String> options = null; 
@@ -55,6 +61,26 @@ public abstract class RangerAbstractContextEnricher implements RangerContextEnri } } + @Override + public void setContextServiceName(String serviceName) { + this.serviceName = serviceName; + } + + @Override + public void setContextServiceDef(RangerServiceDef serviceDef) { + this.serviceDef = serviceDef; + } + + @Override + public void setContextComponentServiceName(String componentServiceName) { + this.componentServiceName = componentServiceName; + } + + @Override + public void setContextComponentServiceDef(RangerServiceDef componentServiceDef) { + this.componentServiceDef = componentServiceDef; + } + public String getOption(String name) { String ret = null; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerContextEnricher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerContextEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerContextEnricher.java index 073225b..a614a0f 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerContextEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerContextEnricher.java 
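Review bot: The four new setters store their arguments into protected mutable fields without any check, and nothing documents that they must be populated before enrich() runs — RangerFileBasedTagProvider.enrich() passes componentServiceDef straight to getAsString(). A short Javadoc on each would close that gap, e.g. on setContextComponentServiceDef: `/** Service-def of the component (resource) service whose requests this enricher augments; must be set before enrich() is called. */`. If a null service-def is never legitimate, `Objects.requireNonNull` in the two *ServiceDef setters would surface a mis-wired enricher at startup instead of at request time — I can't tell from this hunk whether the engine ever passes null.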
@@ -20,12 +20,21 @@ package org.apache.ranger.plugin.contextenricher; +import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerContextEnricherDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; public interface RangerContextEnricher { void setContextEnricherDef(RangerContextEnricherDef enricherDef); + void setContextServiceName(String serviceName); + + void setContextServiceDef(RangerServiceDef serviceDef); + + void setContextComponentServiceName(String componentServiceName); + + void setContextComponentServiceDef(RangerServiceDef componentServiceDef); + void init(); void enrich(RangerAccessRequest request); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java new file mode 100644 index 0000000..3b5520e --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java 
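Review bot: The four added interface methods carry no Javadoc, and the names leave the reader to guess how `serviceName`/`serviceDef` differ from `componentServiceName`/`componentServiceDef`. From the RangerPolicyRepository call in RangerPolicyEngineImpl (`tagPolicies, options, servicePolicies.getServiceName(), servicePolicies.getServiceDef()`) it appears the plain pair is the service owning the enricher (the tag service) and the component pair is the resource service whose requests are enriched — please confirm before documenting. Suggested: on setContextServiceName `/** Name of the service whose policies own this enricher (the tag service for tag enrichers). */` and on setContextComponentServiceName `/** Name of the component (resource) service whose access requests this enricher augments. */`, with matching text on the two *ServiceDef setters.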
@@ -0,0 +1,111 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.contextenricher; + +import java.lang.reflect.Type; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Properties; + +import com.google.gson.Gson; +import com.google.gson.GsonBuilder; +import com.google.gson.reflect.TypeToken; +import org.apache.commons.lang.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.model.RangerResource; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; + + +public class RangerFileBasedTagProvider extends RangerAbstractContextEnricher { + private static final Log LOG = LogFactory.getLog(RangerFileBasedTagProvider.class); + + private Properties resourceTagsMap = null; + String dataFile = null; + private Gson gsonBuilder = null; + + @Override + public void init() { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerFileBasedTagProvider.init()"); + } + + super.init(); + + dataFile = getOption("dataFile", "/etc/ranger/data/resourceTags.txt"); + + resourceTagsMap = 
readProperties(dataFile); + + gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z") + .setPrettyPrinting() + .create(); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerFileBasedTagProvider.init()"); + } + } + + @Override + public void enrich(RangerAccessRequest request) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerFileBasedTagProvider.enrich(" + request + ")"); + } + + if(request != null && resourceTagsMap != null) { + Map<String, Object> context = request.getContext(); + /* + This needs to know about : + - componentServiceDef (to filter on component-type which is required for getting matchers), and + - serviceName (to filter on cluster-specific tags) + */ + // Provider is file-based. + // tags are a JSON strings + + String requestedResource = request.getResource().getAsString(componentServiceDef); + + if(LOG.isDebugEnabled()) { + LOG.debug("RangerFileBasedTagProvider.enrich(): requestedResource = '"+ requestedResource +"'"); + } + String tagsJsonString = resourceTagsMap.getProperty(requestedResource); + + if(!StringUtils.isEmpty(tagsJsonString) && context != null) { + try { + Type listType = new TypeToken<List<RangerResource.RangerResourceTag>>() { + }.getType(); + List<RangerResource.RangerResourceTag> tagList = gsonBuilder.fromJson(tagsJsonString, listType); + + context.put(RangerPolicyEngine.KEY_CONTEXT_TAGS, tagList); + } catch (Exception e) { + LOG.error("RangerFileBasedTagProvider.enrich(): error parsing file " + this.dataFile + "exception=" + e); + } + } else { + if(LOG.isDebugEnabled()) { + LOG.debug("RangerFileBasedTagProvider.enrich(): skipping due to unavailable context or tags. 
context=" + context + "; tags=" + tagsJsonString); + } + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerFileBasedTagProvider.enrich(" + request + ")"); + } + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java index 4001e7e..d634ea7 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java @@ -41,6 +41,8 @@ import org.codehaus.jackson.map.annotate.JsonSerialize; @XmlRootElement @XmlAccessorType(XmlAccessType.FIELD) public class RangerPolicy extends RangerBaseModelObject implements java.io.Serializable { + public static final int FINAL_ACCESS_DECIDER_POLICY_TYPE = 1; + private static final long serialVersionUID = 1L; private String service = null; @@ -54,7 +56,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria /** - * @param type + * @param */ public RangerPolicy() { this(null, null, null, null, null, null, null); @@ -106,7 +108,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria } /** - * @param type the type to set + * @param service the type to set */ public void setService(String service) { this.service = service; @@ -176,7 +178,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria } /** - * @param isEnabled the isEnabled to set + * @param isAuditEnabled the isEnabled to set */ public void setIsAuditEnabled(Boolean isAuditEnabled) { this.isAuditEnabled = isAuditEnabled == null ? Boolean.TRUE : isAuditEnabled; 
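Review bot: When the tags file yields no entries or a resource's tag JSON fails to parse, enrich() leaves KEY_CONTEXT_TAGS unset and every tag policy — including any deny — silently stops applying to that resource; the only trace is a DEBUG line, or an error that also drops the stack trace. init() should at least warn when nothing was loaded: `if (resourceTagsMap == null || resourceTagsMap.isEmpty()) { LOG.warn("RangerFileBasedTagProvider.init(): no resource tags loaded from " + dataFile + "; tag policies will not be applied"); }` (assuming readProperties() returns null or empty on a missing file — confirm). In the catch block, pass `e` as the second argument to LOG.error, add a separator before `exception=`, and say "error parsing tags for resource " + requestedResource rather than "parsing file", since it is one entry that failed. Because `dataFile` comes from enricher options and its contents drive access decisions, the deployment notes for this provider should state that the file must be writable only by the plugin's service account.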
@@ -190,7 +192,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria } /** - * @param configs the resources to set + * @param resources the resources to set */ public void setResources(Map<String, RangerPolicyResource> resources) { if(this.resources == null) { @@ -238,6 +240,14 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria } } + public boolean isFinalDecider() { + boolean isFinalDecidingPolicy = true; + + if (getPolicyType() == null || getPolicyType() != FINAL_ACCESS_DECIDER_POLICY_TYPE) { + isFinalDecidingPolicy = false; + } + return isFinalDecidingPolicy; + } @Override public String toString( ) { StringBuilder sb = new StringBuilder(); @@ -832,7 +842,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria } /** - * @param value the value to set + * @param values the value to set */ public void setValues(List<String> values) { if (CollectionUtils.isEmpty(values)) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java index 3a1fa1d..934f502 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 
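Review bot: isFinalDecider() and FINAL_ACCESS_DECIDER_POLICY_TYPE introduce a policy type that the engine treats specially (RangerPolicyEngineImpl tests `evaluator.isFinalDecider()` during tag evaluation), but neither the constant nor the method explains what "final decider" means or that the value 1 is a policyType an admin assigns. The body also reduces to one line: `return getPolicyType() != null && getPolicyType() == FINAL_ACCESS_DECIDER_POLICY_TYPE;`. Suggested Javadoc: `/** True when policyType is FINAL_ACCESS_DECIDER_POLICY_TYPE, i.e. a match on this policy is meant to end evaluation for the request. */` — confirm the exact semantics against the engine code, which is cut off at the end of this diff, before wording it that firmly.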
@@ -23,9 +23,9 @@ import org.apache.ranger.plugin.model.RangerServiceDef; public class RangerAccessResult { - private String serviceName = null; - private RangerServiceDef serviceDef = null; - private RangerAccessRequest request = null; + private final String serviceName; + private final RangerServiceDef serviceDef; + private final RangerAccessRequest request; private boolean isAccessDetermined = false; private boolean isAllowed = false; @@ -34,7 +34,7 @@ public class RangerAccessResult { private long policyId = -1; private String reason = null; - public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, RangerAccessRequest request) { + public RangerAccessResult(final String serviceName, final RangerServiceDef serviceDef, final RangerAccessRequest request) { this.serviceName = serviceName; this.serviceDef = serviceDef; this.request = request; @@ -46,6 +46,14 @@ public class RangerAccessResult { this.reason = null; } + public void setAccessResultFrom(final RangerAccessResult other) { + this.isAccessDetermined = other.getIsAccessDetermined(); + this.isAllowed = other.getIsAllowed(); + this.policyId = other.getPolicyId(); + this.reason = other.getReason(); + } + + /** * @return the serviceName */ @@ -129,7 +137,7 @@ public class RangerAccessResult { } /** - * @return the policyId + * @param policyId the policyId to set */ public void setPolicyId(long policyId) { this.policyId = policyId; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index 0a0b210..bc4b9a7 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 
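Review bot: setAccessResultFrom(other) dereferences `other` without a null check and copies only the access-decision fields (isAccessDetermined, isAllowed, policyId, reason), leaving this result's audit fields untouched; that asymmetry follows from the name but is undocumented, and a caller could easily assume a full copy. Add `Objects.requireNonNull(other, "other");` (java.util.Objects) and a Javadoc such as `/** Copies the access decision (determined/allowed/policyId/reason) from another result for the same request; audit-related fields are not copied. */`. Making serviceName, serviceDef and request final is a welcome change.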
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -29,10 +29,12 @@ import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; public interface RangerPolicyEngine { - public static final String GROUP_PUBLIC = "public"; - public static final String ANY_ACCESS = "_any"; - public static final String ADMIN_ACCESS = "_admin"; - public static final long UNKNOWN_POLICY = -1; + String GROUP_PUBLIC = "public"; + String ANY_ACCESS = "_any"; + String ADMIN_ACCESS = "_admin"; + + String KEY_CONTEXT_TAGS = "TAGS"; + String KEY_CONTEXT_TAG_OBJECT = "TAG_OBJECT"; String getServiceName(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 4219875..0dc7981 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
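Review bot: The hunk removes the public constant `UNKNOWN_POLICY = -1` from the RangerPolicyEngine interface; any plugin or downstream code referencing `RangerPolicyEngine.UNKNOWN_POLICY` will stop compiling, and the -1 sentinel is still in use (RangerAccessResult initialises policyId to -1 in this same diff). Unless a search shows no remaining users, keep `long UNKNOWN_POLICY = -1;` alongside the new KEY_CONTEXT_* constants. KEY_CONTEXT_TAG_OBJECT is added but not referenced anywhere in this diff; either add a one-line comment naming which enricher is expected to populate it, or defer it until it is used.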
@@ -20,44 +20,81 @@ package org.apache.ranger.plugin.policyengine; import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.contextenricher.RangerContextEnricher; import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerResource; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.util.ServicePolicies; -import java.util.ArrayList; -import java.util.Collection; -import java.util.List; -import java.util.Map; -import java.util.Set; +import java.util.*; public class RangerPolicyEngineImpl implements RangerPolicyEngine { private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class); private final RangerPolicyRepository policyRepository; - + private final RangerPolicyRepository tagPolicyRepository; + + private final List<RangerContextEnricher> allContextEnrichers; public RangerPolicyEngineImpl(ServicePolicies servicePolicies) { this(servicePolicies, null); } public RangerPolicyEngineImpl(ServicePolicies servicePolicies, RangerPolicyEngineOptions options) { - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl(" + servicePolicies + ", " + options + ")"); } - if(options == null) { + if (options == null) { options = new RangerPolicyEngineOptions(); } policyRepository = new RangerPolicyRepository(servicePolicies, options); - if(LOG.isDebugEnabled()) { + ServicePolicies.TagPolicies tagPolicies = servicePolicies.getTagPolicies(); + + if (!options.disableTagPolicyEvaluation + && tagPolicies != null + && !StringUtils.isEmpty(tagPolicies.getServiceName()) + && tagPolicies.getServiceDef() != null + && 
!CollectionUtils.isEmpty(tagPolicies.getPolicies())) { + + if (LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyEngineImpl : Building tag-policy-repository for tag-service " + tagPolicies.getServiceName()); + } + tagPolicyRepository = new RangerPolicyRepository(tagPolicies, options, servicePolicies.getServiceName(), + servicePolicies.getServiceDef()); + + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyEngineImpl : No tag-policy-repository for service " + servicePolicies.getServiceName()); + } + tagPolicyRepository = null; + } + + List<RangerContextEnricher> tmpList; + + List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers(); + List<RangerContextEnricher> resourceContextEnrichers = policyRepository.getContextEnrichers(); + + if (CollectionUtils.isEmpty(tagContextEnrichers)) { + tmpList = resourceContextEnrichers; + } else if (CollectionUtils.isEmpty(resourceContextEnrichers)) { + tmpList = tagContextEnrichers; + } else { + tmpList = new ArrayList<RangerContextEnricher>(tagContextEnrichers); + tmpList.addAll(resourceContextEnrichers); + } + + this.allContextEnrichers = tmpList; + + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl()"); } } 
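Review bot: tagPolicyRepository is built here, but in the code later in this file only isAccessAllowedNoAudit consults it; the `isAccessAllowed(RangerAccessResource, user, groups, accessType)`, `isAccessAllowed(Map<String, RangerPolicyResource>, …)` and `getAllowedPolicies` overloads still iterate `policyRepository.getPolicyEvaluators()` alone, so a tag-based deny is invisible to any caller using those entry points. If those overloads are used for enforcement anywhere, they need the same tag pass; otherwise their Javadoc should state that they evaluate resource policies only. Separately, when `options.disableTagPolicyEvaluation` is set for a service that does have tag policies, the fact that they will not be enforced is logged only at DEBUG — that deserves `LOG.info` at least, so an operator can see it in normal logs. The switch to `import java.util.*` also departs from the explicit imports used elsewhere in this file.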
@@ -84,57 +121,57 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { @Override public void enrichContext(RangerAccessRequest request) { - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.enrichContext(" + request + ")"); } - List<RangerContextEnricher> enrichers = policyRepository.getContextEnrichers(); + List<RangerContextEnricher> enrichers = allContextEnrichers; - if(request != null && !CollectionUtils.isEmpty(enrichers)) { - for(RangerContextEnricher enricher : enrichers) { + if (request != null && !CollectionUtils.isEmpty(enrichers)) { + for (RangerContextEnricher enricher : enrichers) { enricher.enrich(request); } } - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl.enrichContext(" + request + ")"); } } @Override public void enrichContext(Collection<RangerAccessRequest> requests) { - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.enrichContext(" + requests + ")"); } - List<RangerContextEnricher> enrichers = policyRepository.getContextEnrichers(); + List<RangerContextEnricher> enrichers = allContextEnrichers; - if(!CollectionUtils.isEmpty(requests) && !CollectionUtils.isEmpty(enrichers)) { - for(RangerContextEnricher enricher : enrichers) { - for(RangerAccessRequest request : requests) { + if (!CollectionUtils.isEmpty(requests) && !CollectionUtils.isEmpty(enrichers)) { + for (RangerContextEnricher enricher : enrichers) { + for (RangerAccessRequest request : requests) { enricher.enrich(request); } } } - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl.enrichContext(" + requests + ")"); } } @Override public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) { - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + request + ")"); } 
RangerAccessResult ret = isAccessAllowedNoAudit(request); - if(resultProcessor != null) { + if (resultProcessor != null) { resultProcessor.processResult(ret); } - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + request + "): " + ret); } @@ -143,25 +180,26 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { @Override public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAccessResultProcessor resultProcessor) { - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + requests + ")"); } - + Collection<RangerAccessResult> ret = new ArrayList<RangerAccessResult>(); - if(requests != null) { - for(RangerAccessRequest request : requests) { + if (requests != null) { + for (RangerAccessRequest request : requests) { + RangerAccessResult result = isAccessAllowedNoAudit(request); ret.add(result); } } - if(resultProcessor != null) { + if (resultProcessor != null) { resultProcessor.processResults(ret); } - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + requests + "): " + ret); } 
@@ -170,21 +208,21 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { @Override public boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType) { - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + ")"); } boolean ret = false; - for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { + for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { ret = evaluator.isAccessAllowed(resource, user, userGroups, accessType); - if(ret) { + if (ret) { break; } } - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret); } @@ -194,21 +232,21 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { @Override public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) { - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")"); } boolean ret = false; - for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { + for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType); - if(ret) { + if (ret) { break; } } - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret); } 
@@ -217,21 +255,21 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { @Override public RangerPolicy getExactMatchPolicy(RangerAccessResource resource) { - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + ")"); } RangerPolicy ret = null; - for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { - if(evaluator.isSingleAndExactMatch(resource)) { + for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { + if (evaluator.isSingleAndExactMatch(resource)) { ret = evaluator.getPolicy(); break; } } - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + "): " + ret); } @@ -240,23 +278,23 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { @Override public List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String accessType) { - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.getAllowedPolicies(" + user + ", " + userGroups + ", " + accessType + ")"); } List<RangerPolicy> ret = new ArrayList<RangerPolicy>(); - for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { + for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { RangerPolicy policy = evaluator.getPolicy(); boolean isAccessAllowed = isAccessAllowed(policy.getResources(), user, userGroups, accessType); - if(isAccessAllowed) { + if (isAccessAllowed) { ret.add(policy); } } - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl.getAllowedPolicies(" + user + ", " + userGroups + ", " + accessType + "): policyCount=" + ret.size()); } 
@@ -264,41 +302,160 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } protected RangerAccessResult isAccessAllowedNoAudit(RangerAccessRequest request) { - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + ")"); } RangerAccessResult ret = createAccessResult(request); - if(ret != null && request != null) { + if (ret != null && request != null) { + + if (tagPolicyRepository != null) { + + RangerAccessResult tagAccessResult = isAccessAllowedForTagPolicies(request); + + if (tagAccessResult.getIsAccessDetermined()) { + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + "): " + tagAccessResult); + } + + return tagAccessResult; + } + } + List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators(); - if(evaluators != null) { + if (evaluators != null) { + boolean foundInCache = policyRepository.setAuditEnabledFromCache(request, ret); - for(RangerPolicyEvaluator evaluator : evaluators) { + for (RangerPolicyEvaluator evaluator : evaluators) { evaluator.evaluate(request, ret); - // stop once allowed==true && auditedDetermined==true - if(ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) { + // stop once isAccessDetermined==true && isAuditedDetermined==true + if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) { break; } } - if(! 
foundInCache) { + if (!foundInCache) { policyRepository.storeAuditEnabledInCache(request, ret); } } } - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + "): " + ret); } return ret; } + protected RangerAccessResult isAccessAllowedForTagPolicies(final RangerAccessRequest request) { + + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ")"); + } + + RangerAccessResult result = createAccessResult(request); + + Map<String, Object> context = request.getContext(); + Object contextObj; + + if (context != null && (contextObj = context.get(KEY_CONTEXT_TAGS)) != null) { + + @SuppressWarnings("unchecked") + List<RangerResource.RangerResourceTag> resourceTags = (List<RangerResource.RangerResourceTag>) contextObj; + + List<RangerPolicyEvaluator> evaluators; + + if (!CollectionUtils.isEmpty(evaluators = tagPolicyRepository.getPolicyEvaluators())) { + + boolean someTagPolicyDeniedAccess = false; + boolean someTagPolicyAllowedAccess = false; + boolean someTagPolicyRequiredAudit = false; + RangerAccessResult allowedAccessResult = createAccessResult(request); + RangerAccessResult deniedAccessResult = createAccessResult(request); + + List<RangerTagAuditEvent> tagAuditEvents = new ArrayList<RangerTagAuditEvent>(); + + for (RangerResource.RangerResourceTag resourceTag : resourceTags) { + if (LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: Evaluating policies for tag (" + resourceTag.getName() + ")"); + } + + RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(resourceTag, getServiceDef().getName(), request); + RangerAccessResult tagEvalResult = createAccessResult(tagEvalRequest); + + for (RangerPolicyEvaluator evaluator : evaluators) { + + evaluator.evaluate(tagEvalRequest, tagEvalResult); + + if (evaluator.isFinalDecider() || + (tagEvalResult.getIsAccessDetermined() && 
tagEvalResult.getIsAuditedDetermined())) { + if (LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval for tag-policy-id=" + tagEvalResult.getPolicyId() + " for tag (" + resourceTag.getName() + ") with authorization=" + tagEvalResult.getIsAllowed()); + } + break; + } + } + + if (tagEvalResult.getIsAuditedDetermined()) { + someTagPolicyRequiredAudit = true; + // And generate an audit event + if (tagEvalResult.getIsAccessDetermined()) { + RangerTagAuditEvent event = new RangerTagAuditEvent(resourceTag.getName(), tagEvalResult); + tagAuditEvents.add(event); + } + } + + if (tagEvalResult.getIsAccessDetermined()) { + if (tagEvalResult.getIsAllowed()) { + if (LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: access allowed"); + } + someTagPolicyAllowedAccess = true; + allowedAccessResult.setAccessResultFrom(tagEvalResult); + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: access denied"); + } + someTagPolicyDeniedAccess = true; + deniedAccessResult.setAccessResultFrom(tagEvalResult); + } + } + } + + if (someTagPolicyDeniedAccess) { + result.setAccessResultFrom(deniedAccessResult); + } else if (someTagPolicyAllowedAccess) { + result.setAccessResultFrom(allowedAccessResult); + } + + if (someTagPolicyRequiredAudit) { + if (LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: at least one tag-policy requires audit"); + } + result.setIsAudited(true); + RangerTagAuditEvent.processTagEvents(tagAuditEvents, someTagPolicyDeniedAccess); + // Set processed list into result + // result.setAuxilaryAuditInfo(tagAuditEvents); + } + if (LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies() : result=" + result); + LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies() : auditEventList=" + tagAuditEvents); + } + } + } + if (LOG.isDebugEnabled()) { + 
LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ")" ); + } + + return result; + } + @Override public String toString( ) { StringBuilder sb = new StringBuilder(); 
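Review bot: A tag-policy result that only determines auditing is lost: `isAccessAllowedNoAudit` returns `tagAccessResult` only when `getIsAccessDetermined()` is true, so the `result.setIsAudited(true)` that `isAccessAllowedForTagPolicies` sets when `someTagPolicyRequiredAudit` is true never reaches `ret` when no tag policy decided access, and the resource-policy path starts again from a fresh `createAccessResult(request)`. Carrying the flag over before the resource loop, e.g. `if (tagAccessResult.getIsAuditedDetermined()) { ret.setIsAudited(tagAccessResult.getIsAudited()); }`, would preserve the audit requirement, though whether the later `setAuditEnabledFromCache` and evaluator calls overwrite it depends on RangerAccessResult, which is outside this hunk. In the inner evaluator loop the `break` fires on `evaluator.isFinalDecider()` even when that evaluator did not match the tag, so a final-decider policy written for a different tag ends evaluation for the current tag; `if ((evaluator.isFinalDecider() && tagEvalResult.getIsAccessDetermined()) || (tagEvalResult.getIsAccessDetermined() && tagEvalResult.getIsAuditedDetermined())) {` limits the short-circuit to a policy that actually decided. The early `return tagAccessResult` also means an allow from a tag policy returns before any resource policy runs, overriding a resource-level deny; if that precedence is intended it should be stated next to the return, e.g. `// tag-policy decisions (allow or deny) take precedence over resource policies`.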
@@ -319,3 +476,83 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { return sb; } } +class RangerTagResource extends RangerAccessResourceImpl { + private static final String KEY_TAG = "tag"; + + + public RangerTagResource(String tag) { + super.setValue(KEY_TAG, tag); + } +} + +class RangerTagAccessRequest extends RangerAccessRequestImpl { + public RangerTagAccessRequest(RangerResource.RangerResourceTag resourceTag, String componentName, RangerAccessRequest request) { + super.setResource(new RangerTagResource(resourceTag.getName())); + super.setUser(request.getUser()); + super.setUserGroups(request.getUserGroups()); + super.setAction(request.getAction()); + super.setAccessType(componentName + ":" + request.getAccessType()); + super.setAccessTime(request.getAccessTime()); + super.setRequestData(request.getRequestData()); + + Map<String, Object> requestContext = request.getContext(); + if (requestContext == null) { + requestContext = new HashMap<String, Object>(); + } + requestContext.put(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT, resourceTag); + super.setContext(requestContext); + + super.setClientType(request.getClientType()); + super.setClientIPAddress(request.getClientIPAddress()); + super.setSessionId(request.getSessionId()); + } +} + + +class RangerTagAuditEvent { + private final String tagName; + private final RangerAccessResult result; + + RangerTagAuditEvent(String tagName, RangerAccessResult result) { + this.tagName = tagName; + this.result = result; + } + @Override + public String toString( ) { + StringBuilder sb = new StringBuilder(); + + toString(sb); + + return sb.toString(); + } + + public void toString(StringBuilder sb) { + sb.append("RangerTagAuditEvent={"); + + sb.append("tagName={").append(this.tagName).append("} "); + sb.append("isAccessDetermined={").append(this.result.getIsAccessDetermined()).append("}"); + sb.append("isAllowed={").append(this.result.getIsAllowed()).append("}"); + 
sb.append("policyId={").append(this.result.getPolicyId()).append("}"); + sb.append("reason={").append(this.result.getReason()).append("}"); + + sb.append("}"); + + } + + static void processTagEvents(List<RangerTagAuditEvent> tagAuditEvents, final boolean deniedAccess) { + // Process tagAuditEvents to delete unwanted events + + if (CollectionUtils.isEmpty(tagAuditEvents)) return; + + List<RangerTagAuditEvent> unwantedEvents = new ArrayList<RangerTagAuditEvent> (); + if (deniedAccess) { + for (RangerTagAuditEvent auditEvent : tagAuditEvents) { + RangerAccessResult result = auditEvent.result; + if (result.getIsAllowed()) { + unwantedEvents.add(auditEvent); + } + } + tagAuditEvents.removeAll(unwantedEvents); + } + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java index a5c1dfb..dcd1b3c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java @@ -27,4 +27,5 @@ public class RangerPolicyEngineOptions { public boolean cacheAuditResults = true; public boolean disableContextEnrichers = false; public boolean disableCustomConditions = false; + public boolean disableTagPolicyEvaluation = true; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java ---------------------------------------------------------------------- 
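Review bot: `RangerTagAccessRequest` mutates the caller's context: when `request.getContext()` is non-null the same map is reused and `requestContext.put(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT, resourceTag)` writes into it, so every per-tag request built in `isAccessAllowedForTagPolicies` overwrites the same entry and the original request ends up carrying whichever tag was evaluated last. Copying the map removes the aliasing: `Map<String, Object> requestContext = request.getContext() == null ? new HashMap<String, Object>() : new HashMap<String, Object>(request.getContext());`. A smaller point in `RangerTagAuditEvent.processTagEvents`: `tagAuditEvents.removeAll(unwantedEvents)` relies on identity comparison because the class does not override `equals`, which is correct today but deserves a line such as `// identity semantics: RangerTagAuditEvent does not override equals`.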
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 6a355ff..c1c71f0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -45,19 +45,84 @@ public class RangerPolicyRepository { private final RangerServiceDef serviceDef; private final List<RangerPolicy> policies; private final long policyVersion; - private final List<RangerContextEnricher> contextEnrichers; - private final List<RangerPolicyEvaluator> policyEvaluators; + private List<RangerContextEnricher> contextEnrichers; + private List<RangerPolicyEvaluator> policyEvaluators; private final Map<String, Boolean> accessAuditCache; - private static int RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE = 64*1024; + private final String componentServiceName; + private final RangerServiceDef componentServiceDef; RangerPolicyRepository(ServicePolicies servicePolicies, RangerPolicyEngineOptions options) { super(); - serviceName = servicePolicies.getServiceName(); - serviceDef = servicePolicies.getServiceDef(); - policies = Collections.unmodifiableList(servicePolicies.getPolicies()); - policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion().longValue() : -1; + this.componentServiceName = this.serviceName = servicePolicies.getServiceName(); + this.componentServiceDef = this.serviceDef = servicePolicies.getServiceDef(); + this.policies = Collections.unmodifiableList(servicePolicies.getPolicies()); + this.policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion() : -1; + + if(LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyRepository : building resource-policy-repository for service " + serviceName); + } + + String propertyName = "ranger.plugin." 
+ serviceName + ".policyengine.auditcachesize"; + + if (options.cacheAuditResults) { + final int RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE = 64*1024; + + int auditResultCacheSize = RangerConfiguration.getInstance().getInt(propertyName, RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE); + accessAuditCache = Collections.synchronizedMap(new CacheMap<String, Boolean>(auditResultCacheSize)); + } else { + accessAuditCache = null; + } + + init(options); + + } + + RangerPolicyRepository(ServicePolicies.TagPolicies tagPolicies, RangerPolicyEngineOptions options, String componentServiceName, + RangerServiceDef componentServiceDef) { + super(); + this.serviceName = tagPolicies.getServiceName(); + this.serviceDef = tagPolicies.getServiceDef(); + this.componentServiceName = componentServiceName; + this.componentServiceDef = componentServiceDef; + this.policies = Collections.unmodifiableList(tagPolicies.getPolicies()); + this.policyVersion = tagPolicies.getPolicyVersion() != null ? tagPolicies.getPolicyVersion() : -1; + this.accessAuditCache = null; + + if(LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyRepository : building tag-policy-repository for tag service " + serviceName); + } + + init(options); + + } + + public String getServiceName() { return serviceName; } + + public RangerServiceDef getServiceDef() { + return serviceDef; + } + + public List<RangerPolicy> getPolicies() { + return policies; + } + + public long getPolicyVersion() { + return policyVersion; + } + + public List<RangerContextEnricher> getContextEnrichers() { return contextEnrichers; } + + public List<RangerPolicyEvaluator> getPolicyEvaluators() { + return policyEvaluators; + } + + public RangerServiceDef getComponentServiceDef() { return this.componentServiceDef; } + + public String getComponentServiceName() { return this.componentServiceName; } + + private void init(RangerPolicyEngineOptions options) { List<RangerContextEnricher> contextEnrichers = new ArrayList<RangerContextEnricher>(); if 
(!options.disableContextEnrichers && !CollectionUtils.isEmpty(serviceDef.getContextEnrichers())) { @@ -69,14 +134,14 @@ public class RangerPolicyRepository { RangerContextEnricher contextEnricher = buildContextEnricher(enricherDef); if(contextEnricher != null) { - contextEnrichers.add(contextEnricher); + contextEnrichers.add(contextEnricher); } } } this.contextEnrichers = Collections.unmodifiableList(contextEnrichers); List<RangerPolicyEvaluator> policyEvaluators = new ArrayList<RangerPolicyEvaluator>(); - for (RangerPolicy policy : servicePolicies.getPolicies()) { + for (RangerPolicy policy : policies) { if (!policy.getIsEnabled()) { continue; } @@ -90,39 +155,6 @@ public class RangerPolicyRepository { Collections.sort(policyEvaluators); this.policyEvaluators = Collections.unmodifiableList(policyEvaluators); - String propertyName = "ranger.plugin." + serviceName + ".policyengine.auditcachesize"; - - if(options.cacheAuditResults) { - int auditResultCacheSize = RangerConfiguration.getInstance().getInt(propertyName, RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE); - - accessAuditCache = Collections.synchronizedMap(new CacheMap<String, Boolean>(auditResultCacheSize)); - } else { - accessAuditCache = null; - } - } - - public String getServiceName() { - return serviceName; - } - - public RangerServiceDef getServiceDef() { - return serviceDef; - } - - public List<RangerPolicy> getPolicies() { - return policies; - } - - public long getPolicyVersion() { - return policyVersion; - } - - public List<RangerContextEnricher> getContextEnrichers() { - return contextEnrichers; - } - - public List<RangerPolicyEvaluator> getPolicyEvaluators() { - return policyEvaluators; } private RangerContextEnricher buildContextEnricher(RangerServiceDef.RangerContextEnricherDef enricherDef) { 
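Review bot: `contextEnrichers` and `policyEvaluators` lose their `final` modifier so that the private `init(options)` can assign them after both constructor bodies, which gives up the final-field publication guarantee on a repository the engine reads from request threads; the constructor still completes before the instance is handed out, so this is a weakening rather than a race, but it is worth keeping. One way to keep the fields final is to have `init` return the two lists and let each constructor do the `this.contextEnrichers = ...` / `this.policyEvaluators = ...` assignments itself; otherwise the fields should carry `// assigned exactly once in init(); not final because both constructors share that step`. The new single-line getters (`public String getServiceName() { return serviceName; }`) also differ from the braced multi-line style of the getters right next to them.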
@@ -148,6 +180,10 @@ public class RangerPolicyRepository { if(ret != null) { ret.setContextEnricherDef(enricherDef); + ret.setContextServiceName(serviceName); + ret.setContextServiceDef(serviceDef); + ret.setContextComponentServiceName(componentServiceName); + ret.setContextComponentServiceDef(componentServiceDef); ret.init(); } @@ -162,7 +198,7 @@ public class RangerPolicyRepository { LOG.debug("==> RangerPolicyRepository.buildPolicyEvaluator(" + policy + "," + serviceDef + ", " + options + ")"); } - RangerPolicyEvaluator ret = null; + RangerPolicyEvaluator ret; if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_DEFAULT)) { ret = new RangerDefaultPolicyEvaluator(); @@ -210,7 +246,7 @@ public class RangerPolicyRepository { LOG.debug("==> RangerPolicyRepository.storeAuditEnabledInCache()"); } - if ((ret.getIsAuditedDetermined() == true)) { + if ((ret.getIsAuditedDetermined())) { String strResource = request.getResource().getAsString(getServiceDef()); Boolean value = ret.getIsAudited() ? Boolean.TRUE : Boolean.FALSE; @@ -240,6 +276,10 @@ public class RangerPolicyRepository { sb.append("serviceName={").append(serviceName).append("} "); sb.append("serviceDef={").append(serviceDef).append("} "); + sb.append("componentServiceName={").append(componentServiceName).append("} "); + sb.append("componentServiceDef={").append(componentServiceDef).append("} "); + + sb.append("policyEvaluators={"); if (policyEvaluators != null) { for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- 
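Review bot: `if ((ret.getIsAuditedDetermined())) {` in `storeAuditEnabledInCache` keeps a redundant pair of parentheses left over from the removed `== true`; `if (ret.getIsAuditedDetermined()) {` is the intended form. In the `toString` hunk, appending `componentServiceDef` in full right after `serviceDef` prints the same definition twice for a resource-policy repository, since the first constructor assigns both fields from the same object; `sb.append("componentServiceDef={").append(componentServiceDef == null ? null : componentServiceDef.getName()).append("} ");` keeps the log line readable.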
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index ede91f0..fe98c4b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -226,6 +226,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator boolean matchResult = false; boolean isHeadMatchAttempted = false; boolean headMatchResult = false; + final boolean isPolicyFinalDecider = isFinalDecider(); if (!result.getIsAuditedDetermined()) { // Need to match request.resource first. If it matches (or head matches), then only more progress can be made @@ -270,6 +271,10 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator evaluatePolicyItemsForAccess(policy, request, result); } } + if ((matchResult || headMatchResult) && !result.getIsAccessDetermined() && isPolicyFinalDecider) { + result.setIsAllowed(false); + result.setPolicyId(getPolicy().getId()); + } } if(LOG.isDebugEnabled()) { @@ -870,4 +875,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator return ret; } + @Override + public boolean isFinalDecider() { + return getPolicy().isFinalDecider(); + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java index 9fe523a..b018f3a 100644 
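Review bot: The new final-decider block also denies on `headMatchResult`: `(matchResult || headMatchResult) && !result.getIsAccessDetermined() && isPolicyFinalDecider` turns a partial (head) match with no granting policy item into `setIsAllowed(false)` carrying this policy's id, so a final-decider policy on a deeper resource can now deny requests on its ancestors that the previous code left undetermined. If only full matches should be final, drop `headMatchResult` from the condition; if head matches are meant to deny, say so, e.g. `// final-decider: a matched or head-matched resource with no allowing item is an explicit deny`. The enclosing method and the computation of `matchResult`/`headMatchResult` are outside the hunk, and whether `setIsAllowed(false)` also marks the result as access-determined depends on RangerAccessResult, which is not shown here.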
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java @@ -56,4 +56,6 @@ public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator> boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType); boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType); -} + + boolean isFinalDecider(); + } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 75ba6b9..fc5b954 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -123,6 +123,10 @@ public class RangerBasePlugin { propertyPrefix + ".policyengine.option.disable.custom.conditions", false); + policyEngineOptions.disableTagPolicyEvaluation = RangerConfiguration + .getInstance().getBoolean( + propertyPrefix + + ".policyengine.option.disable.tagpolicy.evaluation", false); RangerAdminClient admin = createAdminClient(propertyPrefix); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java ---------------------------------------------------------------------- 
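Review bot: `isFinalDecider()` is added to the `RangerPolicyEvaluator` interface without Javadoc, and the file's closing brace is now indented (`+ }`) where the removed line had it at column 0. A short contract comment helps implementors, e.g. `/** True if this policy ends evaluation once it matches; RangerDefaultPolicyEvaluator treats a match with no allowing item as an explicit deny. */`, and the brace should return to column 0.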
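Review bot: The default for tag-policy evaluation disagrees between the two places that set it: `RangerPolicyEngineOptions.disableTagPolicyEvaluation` is initialised to `true` (evaluation off), while this hunk reads `...policyengine.option.disable.tagpolicy.evaluation` with a fallback of `false` (evaluation on). Any code that builds the options without going through `RangerBasePlugin` — tests, embedded users — silently gets the opposite authorization behaviour from a deployed plugin. Pick one default and use it in both places; if tag evaluation is meant to be opt-in, pass `true` as the fallback here, and either way add a comment on the field stating which it is, e.g. `// default matches the ...disable.tagpolicy.evaluation fallback in RangerBasePlugin`.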
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java index 2f75e38..155971f 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java @@ -56,7 +56,6 @@ public abstract class AbstractServiceStore implements ServiceStore { if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceDefDBStore.updateTagServiceDefForAccessTypes()"); } - return; } @Override 
@@ -65,94 +64,43 @@ public abstract class AbstractServiceStore implements ServiceStore { } @Override - public RangerServiceDefPaginatedList getPaginatedServiceDefs(SearchFilter filter) throws Exception { + public PList<RangerServiceDef> getPaginatedServiceDefs(SearchFilter filter) throws Exception { List<RangerServiceDef> resultList = getServiceDefs(filter); - RangerServiceDefPaginatedList ret = new RangerServiceDefPaginatedList(); - - ret.setResultSize(resultList.size()); - ret.setPageSize(resultList.size()); - ret.setSortBy(filter.getSortBy()); - ret.setSortType(filter.getSortType()); - ret.setStartIndex(0); - ret.setTotalCount(resultList.size()); - - ret.setServiceDefs(resultList); - - return ret; + return new PList<RangerServiceDef>(resultList, 0, resultList.size(), + (long)resultList.size(), resultList.size(), filter.getSortType(), filter.getSortBy()); } @Override - public RangerServicePaginatedList getPaginatedServices(SearchFilter filter) throws Exception { + public PList<RangerService> getPaginatedServices(SearchFilter filter) throws Exception { List<RangerService> resultList = getServices(filter); - RangerServicePaginatedList ret = new RangerServicePaginatedList(); - - ret.setResultSize(resultList.size()); - ret.setPageSize(resultList.size()); - ret.setSortBy(filter.getSortBy()); - ret.setSortType(filter.getSortType()); - ret.setStartIndex(0); - ret.setTotalCount(resultList.size()); - - ret.setServices(resultList); - - return ret; + return new PList<RangerService>(resultList, 0, resultList.size(), (long)resultList.size(), + resultList.size(), filter.getSortType(), filter.getSortBy()); } @Override - public RangerPolicyPaginatedList getPaginatedPolicies(SearchFilter filter) throws Exception { + public PList<RangerPolicy> getPaginatedPolicies(SearchFilter filter) throws Exception { List<RangerPolicy> resultList = getPolicies(filter); - RangerPolicyPaginatedList ret = new RangerPolicyPaginatedList(); - - ret.setResultSize(resultList.size()); - 
ret.setPageSize(resultList.size()); - ret.setSortBy(filter.getSortBy()); - ret.setSortType(filter.getSortType()); - ret.setStartIndex(0); - ret.setTotalCount(resultList.size()); - - ret.setPolicies(resultList); - - return ret; + return new PList<RangerPolicy>(resultList, 0, resultList.size(), (long)resultList.size(), + resultList.size(), filter.getSortType(), filter.getSortBy()); } @Override - public RangerPolicyPaginatedList getPaginatedServicePolicies(Long serviceId, SearchFilter filter) throws Exception { + public PList<RangerPolicy> getPaginatedServicePolicies(Long serviceId, SearchFilter filter) throws Exception { List<RangerPolicy> resultList = getServicePolicies(serviceId, filter); - RangerPolicyPaginatedList ret = new RangerPolicyPaginatedList(); - - ret.setResultSize(resultList.size()); - ret.setPageSize(resultList.size()); - ret.setSortBy(filter.getSortBy()); - ret.setSortType(filter.getSortType()); - ret.setStartIndex(0); - ret.setTotalCount(resultList.size()); - - ret.setPolicies(resultList); - - return ret; + return new PList<RangerPolicy>(resultList, 0, resultList.size(), (long)resultList.size(), + resultList.size(), filter.getSortType(), filter.getSortBy()); } @Override - public RangerPolicyPaginatedList getPaginatedServicePolicies(String serviceName, SearchFilter filter) throws Exception { + public PList<RangerPolicy> getPaginatedServicePolicies(String serviceName, SearchFilter filter) throws Exception { List<RangerPolicy> resultList = getServicePolicies(serviceName, filter); - RangerPolicyPaginatedList ret = new RangerPolicyPaginatedList(); - - ret.setResultSize(resultList.size()); - ret.setPageSize(resultList.size()); - ret.setSortBy(filter.getSortBy()); - ret.setSortType(filter.getSortType()); - ret.setStartIndex(0); - ret.setTotalCount(resultList.size()); - - ret.setPolicies(resultList); - - return ret; - + return new PList<RangerPolicy>(resultList, 0, resultList.size(), (long)resultList.size(), + resultList.size(), filter.getSortType(), 
filter.getSortBy()); } @Override @@ -189,17 +137,17 @@ public abstract class AbstractServiceStore implements ServiceStore { } protected void preCreate(RangerBaseModelObject obj) throws Exception { - obj.setId(new Long(0)); + obj.setId(0L); obj.setGuid(UUID.randomUUID().toString()); obj.setCreateTime(new Date()); obj.setUpdateTime(obj.getCreateTime()); - obj.setVersion(new Long(1)); + obj.setVersion(1L); } protected void preCreate(RangerService service) throws Exception { preCreate((RangerBaseModelObject)service); - service.setPolicyVersion(new Long(0)); + service.setPolicyVersion(0L); service.setPolicyUpdateTime(service.getCreateTime()); } @@ -211,7 +159,7 @@ public abstract class AbstractServiceStore implements ServiceStore { protected void preUpdate(RangerBaseModelObject obj) throws Exception { if(obj.getId() == null) { - obj.setId(new Long(0)); + obj.setId(0L); } if(obj.getGuid() == null) { @@ -225,9 +173,9 @@ public abstract class AbstractServiceStore implements ServiceStore { Long version = obj.getVersion(); if(version == null) { - version = new Long(1); + version = 1L; } else { - version = new Long(version.longValue() + 1); + version = version + 1; } obj.setVersion(version); @@ -323,7 +271,7 @@ public abstract class AbstractServiceStore implements ServiceStore { String serviceDefName = serviceDef.getName(); - RangerServiceDef tagServiceDef = null; + RangerServiceDef tagServiceDef; try { tagServiceDef = this.getServiceDef(EmbeddedServiceDefsUtil.instance().getTagServiceDefId()); } catch (Exception e) { @@ -438,7 +386,7 @@ public abstract class AbstractServiceStore implements ServiceStore { return; } - RangerServiceDef tagServiceDef = null; + RangerServiceDef tagServiceDef; try { tagServiceDef = this.getServiceDef(EmbeddedServiceDefsUtil.instance().getTagServiceDefId()); } catch (Exception e) { 
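Review bot: The five `getPaginated*` methods now repeat the same seven-argument `PList` construction with `resultList.size()` passed three times (once cast to `long`), which is the kind of positional call that silently breaks if the constructor's parameter order ever changes. A small generic helper removes the repetition and gives the "whole result as one page" convention a name; the method bodies then collapse to one line each.
```java
/** Wraps a fully materialised result list as a single page carrying the filter's sort settings. */
private static <T> PList<T> toSinglePage(List<T> resultList, SearchFilter filter) {
    return new PList<T>(resultList, 0, resultList.size(), (long) resultList.size(),
            resultList.size(), filter.getSortType(), filter.getSortBy());
}

@Override
public PList<RangerServiceDef> getPaginatedServiceDefs(SearchFilter filter) throws Exception {
    return toSinglePage(getServiceDefs(filter), filter);
}
// … unchanged: the other four getPaginated* methods follow the same pattern …
```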
@@ -464,6 +412,6 @@ public abstract class AbstractServiceStore implements ServiceStore { } protected long getNextVersion(Long currentVersion) { - return currentVersion == null ? 1L : currentVersion.longValue() + 1; + return currentVersion == null ? 1L : currentVersion + 1; } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java index 9be733d..558014b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java @@ -20,7 +20,9 @@ package org.apache.ranger.plugin.store; import org.apache.ranger.plugin.model.RangerBaseModelObject; -import org.apache.ranger.plugin.model.RangerService; +import org.apache.ranger.plugin.model.RangerResource; +import org.apache.ranger.plugin.model.RangerTagDef; +import org.apache.ranger.plugin.util.SearchFilter; import java.util.Date; import java.util.List; @@ -28,11 +30,11 @@ import java.util.UUID; public abstract class AbstractTagStore implements TagStore { protected void preCreate(RangerBaseModelObject obj) throws Exception { - obj.setId(new Long(0)); + obj.setId(0L); obj.setGuid(UUID.randomUUID().toString()); obj.setCreateTime(new Date()); obj.setUpdateTime(obj.getCreateTime()); - obj.setVersion(new Long(1)); + obj.setVersion(1L); } protected void postCreate(RangerBaseModelObject obj) throws Exception { @@ -40,7 +42,7 @@ public abstract class AbstractTagStore implements TagStore { protected void preUpdate(RangerBaseModelObject obj) throws Exception { if(obj.getId() == null) { - obj.setId(new Long(0)); + obj.setId(0L); } if(obj.getGuid() == null) { 
@@ -54,9 +56,9 @@ public abstract class AbstractTagStore implements TagStore { Long version = obj.getVersion(); if(version == null) { - version = new Long(1); + version = 1L; } else { - version = new Long(version.longValue() + 1); + version = version + 1; } obj.setVersion(version); @@ -85,4 +87,27 @@ public abstract class AbstractTagStore implements TagStore { } return ret; } + + @Override + public PList<RangerTagDef> getPaginatedTagDefs(SearchFilter filter) throws Exception { + List<RangerTagDef> list = getTagDefs(filter); + + return new PList<RangerTagDef>(list, 0, list.size(), + (long)list.size(), list.size(), filter.getSortType(), filter.getSortBy()); + } + + public PList<RangerResource> getPaginatedResources(String tagServiceName, String serviceType) throws Exception { + List<RangerResource> list = getResources(tagServiceName, serviceType); + + return new PList<RangerResource>(list, 0, list.size(), + (long)list.size(), list.size(), null, null); + } + + public PList<RangerResource> getPaginatedResources(SearchFilter filter) throws Exception { + List<RangerResource> list = getResources(filter); + + return new PList<RangerResource>(list, 0, list.size(), + (long)list.size(), list.size(), filter.getSortType(), filter.getSortBy()); + } + } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/PList.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/PList.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/PList.java index 8c3e0a9..2402fea 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/PList.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/PList.java 
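Review bot: The two `getPaginatedResources` overloads are added without `@Override` while the adjacent `getPaginatedTagDefs` carries one; if they implement methods declared in `TagStore` (changed in this commit but not shown here) they should be annotated the same way, and if they are new public API they need Javadoc, in particular the `(String tagServiceName, String serviceType)` overload, which passes `null, null` for sortType/sortBy. The three methods also repeat the same seven-argument `PList` construction as the `AbstractServiceStore` changes; a shared factory taking the list and the two sort fields would remove the repeated `list.size()` / `(long)list.size()` arguments.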
@@ -21,7 +21,8 @@ package org.apache.ranger.plugin.store; import java.util.List; -public abstract class PList implements java.io.Serializable { +public class PList<T> implements java.io.Serializable { + private static final long serialVersionUID = 1L; /** @@ -51,35 +52,39 @@ public abstract class PList implements java.io.Serializable { protected long queryTimeMS = System.currentTimeMillis(); - + protected List<T> list; /** * Default constructor. This will set all the attributes to default value. */ public PList() { - } - - /** - * Initialize with existing list - * - * @param objectList - */ - public PList(@SuppressWarnings("rawtypes") List objectList) { - int size = 0; - if (objectList != null) { - size = objectList.size(); - } - startIndex = 0; - pageSize = size; - totalCount = size; - resultSize = size; + pageSize = 0; + totalCount = 0; + resultSize = 0; sortType = null; sortBy = null; } - abstract public int getListSize(); + public PList(List<T> list, int startIndex, int pageSize, long totalCount, int resultSize, String sortType, String sortBy) { + this.list = list; + this.startIndex = startIndex; + this.pageSize = pageSize; + this.totalCount = totalCount; + this.resultSize = resultSize; + this.sortType = sortType; + this.sortBy = sortBy; + + } + + public int getListSize() { + return list == null ? 0 : list.size(); + } - abstract public List<?> getList(); + public void setList(List<T> list) {this.list = list;} + + public List<T> getList() { + return list; + } /** * This method sets the value to the member attribute <b>startIndex</b>. You http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerPolicyPaginatedList.java ---------------------------------------------------------------------- 
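Review bot: The new seven-argument PList constructor takes startIndex, pageSize, totalCount and resultSize as four adjacent numeric positionals, and resultSize duplicates what getListSize() already derives from the list, so the two can disagree without anyone noticing; a Javadoc on the constructor should say which of the two consumers are expected to trust, and a static factory such as `PList.of(List<T> list, SearchFilter filter)` would remove the transposition risk for the common all-rows case. The default constructor resets pageSize, totalCount, resultSize, sortType and sortBy but not startIndex or list, which presumably rely on the field initialisers declared above this hunk — worth confirming. `public void setList(List<T> list) {this.list = list;}` is the only one-line method body in the class; format it like getList directly below it.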
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerPolicyPaginatedList.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerPolicyPaginatedList.java
deleted file mode 100644
index 9573886..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerPolicyPaginatedList.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.store;
-
-import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerServiceDef;
-
-import java.util.ArrayList;
-import java.util.List;
-
-public class RangerPolicyPaginatedList extends PList {
- private static final long serialVersionUID = 1L;
-
- List<RangerPolicy> policies = new ArrayList<RangerPolicy>();
-
- public RangerPolicyPaginatedList() {
- super();
- }
-
- public RangerPolicyPaginatedList(List<RangerPolicy> objList) {
- super(objList);
- this.policies = objList;
- }
-
- public List<RangerPolicy> getPolicies() {
- return policies;
- }
-
- public void setPolicies(List<RangerPolicy> policies) {
- this.policies = policies;
- }
-
- @Override
- public int getListSize() {
- if (policies != null) {
- return policies.size();
- }
- return 0;
- }
-
- @Override
- public List<?> getList() {
- return policies;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServiceDefPaginatedList.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServiceDefPaginatedList.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServiceDefPaginatedList.java
deleted file mode 100644
index 7366ac8..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServiceDefPaginatedList.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.store;
-
-import org.apache.ranger.plugin.model.RangerServiceDef;
-
-import java.util.ArrayList;
-import java.util.List;
-
-public class RangerServiceDefPaginatedList extends PList {
- private static final long serialVersionUID = 1L;
-
- List<RangerServiceDef> serviceDefs = new ArrayList<RangerServiceDef>();
-
- public RangerServiceDefPaginatedList() {
- super();
- }
-
- public RangerServiceDefPaginatedList(List<RangerServiceDef> objList) {
- super(objList);
- this.serviceDefs = objList;
- }
-
- public List<RangerServiceDef> getServiceDefs() {
- return serviceDefs;
- }
-
- public void setServiceDefs(List<RangerServiceDef> serviceDefs) {
- this.serviceDefs = serviceDefs;
- }
-
- @Override
- public int getListSize() {
- if (serviceDefs != null) {
- return serviceDefs.size();
- }
- return 0;
- }
-
- @Override
- public List<?> getList() {
- return serviceDefs;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServicePaginatedList.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServicePaginatedList.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServicePaginatedList.java
deleted file mode 100644
index 6194bb8..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServicePaginatedList.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.store;
-
-import org.apache.ranger.plugin.model.RangerService;
-import org.apache.ranger.plugin.model.RangerServiceDef;
-
-import java.util.ArrayList;
-import java.util.List;
-
-public class RangerServicePaginatedList extends PList {
- private static final long serialVersionUID = 1L;
-
- List<RangerService> services = new ArrayList<RangerService>();
-
- public RangerServicePaginatedList() {
- super();
- }
-
- public RangerServicePaginatedList(List<RangerService> objList) {
- super(objList);
- this.services = objList;
- }
-
- public List<RangerService> getServices() {
- return services;
- }
-
- public void setServices(List<RangerService> services) {
- this.services = services;
- }
-
- @Override
- public int getListSize() {
- if (services != null) {
- return services.size();
- }
- return 0;
- }
-
- @Override
- public List<?> getList() {
- return services;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java index 0915cf5..cbf6022 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java @@ -46,7 +46,8 @@ public interface ServiceStore { List<RangerServiceDef> getServiceDefs(SearchFilter filter) throws Exception; - RangerServiceDefPaginatedList getPaginatedServiceDefs(SearchFilter filter) throws Exception; + + PList<RangerServiceDef> getPaginatedServiceDefs(SearchFilter filter) throws Exception; RangerService createService(RangerService service) throws Exception; @@ -60,7 +61,7 @@ public interface ServiceStore { List<RangerService> getServices(SearchFilter filter) throws Exception; - RangerServicePaginatedList getPaginatedServices(SearchFilter filter) throws Exception; + PList<RangerService> getPaginatedServices(SearchFilter filter) throws Exception; RangerPolicy createPolicy(RangerPolicy policy) throws Exception; 
@@ -72,17 +73,19 @@ public interface ServiceStore { List<RangerPolicy> getPolicies(SearchFilter filter) throws Exception; - RangerPolicyPaginatedList getPaginatedPolicies(SearchFilter filter) throws Exception; + + PList<RangerPolicy> getPaginatedPolicies(SearchFilter filter) throws Exception; List<RangerPolicy> getPoliciesByResourceSignature(String serviceName, String policySignature, Boolean isPolicyEnabled) throws Exception; List<RangerPolicy> getServicePolicies(Long serviceId, SearchFilter filter) throws Exception; - RangerPolicyPaginatedList getPaginatedServicePolicies(Long serviceId, SearchFilter filter) throws Exception; + + PList<RangerPolicy> getPaginatedServicePolicies(Long serviceId, SearchFilter filter) throws Exception; List<RangerPolicy> getServicePolicies(String serviceName, SearchFilter filter) throws Exception; - RangerPolicyPaginatedList getPaginatedServicePolicies(String serviceName, SearchFilter filter) throws Exception; + PList<RangerPolicy> getPaginatedServicePolicies(String serviceName, SearchFilter filter) throws Exception; ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long lastKnownVersion) throws Exception; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java index 87e2b6f..991e913 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java @@ -44,6 +44,7 @@ public interface TagStore { List<RangerTagDef> getTagDefs(SearchFilter filter) throws Exception; + PList<RangerTagDef> getPaginatedTagDefs(SearchFilter filter) throws Exception; RangerResource createResource(RangerResource resource) throws Exception; 
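Review bot: The extra empty `+` lines inserted before `PList<RangerPolicy> getPaginatedPolicies` and before `PList<RangerPolicy> getPaginatedServicePolicies(Long serviceId, ...)` leave double blank lines between declarations, while the `getPaginatedServicePolicies(String serviceName, ...)` replacement in the same hunk keeps the single-blank spacing the rest of ServiceStore uses; drop the two stray `+` lines so the interface reads uniformly. Since these signatures are the contract the REST layer presumably builds on, a one-line Javadoc per paginated method saying that page bounds and sort order are taken from the SearchFilter (or that an implementation may return all rows) would help implementors get the semantics right.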
@@ -55,5 +56,9 @@ public interface TagStore { List<RangerResource> getResources(String tagServiceName, String serviceType) throws Exception; + PList<RangerResource> getPaginatedResources(String tagServiceName, String serviceType) throws Exception; + List<RangerResource> getResources(SearchFilter filter) throws Exception; + PList<RangerResource> getPaginatedResources(SearchFilter filter) throws Exception; + } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index ed67e8e..42da42d 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java @@ -19,13 +19,7 @@ package org.apache.ranger.plugin.policyengine; -import static org.junit.Assert.*; - -import java.io.InputStream; -import java.io.InputStreamReader; -import java.lang.reflect.Type; -import java.util.List; - +import com.google.gson.*; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData; 
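Review bot: The two `getPaginatedResources` overloads are added to TagStore without Javadoc, and the `(String tagServiceName, String serviceType)` variant takes no SearchFilter at all, so despite its name it cannot express a page or a sort order; either document that it returns the complete resource list for the given service pair or take a SearchFilter alongside the two names. A suggested comment for the filter-based variant: `/** Resources matching {@code filter}; page bounds and sort order come from the filter. */`. The same hunk drops the blank line that separated `getResources(SearchFilter)` from the closing brace, so the declarations now end in a trailing empty line instead — minor, but worth keeping consistent with the rest of the interface.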
@@ -34,12 +28,12 @@ import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Test; -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; -import com.google.gson.JsonDeserializationContext; -import com.google.gson.JsonDeserializer; -import com.google.gson.JsonElement; -import com.google.gson.JsonParseException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.lang.reflect.Type; +import java.util.List; + +import static org.junit.Assert.*; public class TestPolicyEngine { @@ -100,10 +94,27 @@ public class TestPolicyEngine { servicePolicies.setServiceDef(testCase.serviceDef); servicePolicies.setPolicies(testCase.policies); - policyEngine = new RangerPolicyEngineImpl(servicePolicies); + if (null != testCase.tagPolicyInfo) { + ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies(); + tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName); + tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef); + tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies); + + servicePolicies.setTagPolicies(tagPolicies); + } + + String componentName = testCase.serviceDef.getName(); + + RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions(); + + // Uncomment next line for testing tag-policy evaluation + // policyEngineOptions.disableTagPolicyEvaluation = false; + + policyEngine = new RangerPolicyEngineImpl(servicePolicies, policyEngineOptions); for(TestData test : testCase.tests) { RangerAccessResult expected = test.result; + policyEngine.enrichContext(test.request); RangerAccessResult result = policyEngine.isAccessAllowed(test.request, null); assertNotNull("result was null! - " + test.name, result); @@ -117,6 +128,7 @@ public class TestPolicyEngine { public String serviceName; public RangerServiceDef serviceDef; public List<RangerPolicy> policies; + public TagPolicyInfo tagPolicyInfo; public List<TestData> tests; class TestData { 
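Review bot: `// policyEngineOptions.disableTagPolicyEvaluation = false;` is left commented out in the new RangerPolicyEngineOptions setup, and the surrounding comment implies the flag defaults to true, so the tagPolicies block the test JSON now carries is loaded but never evaluated and the new tag-policy path gets no automated coverage; enable it for cases that actually define tag policies, e.g. `policyEngineOptions.disableTagPolicyEvaluation = (testCase.tagPolicyInfo == null);`, or add a second test case that runs with the flag on. `String componentName = testCase.serviceDef.getName();` is assigned and never read anywhere in the hunk; remove it, or use it in the assertion message if it was meant to identify the failing service. Commented-out configuration in a test is easy to mistake for the active setting; if the line is kept, turn it into a real option on the test case rather than a comment.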
@@ -124,6 +136,12 @@ public class TestPolicyEngine { public RangerAccessRequest request; public RangerAccessResult result; } + + class TagPolicyInfo { + public String serviceName; + public RangerServiceDef serviceDef; + public List<RangerPolicy> tagPolicies; + } } static class RangerAccessRequestDeserializer implements JsonDeserializer<RangerAccessRequest> { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json index eed71be..4ef634c 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json 
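Review bot: `class TagPolicyInfo` is a non-static inner class of PolicyEngineTestCase, so every instance carries a hidden reference to the enclosing test case even though it holds nothing but the three fields Gson populates; `static class TagPolicyInfo` is the right shape (the pre-existing TestData beside it has the same issue and could be fixed in the same pass — the current tests presumably rely on Gson tolerating inner classes, which is worth confirming before changing both). A short comment would also help a reader of the fixture format, e.g. `// optional tag service definition and tag policies evaluated on top of the resource policies`.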
@@ -36,7 +36,91 @@ ] } ], + "tagPolicyInfo": { + "serviceName":"tagdev", + "serviceDef": { + "name": "_tag_", + "id": 101, + "resources": [ + { + "itemId": 1, + "name": "tag", + "type": "string", + "level": 1, + "parent": "", + "mandatory": true, + "lookupSupported": true, + "recursiveSupported": false, + "excludesSupported": false, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": false + }, + "validationRegEx": "", + "validationMessage": "", + "uiHint": "", + "label": "TAG", + "description": "TAG" + } + ], + "accessTypes": [ + { + "name": "hdfs:read", + "label": "hdfs:Read" + }, + { + "name": "hdfs:write", + "label": "hdfs:Write" + }, + { + "name": "hdfs:execute", + "label": "hdfs:Execute" + } + ], + "contextEnrichers" : [ + { + "name" : "test_enricher", + "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedTagProvider", + "enricherOptions" : {"wildCard":true, "ignoreCase":true, "dataFile":"/etc/ranger/data/resourceTags.txt"} + } + ], + "policyConditions": [ + { + "itemId":1, + "name":"Default_TagAttributeValueEvaluator", + "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerTagAttributeEvaluator", + "evaluatorOptions" : {"interpreter":"python"}, + "label":"Python-Script", + "description": "Python script to execute" + } + ] + }, + "tagPolicies":[ + {"id":5,"name":"allow somethingelse tag","isEnabled":true,"isAuditEnabled":true,"policyType":0, + "resources":{"tag":{"values":["restricte?"],"isRecursive":false}}, + "policyItems":[ + {"accesses":[{"type":"hdfs:read","isAllowed":true}],"users":["user1"],"groups":["finance"],"delegateAdmin":false, + "conditions" : [{"type":"Default_TagAttributeValueEvaluator", "values":["Test_Script"]}]} + ] + } + , + {"id":4,"name":"allow partial-match tag","isEnabled":true,"isAuditEnabled":true, + "resources":{"tag":{"values":["restr*"],"isRecursive":false}}, + "policyItems":[ + 
{"accesses":[{"type":"hdfs:write","isAllowed":true}],"users":["user1"],"groups":["finance"],"delegateAdmin":false} + ] + } + , + {"id":3,"name":"restricted tags","isEnabled":true,"isAuditEnabled":true,"policyType":0, + "resources":{"tag":{"values":["res*"],"isRecursive":false}}, + "policyItems":[ + {"accesses":[{"type":"hdfs:write","isAllowed":true}],"users":["user1"],"groups":["finance"],"delegateAdmin":false} + ] + } + ] + }, "tests":[ {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance", "request":{
