Repository: incubator-ranger Updated Branches: refs/heads/tag-policy c8c98ea97 -> 525fd59ce
RANGER-274: added RangerScriptConditionEvaluator and related updates (read-only request/resource/context/tags objects, etc) 
Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/525fd59c Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/525fd59c Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/525fd59c Branch: refs/heads/tag-policy Commit: 525fd59ce576f9a002d817938214ce36aa3ab10b Parents: c8c98ea Author: Abhay Kulkarni <[email protected]> Authored: Wed May 27 17:34:04 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Thu May 28 20:31:49 2015 -0700 ---------------------------------------------------------------------- .../RangerScriptConditionEvaluator.java | 137 +++++++++++++++ .../RangerTagAttributeEvaluator.java | 173 ------------------- ...gerTagAttributeEvaluatorResultProcessor.java | 30 ---- .../ScriptingLanguageFinderUtil.java | 35 ---- .../RangerFileBasedTagProvider.java | 3 +- .../ranger/plugin/model/RangerPolicy.java | 10 +- .../ranger/plugin/model/RangerResource.java | 107 ++++-------- .../policyengine/RangerAccessRequest.java | 2 + .../policyengine/RangerAccessRequestImpl.java | 4 + .../RangerAccessRequestReadOnly.java | 86 +++++++++ .../policyengine/RangerAccessResource.java | 2 + .../policyengine/RangerAccessResourceImpl.java | 5 + .../RangerAccessResourceReadOnly.java | 57 ++++++ .../plugin/policyengine/RangerPolicyEngine.java | 2 + .../policyengine/RangerPolicyEngineImpl.java | 10 +- .../RangerDefaultPolicyEvaluator.java | 4 +- .../ranger/plugin/store/TagPredicateUtil.java | 2 +- .../ranger/plugin/store/file/TagFileStore.java | 83 ++++----- .../policyengine/test_policyengine_hdfs.json | 26 ++- .../java/org/apache/ranger/rest/TagREST.java | 57 +++--- 20 files changed, 423 insertions(+), 412 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
new file mode 100644
index 0000000..558e35e
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
@@ -0,0 +1,137 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.conditionevaluator; + +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.collections.MapUtils; +import org.apache.commons.lang.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.model.RangerResource; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; + +import javax.script.Bindings; +import javax.script.ScriptEngine; +import javax.script.ScriptEngineManager; +import javax.script.ScriptException; +import java.util.Collections; +import java.util.List; +import java.util.Map; + +public class RangerScriptConditionEvaluator extends RangerAbstractConditionEvaluator { + private static final Log LOG = LogFactory.getLog(RangerScriptConditionEvaluator.class); + + private ScriptEngine scriptEngine; + + @Override + public void init() { + + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerScriptConditionEvaluator.init(" + condition + ")"); + } + + super.init(); + + String engineName = "JavaScript"; + + Map<String, String> evalOptions = conditionDef. 
getEvaluatorOptions(); + + if (MapUtils.isNotEmpty(evalOptions)) { + engineName = evalOptions.get("engineName"); + } + + if (StringUtils.isBlank(engineName)) { + engineName = "JavaScript"; + } + + ScriptEngineManager manager = new ScriptEngineManager(); + scriptEngine = manager.getEngineByName(engineName); + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerScriptConditionEvaluator.init(" + condition + ")"); + } + } + + @Override + public boolean isMatched(RangerAccessRequest request) { + if (LOG.isDebugEnabled()) { + LOG.debug("==>RangerScriptConditionEvaluator.isMatched()"); + } + + Boolean result = false; + + List<String> values = condition.getValues(); + + if (!CollectionUtils.isEmpty(values)) { + + // Evaluate the first string + String value = values.get(0); + if (StringUtils.isNotBlank(value)) { + + RangerAccessRequest readOnlyRequest = request.getReadOnlyCopy(); + + @SuppressWarnings("unchecked") + List<RangerResource.RangerResourceTag> tagsList = (List <RangerResource.RangerResourceTag>)readOnlyRequest.getContext().get("TAGS"); + + Bindings bindings = scriptEngine.createBindings(); + + if (CollectionUtils.isNotEmpty(tagsList)) { + List<RangerResource.RangerResourceTag> readOnlyTags = Collections.unmodifiableList(tagsList); + bindings.put("tags", readOnlyTags); + } + + bindings.put("request", readOnlyRequest); + bindings.put("ctx", readOnlyRequest.getContext()); + bindings.put("result", result); + + String script = value.trim(); + + if (LOG.isDebugEnabled()) { + LOG.debug("RangerScriptConditionEvaluator.isMatched(): script={" + script + "}"); + } + try { + + Object ret = scriptEngine.eval(script, bindings); + + if (ret == null) { + ret = bindings.get("result"); + } + if (ret != null && ret instanceof Boolean) { + result = (Boolean) ret; + } + + } catch (NullPointerException nullp) { + LOG.error("RangerScriptConditionEvaluator.isMatched(): eval called with NULL argument(s)"); + + } catch (ScriptException exception) { + 
LOG.error("RangerScriptConditionEvaluator.isMatched(): failed to evaluate script," + + " exception=" + exception); + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<==RangerScriptConditionEvaluator.isMatched(), result=" + result); + } + + return result; + + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java deleted file mode 100644 index 1f12bb8..0000000 --- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java +++ /dev/null 
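Review bot: In RangerScriptConditionEvaluator, `isMatched()` calls `scriptEngine.createBindings()` without checking that `init()` actually obtained an engine; `ScriptEngineManager.getEngineByName()` returns null for an unknown or unavailable `engineName`, and the call sits outside the `try`, so the NullPointerException escapes to the caller instead of being logged. The deleted RangerTagAttributeEvaluator had an `if (scriptEngine != null)` guard; I would restore it at the top of `isMatched()`, e.g. `if (scriptEngine == null) { LOG.error("RangerScriptConditionEvaluator.isMatched(): no script engine available"); return false; }`, and log the failed lookup in `init()`. Separately, the read-only wrappers protect only the bound `request`/`ctx`/`tags` objects: the text from `condition.getValues()` goes to `eval()` as-is, and stock JavaScript engines generally let a script reach arbitrary Java classes, so whoever can author a policy condition can probably run code inside the plugin's host process. That trust assumption deserves a class-level Javadoc comment, and the engine should be restricted (a class filter or equivalent, where the engine offers one) if policy authors are less trusted than the host service. Any evaluation error also leaves `result` false, which looks like it would silently skip a condition attached to a denying policy; confirm against the caller, which is not in this hunk.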
@@ -1,173 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.plugin.conditionevaluator; - -import org.apache.commons.collections.CollectionUtils; -import org.apache.commons.lang.StringUtils; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.ranger.plugin.model.RangerResource; -import org.apache.ranger.plugin.policyengine.RangerAccessRequest; -import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; - -import javax.script.ScriptEngine; -import javax.script.ScriptEngineManager; -import javax.script.ScriptException; -import java.util.List; -import java.util.Map; - -public class RangerTagAttributeEvaluator extends RangerAbstractConditionEvaluator { - private static final Log LOG = LogFactory.getLog(RangerTagAttributeEvaluator.class); - - private ScriptEngine scriptEngine; - - @Override - public void init() { - - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerTagAttributeEvaluator.init(" + condition + ")"); - } - - super.init(); - - Map<String, String> evalOptions = conditionDef.getEvaluatorOptions(); - - if (evalOptions != null) { - String engineType = evalOptions.get("interpreter"); - if 
(StringUtils.equals(engineType, "JavaScript")) { - ScriptEngineManager manager = new ScriptEngineManager(); - scriptEngine = manager.getEngineByName("JavaScript"); - } - } - - //scriptEngine.put("conditionDef", conditionDef); - //scriptEngine.put("condition", condition); - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerTagAttributeEvaluator.init(" + condition + ")"); - } - } - - @Override - public boolean isMatched(RangerAccessRequest request) { - // TODO - // Set up environment: selected parts of request - if (LOG.isDebugEnabled()) { - LOG.debug("==>RangerTagAttributeEvaluator.isMatched()"); - } - - Map<String, Object> requestContext = request.getContext(); - - @SuppressWarnings("unchecked") - RangerResource.RangerResourceTag tagObject = (RangerResource.RangerResourceTag)requestContext.get(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT); - - if (tagObject == null) { - LOG.error("RangerTagAttributeEvalator.isMatched(), No tag object found in the context. Weird!!!!"); - return false; - } - - String tagAsJSON = tagObject.getJSONRepresentation(); - - if (LOG.isDebugEnabled()) { - LOG.debug("RangerTagAttributeEvaluator.isMatched(), tagObject as JSON=" + tagAsJSON); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("RangerTagAttributeEvaluator.isMatched(), tagObject=" + tagObject); - } - - RangerTagAttributeEvaluatorResultProcessor resultProcessor = new RangerTagAttributeEvaluatorResultProcessor(); - - /* - Map<String, String> map = new HashMap<String, String>(); - map.put("bye", "now"); - */ - /* - // Convert it to a NativeObject (yes, this could have been done directly) - NativeObject nobj = new NativeObject(); - for (Map.Entry<String, String> entry : map.entrySet()) { - nobj.defineProperty(entry.getKey(), entry.getValue(), NativeObject.READONLY); - } - - // Place native object into the context - scriptEngine.put("map", nobj); - */ - - /* - try { - //scriptEngine.eval("println(map.bye)"); - - scriptEngine.eval("var map = " + new Gson().toJson(map) + ";\n" - + 
"println(map.bye);"); - } catch (Exception e) { - System.out.println("Failed"); - } - System.out.println("Succeeded"); - return true; - */ - - // Place remaining objects directly into context - /* - scriptEngine.put("tagName", tagObject.getName()); - scriptEngine.put("request", request); - */ - scriptEngine.put("result", resultProcessor); - - String preamble = "var tag = " + tagAsJSON +";\n"; - - List<String> values = condition.getValues(); - - if (LOG.isDebugEnabled()) { - LOG.debug("RangerTagAttributeEvaluator.isMatched(), values=" + values); - } - - if (!CollectionUtils.isEmpty(values)) { - - String script = values.get(0); - - if (!StringUtils.isEmpty(script)) { - - if (LOG.isDebugEnabled()) { - LOG.debug("RangerTagAttributeEvaluator.isMatched(), evaluating script '" + script +"'"); - } - if (scriptEngine != null) { - try { - scriptEngine.eval(preamble+script); - } catch (ScriptException exception) { - LOG.error("RangerTagAttributeEvaluator.isMatched(): failed to evaluate script," + - " exception=" + exception); - } - } else { - LOG.error("RangerTagAttributeEvaluator.isMatched(), No engine to evaluate script '" + script + "'"); - resultProcessor.setFailed(); - } - - } - - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<==RangerTagAttributeEvaluator.isMatched(), result=" + resultProcessor.getResult()); - } - - return resultProcessor.getResult(); - - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java deleted file mode 100644 index 0deeefc..0000000 
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java +++ /dev/null @@ -1,30 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.plugin.conditionevaluator; - -public class RangerTagAttributeEvaluatorResultProcessor { - private boolean result = false; - - RangerTagAttributeEvaluatorResultProcessor() {} - - public void setSucceeded() { this.result = true; } - public void setFailed() { this.result = false; } - boolean getResult() { return this.result; } -} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java deleted file mode 100644 index bd6b435..0000000 
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java +++ /dev/null @@ -1,35 +0,0 @@ -package org.apache.ranger.plugin.conditionevaluator; - -import java.util.*; -import javax.script.*; - -public class ScriptingLanguageFinderUtil { - - public static void main( String[] args ) { - - ScriptEngineManager mgr = new ScriptEngineManager(); - List<ScriptEngineFactory> factories = mgr.getEngineFactories(); - - for (ScriptEngineFactory factory : factories) { - - System.out.println("ScriptEngineFactory Info"); - - String engName = factory.getEngineName(); - String engVersion = factory.getEngineVersion(); - String langName = factory.getLanguageName(); - String langVersion = factory.getLanguageVersion(); - - System.out.printf("\tScript Engine: %s (%s)%n", engName, engVersion); - - List<String> engNames = factory.getNames(); - for(String name : engNames) { - System.out.printf("\tEngine Alias: %s%n", name); - } - - System.out.printf("\tLanguage: %s (%s)%n", langName, langVersion); - - } - - } - -} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java index 3b5520e..5cade5b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java @@ -20,7 +20,6 @@ package org.apache.ranger.plugin.contextenricher; import java.lang.reflect.Type; -import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Properties; 
@@ -95,7 +94,7 @@ public class RangerFileBasedTagProvider extends RangerAbstractContextEnricher { context.put(RangerPolicyEngine.KEY_CONTEXT_TAGS, tagList); } catch (Exception e) { - LOG.error("RangerFileBasedTagProvider.enrich(): error parsing file " + this.dataFile + "exception=" + e); + LOG.error("RangerFileBasedTagProvider.enrich(): error parsing file " + this.dataFile + ", exception=" + e); } } else { if(LOG.isDebugEnabled()) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java index 338174c..e9f9ef9 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java @@ -46,8 +46,8 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria private static final long serialVersionUID = 1L; public static final int POLICY_TYPE_DEFAULT = 0x0; - public static final int POLICY_TYPE_FINAL = 0x1 << 0; - public static final int POLICY_TYPE_DENIER = 0x1 << 1; + public static final int POLICY_TYPE_MASK_FINAL = 0x1 << 0; + public static final int POLICY_TYPE_MASK_DENIER = 0x1 << 1; private String service = null; @@ -224,9 +224,9 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria final public void setPolicyTypeFinal(boolean set) { if (set) { - this.policyType |= POLICY_TYPE_FINAL; + this.policyType |= POLICY_TYPE_MASK_FINAL; } else { - this.policyType &= (~POLICY_TYPE_FINAL); + this.policyType &= (~POLICY_TYPE_MASK_FINAL); } } 
@@ -263,7 +263,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria if (this.policyType == null) { isFinalDecidingPolicy = false; - } else if ((this.policyType.intValue() & POLICY_TYPE_FINAL) == 0x0) { + } else if ((this.policyType & POLICY_TYPE_MASK_FINAL) == 0x0) { isFinalDecidingPolicy = false; } return isFinalDecidingPolicy; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java index 2ffedbe..49d4739 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java @@ -19,21 +19,14 @@ package org.apache.ranger.plugin.model; -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; -import org.apache.commons.lang.StringUtils; import org.codehaus.jackson.annotate.JsonAutoDetect; -import org.codehaus.jackson.annotate.JsonIgnore; import org.codehaus.jackson.annotate.JsonIgnoreProperties; import org.codehaus.jackson.map.annotate.JsonSerialize; import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlRootElement; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Map; +import java.util.*; /** * This class represents a RangerResource including the service-type (such as hdfs, hive, etc.) in which it is supported. 
@@ -53,54 +46,54 @@ import java.util.Map; public class RangerResource extends RangerBaseModelObject { private static final long serialVersionUID = 1L; - private String serviceType = null; // one of any supported by any component - private Map<String, RangerPolicy.RangerPolicyResource> resourceSpec = null; // - private String tagServiceName = null; - private List<RangerResourceTag> tagsAndValues = null; + private String componentType = null; // one of any supported by any component + private String tagServiceName = null; + private Map<String, RangerPolicy.RangerPolicyResource> resourceSpec = null; + private List<RangerResourceTag> tags = null; - public RangerResource(String serviceType, Map<String, RangerPolicy.RangerPolicyResource> resourceSpecs, String tagServiceName, List<RangerResourceTag> tagsAndValues) { + public RangerResource(String componentType, String tagServiceName, Map<String, RangerPolicy.RangerPolicyResource> resourceSpec, List<RangerResourceTag> tags) { super(); - setServiceType(serviceType); - setResourceSpecs(resourceSpecs); + setComponentType(componentType); setTagServiceName(tagServiceName); - setTagsAndValues(tagsAndValues); + setResourceSpec(resourceSpec); + setTags(tags); } public RangerResource() { this(null, null, null, null); } - public String getServiceType() { - return serviceType; - } - - public Map<String, RangerPolicy.RangerPolicyResource> getResourceSpecs() { - return resourceSpec; + public String getComponentType() { + return componentType; } public String getTagServiceName() { return tagServiceName; } - public List<RangerResourceTag> getTagsAndValues() { - return tagsAndValues; + public Map<String, RangerPolicy.RangerPolicyResource> getResourceSpec() { + return resourceSpec; } - // And corresponding set methods - public void setServiceType(String serviceType) { - this.serviceType = serviceType == null ? 
new String() : serviceType; + public List<RangerResourceTag> getTags() { + return tags; } - public void setResourceSpecs(Map<String, RangerPolicy.RangerPolicyResource> fullName) { - this.resourceSpec = resourceSpec == null ? new HashMap<String, RangerPolicy.RangerPolicyResource>() : resourceSpec; + // And corresponding set methods + public void setComponentType(String componentType) { + this.componentType = componentType; } public void setTagServiceName(String tagServiceName) { - this.tagServiceName = tagServiceName == null ? new String() : tagServiceName; + this.tagServiceName = tagServiceName; + } + + public void setResourceSpec(Map<String, RangerPolicy.RangerPolicyResource> resourceSpec) { + this.resourceSpec = resourceSpec == null ? new HashMap<String, RangerPolicy.RangerPolicyResource>() : resourceSpec; } - public void setTagsAndValues(List<RangerResourceTag> tagsAndValues) { - this.tagsAndValues = tagsAndValues == null ? new ArrayList<RangerResourceTag>() : tagsAndValues; + public void setTags(List<RangerResourceTag> tags) { + this.tags = tags == null ? new ArrayList<RangerResourceTag>() : tags; } /** @@ -115,21 +108,10 @@ public class RangerResource extends RangerBaseModelObject { public static class RangerResourceTag implements java.io.Serializable { - private static Gson gsonBuilder; - - private String name = null; - private Map<String, Object> attributeValues = null; // Will be JSON string with (name, value) pairs of tag attributes in database - - @JsonIgnore - private transient String jSONRepresentation = null; + private String name = null; + private Map<String, String> attributeValues = null; - static { - gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z") - .setPrettyPrinting() - .create(); - } - - public RangerResourceTag(String name, Map<String, Object> attributeValues) { + public RangerResourceTag(String name, Map<String, String> attributeValues) { super(); setName(name); setAttributeValues(attributeValues); 
@@ -142,38 +124,11 @@ public class RangerResource extends RangerBaseModelObject { public String getName() { return name; } + public void setName(String name) { this.name = name; } - public Map<String, Object> getAttributeValues() { + public Map<String, String> getAttributeValues() { return attributeValues; } - - public void setName(String name) { - this.name = name; - this.jSONRepresentation = null; - } - - public void setAttributeValues(Map<String, Object> attributeValues) { - this.attributeValues = attributeValues; - this.jSONRepresentation = null; - } - - public String getJSONRepresentation() { - if (StringUtils.isEmpty(jSONRepresentation)) { - jSONRepresentation = gsonBuilder.toJson(this); - } - return jSONRepresentation; - } - public RangerResourceTag deepCopy() { - - RangerResourceTag tag; - - if (StringUtils.isEmpty(getJSONRepresentation())) { - tag = new RangerResourceTag(); - } else { - tag = gsonBuilder.fromJson(jSONRepresentation, this.getClass()); - } - - return tag; - } + public void setAttributeValues(Map<String, String> attributeValues) { this.attributeValues = attributeValues; } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java index 82a18fc..4308086 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 
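Review bot: `RangerResourceTag` keeps public `setName()`/`setAttributeValues()`, and `getAttributeValues()` returns the internal map, while this hunk removes `deepCopy()`, so tag objects remain fully mutable and there is no longer a way to copy them. RangerScriptConditionEvaluator in this commit hands them to scripts behind `Collections.unmodifiableList`, which freezes only the list; a condition script can still rename a tag or edit its attributes, and later evaluations would see the change if the same tag objects are shared (not visible here). Either give scripts copies of the tags or make the getter defensive, `return attributeValues == null ? null : Collections.unmodifiableMap(attributeValues);`, after checking that no serializer relies on mutating the returned map. The class body starts outside this hunk.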
@@ -49,4 +49,6 @@ public interface RangerAccessRequest { String getSessionId(); Map<String, Object> getContext(); + + RangerAccessRequest getReadOnlyCopy(); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java index e1326ea..aa2c918 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java @@ -224,4 +224,8 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { return sb; } + @Override + public RangerAccessRequest getReadOnlyCopy() { + return new RangerAccessRequestReadOnly(this); + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java new file mode 100644 index 0000000..3ca72f2 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java 
@@ -0,0 +1,86 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.policyengine; + +import org.apache.commons.lang.StringUtils; + +import java.util.Collections; +import java.util.Date; +import java.util.Map; +import java.util.Set; + +public class RangerAccessRequestReadOnly implements RangerAccessRequest { + private final RangerAccessRequest source; + + // Cached here for reducing access overhead + private final RangerAccessResource resource; + private final Set<String> userGroups; + private final Map<String, Object> context; + + RangerAccessRequestReadOnly(final RangerAccessRequest source) { + this.source = source; + this.resource = source.getResource().getReadOnlyCopy(); + this.userGroups = Collections.unmodifiableSet(source.getUserGroups()); + this.context = Collections.unmodifiableMap(source.getContext()); + } + + @Override + public RangerAccessResource getResource() { return resource; } + + @Override + public String getAccessType() { return source.getAccessType(); } + + @Override + public boolean isAccessTypeAny() { return source.isAccessTypeAny(); } + + @Override + public boolean isAccessTypeDelegatedAdmin() { return source.isAccessTypeDelegatedAdmin(); } + + @Override 
+ public String getUser() { return source.getUser(); } + + @Override + public Set<String> getUserGroups() { return userGroups; } + + @Override + public Date getAccessTime() { return source.getAccessTime(); } + + @Override + public String getClientIPAddress() { return source.getClientIPAddress(); } + + @Override + public String getClientType() { return source.getClientType(); } + + @Override + public String getAction() { return source.getAction(); } + + @Override + public String getRequestData() { return source.getRequestData(); } + + @Override + public String getSessionId() { return source.getSessionId(); } + + @Override + public Map<String, Object> getContext() { return context; } + + @Override + public RangerAccessRequest getReadOnlyCopy() { return this; } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java index 82c0248..c2f4665 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java @@ -41,4 +41,6 @@ public interface RangerAccessResource { public String getAsString(RangerServiceDef serviceDef); public Map<String, String> getAsMap(); + + public RangerAccessResource getReadOnlyCopy(); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java ---------------------------------------------------------------------- 
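Review bot: RangerAccessRequestReadOnly is a shallow wrapper, so "read-only" holds only for the top-level collections: `getAccessTime()` hands out the source's mutable `java.util.Date`, and `Collections.unmodifiableMap(source.getContext())` still returns the original values, so the raw `TAGS` list is reachable through the `ctx` binding in RangerScriptConditionEvaluator even though the `tags` binding is wrapped. I would return a copy of the date, `Date t = source.getAccessTime(); return t == null ? null : new Date(t.getTime());`, and state in a class comment that context values are not protected. The constructor also passes `source.getUserGroups()` and `source.getContext()` straight to `Collections.unmodifiable*` and dereferences `source.getResource()`, all of which throw NullPointerException on a null; whether RangerAccessRequestImpl can return null there is not visible, and the same applies to the `getKeys()`/`getAsMap()` calls in the RangerAccessResourceReadOnly constructor. The `StringUtils` import is unused.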
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java index 7c26f90..f818f80 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java @@ -168,6 +168,11 @@ public class RangerAccessResourceImpl implements RangerMutableResource { } @Override + public RangerAccessResource getReadOnlyCopy() { + return new RangerAccessResourceReadOnly(this); + } + + @Override public boolean equals(Object obj) { if(obj == null || !(obj instanceof RangerAccessResourceImpl)) { return false; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java new file mode 100644 index 0000000..70e30d3 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java 
@@ -0,0 +1,57 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.policyengine; + +import org.apache.ranger.plugin.model.RangerServiceDef; + +import java.util.Collections; +import java.util.Map; +import java.util.Set; + +public class RangerAccessResourceReadOnly implements RangerAccessResource { + + private final RangerAccessResource source; + private final Set<String> keys; + private final Map<String, String> map; + + public RangerAccessResourceReadOnly(final RangerAccessResource source) { + this.source = source; + + // Cached here for reducing access overhead + this.keys = Collections.unmodifiableSet(source.getKeys()); + this.map = Collections.unmodifiableMap(source.getAsMap()); + } + + public String getOwnerUser() { return source.getOwnerUser(); } + + public boolean exists(String name) { return source.exists(name); } + + public String getValue(String name) { return source.getValue(name); } + + public Set<String> getKeys() { return keys; } + + public String getLeafName(RangerServiceDef serviceDef) { return source.getLeafName(serviceDef); } + + public String getAsString(RangerServiceDef serviceDef) { return source.getAsString(serviceDef); } + + public Map<String, String> 
getAsMap() { return map; } + + public RangerAccessResource getReadOnlyCopy() { return this; } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index bc4b9a7..8bf1388 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -36,6 +36,8 @@ public interface RangerPolicyEngine { String KEY_CONTEXT_TAGS = "TAGS"; String KEY_CONTEXT_TAG_OBJECT = "TAG_OBJECT"; + String KEY_CONTEXT_RESOURCE = "RESOURCE"; + String getServiceName(); RangerServiceDef getServiceDef(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 7b6eb35..69757da 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -480,8 +480,8 @@ class RangerTagResource extends RangerAccessResourceImpl { private static final String KEY_TAG = "tag"; - public RangerTagResource(String tag) { - super.setValue(KEY_TAG, tag); + public RangerTagResource(String tagName) { + super.setValue(KEY_TAG, tagName); } } 
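Review bot: The RangerAccessResourceReadOnly constructor wraps `source.getKeys()` and `source.getAsMap()` in `Collections.unmodifiableSet`/`unmodifiableMap`, which are views rather than snapshots, and every other getter delegates to the live `source`. If the source returns its internal collections (not visible in this hunk), later changes to the source show through the object that is meant to be read-only. If a point-in-time copy is intended, copy before wrapping, e.g. `this.map = Collections.unmodifiableMap(new HashMap<String, String>(source.getAsMap()));` and the same with a `HashSet` for `keys`, which needs the two extra imports. Both wrapper calls also throw NullPointerException if the source returns null, and the overriding methods lack `@Override`, unlike RangerAccessRequestReadOnly in this same commit.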
@@ -496,10 +496,10 @@ class RangerTagAccessRequest extends RangerAccessRequestImpl { super.setRequestData(request.getRequestData()); Map<String, Object> requestContext = request.getContext(); - if (requestContext == null) { - requestContext = new HashMap<String, Object>(); - } + requestContext.put(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT, resourceTag); + requestContext.put(RangerPolicyEngine.KEY_CONTEXT_RESOURCE, request.getResource()); + super.setContext(requestContext); super.setClientType(request.getClientType()); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index cb9a1ea..8a13839 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -211,7 +211,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator boolean matchResult = false; boolean isHeadMatchAttempted = false; boolean headMatchResult = false; - final boolean isPolicyFinalDecider = isFinal(); + final boolean isFinalPolicy = isFinal(); if (!result.getIsAuditedDetermined()) { // Need to match request.resource first. If it matches (or head matches), then only more progress can be made 
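Review bot: With the null check removed in the RangerTagAccessRequest constructor, `requestContext.put(...)` throws NullPointerException unless every RangerAccessRequest implementation guarantees a non-null context, which this hunk does not show. The two `put` calls also write TAG_OBJECT and RESOURCE into the caller's own map instead of a per-tag one. Copying first avoids both: `Map<String, Object> requestContext = request.getContext() == null ? new HashMap<String, Object>() : new HashMap<String, Object>(request.getContext());`. The value stored under KEY_CONTEXT_RESOURCE is the original resource object, and the test fixture reads it from scripts via `ctx.get('RESOURCE')`, so `request.getResource().getReadOnlyCopy()` would match the read-only intent of the commit. The constructor starts outside the hunk.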
@@ -256,7 +256,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator evaluatePolicyItemsForAccess(policy, request, result); } } - if ((matchResult || headMatchResult) && !result.getIsAccessDetermined() && isPolicyFinalDecider) { + if ((matchResult || headMatchResult) && !result.getIsAccessDetermined() && isFinalPolicy) { result.setIsAllowed(false); result.setPolicyId(getPolicy().getId()); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/store/TagPredicateUtil.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/TagPredicateUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/TagPredicateUtil.java index b880179..fd48d63 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/TagPredicateUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/TagPredicateUtil.java @@ -165,7 +165,7 @@ public class TagPredicateUtil extends AbstractPredicateUtil { if (object instanceof RangerResource) { RangerResource rangerResource = (RangerResource) object; - ret = StringUtils.equals(type, rangerResource.getServiceType()); + ret = StringUtils.equals(type, rangerResource.getComponentType()); } return ret; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/store/file/TagFileStore.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/TagFileStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/TagFileStore.java index 073488f..48059ce 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/TagFileStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/TagFileStore.java 
@@ -79,20 +79,6 @@ public class TagFileStore extends AbstractTagStore { } } - public TagFileStore(String dataDir) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> TagFileStore.TagFileStore()"); - } - - this.tagDataDir = dataDir; - fileStoreUtil = new FileStoreUtil(); - - - if (LOG.isDebugEnabled()) { - LOG.debug("<== TagFileStore.TagFileStore()"); - } - } - @Override public void init() throws Exception { if (LOG.isDebugEnabled()) { @@ -130,7 +116,7 @@ public class TagFileStore extends AbstractTagStore { throw new Exception(tagDef.getName() + ": tag-def already exists (id=" + existing.getId() + ")"); } - RangerTagDef ret = null; + RangerTagDef ret; try { preCreate(tagDef); @@ -165,7 +151,7 @@ public class TagFileStore extends AbstractTagStore { throw new Exception(tagDef.getName() + ": tag-def does not exist (id=" + tagDef.getId() + ")"); } - RangerTagDef ret = null; + RangerTagDef ret; try { preUpdate(existing); @@ -225,14 +211,16 @@ public class TagFileStore extends AbstractTagStore { LOG.debug("==> TagFileStore.getTagDef(" + name + ")"); } - RangerTagDef ret = null; + RangerTagDef ret; - if (name != null) { + if (StringUtils.isNotBlank(name)) { SearchFilter filter = new SearchFilter(SearchFilter.TAG_DEF_NAME, name); List<RangerTagDef> tagDefs = getTagDefs(filter); ret = CollectionUtils.isEmpty(tagDefs) ? null : tagDefs.get(0); + } else { + ret = null; } if (LOG.isDebugEnabled()) { @@ -248,7 +236,7 @@ public class TagFileStore extends AbstractTagStore { LOG.debug("==> TagFileStore.getTagDefById(" + id + ")"); } - RangerTagDef ret = null; + RangerTagDef ret; if (id != null) { SearchFilter filter = new SearchFilter(SearchFilter.TAG_DEF_ID, id.toString()); @@ -256,6 +244,8 @@ public class TagFileStore extends AbstractTagStore { List<RangerTagDef> tagDefs = getTagDefs(filter); ret = CollectionUtils.isEmpty(tagDefs) ? null : tagDefs.get(0); + } else { + ret = null; } if (LOG.isDebugEnabled()) { 
@@ -274,7 +264,7 @@ public class TagFileStore extends AbstractTagStore { List<RangerTagDef> ret = getAllTagDefs(); - if (ret != null && filter != null && !filter.isEmpty()) { + if (CollectionUtils.isNotEmpty(ret) && filter != null && !filter.isEmpty()) { CollectionUtils.filter(ret, predicateUtil.getPredicate(filter)); //Comparator<RangerBaseModelObject> comparator = getSorter(filter); @@ -306,7 +296,7 @@ public class TagFileStore extends AbstractTagStore { throw new Exception(resource.getId() + ": resource already exists (id=" + existing.getId() + ")"); } - RangerResource ret = null; + RangerResource ret; try { preCreate(resource); @@ -340,15 +330,15 @@ public class TagFileStore extends AbstractTagStore { throw new Exception(resource.getId() + ": resource does not exist (id=" + resource.getId() + ")"); } - RangerResource ret = null; + RangerResource ret; try { preUpdate(existing); - existing.setServiceType(resource.getServiceType()); - existing.setResourceSpecs(resource.getResourceSpecs()); + existing.setComponentType(resource.getComponentType()); + existing.setResourceSpec(resource.getResourceSpec()); existing.setTagServiceName(resource.getTagServiceName()); - existing.setTagsAndValues(resource.getTagsAndValues()); + existing.setTags(resource.getTags()); ret = fileStoreUtil.saveToFile(existing, new Path(fileStoreUtil.getDataFile(FILE_PREFIX_TAG_RESOURCE, existing.getId())), true); @@ -363,7 +353,7 @@ public class TagFileStore extends AbstractTagStore { if (LOG.isDebugEnabled()) { LOG.debug("<== TagFileStore.updateResource(" + resource + ")"); } - return null; + return ret; } @Override @@ -400,7 +390,7 @@ public class TagFileStore extends AbstractTagStore { if (LOG.isDebugEnabled()) { LOG.debug("==> TagFileStore.getResource(" + id + ")"); } - RangerResource ret = null; + RangerResource ret; if (id != null) { SearchFilter filter = new SearchFilter(SearchFilter.TAG_RESOURCE_ID, id.toString()); 
@@ -408,6 +398,8 @@ public class TagFileStore extends AbstractTagStore { List<RangerResource> resources = getResources(filter); ret = CollectionUtils.isEmpty(resources) ? null : resources.get(0); + } else { + ret = null; } if (LOG.isDebugEnabled()) { LOG.debug("<== TagFileStore.getResource(" + id + ")"); @@ -420,19 +412,15 @@ public class TagFileStore extends AbstractTagStore { if (LOG.isDebugEnabled()) { LOG.debug("==> TagFileStore.getResources(" + tagServiceName + ", " + serviceType + ")"); } - List<RangerResource> ret = null; + List<RangerResource> ret; SearchFilter filter = new SearchFilter(); - if (tagServiceName == null || tagServiceName.isEmpty()) { - // Get all tagged resources - } else { + if (StringUtils.isNotBlank(tagServiceName)) { filter.setParam(SearchFilter.TAG_RESOURCE_SERVICE_NAME, tagServiceName); } - if (serviceType == null || serviceType.isEmpty()) { - // Get all tagged resources - } else { + if (StringUtils.isNotBlank(serviceType)) { filter.setParam(SearchFilter.TAG_RESOURCE_SERVICE_TYPE, serviceType); } @@ -453,7 +441,7 @@ public class TagFileStore extends AbstractTagStore { List<RangerResource> ret = getAllTaggedResources(); - if (ret != null && filter != null && !filter.isEmpty()) { + if (CollectionUtils.isNotEmpty(ret) && filter != null && !filter.isEmpty()) { CollectionUtils.filter(ret, predicateUtil.getPredicate(filter)); //Comparator<RangerBaseModelObject> comparator = getSorter(filter); @@ -481,7 +469,7 @@ public class TagFileStore extends AbstractTagStore { // load Tag definitions from file system List<RangerTagDef> sds = fileStoreUtil.loadFromDir(new Path(fileStoreUtil.getDataDir()), FILE_PREFIX_TAG_DEF, RangerTagDef.class); - if (sds != null) { + if (CollectionUtils.isNotEmpty(sds)) { for (RangerTagDef sd : sds) { if (sd != null) { // if the TagDef is already found, remove the earlier definition 
@@ -504,16 +492,14 @@ public class TagFileStore extends AbstractTagStore { } if (LOG.isDebugEnabled()) { - LOG.debug("<== TagFileStore.getAllTagDefs(): count=" + (ret == null ? 0 : ret.size())); + LOG.debug("<== TagFileStore.getAllTagDefs(): count=" + ret.size()); } - if (ret != null) { - //Collections.sort(ret, idComparator); + //Collections.sort(ret, idComparator); - //for (RangerTagDef sd : ret) { + //for (RangerTagDef sd : ret) { //Collections.sort(sd.getResources(), resourceLevelComparator); - //} - } + //} return ret; } @@ -529,7 +515,7 @@ public class TagFileStore extends AbstractTagStore { // load resource definitions from file system List<RangerResource> resources = fileStoreUtil.loadFromDir(new Path(fileStoreUtil.getDataDir()), FILE_PREFIX_TAG_RESOURCE, RangerResource.class); - if (resources != null) { + if (CollectionUtils.isNotEmpty(resources)) { for (RangerResource resource : resources) { if (resource != null) { // if the RangerResource is already found, remove the earlier definition @@ -551,16 +537,15 @@ public class TagFileStore extends AbstractTagStore { } if (LOG.isDebugEnabled()) { - LOG.debug("<== TagFileStore.getAllTaggedResources(): count=" + (ret == null ? 0 : ret.size())); + LOG.debug("<== TagFileStore.getAllTaggedResources(): count=" + ret.size()); } - if (ret != null) { - //Collections.sort(ret, idComparator); - //for (RangerTagDef sd : ret) { + //Collections.sort(ret, idComparator); + + //for (RangerTagDef sd : ret) { //Collections.sort(sd.getResources(), resourceLevelComparator); - //} - } + //} return ret; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json index ea2c87a..46f95a4 100644 
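Review bot: The debug line in getAllTagDefs() now calls `ret.size()` without the former null guard, so it relies on `ret` always being assigned a list earlier in the method. That initialisation is outside the hunk and should be confirmed, because a null would surface only as a NullPointerException when debug logging is enabled. The getAllTaggedResources() hunk at -551 makes the same change. Both hunks also keep the commented-out `Collections.sort` blocks, which are dead code and could be deleted or replaced by a one-line `// TODO: sort by id` comment.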
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json @@ -89,11 +89,11 @@ "policyConditions": [ { "itemId":1, - "name":"Default_TagAttributeValueEvaluator", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerTagAttributeEvaluator", - "evaluatorOptions" : {"interpreter":"JavaScript"}, - "label":"JavaScript script", - "description": "JavaScript script to execute" + "name":"ScriptConditionEvaluator", + "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", + "evaluatorOptions" : {"engineName":"JavaScript"}, + "label":"Script", + "description": "Script to execute" } ] }, 
@@ -102,9 +102,21 @@ "resources":{"tag":{"values":["restricte?"],"isRecursive":false}}, "policyItems":[ {"accesses":[{"type":"hdfs:read","isAllowed":true}],"users":["user1"],"groups":["finance"],"delegateAdmin":false, - "conditions" : [{"type":"Default_TagAttributeValueEvaluator", "values":[ - "result.setFailed(); var tagName = tag.name; var attrValues = tag.attributeValues; var expiryDate = attrValues[\"expiry_date\"]; println(expiryDate); result.setSucceeded();"]}]} + "conditions" : [{"type":"ScriptConditionEvaluator", "values": [ + "var accessTime = request.getAccessTime(); println('accessTime=' + accessTime); result = true;" + , + "var accessTime = request.accessTime; println('accessTime=' + accessTime); result = true;" + , + "var ownerUser = request.resource.getOwnerUser(); println('ownerUser=' + ownerUser); result = true;" + , + "var ownerUser = request.resource.ownerUser; println('ownerUser=' + ownerUser); result = true;" + , + "var resource = ctx.get('RESOURCE').getAsMap(); println('resource path=' + resource.get('path')); result = true;" + ] + }] + } + ] } , {"id":4,"name":"allow partial-match tag","isEnabled":true,"isAuditEnabled":true, http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java index 2383cc4..d093a35 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 
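Review bot: Every script in the new `values` list ends with `result = true`, so as far as this hunk shows the fixture covers only conditions that pass. The expected results live in the tests section outside the hunk, so this should be checked there. Two further cases would cover what the commit introduces: one whose script leaves `result` false with the test expecting the access not to be allowed, and one asserting that an attempt to change `request` or `ctx` from a script has no effect on the evaluated request.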
@@ -19,18 +19,16 @@ package org.apache.ranger.rest; +import org.apache.commons.collections.CollectionUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.plugin.model.RangerResource; -import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerTagDef; import org.apache.ranger.plugin.store.file.TagFileStore; import org.apache.ranger.plugin.util.SearchFilter; -import org.owasp.html.TagBalancingHtmlStreamEventReceiver; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Scope; -import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.stereotype.Component; import org.springframework.transaction.annotation.Propagation; import org.springframework.transaction.annotation.Transactional; @@ -57,7 +55,7 @@ public class TagREST { TagFileStore tagStore; */ - private TagFileStore tagStore = null; + private TagFileStore tagStore; public TagREST() { tagStore = TagFileStore.getInstance(); } @@ -71,7 +69,7 @@ public class TagREST { LOG.debug("==> TagREST.createTagDef(" + tagDef + ")"); } - RangerTagDef ret = null; + RangerTagDef ret; try { //RangerTagDefValidator validator = validatorFactory.getTagDefValidator(tagStore); @@ -106,7 +104,7 @@ public class TagREST { throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "tag name mismatch", true); } - RangerTagDef ret = null; + RangerTagDef ret; try { ret = tagStore.updateTagDef(tagDef); @@ -153,7 +151,7 @@ public class TagREST { LOG.debug("==> TagREST.getTagDefByName(" + name + ")"); } - RangerTagDef ret = null; + RangerTagDef ret; try { ret = tagStore.getTagDef(name); @@ -182,7 +180,7 @@ public class TagREST { LOG.debug("==> TagREST.getTagDefs()"); } - List<RangerTagDef> ret = null; + List<RangerTagDef> ret; try { ret = tagStore.getTagDefs(new SearchFilter()); 
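Review bot: Dropping the `org.springframework.security.access.prepost.PreAuthorize` import from TagREST without a compile error implies that no endpoint in this class carries `@PreAuthorize`. The resource methods are outside the hunk, so confirm that the tag-def and tagged-resource create, update and delete endpoints are authorized somewhere else (a filter or the store layer). If they are not, keep the import and annotate the mutating methods. A class-level comment stating where authorization is enforced would make this reviewable.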
@@ -212,7 +210,7 @@ public class TagREST { LOG.debug("==> TagREST.createResource(" + resource + ")"); } - RangerResource ret = null; + RangerResource ret; try { //RangerResourceValidator validator = validatorFactory.getResourceValidator(tagStore); @@ -246,14 +244,14 @@ public class TagREST { throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "resource id mismatch", true); } - RangerResource ret = null; + RangerResource ret; try { //RangerResourceValidator validator = validatorFactory.getResourceValidator(tagStore); //validator.validate(resource, Action.UPDATE); ret = tagStore.updateResource(resource); } catch(Exception excp) { - LOG.error("updateResource(" + ret + ") failed", excp); + LOG.error("updateResource(" + id + ") failed", excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } @@ -272,12 +270,12 @@ public class TagREST { public RangerResource updateResource(@PathParam("id") final Long id, @DefaultValue(TagRESTConstants.ACTION_ADD) @QueryParam(TagRESTConstants.ACTION_OP) String op, List<RangerResource.RangerResourceTag> resourceTagList) { - RangerResource ret = null; + RangerResource ret; if (op.equals(TagRESTConstants.ACTION_ADD) || op.equals(TagRESTConstants.ACTION_REPLACE) || op.equals(TagRESTConstants.ACTION_DELETE)) { - RangerResource oldResource = null; + RangerResource oldResource; try { oldResource = tagStore.getResource(id); } catch (Exception excp) { 
@@ -285,24 +283,29 @@ public class TagREST { throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - List<RangerResource.RangerResourceTag> oldTagsAndValues = oldResource.getTagsAndValues(); - - if (op.equals(TagRESTConstants.ACTION_ADD)) { - oldTagsAndValues.addAll(resourceTagList); - oldResource.setTagsAndValues(oldTagsAndValues); - } else if (op.equals(TagRESTConstants.ACTION_REPLACE)) { - oldResource.setTagsAndValues(resourceTagList); - } else if (op.equals(TagRESTConstants.ACTION_DELETE)) { - oldTagsAndValues.removeAll(resourceTagList); - oldResource.setTagsAndValues(oldTagsAndValues); + List<RangerResource.RangerResourceTag> oldTagsAndValues = oldResource.getTags(); + + switch (op) { + case TagRESTConstants.ACTION_ADD: + oldTagsAndValues.addAll(resourceTagList); + break; + case TagRESTConstants.ACTION_REPLACE: + oldResource.setTags(resourceTagList); + break; + case TagRESTConstants.ACTION_DELETE: + oldTagsAndValues.removeAll(resourceTagList); + break; + default: + break; } + oldResource.setTags(oldTagsAndValues); try { //RangerResourceValidator validator = validatorFactory.getResourceValidator(tagStore); //validator.validate(resource, Action.UPDATE); ret = tagStore.updateResource(oldResource); } catch (Exception excp) { - LOG.error("updateResource(" + ret + ") failed", excp); + LOG.error("updateResource(" + id + ") failed", excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } @@ -347,7 +350,7 @@ public class TagREST { LOG.debug("==> TagREST.getResource(" + id + ")"); } - RangerResource ret = null; + RangerResource ret; try { ret = tagStore.getResource(id); @@ -377,7 +380,7 @@ public class TagREST { LOG.debug("==> TagREST.getResources(" + tagServiceName + ", " + serviceType + ")"); } - List<RangerResource> ret = null; + List<RangerResource> ret; try { ret = tagStore.getResources(tagServiceName, serviceType); 
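Review bot: In the new `switch (op)` of updateResource, the ACTION_REPLACE case calls `oldResource.setTags(resourceTagList)`, but the unconditional `oldResource.setTags(oldTagsAndValues)` after the switch overwrites it with the old list, so a replace request leaves the tags unchanged. Assigning the new list to the local variable in that case fixes it. Separately, `tagStore.getResource(id)` returns null when no resource matches (see the TagFileStore hunks), and this commit itself treats `getTags()` as possibly empty or null, so `oldResource.getTags()` and `addAll`/`removeAll` can throw NullPointerException instead of returning a clear error. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: oldResource = tagStore.getResource(id) and its catch block …
if (oldResource == null) {
    throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "resource not found", true);
}

List<RangerResource.RangerResourceTag> oldTagsAndValues = oldResource.getTags();
if (oldTagsAndValues == null) {
    oldTagsAndValues = new ArrayList<RangerResource.RangerResourceTag>();
}

switch (op) {
    // … unchanged: ACTION_ADD case …
    case TagRESTConstants.ACTION_REPLACE:
        oldTagsAndValues = resourceTagList;
        break;
    // … unchanged: ACTION_DELETE and default cases …
}
// … unchanged: oldResource.setTags(oldTagsAndValues) and the tagStore.updateResource call …
```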
@@ -394,7 +397,7 @@ public class TagREST { List<RangerResource> toBeFilteredOut = new ArrayList<RangerResource>(); for (RangerResource rangerResource : ret) { - if (rangerResource.getTagsAndValues().isEmpty()) { + if (CollectionUtils.isEmpty(rangerResource.getTags())) { toBeFilteredOut.add(rangerResource); } }
