RANGER-521: updated RangerAccessReqest.getAsString() and isLeafName() to not require serviceDef argument
Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/f35d53b8 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/f35d53b8 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/f35d53b8 Branch: refs/heads/ranger-0.5 Commit: f35d53b8770c406c7cbeef00562333de5225fb32 Parents: f51878c Author: Abhay Kulkarni <[email protected]> Authored: Mon Jun 1 17:41:47 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Tue Jun 2 10:23:59 2015 -0700 ---------------------------------------------------------------------- .gitignore | 2 + .../plugin/audit/RangerDefaultAuditHandler.java | 4 +- .../policyengine/RangerAccessResource.java | 6 ++- .../policyengine/RangerAccessResourceImpl.java | 16 ++++++- .../policyengine/RangerMutableResource.java | 3 ++ .../plugin/policyengine/RangerPolicyEngine.java | 4 +- .../policyengine/RangerPolicyEngineImpl.java | 45 ++++++++++++++------ .../policyengine/RangerPolicyRepository.java | 4 +- .../RangerResourceAccessCacheImpl.java | 4 +- .../ranger/plugin/service/RangerBasePlugin.java | 14 ++---- .../plugin/policyengine/TestPolicyEngine.java | 2 + .../hadoop/RangerHdfsAuthorizer.java | 4 +- .../hive/authorizer/RangerHiveAuditHandler.java | 4 +- .../hive/authorizer/RangerHiveAuthorizer.java | 6 +-- 14 files changed, 77 insertions(+), 41 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/.gitignore ---------------------------------------------------------------------- diff --git a/.gitignore b/.gitignore index 7f41f0c..bced5a7 100644 --- a/.gitignore +++ b/.gitignore 
@@ -8,3 +8,5 @@ /target/ winpkg/target .DS_Store +.gitignore +.idea http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java index 253a180..844d0ac 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java @@ -85,8 +85,8 @@ public class RangerDefaultAuditHandler implements RangerAccessResultProcessor { if(request != null && result != null && result.getIsAudited()) { RangerServiceDef serviceDef = result.getServiceDef(); RangerAccessResource resource = request.getResource(); - String resourceType = resource == null ? null : resource.getLeafName(serviceDef); - String resourcePath = resource == null ? null : resource.getAsString(serviceDef); + String resourceType = resource == null ? null : resource.getLeafName(); + String resourcePath = resource == null ? null : resource.getAsString(); ret = createAuthzAuditEvent(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java index 82c0248..d645e56 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java 
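Review bot: The local `RangerServiceDef serviceDef = result.getServiceDef();` kept as context at the top of the RangerDefaultAuditHandler hunk has no visible use left now that `getLeafName()` and `getAsString()` take no argument. If nothing later in the method reads it (the body continues outside the hunk), drop the line so the audit path does not suggest that the result's service definition still shapes the logged resource type and path. The same leftover appears in the RangerHdfsAuditHandler hunk at -480,8.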
@@ -34,11 +34,13 @@ public interface RangerAccessResource { public abstract String getValue(String name); + public RangerServiceDef getServiceDef(); + public Set<String> getKeys(); - public String getLeafName(RangerServiceDef serviceDef); + public String getLeafName(); - public String getAsString(RangerServiceDef serviceDef); + public String getAsString(); public Map<String, String> getAsMap(); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java index 7c26f90..e1c3222 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java @@ -35,6 +35,7 @@ public class RangerAccessResourceImpl implements RangerMutableResource { private Map<String, String> elements = null; private String stringifiedValue = null; private String leafName = null; + private RangerServiceDef serviceDef = null; public RangerAccessResourceImpl() { @@ -109,7 +110,18 @@ public class RangerAccessResourceImpl implements RangerMutableResource { } @Override - public String getLeafName(RangerServiceDef serviceDef) { + public void setServiceDef(final RangerServiceDef serviceDef) { + this.serviceDef = serviceDef; + this.stringifiedValue = this.leafName = null; + } + + @Override + public RangerServiceDef getServiceDef() { + return this.serviceDef; + } + + @Override + public String getLeafName() { String ret = leafName; if(ret == null) { 
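Review bot: The new no-argument `getLeafName()` and `getAsString()` in the RangerAccessResource hunk do not document what they return while `getServiceDef()` is still null, which is the state of a resource until something calls `setServiceDef`. Other hunks of this commit use these strings as cache keys and audit fields, so the interface should state the precondition, for example `/** Requires getServiceDef() to be non-null; callers go through RangerPolicyEngine.preProcess() first. */` on both methods. The implementation bodies in RangerAccessResourceImpl lie outside the visible hunks, so confirm the actual null behaviour before settling the wording.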
@@ -134,7 +146,7 @@ public class RangerAccessResourceImpl implements RangerMutableResource { } @Override - public String getAsString(RangerServiceDef serviceDef) { + public String getAsString() { String ret = stringifiedValue; if(ret == null) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java index 16ab725..5d9b509 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java @@ -20,8 +20,11 @@ package org.apache.ranger.plugin.policyengine; +import org.apache.ranger.plugin.model.RangerServiceDef; + public interface RangerMutableResource extends RangerAccessResource { void setOwnerUser(String ownerUser); void setValue(String type, String value); + void setServiceDef(RangerServiceDef serviceDef); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index 0a0b210..497c344 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 
@@ -42,9 +42,9 @@ public interface RangerPolicyEngine { RangerAccessResult createAccessResult(RangerAccessRequest request); - void enrichContext(RangerAccessRequest request); + void preProcess(RangerAccessRequest request); - void enrichContext(Collection<RangerAccessRequest> requests); + void preProcess(Collection<RangerAccessRequest> requests); RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 4219875..d2b3a5c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
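Review bot: `preProcess` is now a required step rather than optional enrichment, but the interface says nothing about that ordering. The TestPolicyEngine hunk has to add `policyEngine.preProcess(test.request);` before `isAccessAllowed`, which suggests that an engine caller who skips it evaluates a resource with no service definition. Add a comment such as `/** Must be called before isAccessAllowed(); sets the resource's service definition and runs the context enrichers. */`, or have `isAccessAllowed` perform the step itself.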
@@ -83,42 +83,50 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } @Override - public void enrichContext(RangerAccessRequest request) { + public void preProcess(RangerAccessRequest request) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEngineImpl.enrichContext(" + request + ")"); + LOG.debug("==> RangerPolicyEngineImpl.preProcess(" + request + ")"); } + setResourceServiceDef(request); + List<RangerContextEnricher> enrichers = policyRepository.getContextEnrichers(); - if(request != null && !CollectionUtils.isEmpty(enrichers)) { + if(!CollectionUtils.isEmpty(enrichers)) { for(RangerContextEnricher enricher : enrichers) { enricher.enrich(request); } } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEngineImpl.enrichContext(" + request + ")"); + LOG.debug("<== RangerPolicyEngineImpl.preProcess(" + request + ")"); } } @Override - public void enrichContext(Collection<RangerAccessRequest> requests) { + public void preProcess(Collection<RangerAccessRequest> requests) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEngineImpl.enrichContext(" + requests + ")"); + LOG.debug("==> RangerPolicyEngineImpl.preProcess(" + requests + ")"); } - List<RangerContextEnricher> enrichers = policyRepository.getContextEnrichers(); + if(CollectionUtils.isNotEmpty(requests)) { + for(RangerAccessRequest request : requests) { + setResourceServiceDef(request); + } - if(!CollectionUtils.isEmpty(requests) && !CollectionUtils.isEmpty(enrichers)) { - for(RangerContextEnricher enricher : enrichers) { - for(RangerAccessRequest request : requests) { - enricher.enrich(request); + List<RangerContextEnricher> enrichers = policyRepository.getContextEnrichers(); + + if(CollectionUtils.isNotEmpty(enrichers)) { + for(RangerContextEnricher enricher : enrichers) { + for(RangerAccessRequest request : requests) { + enricher.enrich(request); + } } } } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEngineImpl.enrichContext(" + requests + ")"); + 
LOG.debug("<== RangerPolicyEngineImpl.preProcess(" + requests + ")"); } } @@ -299,6 +307,19 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { return ret; } + private void setResourceServiceDef(RangerAccessRequest request) { + RangerAccessResource resource = request.getResource(); + + if (resource.getServiceDef() == null) { + if (resource instanceof RangerMutableResource) { + RangerMutableResource mutable = (RangerMutableResource) resource; + mutable.setServiceDef(getServiceDef()); + } else { + LOG.debug("RangerPolicyEngineImpl.setResourceServiceDef(): Cannot set ServiceDef in RangerResource."); + } + } + } + @Override public String toString( ) { StringBuilder sb = new StringBuilder(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java index 6a355ff..c063b94 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java @@ -191,7 +191,7 @@ public class RangerPolicyRepository { Boolean value = null; if (accessAuditCache != null) { - value = accessAuditCache.get(request.getResource().getAsString(getServiceDef())); + value = accessAuditCache.get(request.getResource().getAsString()); } if ((value != null)) { 
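Review bot: The single-request `preProcess` drops the old `request != null` guard and passes the request straight to `setResourceServiceDef`, which dereferences it. A null request that used to be tolerated will therefore throw NullPointerException on the authorization path before any enricher runs. The collection overload now dereferences every element in the same way. Restore the tolerance with `if(request != null) { setResourceServiceDef(request); }` and keep `request != null &&` in the enricher condition, or document on the interface that null requests are rejected.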
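Review bot: `setResourceServiceDef` calls `resource.getServiceDef()` without checking that `request.getResource()` returned a resource, although the audit handlers in this same commit treat a null resource as a normal case (`resource == null ? null : ...`). The non-mutable branch also reports the failure only at debug level, so in production a resource would reach `getAsString()` and the caches with no service definition and nothing in the log. I would guard the null case and raise the log level to warn, as in the rewrite below.

```java
private void setResourceServiceDef(RangerAccessRequest request) {
	RangerAccessResource resource = request == null ? null : request.getResource();

	// nothing to do for a missing resource or one that already carries a definition
	if (resource == null || resource.getServiceDef() != null) {
		return;
	}

	if (resource instanceof RangerMutableResource) {
		((RangerMutableResource) resource).setServiceDef(getServiceDef());
	} else {
		LOG.warn("RangerPolicyEngineImpl.setResourceServiceDef(): Cannot set ServiceDef in RangerResource.");
	}
}
```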
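Review bot: The audit-cache key in the RangerPolicyRepository hunk is now built from whatever service definition the request's resource carries, not from the repository's own `getServiceDef()`. `setResourceServiceDef` fills the field only when it is null, so a resource that arrives with a different definition already set would presumably produce keys that differ from the ones this repository used before. The same applies to the -211,7 hunk and to `lookup`/`add` in RangerResourceAccessCacheImpl. Since these caches feed audit and access decisions, state the invariant next to the key computation, e.g. `// resource.getServiceDef() must be this repository's serviceDef (set in preProcess)`, or verify it before using the key; both method bodies extend beyond the hunks.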
@@ -211,7 +211,7 @@ public class RangerPolicyRepository { } if ((ret.getIsAuditedDetermined() == true)) { - String strResource = request.getResource().getAsString(getServiceDef()); + String strResource = request.getResource().getAsString(); Boolean value = ret.getIsAudited() ? Boolean.TRUE : Boolean.FALSE; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerResourceAccessCacheImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerResourceAccessCacheImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerResourceAccessCacheImpl.java index 3388361..5f3f899 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerResourceAccessCacheImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerResourceAccessCacheImpl.java @@ -62,7 +62,7 @@ public class RangerResourceAccessCacheImpl implements RangerResourceAccessCache @Override public LookupResult lookup(RangerAccessResource resource) { - String strResource = resource.getAsString(serviceDef); + String strResource = resource.getAsString(); if(LOG.isDebugEnabled()) { LOG.debug("==> RangerResourceAccessCacheImpl.lookup(" + strResource + ")"); 
@@ -91,7 +91,7 @@ public class RangerResourceAccessCacheImpl implements RangerResourceAccessCache @Override public void add(RangerAccessResource resource, CacheType cacheType) { - String strResource = resource.getAsString(serviceDef); + String strResource = resource.getAsString(); if(LOG.isDebugEnabled()) { LOG.debug("==> RangerResourceAccessCacheImpl.add(" + strResource + ", " + cacheType + ")"); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 574dd5b..095eafb 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -23,6 +23,7 @@ import java.util.Collection; import java.util.Hashtable; import java.util.Map; +import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; 
@@ -30,14 +31,7 @@ import org.apache.ranger.admin.client.RangerAdminClient; import org.apache.ranger.admin.client.RangerAdminRESTClient; import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.policyengine.RangerAccessRequest; -import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; -import org.apache.ranger.plugin.policyengine.RangerAccessResult; -import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; -import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; -import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl; -import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; -import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; +import org.apache.ranger.plugin.policyengine.*; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.PolicyRefresher; @@ -150,7 +144,7 @@ public class RangerBasePlugin { RangerPolicyEngine policyEngine = this.policyEngine; if(policyEngine != null) { - policyEngine.enrichContext(request); + policyEngine.preProcess(request); return policyEngine.isAccessAllowed(request, resultProcessor); } @@ -162,7 +156,7 @@ public class RangerBasePlugin { RangerPolicyEngine policyEngine = this.policyEngine; if(policyEngine != null) { - policyEngine.enrichContext(requests); + policyEngine.preProcess(requests); return policyEngine.isAccessAllowed(requests, resultProcessor); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- 
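Review bot: `import org.apache.ranger.plugin.policyengine.*;` replaces eight explicit imports with a wildcard. That hides which policy-engine types RangerBasePlugin depends on, and a class added to that package later could clash with another imported name. Keep the explicit list; the change looks like an IDE reformat, not something this commit intended. The -23,6 hunk also adds `org.apache.commons.collections.CollectionUtils`, and no use of it is visible in this file's hunks, so confirm it is needed.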
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index ed67e8e..38b7302 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java @@ -103,6 +103,8 @@ public class TestPolicyEngine { policyEngine = new RangerPolicyEngineImpl(servicePolicies); for(TestData test : testCase.tests) { + policyEngine.preProcess(test.request); + RangerAccessResult expected = test.result; RangerAccessResult result = policyEngine.isAccessAllowed(test.request, null); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java ---------------------------------------------------------------------- diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java index 5b115b2..f6fa8bd 100644 --- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java +++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java 
@@ -480,8 +480,8 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler { RangerAccessRequest request = result.getAccessRequest(); RangerServiceDef serviceDef = result.getServiceDef(); RangerAccessResource resource = request.getResource(); - String resourceType = resource != null ? resource.getLeafName(serviceDef) : null; - String resourcePath = resource != null ? resource.getAsString(serviceDef) : null; + String resourceType = resource != null ? resource.getLeafName() : null; + String resourcePath = resource != null ? resource.getAsString() : null; auditEvent.setUser(request.getUser()); auditEvent.setResourceType(resourceType) ; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java index 3c16c8f..2675a67 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java @@ -52,7 +52,7 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler { AuthzAuditEvent createAuditEvent(RangerAccessResult result, String accessType, String resourcePath) { RangerAccessRequest request = result.getAccessRequest(); RangerAccessResource resource = request.getResource(); - String resourceType = resource != null ? resource.getLeafName(result.getServiceDef()) : null; + String resourceType = resource != null ? resource.getLeafName() : null; AuthzAuditEvent auditEvent = new AuthzAuditEvent(); auditEvent.setAclEnforcer(RangerModuleName); 
@@ -89,7 +89,7 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler { accessType = request.getAccessType(); } - String resourcePath = resource != null ? resource.getAsString(result.getServiceDef()) : null; + String resourcePath = resource != null ? resource.getAsString() : null; return createAuditEvent(result, accessType, resourcePath); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f35d53b8/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java index 190c241..ad73682 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java @@ -292,7 +292,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege", user, hiveOpType)); } else if (!result.getIsAllowed()) { - String path = resource.getAsString(result.getServiceDef()); + String path = resource.getAsString(); throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, hiveOpType.name(), path)); } else { @@ -345,7 +345,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { } if(result != null && !result.getIsAllowed()) { - String path = resource.getAsString(result.getServiceDef()); + String path = resource.getAsString(); throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, request.getHiveAccessType().name(), path)); 
@@ -452,7 +452,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { LOG.error("filterListCmdObjects: Internal error: null RangerAccessResult object received back from isAccessAllowed()!"); } else if (!result.getIsAllowed()) { if (!LOG.isDebugEnabled()) { - String path = resource.getAsString(result.getServiceDef()); + String path = resource.getAsString(); LOG.debug(String.format("filterListCmdObjects: Permission denied: user [%s] does not have [%s] privilege on [%s]", user, request.getHiveAccessType().name(), path)); } } else {
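Review bot: The context line `if (!LOG.isDebugEnabled()) {` around the changed statement is inverted. The denial message for `filterListCmdObjects` is built and passed to `LOG.debug` only when debug logging is off, so it is never emitted, and when debug is on the branch is skipped. The commit touches the line inside this block but leaves the condition unchanged; it should read `if (LOG.isDebugEnabled()) {`. The enclosing method starts and ends outside the hunk.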
