Repository: incubator-ranger Updated Branches: refs/heads/tag-policy 85e13c4de -> 0c6d87890
RANGER-274: Fixed Service policyVersion not getting updated. Cleaned up tag policy evaluation loop. Fixed issues found during testing with Hive Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/0c6d8789 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/0c6d8789 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/0c6d8789 Branch: refs/heads/tag-policy Commit: 0c6d87890994f32e13b28f44e10fb4c5ec2a60ec Parents: 85e13c4 Author: Abhay Kulkarni <[email protected]> Authored: Thu Jun 4 21:13:27 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Fri Jun 5 18:36:30 2015 -0700 ---------------------------------------------------------------------- .../policyengine/RangerPolicyEngineImpl.java | 50 +++++++++----------- .../service-defs/ranger-servicedef-_tag_.json | 2 +- .../policyengine/test_policyengine_hdfs.json | 4 +- .../org/apache/ranger/biz/ServiceDBStore.java | 2 + 4 files changed, 29 insertions(+), 29 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0c6d8789/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 63a63d1..16cad9b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
@@ -320,6 +320,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 if (tagAccessResult.getIsAccessDetermined()) {
 if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyEngineImpl.isAccessAllowedNoAudit() - access determined by tag policy. No resource policies will be evaluated, request=" + request + ", result=" + tagAccessResult);
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + "): " + tagAccessResult);
 }
@@ -376,15 +378,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 if (!CollectionUtils.isEmpty(evaluators = tagPolicyRepository.getPolicyEvaluators())) {
- boolean someTagPolicyDeniedAccess = false;
- boolean someTagPolicyAllowedAccess = false;
- boolean someTagPolicyRequiredAudit = false;
- RangerAccessResult allowedAccessResult = createAccessResult(request);
- RangerAccessResult deniedAccessResult = createAccessResult(request);
+ boolean someTagAllowedAudit = false;
+
+ RangerAccessResult savedAccessResult = createAccessResult(request);
 List<RangerTagAuditEvent> tagAuditEvents = new ArrayList<RangerTagAuditEvent>();
 for (RangerResource.RangerResourceTag resourceTag : resourceTags) {
+
 if (LOG.isDebugEnabled()) {
 LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: Evaluating policies for tag (" + resourceTag.getName() + ")");
 }
@@ -400,14 +401,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 if (evaluator.isFinal() || (tagEvalResult.getIsAccessDetermined() && tagEvalResult.getIsAuditedDetermined())) {
 if (LOG.isDebugEnabled()) {
- LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval for tag-policy-id=" + tagEvalResult.getPolicyId() + " for tag (" + resourceTag.getName() + ") with authorization=" + tagEvalResult.getIsAllowed());
+ LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag (" + resourceTag.getName() + ") with authorization=" + tagEvalResult.getIsAllowed());
 }
- break;
+ break; // Break out of policy-evaluation loop for this tag
 }
 }
 if (tagEvalResult.getIsAuditedDetermined()) {
- someTagPolicyRequiredAudit = true;
+ someTagAllowedAudit = true; // And generate an audit event
 if (tagEvalResult.getIsAccessDetermined()) {
 RangerTagAuditEvent event = new RangerTagAuditEvent(resourceTag.getName(), tagEvalResult);
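Review bot: The renamed flag `someTagAllowedAudit` reads as if some tag allowed auditing, but what it records (it is set only when `tagEvalResult.getIsAuditedDetermined()` is true) is that at least one tag policy determined an audit decision; the old name `someTagPolicyRequiredAudit` described that more accurately. Suggest `someTagPolicyDeterminedAudit` here and in the later hunk where the same flag gates `result.setIsAudited(true)`. The trailing comment `// And generate an audit event` is also slightly misleading, since the event on the following lines is created only when `tagEvalResult.getIsAccessDetermined()` holds; `// audit decided for this tag; event created below if access was also decided` would match the code. The enclosing loop starts before this hunk and continues past it.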
@@ -416,34 +417,29 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 }
 if (tagEvalResult.getIsAccessDetermined()) {
- if (tagEvalResult.getIsAllowed()) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: access allowed");
- }
- someTagPolicyAllowedAccess = true;
- allowedAccessResult.setAccessResultFrom(tagEvalResult);
- } else {
+
+ savedAccessResult.setAccessResultFrom(tagEvalResult);
+
+ if (!tagEvalResult.getIsAllowed()) {
 if (LOG.isDebugEnabled()) {
- LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: access denied");
+ LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag-policies as tag (" + resourceTag.getName() + "), tag-policy-id=" + tagEvalResult.getPolicyId() + " denied access.");
 }
- someTagPolicyDeniedAccess = true;
- deniedAccessResult.setAccessResultFrom(tagEvalResult);
+ break; // Break out of tags evaluation loop altogether
 }
 }
 }
- if (someTagPolicyDeniedAccess) {
- result.setAccessResultFrom(deniedAccessResult);
- } else if (someTagPolicyAllowedAccess) {
- result.setAccessResultFrom(allowedAccessResult);
- }
+ result.setAccessResultFrom(savedAccessResult);
- if (someTagPolicyRequiredAudit) {
+ if (someTagAllowedAudit) {
 if (LOG.isDebugEnabled()) {
- LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: at least one tag-policy requires audit");
+ LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: at least one tag-policy requires generation of audit event");
 }
 result.setIsAudited(true);
- RangerTagAuditEvent.processTagEvents(tagAuditEvents, someTagPolicyDeniedAccess);
+
+ boolean isAccessDenied = result.getIsAccessDetermined() && !result.getIsAllowed();
+
+ RangerTagAuditEvent.processTagEvents(tagAuditEvents, isAccessDenied);
 // Set processed list into result
 // result.setAuxilaryAuditInfo(tagAuditEvents);
 }
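Review bot: `result.setAccessResultFrom(savedAccessResult);` after the tag loop now runs unconditionally, so when no tag policy determined access the untouched value from `createAccessResult(request)` is copied into `result`, whereas the removed code copied only when some tag policy had allowed or denied. If `result` carries no state of its own at this point (its initialization is outside the hunk) that is harmless, but guarding it as `if (savedAccessResult.getIsAccessDetermined()) { result.setAccessResultFrom(savedAccessResult); }` makes the intent explicit and protects against a later change that seeds `result` earlier. The combination rule the loop now implements is "a deny from any tag ends evaluation and wins; otherwise the last tag whose policy allowed access is reported", so the policyId and reason on an allow come from the last evaluated tag, not the first; a comment stating that above `savedAccessResult.setAccessResultFrom(tagEvalResult);` would save the next reader from re-deriving it. The enclosing isAccessAllowedForTagPolicies method begins before this hunk and ends after it.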
@@ -454,7 +450,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 }
 }
 if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ")" );
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + result + ")" );
 }
 return result;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0c6d8789/agents-common/src/main/resources/service-defs/ranger-servicedef-_tag_.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-_tag_.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-_tag_.json
index ee8333d..b590108 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-_tag_.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-_tag_.json
@@ -54,7 +54,7 @@
 "enricher" : "org.apache.ranger.plugin.contextenricher.RangerTagProvider",
 "enricherOptions" : {
 "TagProviderType":"FILESTORE_BASED_TAG_PROVIDER",
- "pollingInterval":10000
+ "pollingInterval":60000
 }
 }
 ],
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0c6d8789/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index 46a9eb1..3c38919 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
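Review bot: Raising `"pollingInterval"` from 10000 to 60000 in the tag service definition widens the window in which a tag added to or removed from the tag store is not yet reflected in decisions made through tag policies, by up to a minute if the unit is milliseconds (the file does not say). Since this value bounds how stale an allow or a deny can be rather than being a pure performance knob, the commit message should record why 60000 was chosen and that the default is expected to be overridden per service where tighter propagation is needed. The enricherOptions block gives no hint of the unit; a sibling option name or an entry in the servicedef documentation stating the unit would remove the ambiguity.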
@@ -121,10 +121,12 @@ }, "tagPolicies":[ {"id":5,"name":"allow somethingelse tag","isEnabled":true,"isAuditEnabled":true,"policyType":0, - "resources":{"tag":{"values":["restricte?"],"isRecursive":false}}, + "resources":{"tag":{"values":["pii"],"isRecursive":false}}, "policyItems":[ {"accesses":[{"type":"hdfs:read", "isAllowed":true}, {"type":"hive:grant", "isAllowed":true}, {"type":"delete", "isAllowed":true}, {"type":":write", "isAllowed":true}],"users":["user1"],"groups":["finance"],"delegateAdmin":false, "conditions" : [{"type":"ScriptConditionEvaluator", "values": [ + "importPackage(java.util); var accessDate = ctx.getAsDate(ctx.accessTime); var expiryDate =ctx.getTagAttributeAsDate('pii','expiry'); expiryDate.getTime() < accessDate.getTime();" + , "importPackage(java.util); var accessTime = ctx.accessTime; print('accessTime=' + accessTime); var accessDate = ctx.getAsDate(accessTime); println('accessDate=' + accessDate); var currentDate = new Date(); println('currentDate=' + currentDate); println('current=' +currentDate.getTime()); println('access='+ accessDate.getTime()); result = true;" , "importPackage(java.util); var accessTime = ctx.accessTime; var currentTime = Date(); print('accessTime=' + accessTime); println('currentTime=' + currentTime); accessTime.after(currentTime)" http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0c6d8789/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 55a6d9c..50dd318 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
@@ -1133,6 +1133,8 @@ public class ServiceDBStore extends AbstractServiceStore {
 service.setVersion(version);
+ service.setPolicyVersion(getNextVersion(service.getPolicyVersion()));
+
 if(populateExistingBaseFields) {
 svcServiceWithAssignedId.setPopulateExistingBaseFields(true);
 service = svcServiceWithAssignedId.update(service);
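Review bot: `service.setPolicyVersion(getNextVersion(service.getPolicyVersion()));` advances the policy version on every service update, not only when something that affects policy evaluation changed, so each edit of a service (for example a configuration change) will look like a policy change to every plugin polling that service and trigger a policy re-download. If that is the intent — a service-level change can legitimately alter which policies apply — a comment such as `// any service change invalidates the plugins' cached policies` would make it explicit; otherwise restrict the bump to the fields that affect evaluation. `getNextVersion` is presumably tolerant of a null policyVersion on services stored before this field was populated, mirroring the `setVersion(version)` line just above; confirm that rather than relying on it. The enclosing update method starts and ends outside the hunk.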
