Merge branch 'master' into tag-policy
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ea3bcb38 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ea3bcb38 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ea3bcb38 Branch: refs/heads/tag-policy Commit: ea3bcb38eb28ebebed8a29d3429ce6b3ee794141 Parents: c6133b7 c5f61c8 Author: Madhan Neethiraj <[email protected]> Authored: Wed Jun 10 22:09:30 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Wed Jun 10 22:09:30 2015 -0700 ---------------------------------------------------------------------- .../conditionevaluator/RangerSimpleMatcher.java | 10 +- .../RangerTimeOfDayMatcher.java | 70 ++-- .../model/validation/RangerPolicyValidator.java | 8 + .../RangerAbstractPolicyEvaluator.java | 15 +- .../RangerAbstractPolicyItemEvaluator.java | 61 +++ .../RangerDefaultPolicyEvaluator.java | 387 +++---------------- .../RangerDefaultPolicyItemEvaluator.java | 273 +++++++++++++ .../RangerOptimizedPolicyEvaluator.java | 4 +- .../policyevaluator/RangerPolicyEvaluator.java | 7 +- .../RangerPolicyItemEvaluator.java | 55 +++ .../RangerTimeOfDayMatcherTest.java | 15 +- .../plugin/policyengine/TestPolicyEngine.java | 7 + .../RangerDefaultPolicyEvaluatorTest.java | 256 ------------ .../test_policyengine_conditions.json | 230 +++++++++++ .../policyengine/test_policyengine_hbase.json | 2 +- .../hbase/AuthorizationSession.java | 21 +- .../authorization/hbase/HbaseAuditHandler.java | 4 +- .../hbase/HbaseAuditHandlerImpl.java | 61 ++- .../hbase/RangerAuthorizationCoprocessor.java | 295 ++++++++------ .../hbase/RangerAuthorizationFilter.java | 134 +++++-- .../hbase/RangerAuthorizationFilterTest.java | 120 +++--- pom.xml | 35 +- .../org/apache/ranger/common/RESTErrorUtil.java | 9 + .../org/apache/ranger/common/ServiceUtil.java | 2 +- .../java/org/apache/ranger/rest/AssetREST.java | 25 +- .../org/apache/ranger/rest/ServiceREST.java | 164 
+++++--- .../RangerAuthenticationEntryPoint.java | 54 +-- .../src/main/resources/META-INF/persistence.xml | 4 +- .../conf.dist/ranger-admin-default-site.xml | 2 +- .../webapp/scripts/views/service/ServiceForm.js | 22 +- .../org/apache/ranger/rest/TestServiceREST.java | 16 +- .../config/UserGroupSyncConfig.java | 37 +- .../ranger/usergroupsync/UserGroupSync.java | 3 +- unixauthservice/pom.xml | 12 +- .../authentication/PasswordValidator.java | 3 +- 35 files changed, 1385 insertions(+), 1038 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ea3bcb38/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --cc agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 8a13839,030cd87..56d15ee --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@@ -204,14 -102,12 +102,13 @@@ public class RangerDefaultPolicyEvaluat if (LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")"); } - RangerPolicy policy = getPolicy(); - if (policy != null && request != null && result != null) { - boolean isMatchAttempted = false; - boolean matchResult = false; + if (request != null && result != null) { + boolean isMatchAttempted = false; + boolean matchResult = false; boolean isHeadMatchAttempted = false; - boolean headMatchResult = false; - final boolean isFinalPolicy = isFinal(); + boolean headMatchResult = false; ++ final boolean isFinalPolicy = isFinal(); if (!result.getIsAuditedDetermined()) { // Need to match request.resource first. 
If it matches (or head matches), then only more progress can be made @@@ -253,13 -149,9 +150,13 @@@ } // Go further to evaluate access only if match or head match was found at this point if (matchResult || headMatchResult) { - evaluatePolicyItemsForAccess(policy, request, result); + evaluatePolicyItemsForAccess(request, result); } } + if ((matchResult || headMatchResult) && !result.getIsAccessDetermined() && isFinalPolicy) { + result.setIsAllowed(false); + result.setPolicyId(getPolicy().getId()); + } } if(LOG.isDebugEnabled()) { @@@ -680,8 -397,23 +402,25 @@@ return ret; } + + private RangerPolicyItemAccess getAccess(RangerPolicyItem policyItem, String accessType) { + RangerPolicyItemAccess ret = null; + + if(policyItem != null && CollectionUtils.isNotEmpty(policyItem.getAccesses())) { + for(RangerPolicyItemAccess itemAccess : policyItem.getAccesses()) { + if(StringUtils.equalsIgnoreCase(itemAccess.getType(), accessType)) { + ret = itemAccess; + + break; + } + } + } + + return ret; + } -} - - + + @Override + public boolean isFinal() { + return getPolicy().isPolicyTypeFinal(); + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ea3bcb38/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ea3bcb38/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ea3bcb38/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ea3bcb38/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
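Review bot: The merged `evaluate()` in the first hunk of RangerDefaultPolicyEvaluator.java drops the `policy != null` guard from one parent but keeps `final boolean isFinalPolicy = isFinal();`, and `isFinal()` (added in the last hunk of this file) returns `getPolicy().isPolicyTypeFinal()` with no null check. If `getPolicy()` can return null, as the removed guard suggests, evaluation now throws a NullPointerException instead of skipping the policy. The final-policy block in the second hunk dereferences `getPolicy().getId()` the same way. I would make `isFinal()` null-safe, e.g. `RangerPolicy policy = getPolicy(); return policy != null && policy.isPolicyTypeFinal();`, and add a Javadoc line on `isFinal()` stating what a missing policy means for the decision. The body of `evaluate()` starts and ends outside this hunk.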
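Review bot: The final-policy fallback in the second hunk records a deny with `result.setIsAllowed(false)` and a policy id, but it does not mark the decision as determined, even though the block is gated on `!result.getIsAccessDetermined()`. Unless `setIsAllowed` does that internally (not visible here), a policy evaluated later could still overwrite the deny, which would defeat the purpose of a final policy. If the deny is meant to be terminal, add `result.setIsAccessDetermined(true);` after it. The condition also fires on `headMatchResult` alone, so a comment should state whether a head match on a final policy is intended to deny.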
---------------------------------------------------------------------- diff --cc security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 1e724c9,3d2e8b0..fd9fc3d --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@@ -342,25 -348,15 +352,27 @@@ public class ServiceREST SearchFilter filter = searchUtil.getSearchFilter(request, serviceDefService.sortFields); try { - ret = svcStore.getPaginatedServiceDefs(filter); + paginatedSvcDefs = svcStore.getPaginatedServiceDefs(filter); - } catch (Exception excp) { + } catch(WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { LOG.error("getServiceDefs() failed", excp); - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); + throw restErrorUtil.createRESTException(excp.getMessage()); } + if(paginatedSvcDefs != null) { + ret = new RangerServiceDefList(); + + ret.setServiceDefs(paginatedSvcDefs.getList()); + ret.setPageSize(paginatedSvcDefs.getPageSize()); + ret.setResultSize(paginatedSvcDefs.getResultSize()); + ret.setStartIndex(paginatedSvcDefs.getStartIndex()); + ret.setTotalCount(paginatedSvcDefs.getTotalCount()); + ret.setSortBy(paginatedSvcDefs.getSortBy()); + ret.setSortType(paginatedSvcDefs.getSortType()); + } + if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceREST.getServiceDefs(): count=" + (ret == null ? 
0 : ret.getListSize())); } @@@ -548,26 -552,15 +570,28 @@@ SearchFilter filter = searchUtil.getSearchFilter(request, svcService.sortFields); try { - ret = svcStore.getPaginatedServices(filter); + paginatedSvcs = svcStore.getPaginatedServices(filter); - } catch (Exception excp) { + } catch(WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { LOG.error("getServices() failed", excp); - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); + throw restErrorUtil.createRESTException(excp.getMessage()); } + if(paginatedSvcs != null) { + ret = new RangerServiceList(); + + + ret.setServices(paginatedSvcs.getList()); + ret.setPageSize(paginatedSvcs.getPageSize()); + ret.setResultSize(paginatedSvcs.getResultSize()); + ret.setStartIndex(paginatedSvcs.getStartIndex()); + ret.setTotalCount(paginatedSvcs.getTotalCount()); + ret.setSortBy(paginatedSvcs.getSortBy()); + ret.setSortType(paginatedSvcs.getSortType()); + } + if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceREST.getServices(): count=" + (ret == null ? 
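Review bot: The new `catch (Throwable excp)` in getServiceDefs() passes `excp.getMessage()` straight into the REST error returned to the caller, so store, SQL or JVM error text can reach an API client. The same pattern repeats in the getServices(), getPolicies() and both getServicePolicies() hunks below. Catching `Throwable` also turns `Error`s such as OutOfMemoryError into an ordinary REST failure. I would catch `Exception`, keep the detail in the existing `LOG.error(...)` call and return a fixed message, e.g. `throw restErrorUtil.createRESTException("getServiceDefs() failed");`. The explicit `SC_BAD_REQUEST` status is also gone; which status the one-argument overload sends is not visible here and deserves a comment.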
0 : ret.getListSize())); } @@@ -1080,25 -1083,15 +1116,27 @@@ SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); try { - ret = svcStore.getPaginatedPolicies(filter); + paginatedPolicies = svcStore.getPaginatedPolicies(filter); - applyAdminAccessFilter(ret); + if(paginatedPolicies != null) { + ret = new RangerPolicyList(); + + ret.setPolicies(paginatedPolicies.getList()); + ret.setPageSize(paginatedPolicies.getPageSize()); + ret.setResultSize(paginatedPolicies.getResultSize()); + ret.setStartIndex(paginatedPolicies.getStartIndex()); + ret.setTotalCount(paginatedPolicies.getTotalCount()); + ret.setSortBy(paginatedPolicies.getSortBy()); + ret.setSortType(paginatedPolicies.getSortType()); + + applyAdminAccessFilter(ret); + } - } catch (Exception excp) { + } catch(WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { LOG.error("getPolicies() failed", excp); - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); + throw restErrorUtil.createRESTException(excp.getMessage()); } if (LOG.isDebugEnabled()) { @@@ -1176,25 -1171,15 +1218,27 @@@ SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); try { - ret = svcStore.getPaginatedServicePolicies(serviceId, filter); + paginatedPolicies = svcStore.getPaginatedServicePolicies(serviceId, filter); - applyAdminAccessFilter(ret); + if(paginatedPolicies != null) { + ret = new RangerPolicyList(); + + ret.setPolicies(paginatedPolicies.getList()); + ret.setPageSize(paginatedPolicies.getPageSize()); + ret.setResultSize(paginatedPolicies.getResultSize()); + ret.setStartIndex(paginatedPolicies.getStartIndex()); + ret.setTotalCount(paginatedPolicies.getTotalCount()); + ret.setSortBy(paginatedPolicies.getSortBy()); + ret.setSortType(paginatedPolicies.getSortType()); + + applyAdminAccessFilter(ret); + } - } catch (Exception excp) { + } catch(WebApplicationException excp) { + throw excp; + } catch (Throwable 
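Review bot: In getPolicies() the paging fields (`setTotalCount`, `setResultSize` and the rest) are copied from the unfiltered `paginatedPolicies` before `applyAdminAccessFilter(ret)` runs. Unless the filter recomputes them (its body is outside this diff), a non-admin caller gets counts that include policies removed from the list. That would disclose how many policies exist beyond the caller's access and make paging inconsistent; the two getServicePolicies() hunks that follow use the same order. Consider filtering first and deriving the counts from the filtered list, or documenting on `applyAdminAccessFilter` that it adjusts them. Separately, the seven-setter copy is repeated across five hunks and would read better as one private helper.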
excp) { LOG.error("getServicePolicies(" + serviceId + ") failed", excp); - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); + throw restErrorUtil.createRESTException(excp.getMessage()); } if (ret == null) { @@@ -1224,25 -1207,15 +1268,27 @@@ SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); try { - ret = svcStore.getPaginatedServicePolicies(serviceName, filter); + paginatedPolicies = svcStore.getPaginatedServicePolicies(serviceName, filter); - applyAdminAccessFilter(ret); + if(paginatedPolicies != null) { + ret = new RangerPolicyList(); + + ret.setPolicies(paginatedPolicies.getList()); + ret.setPageSize(paginatedPolicies.getPageSize()); + ret.setResultSize(paginatedPolicies.getResultSize()); + ret.setStartIndex(paginatedPolicies.getStartIndex()); + ret.setTotalCount(paginatedPolicies.getTotalCount()); + ret.setSortBy(paginatedPolicies.getSortBy()); + ret.setSortType(paginatedPolicies.getSortType()); + + applyAdminAccessFilter(ret); + } - } catch (Exception excp) { + } catch(WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { LOG.error("getServicePolicies(" + serviceName + ") failed", excp); - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); + throw restErrorUtil.createRESTException(excp.getMessage()); } if (ret == null) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ea3bcb38/security-admin/src/main/webapp/scripts/views/service/ServiceForm.js ---------------------------------------------------------------------- diff --cc security-admin/src/main/webapp/scripts/views/service/ServiceForm.js index da1da83,f073036..058a407 --- a/security-admin/src/main/webapp/scripts/views/service/ServiceForm.js +++ b/security-admin/src/main/webapp/scripts/views/service/ServiceForm.js @@@ -149,20 -150,20 +149,22 @@@ define(function(require) var that = this; //Set configs for service var config = {}; + 
if(!_.isEmpty(this.rangerServiceDefModel.get('configs'))){ - _.each(this.rangerServiceDefModel.get('configs'),function(obj){ - if(!_.isNull(obj)){ - if(obj.type == 'bool'){ - config[obj.name] = that.getBooleanForConfig(obj, that.model); - }else{ - config[obj.name] = that.model.get(obj.name).toString(); - } + _.each(this.rangerServiceDefModel.get('configs'),function(obj){ + if(!_.isNull(obj)){ + if(obj.type == 'bool'){ + config[obj.name] = that.getBooleanForConfig(obj, that.model); + }else{ + config[obj.name] = _.isNull(that.model.get(obj.name)) ? "" : that.model.get(obj.name).toString(); + } + if(!_.isNull(obj.name)) { that.model.unset(obj.name); } - }); - this.extraConfigColl.each(function(obj){ config[obj.get('name')] = obj.get('value');}) - this.model.set('configs',config); + } + }); + this.extraConfigColl.each(function(obj){ config[obj.get('name')] = obj.get('value');}) + this.model.set('configs',config); + } //Set service type this.model.set('type',this.rangerServiceDefModel.get('name')) http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ea3bcb38/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java ----------------------------------------------------------------------
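Review bot: The new guard `_.isNull(that.model.get(obj.name)) ? "" : that.model.get(obj.name).toString()` covers only `null`. If `get` returns `undefined` for a config field that was never set (the usual behaviour for a Backbone-style model, which this appears to be), `.toString()` still throws and the service form cannot be saved. A loose null check handles both cases and avoids the double lookup: `var val = that.model.get(obj.name); config[obj.name] = (val == null) ? "" : val.toString();`. The added `if(!_.isNull(obj.name))` comes after `obj.name` has already been used as the key in `config`, so the guard is either unnecessary or should move above the assignment. The enclosing function starts and ends outside this hunk.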
