Merge branch 'master' into tag-policy

Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/c8ab096c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/c8ab096c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/c8ab096c

Branch: refs/heads/tag-policy
Commit: c8ab096cf8f28b78b41e1de6574ab0f0ccf58c2b
Parents: 858156e e73fe78
Author: Madhan Neethiraj <[email protected]>
Authored: Wed Jun 17 19:30:50 2015 -0700
Committer: Madhan Neethiraj <[email protected]>
Committed: Wed Jun 17 19:30:50 2015 -0700

----------------------------------------------------------------------
 .../model/validation/RangerPolicyValidator.java | 38 ++++++------
 .../policyengine/RangerAccessRequest.java       |  4 ++
 .../policyengine/RangerAccessRequestImpl.java   | 10 +++-
 .../RangerAccessRequestReadOnly.java            |  2 +
 .../RangerDefaultPolicyEvaluator.java           |  5 +-
 .../hbase/AuthorizationSession.java             | 10 +++-
 .../hbase/RangerAuthorizationCoprocessor.java   | 13 ++--
 .../RangerAuthorizationCoprocessorBase.java     | 13 ++++
 .../java/org/apache/ranger/biz/KmsKeyMgr.java   | 52 ++++++++++++----
 .../org/apache/ranger/db/XXDataHistDao.java     | 20 ++++++-
 .../java/org/apache/ranger/rest/XKeyREST.java   |  3 +-
 .../storm/authorizer/RangerStormAuthorizer.java | 62 +++++++++++---------
 12 files changed, 161 insertions(+), 71 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c8ab096c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
----------------------------------------------------------------------
diff --cc 
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
index 4308086,63a7f5a..4a2aef8
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
@@@ -50,5 -50,7 +50,9 @@@ public interface RangerAccessRequest 
        
        Map<String, Object> getContext();
  
 +      RangerAccessRequest getReadOnlyCopy();
++
+       ResourceMatchingScope getResourceMatchingScope();
+ 
+       enum ResourceMatchingScope {SELF, SELF_OR_DESCENDANTS}
  }
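Review bot: `getResourceMatchingScope()` and the `ResourceMatchingScope` constants are added without Javadoc, although, judging by the constant names, the scope decides whether a request is matched against the resource alone or also against its descendants. A short Javadoc on the method should state which value implementations return by default and whether null is allowed, for example `/** Scope used when matching policies against the resource; never null, SELF unless descendants must be included. */`, if that is the intended contract. A one-line comment per constant would help as well. The interface body starts outside this hunk.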

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c8ab096c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c8ab096c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
----------------------------------------------------------------------
diff --cc 
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
index 3ca72f2,0000000..796a9df
mode 100644,000000..100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
@@@ -1,86 -1,0 +1,88 @@@
 +/*
 + * Licensed to the Apache Software Foundation (ASF) under one
 + * or more contributor license agreements.  See the NOTICE file
 + * distributed with this work for additional information
 + * regarding copyright ownership.  The ASF licenses this file
 + * to you under the Apache License, Version 2.0 (the
 + * "License"); you may not use this file except in compliance
 + * with the License.  You may obtain a copy of the License at
 + *
 + * http://www.apache.org/licenses/LICENSE-2.0
 + *
 + * Unless required by applicable law or agreed to in writing,
 + * software distributed under the License is distributed on an
 + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 + * KIND, either express or implied.  See the License for the
 + * specific language governing permissions and limitations
 + * under the License.
 + */
 +
 +package org.apache.ranger.plugin.policyengine;
 +
 +import org.apache.commons.lang.StringUtils;
 +
 +import java.util.Collections;
 +import java.util.Date;
 +import java.util.Map;
 +import java.util.Set;
 +
 +public class RangerAccessRequestReadOnly implements RangerAccessRequest {
 +      private final RangerAccessRequest source;
 +
 +      // Cached here for reducing access overhead
 +      private final RangerAccessResource resource;
 +      private final Set<String> userGroups;
 +      private final Map<String, Object> context;
 +
 +      RangerAccessRequestReadOnly(final RangerAccessRequest source) {
 +              this.source = source;
 +              this.resource = source.getResource().getReadOnlyCopy();
 +              this.userGroups = 
Collections.unmodifiableSet(source.getUserGroups());
 +              this.context = Collections.unmodifiableMap(source.getContext());
 +      }
 +
 +      @Override
 +      public RangerAccessResource getResource() { return resource; }
 +
 +      @Override
 +      public String getAccessType() { return source.getAccessType(); }
 +
 +      @Override
 +      public boolean isAccessTypeAny() { return source.isAccessTypeAny(); }
 +
 +      @Override
 +      public boolean isAccessTypeDelegatedAdmin() { return 
source.isAccessTypeDelegatedAdmin(); }
 +
 +      @Override
 +      public String getUser() { return source.getUser(); }
 +
 +      @Override
 +      public Set<String> getUserGroups() { return userGroups; }
 +
 +      @Override
 +      public Date getAccessTime() { return source.getAccessTime(); }
 +
 +      @Override
 +      public String getClientIPAddress() { return 
source.getClientIPAddress(); }
 +
 +      @Override
 +      public String getClientType() { return source.getClientType(); }
 +
 +      @Override
 +      public String getAction() { return source.getAction(); }
 +
 +      @Override
 +      public String getRequestData() { return source.getRequestData(); }
 +
 +      @Override
 +      public String getSessionId() { return source.getSessionId(); }
 +
 +      @Override
 +      public Map<String, Object> getContext() { return context; }
 +
 +      @Override
 +      public RangerAccessRequest getReadOnlyCopy() { return this; }
 +
++      @Override
++      public ResourceMatchingScope getResourceMatchingScope() { return 
source.getResourceMatchingScope(); }
 +}
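Review bot: The constructor wraps `source.getUserGroups()` and `source.getContext()` in unmodifiable views rather than copies, and most getters delegate to the live `source`, so this object blocks writes through itself but is not a snapshot: any later change to the source request or its collections shows through. If a read-only copy is handed to audit or condition code on the assumption that it reflects the request as it was authorized, that only holds while the source is never mutated afterwards, which is not visible here. Copying first, e.g. `this.userGroups = Collections.unmodifiableSet(new HashSet<String>(source.getUserGroups()));` (with `java.util.HashSet` imported) and the same for the context map, would make it a snapshot, though the map copy stays shallow because its values are `Object`. Both `Collections.unmodifiableSet` and `Collections.unmodifiableMap` throw NullPointerException on a null argument, so a source whose groups or context are null fails in the constructor unless that is ruled out elsewhere.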

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c8ab096c/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --cc 
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index dec8a37,9f60b7b..c3a3680
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@@ -108,7 -108,7 +108,8 @@@ public class RangerDefaultPolicyEvaluat
              boolean matchResult          = false;
              boolean isHeadMatchAttempted = false;
              boolean headMatchResult      = false;
+                       final boolean attemptHeadMatch = 
request.isAccessTypeAny() || request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS;
 +                      final boolean isFinalPolicy  = isFinal();
  
              if (!result.getIsAuditedDetermined()) {
                  // Need to match request.resource first. If it matches (or 
head matches), then only more progress can be made
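Review bot: `attemptHeadMatch` is introduced without a comment, and it combines two unrelated triggers, `isAccessTypeAny()` and a `SELF_OR_DESCENDANTS` scope, which appear to widen resource matching from an exact match to a head match. In a policy evaluator that condition should be spelled out for the next reader; a why-comment such as `// head match only for ANY-access requests or when the caller asked for descendants; all other requests must match the resource itself` would do, if that is the intent. Because the comparison uses `==`, a request whose `getResourceMatchingScope()` returns null takes the narrower path, which is worth stating too. The flag is used outside this hunk, so the above is inferred from its name and the context comment.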
