Repository: incubator-ranger Updated Branches: refs/heads/tag-policy 8c37c47fa -> 6ba371535
RANGER-606: added support for deny policy Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/6ba37153 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/6ba37153 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/6ba37153 Branch: refs/heads/tag-policy Commit: 6ba371535ee99aa236a16d96922652e2fa056422 Parents: 8c37c47 Author: Madhan Neethiraj <[email protected]> Authored: Thu Aug 13 11:43:12 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Aug 13 11:43:12 2015 -0700 ---------------------------------------------------------------------- .../ranger/plugin/model/RangerPolicy.java | 46 ++++---- .../policyengine/RangerPolicyEngineImpl.java | 38 +++---- .../RangerAbstractPolicyItemEvaluator.java | 2 - .../RangerDefaultPolicyEvaluator.java | 107 +++++++++++-------- .../RangerDefaultPolicyItemEvaluator.java | 25 ++--- .../RangerOptimizedPolicyEvaluator.java | 25 +++-- .../policyevaluator/RangerPolicyEvaluator.java | 4 +- .../RangerPolicyItemEvaluator.java | 16 +-- .../test_policyengine_tag_hdfs.json | 2 +- .../test_policyengine_tag_hive.json | 4 +- .../org/apache/ranger/biz/ServiceDBStore.java | 2 +- .../main/webapp/scripts/models/RangerPolicy.js | 7 +- .../scripts/modules/globalize/message/en.js | 4 +- .../src/main/webapp/scripts/utils/XAEnums.js | 13 +-- .../scripts/views/policies/RangerPolicyForm.js | 20 ++-- 15 files changed, 156 insertions(+), 159 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java ---------------------------------------------------------------------- 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java index e9f9ef9..e0aee6b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java @@ -45,14 +45,14 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria // For future use private static final long serialVersionUID = 1L; - public static final int POLICY_TYPE_DEFAULT = 0x0; - public static final int POLICY_TYPE_MASK_FINAL = 0x1 << 0; - public static final int POLICY_TYPE_MASK_DENIER = 0x1 << 1; + public static final int POLICY_TYPE_ALLOW = 0; + public static final int POLICY_TYPE_DENY = 1; + public static final int POLICY_TYPE_EXCLUSIVE_ALLOW = 2; private String service = null; private String name = null; - private Integer policyType = POLICY_TYPE_DEFAULT; + private Integer policyType = POLICY_TYPE_ALLOW; private String description = null; private String resourceSignature = null; private Boolean isAuditEnabled = null; @@ -64,7 +64,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria * @param */ public RangerPolicy() { - this(null, null, POLICY_TYPE_DEFAULT, null, null, null, null); + this(null, null, POLICY_TYPE_ALLOW, null, null, null, null); } /** @@ -217,19 +217,6 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria } } - final public void setPolicyTypeDefault() { - policyType = POLICY_TYPE_DEFAULT; - } - - final public void setPolicyTypeFinal(boolean set) { - - if (set) { - this.policyType |= POLICY_TYPE_MASK_FINAL; - } else { - this.policyType &= (~POLICY_TYPE_MASK_FINAL); - } - } - /** * @return the policyItems */ 
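Review bot: The constant values are persisted, and `POLICY_TYPE_DENY = 1` reuses the bit that `POLICY_TYPE_MASK_FINAL` occupied, so any stored policy written through the removed `setPolicyTypeFinal(true)` reads back as a deny policy after this change; the two test fixtures in this commit were hand-edited from 1 to 2, but nothing here remaps existing rows. A comment on the constants should record that, e.g. `// persisted as an int; 1 previously meant "final" (now POLICY_TYPE_EXCLUSIVE_ALLOW = 2) - stored values need migrating on upgrade`, and a load-time remap or data migration is worth considering. Nothing in the hunk rejects values outside 0..2; `setPolicyType` (outside the hunk) would be the place to validate.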
@@ -258,15 +245,22 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria } } - final public boolean isPolicyTypeFinal() { - boolean isFinalDecidingPolicy = true; + final public boolean isPolicyTypeAllow() { + boolean ret = this.policyType == null || this.policyType == POLICY_TYPE_ALLOW; - if (this.policyType == null) { - isFinalDecidingPolicy = false; - } else if ((this.policyType & POLICY_TYPE_MASK_FINAL) == 0x0) { - isFinalDecidingPolicy = false; - } - return isFinalDecidingPolicy; + return ret; + } + + final public boolean isPolicyTypeDeny() { + boolean ret = this.policyType != null && this.policyType == POLICY_TYPE_DENY; + + return ret; + } + + final public boolean isPolicyTypeExclusiveAllow() { + boolean ret = this.policyType != null && this.policyType == POLICY_TYPE_EXCLUSIVE_ALLOW; + + return ret; } @Override http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index dd8dd7d..cab3ff0 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
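Review bot: The three new predicates are not exhaustive: a `policyType` of 3 or -1 answers false to all of them, and only `isPolicyTypeAllow()` treats `null` as a match, so a caller that branches on "not deny" cannot tell allow from an unsupported value. Each `boolean ret = …; return ret;` pair can be a direct return, e.g. `return this.policyType == null || this.policyType == POLICY_TYPE_ALLOW;`. A Javadoc on `isPolicyTypeAllow` should state that a missing (`null`) type is treated as allow, since that is the behaviour deserialised policies without the field will get.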
@@ -312,46 +312,38 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { RangerAccessResult ret = createAccessResult(request); if (ret != null && request != null) { - if (tagPolicyRepository != null && CollectionUtils.isNotEmpty(tagPolicyRepository.getPolicies())) { - RangerAccessResult tagAccessResult = isAccessAllowedForTagPolicies(request); - if (tagAccessResult.getIsAccessDetermined() && tagAccessResult.getIsAuditedDetermined()) { - - if (LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { + if (tagAccessResult.getIsAccessDetermined() && tagAccessResult.getIsAuditedDetermined()) { LOG.debug("RangerPolicyEngineImpl.isAccessAllowedNoAudit() - access and audit determined by tag policy. No resource policies will be evaluated, request=" + request + ", result=" + tagAccessResult); - - LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + "): " + tagAccessResult); } - - return tagAccessResult; } ret.setAccessResultFrom(tagAccessResult); ret.setAuditResultFrom(tagAccessResult); - } - List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators(); - - if (evaluators != null) { + if (!ret.getIsAccessDetermined() || !ret.getIsAuditedDetermined()) { + List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators(); - boolean foundInCache = policyRepository.setAuditEnabledFromCache(request, ret); + if (CollectionUtils.isNotEmpty(evaluators)) { + boolean foundInCache = policyRepository.setAuditEnabledFromCache(request, ret); - for (RangerPolicyEvaluator evaluator : evaluators) { - evaluator.evaluate(request, ret); + for (RangerPolicyEvaluator evaluator : evaluators) { + evaluator.evaluate(request, ret); - // stop once isAccessDetermined==true && isAuditedDetermined==true - if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) { - break; + // stop once isAccessDetermined==true && isAuditedDetermined==true + if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) { + break; + } } - } - 
if (!foundInCache) { - policyRepository.storeAuditEnabledInCache(request, ret); + if (!foundInCache) { + policyRepository.storeAuditEnabledInCache(request, ret); + } } - } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java index a986ca6..9696e03 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java @@ -32,7 +32,6 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; public abstract class RangerAbstractPolicyItemEvaluator implements RangerPolicyItemEvaluator { final RangerPolicyEngineOptions options; final RangerServiceDef serviceDef; - final RangerPolicy policy; final RangerPolicyItem policyItem; final long policyId; @@ -40,7 +39,6 @@ public abstract class RangerAbstractPolicyItemEvaluator implements RangerPolicyI RangerAbstractPolicyItemEvaluator(RangerServiceDef serviceDef, RangerPolicy policy, RangerPolicyItem policyItem, RangerPolicyEngineOptions options) { this.serviceDef = serviceDef; - this.policy = policy; this.policyItem = policyItem; this.options = options; this.policyId = policy != null && policy.getId() != null ? policy.getId() : -1; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- 
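Review bot: On the new side of the `isAccessAllowedNoAudit` hunk, `tagAccessResult` is read in the debug block and in `ret.setAccessResultFrom(tagAccessResult)`, but its only declaration, `RangerAccessResult tagAccessResult = isAccessAllowedForTagPolicies(request);`, is a removed line; unless it is declared above line 312, outside the hunk, this does not compile. If it is declared there, the removed guard `tagPolicyRepository != null && CollectionUtils.isNotEmpty(tagPolicyRepository.getPolicies())` no longer protects that call, so `isAccessAllowedForTagPolicies` must itself return a result with neither access nor audit determined when no tag policies exist, which deserves a test. The method's opening line is outside the hunk.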
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index c3a3680..57d1be9 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 
@@ -104,29 +104,28 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } if (request != null && result != null) { - boolean isMatchAttempted = false; - boolean matchResult = false; - boolean isHeadMatchAttempted = false; - boolean headMatchResult = false; - final boolean attemptHeadMatch = request.isAccessTypeAny() || request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS; - final boolean isFinalPolicy = isFinal(); + boolean isResourceMatch = false; + boolean isResourceHeadMatch = false; + boolean isResourceMatchAttempted = false; + boolean isResourceHeadMatchAttempted = false; + final boolean attemptResourceHeadMatch = request.isAccessTypeAny() || request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS; if (!result.getIsAuditedDetermined()) { // Need to match request.resource first. If it matches (or head matches), then only more progress can be made - if (!isMatchAttempted) { - matchResult = isMatch(request.getResource()); - isMatchAttempted = true; + if (!isResourceMatchAttempted) { + isResourceMatch = isMatch(request.getResource()); + isResourceMatchAttempted = true; } // Try head match only if match was not found and ANY access was requested - if (!matchResult) { - if (attemptHeadMatch && !isHeadMatchAttempted) { - headMatchResult = matchResourceHead(request.getResource()); - isHeadMatchAttempted = true; + if (!isResourceMatch) { + if (attemptResourceHeadMatch && !isResourceHeadMatchAttempted) { + isResourceHeadMatch = matchResourceHead(request.getResource()); + isResourceHeadMatchAttempted = true; } } - if (matchResult || headMatchResult) { + if (isResourceMatch || isResourceHeadMatch) { // We are done for determining if audit is needed for this policy if (isAuditEnabled()) { result.setIsAudited(true); 
@@ -136,55 +135,74 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if (!result.getIsAccessDetermined()) { // Try Match only if it was not attempted as part of evaluating Audit requirement - if (!isMatchAttempted) { - matchResult = isMatch(request.getResource()); - isMatchAttempted = true; + if (!isResourceMatchAttempted) { + isResourceMatch = isMatch(request.getResource()); + isResourceMatchAttempted = true; } // Try Head Match only if no match was found so far AND a head match was not attempted as part of evaluating // Audit requirement - if (!matchResult) { - if (attemptHeadMatch && !isHeadMatchAttempted) { - headMatchResult = matchResourceHead(request.getResource()); - isHeadMatchAttempted = true; + if (!isResourceMatch) { + if (attemptResourceHeadMatch && !isResourceHeadMatchAttempted) { + isResourceHeadMatch = matchResourceHead(request.getResource()); + isResourceHeadMatchAttempted = true; } } // Go further to evaluate access only if match or head match was found at this point - if (matchResult || headMatchResult) { - evaluatePolicyItemsForAccess(request, result); + if (isResourceMatch || isResourceHeadMatch) { + boolean isPolicyItemsMatch = isPolicyItemsMatch(request); + + RangerPolicy policy = getPolicy(); + + if(isPolicyItemsMatch) { + if(policy.isPolicyTypeDeny()) { + if(isResourceMatch) { + result.setIsAllowed(false); + result.setPolicyId(policy.getId()); + } + } else { + result.setIsAllowed(true); + result.setPolicyId(policy.getId()); + } + } else { + if(policy.isPolicyTypeExclusiveAllow()) { + if(isResourceMatch) { + result.setIsAllowed(false); + result.setPolicyId(policy.getId()); + } + } + } } } - if (isFinalPolicy - && !result.getIsAccessDetermined() - && (matchResult || headMatchResult)) { - result.setIsAllowed(false); - result.setPolicyId(getPolicy().getId()); - } } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")"); - } - } + LOG.debug("<== 
RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")"); + } + } - protected void evaluatePolicyItemsForAccess(RangerAccessRequest request, RangerAccessResult result) { + protected boolean isPolicyItemsMatch(RangerAccessRequest request) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItemsForAccess(" + request + ", " + result + ")"); + LOG.debug("==> RangerDefaultPolicyEvaluator.isPolicyItemsMatch(" + request + ")"); } - if(CollectionUtils.isNotEmpty(policyItemEvaluators) && !result.getIsAccessDetermined()) { - for (RangerPolicyItemEvaluator policyItemEvaluator : policyItemEvaluators) { - policyItemEvaluator.evaluate(request, result); + boolean ret = false; - if(result.getIsAccessDetermined()) { - break; - } - } + if(CollectionUtils.isNotEmpty(policyItemEvaluators)) { + for (RangerPolicyItemEvaluator policyItemEvaluator : policyItemEvaluators) { + ret = policyItemEvaluator.isMatch(request); + + if(ret) { + break; + } + } } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItemsForAccess(" + request + ", " + result + ")"); + LOG.debug("<== RangerDefaultPolicyEvaluator.isPolicyItemsMatch(" + request + "): " + ret); } + + return ret; } @Override @@ -421,9 +439,4 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator return ret; } - - @Override - public boolean isFinal() { - return getPolicy().isPolicyTypeFinal(); - } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java index bf9b243..16335fa 100644 
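Review bot: In the new resource-match block of `evaluate`, the `else` of `if(policy.isPolicyTypeDeny())` grants access for every policy type that is not deny, including an unsupported `policyType` value that answers false to all three `RangerPolicy.isPolicyType*` predicates, so a corrupt or future value fails open; `} else if (policy.isPolicyTypeAllow() || policy.isPolicyTypeExclusiveAllow()) {` keeps unknown types inert. If `result.setIsAllowed(true)` marks access as determined, as the engine loop's break condition suggests, a deny policy only wins when it is evaluated before a matching allow policy; that ordering comes from `RangerOptimizedPolicyEvaluator`'s priority premiums and not, as far as this hunk shows, from `RangerDefaultPolicyEvaluator` itself, so a comment stating that precondition would help. `isPolicyItemsMatch` also needs a Javadoc saying it returns true on the first item whose user/group, access type and conditions match, without regard to policy type. The start of `evaluate` is outside the hunk.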
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java @@ -34,7 +34,6 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; -import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; 
@@ -84,41 +83,41 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv } @Override - public void evaluate(RangerAccessRequest request, RangerAccessResult result) { + public boolean isMatch(RangerAccessRequest request) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyItemEvaluator.evaluate(" + request + ", " + result + ")"); + LOG.debug("==> RangerDefaultPolicyItemEvaluator.isMatch(" + request + ")"); } + boolean ret = false; + if(policyItem != null) { if(matchUserGroup(request.getUser(), request.getUserGroups())) { if (request.isAccessTypeDelegatedAdmin()) { // used only in grant/revoke scenario if (policyItem.getDelegateAdmin()) { - result.setIsAllowed(true); - result.setPolicyId(policyId); + ret = true; } } else if (CollectionUtils.isNotEmpty(policyItem.getAccesses())) { - boolean accessAllowed = false; + boolean isAccessTypeMatched = false; if (request.isAccessTypeAny()) { for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) { if (access.getIsAllowed()) { - accessAllowed = true; + isAccessTypeMatched = true; break; } } } else { for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) { if (access.getIsAllowed() && StringUtils.equalsIgnoreCase(access.getType(), request.getAccessType())) { - accessAllowed = true; + isAccessTypeMatched = true; break; } } } - if(accessAllowed) { + if(isAccessTypeMatched) { if(matchCustomConditions(request)) { - result.setIsAllowed(true); - result.setPolicyId(policyId); + ret = true; } } } 
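Review bot: `isMatch` is now the shared predicate for allow, deny and exclusive-allow policies, but the hunk still keys on `access.getIsAllowed()` and the local was only renamed to `isAccessTypeMatched`, so a reader of a deny policy will wonder why an "allowed" flag selects the accesses to deny. A comment above the access loops would settle it: `// isAllowed marks the access types this item covers; whether a match grants or denies is decided by the policy type in RangerDefaultPolicyEvaluator`. `matchCustomConditions(request)` is consulted only on the access-type path and not on the delegated-admin path; that is unchanged here but worth confirming now that a match can deny. The method's closing lines are in the next hunk.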
@@ -126,8 +125,10 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyItemEvaluator.evaluate(" + request + ", " + result + ")"); + LOG.debug("<== RangerDefaultPolicyItemEvaluator.isMatch(" + request + "): " + ret); } + + return ret; } @Override http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java index 8e726f4..f660ae6 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java @@ -26,7 +26,6 @@ import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; -import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; 
@@ -54,7 +53,8 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator private static final int RANGER_POLICY_EVAL_IS_RECURSIVE_PREMIUM = 25; private static final int RANGER_POLICY_EVAL_PUBLIC_GROUP_ACCESS_PREMIUM = 25; private static final int RANGER_POLICY_EVAL_ALL_ACCESS_TYPES_PREMIUM = 25; - private static final int RANGER_POLICY_EVAL_FINAL_POLICY_PREMIUM = 400; + private static final int RANGER_POLICY_EVAL_EXCLUSIVE_ALLOW_POLICY_PREMIUM = 400; + private static final int RANGER_POLICY_EVAL_DENY_POLICY_PREMIUM = 600; private static final int RANGER_POLICY_EVAL_RESERVED_SLOTS_NUMBER = 10000; private static final int RANGER_POLICY_EVAL_RESERVED_SLOTS_PER_LEVEL_NUMBER = 1000; @@ -198,8 +198,10 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator priorityLevel -= Math.round(((float)RANGER_POLICY_EVAL_ALL_ACCESS_TYPES_PREMIUM * accessPerms.size()) / serviceDef.getAccessTypes().size()); - if (policy.isPolicyTypeFinal()) { - priorityLevel -= RANGER_POLICY_EVAL_FINAL_POLICY_PREMIUM; + if (policy.isPolicyTypeDeny()) { + priorityLevel -= RANGER_POLICY_EVAL_DENY_POLICY_PREMIUM; + } else if (policy.isPolicyTypeExclusiveAllow()) { + priorityLevel -= RANGER_POLICY_EVAL_EXCLUSIVE_ALLOW_POLICY_PREMIUM; } if(LOG.isDebugEnabled()) { 
@@ -237,25 +239,30 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator } @Override - protected void evaluatePolicyItemsForAccess(RangerAccessRequest request, RangerAccessResult result) { + protected boolean isPolicyItemsMatch(RangerAccessRequest request) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerOptimizedPolicyEvaluator.evaluatePolicyItemsForAccess()"); + LOG.debug("==> RangerOptimizedPolicyEvaluator.isPolicyItemsMatch()"); } + boolean ret = false; + if (hasPublicGroup || users.contains(request.getUser()) || CollectionUtils.containsAny(groups, request.getUserGroups())) { // No need to reject based on users and groups if (request.isAccessTypeAny() || (request.isAccessTypeDelegatedAdmin() && delegateAdmin) || hasAllPerms || accessPerms.contains(request.getAccessType())) { // No need to reject based on aggregated access permissions - super.evaluatePolicyItemsForAccess(request, result); + ret = super.isPolicyItemsMatch(request); } } + if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerOptimizedPolicyEvaluator.evaluatePolicyItemsForAccess()"); + LOG.debug("<== RangerOptimizedPolicyEvaluator.isPolicyItemsMatch(): " + ret); } + return ret; } - private boolean checkIfHasAllPerms() { + + private boolean checkIfHasAllPerms() { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerOptimizedPolicyEvaluator.checkIfHasAllPerms()"); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java index 57b9723..624ff1c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 
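Review bot: The short-circuit in the new `isPolicyItemsMatch` override decides with `accessPerms.contains(request.getAccessType())` while the parent it now delegates to compares with `StringUtils.equalsIgnoreCase`; if `accessPerms` is not case-normalised where it is built (outside the hunk), a request whose access type differs only in case skips the item match here but would have matched in `RangerDefaultPolicyEvaluator`, and for a deny policy that skip means the request is not denied. A comment pinning the invariant, `// accessPerms must be case-normalised to match the equalsIgnoreCase comparison in RangerDefaultPolicyItemEvaluator`, or a case-insensitive lookup would close that gap. The blank line added before `checkIfHasAllPerms` is fine.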
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java @@ -57,6 +57,4 @@ public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator> boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType); boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType); - - boolean isFinal(); - } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java index 9bbe4e3..96312fe 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java 
@@ -22,30 +22,16 @@ import java.util.List; import java.util.Set; import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator; -import org.apache.ranger.plugin.model.RangerPolicy; -import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; -import org.apache.ranger.plugin.policyengine.RangerAccessResult; public interface RangerPolicyItemEvaluator { void init(); - /* - RangerServiceDef getServiceDef(); - - RangerPolicy getPolicy(); - - RangerPolicyItem getPolicyItem(); - - long getPolicyId(); - */ - List<RangerConditionEvaluator> getConditionEvaluators(); - void evaluate(RangerAccessRequest request, RangerAccessResult result); + boolean isMatch(RangerAccessRequest request); boolean matchUserGroup(String user, Set<String> userGroups); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json index f228449..9e59cb0 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 
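Review bot: `isMatch` replaces `evaluate` on a public interface without Javadoc, and since the grant/deny decision now lives in the policy evaluator rather than the item, the contract needs stating: returns true when the request's user or groups, the requested access type (or delegated-admin flag) and the item's custom conditions all match, and says nothing about whether access is granted. A three-line Javadoc with that sentence plus `@param request` and `@return` would do. Dropping the commented-out getters is fine.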
@@ -120,7 +120,7 @@ ] }, "tagPolicies":[ - {"id":101,"name":"test_policy","isEnabled":true,"isAuditEnabled":true,"policyType":1, + {"id":101,"name":"test_policy","isEnabled":true,"isAuditEnabled":true,"policyType":2, "resources":{"tag":{"values":["PII"],"isRecursive":false}}, "policyItems":[ {"accesses":[{"type":"hdfs:read", "isAllowed":true}, {"type":"hive:grant", "isAllowed":true}, {"type":"delete", "isAllowed":true}, {"type":":write", "isAllowed":true}],"users":["user1"],"groups":["finance"],"delegateAdmin":false, http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json index e6e137d..2b4b056 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 
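Review bot: Both fixture hunks (this file and test_policyengine_tag_hive.json) only remap the former final policies from `"policyType":1` to `2`, so the new deny semantics, a `"policyType":1` policy denying on a resource match and not denying on a head-only match, have no coverage in this commit. One tag policy with `"policyType":1` and a request expected to be denied would pin the branch `RangerDefaultPolicyEvaluator.evaluate` now implements. Keeping `-FINAL` in the names of policies that are now exclusive-allow is also mildly misleading.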
@@ -163,13 +163,13 @@ {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive"],"groups":[],"delegateAdmin":false} ] }, - {"id":3,"name":"PII_TAG_POLICY-FINAL","isEnabled":true,"isAuditEnabled":true,"policyType":1, + {"id":3,"name":"PII_TAG_POLICY-FINAL","isEnabled":true,"isAuditEnabled":true,"policyType":2, "resources":{"tag":{"values":["PII-FINAL"],"isRecursive":false}}, "policyItems":[ {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive"],"groups":[],"delegateAdmin":false} ] }, - {"id":4,"name":"RESTRICTED_TAG_POLICY_FINAL","isEnabled":true,"isAuditEnabled":true,"policyType":1, + {"id":4,"name":"RESTRICTED_TAG_POLICY_FINAL","isEnabled":true,"isAuditEnabled":true,"policyType":2, "resources":{"tag":{"values":["RESTRICTED-FINAL"],"isRecursive":false}}, "policyItems":[ { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index cdde7e8..7278fe9 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
@@ -1837,7 +1837,7 @@ public class ServiceDBStore extends AbstractServiceStore { policy.setService(createdService.getName()); policy.setDescription("Default Policy for TAG: " + tagName + " for TAG Service: " + createdService.getName()); policy.setIsAuditEnabled(true); - policy.setPolicyTypeFinal(true); + policy.setPolicyType(RangerPolicy.POLICY_TYPE_EXCLUSIVE_ALLOW); Map<String, RangerPolicyResource> resourceMap = new HashMap<>(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/security-admin/src/main/webapp/scripts/models/RangerPolicy.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/models/RangerPolicy.js b/security-admin/src/main/webapp/scripts/models/RangerPolicy.js index feacfec..3546549 100644 --- a/security-admin/src/main/webapp/scripts/models/RangerPolicy.js +++ b/security-admin/src/main/webapp/scripts/models/RangerPolicy.js @@ -81,8 +81,11 @@ define(function(require){ switchOn : true }, policyType : { - type : 'Checkbox', - title : localization.tt("lbl.isFinalPolicy"), + type : 'Radio', + options : function(callback, editor){ + var nvPairs = XAUtils.enumToSelectPairs(XAEnums.PolicyType); + callback(nvPairs); + } }, }); }, http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js index c8d187e..a5474c9 100644 --- a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js +++ b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js 
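Review bot: The new `options` callback in RangerPolicy.js references `XAUtils.enumToSelectPairs` and `XAEnums.PolicyType`, but the module's `require` lines are outside the hunk, so confirm both are imported under those names (the form view in this commit uses `XAUtil`, singular, for its utility module). The `editor` parameter of the callback is unused and can go: `options : function(callback){ callback(XAUtils.enumToSelectPairs(XAEnums.PolicyType)); }`.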
@@ -228,7 +228,9 @@ define(function(require) { editService : 'Edit Service', serviceDetails : 'Service Details', serviceName : 'Service Name', - isFinalPolicy : 'Is Final Policy', + PolicyType_ALLOW : 'Allow', + PolicyType_DENY : 'Deny', + PolicyType_EXCLUSIVE_ALLOW : 'Exclusive Allow', componentPermissions : 'Component Permissions' }, btn : { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/security-admin/src/main/webapp/scripts/utils/XAEnums.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/utils/XAEnums.js b/security-admin/src/main/webapp/scripts/utils/XAEnums.js index f94e200..183d201 100644 --- a/security-admin/src/main/webapp/scripts/utils/XAEnums.js +++ b/security-admin/src/main/webapp/scripts/utils/XAEnums.js @@ -100,6 +100,12 @@ define(function(require) { STATUS_DELETED:{value:2, label:'Deleted', rbkey:'xa.enum.ActiveStatus.STATUS_DELETED', tt: 'lbl.ActiveStatus_STATUS_DELETED'} }); + XAEnums.PolicyType = mergeParams(XAEnums.PolicyType, { + POLICY_TYPE_ALLOW:{value:0, label:'Allow', rbkey:'xa.enum.PolicyType.POLICY_TYPE_ALLOW', tt: 'lbl.PolicyType_ALLOW'}, + POLICY_TYPE_DENY:{value:1, label:'Deny', rbkey:'xa.enum.PolicyType.POLICY_TYPE_DENY', tt: 'lbl.PolicyType_DENY'}, + POLICY_TYPE_EXCLUSIVE_ALLOW:{value:2, label:'Exclusive Allow', rbkey:'xa.enum.PolicyType.POLICY_TYPE_EXCLUSIVE_ALLOW', tt: 'lbl.PolicyType_EXCLUSIVE_ALLOW'} + }); + XAEnums.AssetType = mergeParams(XAEnums.AssetType, { ASSET_UNKNOWN:{value:0, label:'Unknown', rbkey:'xa.enum.AssetType.ASSET_UNKNOWN', tt: 'lbl.AssetType_ASSET_UNKNOWN'}, ASSET_HDFS:{value:1, label:'HDFS', rbkey:'xa.enum.AssetType.ASSET_HDFS', tt: 'lbl.AssetType_ASSET_HDFS'}, 
@@ -243,11 +249,6 @@ define(function(require) { PWD_RESET_DISABLED:{value:3, label:'Disabled', rbkey:'xa.enum.PasswordResetStatus.PWD_RESET_DISABLED', tt: 'lbl.PasswordResetStatus_PWD_RESET_DISABLED'} }); - XAEnums.PolicyType = mergeParams(XAEnums.PolicyType, { - POLICY_INCLUSION:{value:0, label:'Inclusion', rbkey:'xa.enum.PolicyType.POLICY_INCLUSION', tt: 'lbl.PolicyType_POLICY_INCLUSION'}, - POLICY_EXCLUSION:{value:1, label:'Exclusion', rbkey:'xa.enum.PolicyType.POLICY_EXCLUSION', tt: 'lbl.PolicyType_POLICY_EXCLUSION'} - }); - XAEnums.PriorityType = mergeParams(XAEnums.PriorityType, { PRIORITY_NORMAL:{value:0, label:'Normal', rbkey:'xa.enum.PriorityType.PRIORITY_NORMAL', tt: 'lbl.PriorityType_PRIORITY_NORMAL'}, PRIORITY_LOW:{value:1, label:'Low', rbkey:'xa.enum.PriorityType.PRIORITY_LOW', tt: 'lbl.PriorityType_PRIORITY_LOW'}, @@ -366,4 +367,4 @@ define(function(require) { }); return XAEnums; -}); \ No newline at end of file +}); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6ba37153/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js index 0f36791..b0c910f 100644 --- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js +++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 
@@ -76,18 +76,21 @@ define(function(require){ this.on('isEnabled:change', function(form, fieldEditor){ this.evIsEnabledChange(form, fieldEditor); }); + this.on('policyType:change', function(form, fieldEditor){ + this.evPolicyTypeChange(form, fieldEditor); + }); this.on('policyForm:parentChildHideShow',this.renderParentChildHideShow); }, /** fields for the form */ - fields: ['name', 'description', 'isEnabled', 'isAuditEnabled'], + fields: ['name', 'policyType', 'description', 'isEnabled', 'isAuditEnabled'], schema :function(){ return this.getSchema(); }, getSchema : function(){ var attrs = {}; - var basicSchema = ['name','isEnabled'] + var basicSchema = ['name','isEnabled','policyType'] var schemaNames = this.getPolicyBaseFieldNames(); var formDataType = new BackboneFormDataType(); @@ -123,6 +126,9 @@ define(function(require){ evIsEnabledChange : function(form, fieldEditor){ XAUtil.checkDirtyFieldForToggle(fieldEditor.$el); }, + evPolicyTypeChange : function(form, fieldEditor){ + XAUtil.checkDirtyFieldForToggle(fieldEditor.$el); + }, setupForm : function() { if(!this.model.isNew()){ this.selectedResourceTypes = {}; @@ -144,6 +150,7 @@ define(function(require){ var that = this; this.fields.isAuditEnabled.editor.setValue(this.model.get('isAuditEnabled')); this.fields.isEnabled.editor.setValue(this.model.get('isEnabled')); + this.fields.policyType.editor.setValue(this.model.get('policyType')); }, /** all custom field rendering */ @@ -261,11 +268,6 @@ define(function(require){ _.each(this.model.attributes.resources,function(obj,key){ this.model.unset(key, obj.values.toString()) },this)*/ - - if(!_.isUndefined(this.model.get('policyType'))){ - this.model.set('policyType',this.model.get('policyType') ? 1 : 0) - } - }, setPermissionsToColl : function(list, policyItemList) { list.each(function(m){ 
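Review bot: `policyType` is added to `basicSchema` and `fields` unconditionally, and the last hunk of this file drops the `SERVICE_TAG` check from `getPolicyBaseFieldNames`, so the Allow/Deny/Exclusive Allow radio now appears for every service definition rather than only tag services; if that is intended it should be said in the commit message, otherwise the check belongs in `getSchema`. The normalisation removed in `@@ -261,11` (`this.model.get('policyType') ? 1 : 0`) was the only place that coerced the field to a number, and a Radio editor commonly yields its value as a string, so verify the value reaching the server is the integer `RangerPolicy.policyType` expects. `evPolicyTypeChange` reuses `checkDirtyFieldForToggle` for a radio group; confirm that helper handles a non-toggle editor.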
@@ -560,8 +562,8 @@ define(function(require){ return obj; }, getPolicyBaseFieldNames : function(){ - var fields = ['description', 'isAuditEnabled','policyType']; - return this.rangerServiceDefModel.get('name') == XAEnums.ServiceType.SERVICE_TAG.label ? fields : fields.slice(0,fields.indexOf("policyType")); + var fields = ['description', 'isAuditEnabled']; + return fields; } });
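Review bot: `getPolicyBaseFieldNames` now builds a one-use local only to return it; `return ['description', 'isAuditEnabled'];` says the same in one line. With the service-type branch gone the method no longer depends on `this.rangerServiceDefModel`, which is fine, but a one-line comment that `policyType` is now supplied through `basicSchema` in `getSchema` would stop the next reader from re-adding it here.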
