RANGER-274: Updates to tag model and tag REST APIs Signed-off-by: Madhan Neethiraj <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/83cb21e0 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/83cb21e0 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/83cb21e0 Branch: refs/heads/tag-policy Commit: 83cb21e0b26d10e2f61f1219431f352227c8c437 Parents: cc2b96e Author: Abhay Kulkarni <[email protected]> Authored: Tue Aug 18 17:18:04 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Wed Aug 26 17:35:34 2015 -0700 ---------------------------------------------------------------------- .../ranger/admin/client/RangerAdminClient.java | 13 +- .../admin/client/RangerAdminRESTClient.java | 111 +--- .../plugin/audit/RangerDefaultAuditHandler.java | 17 +- .../RangerScriptExecutionContext.java | 31 +- .../RangerAdminTagRetriever.java | 36 +- .../RangerFileBasedTagProvider.java | 110 ---- .../RangerServiceResourceMatcher.java | 42 ++ .../RangerTagFileStoreRetriever.java | 20 +- .../contextenricher/RangerTagProvider.java | 77 ++- .../contextenricher/RangerTagReceiver.java | 4 +- .../RangerTaggedResourceMatcher.java | 38 -- .../ranger/plugin/model/RangerService.java | 41 +- .../plugin/model/RangerServiceResource.java | 117 ++++ .../apache/ranger/plugin/model/RangerTag.java | 106 +++ .../plugin/model/RangerTagResourceMap.java | 82 +++ .../plugin/model/RangerTaggedResource.java | 207 ------ .../plugin/model/RangerTaggedResourceKey.java | 81 --- .../policyengine/RangerPolicyEngineImpl.java | 14 +- .../plugin/store/AbstractServiceStore.java | 7 +- .../ranger/plugin/store/AbstractTagStore.java | 328 +++++++++- .../store/RangerServiceResourceSignature.java | 102 +++ .../ranger/plugin/store/TagPredicateUtil.java | 305 ++++++++- .../apache/ranger/plugin/store/TagStore.java | 60 +- .../ranger/plugin/store/TagValidator.java | 260 ++++++++ .../ranger/plugin/store/file/TagFileStore.java | 433 +++++++------ 
.../ranger/plugin/util/RangerRESTUtils.java | 16 +- .../apache/ranger/plugin/util/SearchFilter.java | 16 +- .../apache/ranger/plugin/util/ServiceTags.java | 146 +++++ .../ranger/plugin/util/TagServiceResources.java | 93 --- .../plugin/policyengine/TestPolicyEngine.java | 30 +- .../ranger/plugin/store/TestTagStore.java | 283 ++++++-- .../service-defs/test-hive-servicedef.json | 226 +++++++ .../test_policyengine_tag_hdfs.json | 2 +- .../test_policyengine_tag_hive.json | 2 +- .../hive/authorizer/RangerHiveAuditHandler.java | 12 +- .../client/RangerAdminJersey2RESTClient.java | 23 +- .../java/org/apache/ranger/biz/TagDBStore.java | 609 +++++++++-------- .../java/org/apache/ranger/entity/XXTag.java | 36 ++ .../java/org/apache/ranger/rest/TagREST.java | 645 +++++++++++++------ .../apache/ranger/rest/TagRESTConstants.java | 36 +- .../ranger/service/RangerTagDefService.java | 2 +- .../apache/ranger/service/RangerTagService.java | 35 + .../ranger/service/RangerTagServiceBase.java | 100 +++ .../service/RangerTaggedResourceService.java | 10 +- .../RangerTaggedResourceServiceBase.java | 86 +-- .../conf.dist/security-applicationContext.xml | 8 +- 46 files changed, 3389 insertions(+), 1669 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java index d1c7135..c083a98 100644 --- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java +++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java 
@@ -20,11 +20,9 @@ package org.apache.ranger.admin.client; -import org.apache.ranger.plugin.model.RangerTaggedResource; -import org.apache.ranger.plugin.model.RangerTaggedResourceKey; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.ServicePolicies; -import org.apache.ranger.plugin.util.TagServiceResources; +import org.apache.ranger.plugin.util.ServiceTags; import java.util.List; @@ -38,15 +36,8 @@ public interface RangerAdminClient { void revokeAccess(GrantRevokeRequest request) throws Exception; - TagServiceResources getTaggedResources(Long lastTimestamp) throws Exception; + ServiceTags getServiceTagsIfUpdated(long lastKnownVersion) throws Exception; List<String> getTagNames(String tagNamePattern) throws Exception; - List<RangerTaggedResource> setTagsForResources(List<RangerTaggedResourceKey> keys, List<RangerTaggedResource.RangerResourceTag> tags) throws Exception; - - RangerTaggedResource setTagsForResource(RangerTaggedResourceKey key, List<RangerTaggedResource.RangerResourceTag> tags) throws Exception; - - RangerTaggedResource updateTagsForResource(RangerTaggedResourceKey key, List<RangerTaggedResource.RangerResourceTag> tagsToAdd, - List<RangerTaggedResource.RangerResourceTag> tagsToDelete) throws Exception; - } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java index 8a3f9ba..3f0c5dd 100644 --- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java +++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java 
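Review bot: `ServiceTags getServiceTagsIfUpdated(long lastKnownVersion) throws Exception;` in the second hunk (`@@ -38,15 +36,8 @@`) is added without any statement of what it returns when the server has nothing newer than `lastKnownVersion`. Callers need to know whether that case yields `null`, an object with an unchanged version, or an exception, because the retrievers in this commit dereference the result straight away. I would add a Javadoc on the method along the lines of `@return the tags for this service, or null when the server's tag version is not newer than lastKnownVersion`, adjusted to whatever the REST endpoint actually does. It should also state that `-1` is the value to pass for a first download, since both retrievers initialise their field to `-1L`.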
@@ -31,8 +31,7 @@ import org.apache.hadoop.security.AccessControlException; import org.apache.ranger.admin.client.datatype.RESTResponse; import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; -import org.apache.ranger.plugin.model.RangerTaggedResource; -import org.apache.ranger.plugin.model.RangerTaggedResourceKey; +import org.apache.ranger.plugin.model.RangerTag; import org.apache.ranger.plugin.util.*; import java.lang.reflect.ParameterizedType; 
@@ -198,30 +197,32 @@ public class RangerAdminRESTClient implements RangerAdminClient { } @Override - public TagServiceResources getTaggedResources(Long lastTimestamp) throws Exception { + public ServiceTags getServiceTagsIfUpdated(long lastKnownVersion) throws Exception { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.getTaggedResources(" + lastTimestamp + "): "); + LOG.debug("==> RangerAdminRESTClient.getServiceTagsIfUpdated(" + lastKnownVersion + "): "); } - TagServiceResources ret; + ServiceTags ret; + + WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED) + .queryParam(RangerRESTUtils.SERVICE_NAME_PARAM, serviceName) + .queryParam(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM, Long.toString(lastKnownVersion)) + .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId); - WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_GET_UPDATED_TAGGED_RESOURCES) - .queryParam(RangerRESTUtils.TAG_SERVICE_NAME_PARAM, serviceName) - .queryParam(RangerRESTUtils.TAG_TIMESTAMP_PARAM, Long.toString(lastTimestamp.longValue())); ClientResponse response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class); if(response != null && response.getStatus() == 200) { - ret = response.getEntity(TagServiceResources.class); + ret = response.getEntity(ServiceTags.class); } else { RESTResponse resp = RESTResponse.fromClientResponse(response); LOG.error("Error getting taggedResources. request=" + webResource.toString() + ", response=" + resp.toString() + ", serviceName=" + serviceName - + ", " + "lastTimestamp=" + lastTimestamp); + + ", " + "lastKnownVersion=" + lastKnownVersion); throw new Exception(resp.getMessage()); } if(LOG.isDebugEnabled()) { - LOG.debug("<==> RangerAdminRESTClient.getTaggedResources(" + lastTimestamp + "): "); + LOG.debug("<==> RangerAdminRESTClient.getTaggedResources(" + lastKnownVersion + "): "); } return ret; 
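Review bot: The exit trace and the error message in getServiceTagsIfUpdated() still carry the old method name, `"<==> RangerAdminRESTClient.getTaggedResources("` and `"Error getting taggedResources. request="`, so entry and exit lines no longer pair up when a tag download is traced in the plugin log. I would change them to `"<== RangerAdminRESTClient.getServiceTagsIfUpdated("` and `"Error getting service tags. request="`. Separately, every status other than 200 is logged at error level and rethrown as a bare `Exception`; if the endpoint can answer "not modified" for an unchanged version (not visible in this hunk), that case should return `null` quietly rather than be reported as a failure on every poll. The method's closing brace lies outside the hunk.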
@@ -237,8 +238,8 @@ public class RangerAdminRESTClient implements RangerAdminClient { String emptyString = ""; WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES) - .queryParam(RangerRESTUtils.TAG_SERVICE_NAME_PARAM, serviceName) - .queryParam(RangerRESTUtils.TAG_PATTERN_PARAM, tagNamePattern); + .queryParam(RangerRESTUtils.SERVICE_NAME_PARAM, serviceName) + .queryParam(RangerRESTUtils.PATTERN_PARAM, tagNamePattern); ClientResponse response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class); 
@@ -259,88 +260,4 @@ public class RangerAdminRESTClient implements RangerAdminClient { return ret; } - @Override - public List<RangerTaggedResource> setTagsForResources(List<RangerTaggedResourceKey> keys, List<RangerTaggedResource.RangerResourceTag> tags) throws Exception { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.setTagsForResources()"); - } - - List<RangerTaggedResource> ret = null; - - WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_SET_TAGGED_RESOURCES); - webResource.entity(keys).entity(tags); - - ClientResponse response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).put(ClientResponse.class); - - if(response != null && response.getStatus() == 200) { - ret = response.getEntity(getGenericType(new RangerTaggedResource())); - } else { - RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("Error setting taggedResources. request=" + webResource.toString() - + ", response=" + resp.toString() + ", key=" + keys + ", tags=" + tags); - throw new Exception(resp.getMessage()); - } - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerAdminRESTClient.setTagsForResources()"); - } - - return ret; - } - - @Override - public RangerTaggedResource setTagsForResource(RangerTaggedResourceKey key, List<RangerTaggedResource.RangerResourceTag> tags) throws Exception { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.setTagsForResource()"); - } - - RangerTaggedResource ret = null; - - WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_SET_TAGGED_RESOURCE); - webResource.entity(key).entity(tags); - - ClientResponse response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).put(ClientResponse.class); - - if(response != null && response.getStatus() == 200) { - ret = response.getEntity(RangerTaggedResource.class); - } else { - RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("Error setting taggedResource. 
request=" + webResource.toString() - + ", response=" + resp.toString() + ", key=" + key + ", tags=" + tags); - throw new Exception(resp.getMessage()); - } - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerAdminRESTClient.setTagsForResource()"); - } - - return ret; - } - - @Override - public RangerTaggedResource updateTagsForResource(RangerTaggedResourceKey key, List<RangerTaggedResource.RangerResourceTag> tagsToAdd, - List<RangerTaggedResource.RangerResourceTag> tagsToDelete) throws Exception { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.updateTagsForResource()"); - } - - RangerTaggedResource ret = null; - - WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_UPDATE_TAGGED_RESOURCE); - webResource.entity(key).entity(tagsToAdd).entity(tagsToDelete); - - ClientResponse response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).put(ClientResponse.class); - - if(response != null && response.getStatus() == 200) { - ret = response.getEntity(RangerTaggedResource.class); - } else { - RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("Error updating taggedResource. request=" + webResource.toString() - + ", response=" + resp.toString() + ", key=" + key + ", tagsToAdd=" + tagsToAdd + ", tagsToDelete=" + tagsToDelete); - throw new Exception(resp.getMessage()); - } - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerAdminRESTClient.updateTagsForResource()"); - } - - return ret; - } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java index 9d7c16d..0153d27 100644 
--- a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java @@ -29,7 +29,7 @@ import org.apache.ranger.audit.provider.AuditProviderFactory; import org.apache.ranger.audit.provider.MiscUtil; import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants; -import org.apache.ranger.plugin.model.RangerTaggedResource; +import org.apache.ranger.plugin.model.RangerTag; import org.apache.ranger.plugin.policyengine.*; @@ -105,7 +105,10 @@ public class RangerDefaultAuditHandler implements RangerAccessResultProcessor { ret.setClientType(request.getClientType()); ret.setSessionId(request.getSessionId()); ret.setAclEnforcer(RangerModuleName); - ret.setTags(getTags(request)); + Set<String> tags = getTags(request); + if (tags != null) { + ret.setTags(tags); + } populateDefaults(ret); } 
@@ -205,14 +208,18 @@ public class RangerDefaultAuditHandler implements RangerAccessResultProcessor { protected final Set<String> getTags(RangerAccessRequest request) { Object contextObj = request.getContext().get(RangerPolicyEngine.KEY_CONTEXT_TAGS); - Set<String> tags = new HashSet<String>(); + Set<String> tags = null; if (contextObj != null) { + try { @SuppressWarnings("unchecked") - List<RangerTaggedResource.RangerResourceTag> resourceTags = (List<RangerTaggedResource.RangerResourceTag>) contextObj; + List<RangerTag> resourceTags = (List<RangerTag>) contextObj; + if (CollectionUtils.isNotEmpty(resourceTags)) { - for (RangerTaggedResource.RangerResourceTag resourceTag : resourceTags) { + tags = new HashSet<String>(); + + for (RangerTag resourceTag : resourceTags) { tags.add(resourceTag.getName()); } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java index 6c77d80..6fe5262 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java 
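Review bot: getTags() now starts from `Set<String> tags = null;` and only allocates the set when the context holds a non-empty tag list, so its return value changes from an empty set to `null` for untagged requests. The method is `protected final`, so any subclass of RangerDefaultAuditHandler that calls it needs the same `if (tags != null)` guard that the `@@ -105,7 +105,10 @@` hunk adds; an unguarded caller would throw while an audit event is being built. I would document the new contract on the method, for example `/** Returns the names of the tags found in the request context, or null when the request carries no tags. */`. The `try {` opened here is closed outside the hunk, so the handling of a failed cast of `contextObj` cannot be checked from these lines.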
@@ -23,7 +23,7 @@ import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.apache.ranger.plugin.model.RangerTaggedResource; +import org.apache.ranger.plugin.model.RangerTag; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; @@ -74,9 +74,9 @@ public final class RangerScriptExecutionContext { public final String getSessionId() { return accessRequest.getSessionId(); } - public final RangerTaggedResource.RangerResourceTag getCurrentTag() { + public final RangerTag getCurrentTag() { @SuppressWarnings("unchecked") - RangerTaggedResource.RangerResourceTag tagObject = (RangerTaggedResource.RangerResourceTag)getEvaluationContext() + RangerTag tagObject = (RangerTag)getEvaluationContext() .get(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT); if (tagObject == null) { if (LOG.isDebugEnabled()) { @@ -87,7 +87,7 @@ public final class RangerScriptExecutionContext { } public final String getCurrentTagName() { - RangerTaggedResource.RangerResourceTag tagObject = getCurrentTag(); + RangerTag tagObject = getCurrentTag(); return (tagObject != null) ? tagObject.getName() : null; } @@ -95,11 +95,11 @@ public final class RangerScriptExecutionContext { Set<String> allTagNames = null; - List<RangerTaggedResource.RangerResourceTag> tagObjectList = getAllTags(); + List<RangerTag> tagObjectList = getAllTags(); if (CollectionUtils.isNotEmpty(tagObjectList)) { - for (RangerTaggedResource.RangerResourceTag tag : tagObjectList) { + for (RangerTag tag : tagObjectList) { String tagName = tag.getName(); if (allTagNames == null) { allTagNames = new HashSet<String>(); 
@@ -117,13 +117,13 @@ public final class RangerScriptExecutionContext { if (StringUtils.isNotBlank(tagName)) { - List<RangerTaggedResource.RangerResourceTag> tagObjectList = getAllTags(); + List<RangerTag> tagObjectList = getAllTags(); // Assumption: There is exactly one tag with given tagName in the list of tags - may not be true ***TODO*** // This will get attributeValues of the first tagName that matches if (CollectionUtils.isNotEmpty(tagObjectList)) { - for (RangerTaggedResource.RangerResourceTag tag : tagObjectList) { + for (RangerTag tag : tagObjectList) { if (tag.getName().equals(tagName)) { ret = tag.getAttributeValues(); break; @@ -139,13 +139,12 @@ public final class RangerScriptExecutionContext { Set<String> ret = null; - if (StringUtils.isNotBlank(tagName)) { - Map<String, String> attributeValues = getTagAttributeValues(tagName); + Map<String, String> attributeValues = getTagAttributeValues(tagName); - if (attributeValues != null) { - ret = attributeValues.keySet(); - } + if (attributeValues != null) { + ret = attributeValues.keySet(); } + return ret; } @@ -169,7 +168,7 @@ public final class RangerScriptExecutionContext { String ret = null; if (StringUtils.isNotBlank(attributeName)) { - RangerTaggedResource.RangerResourceTag tag = getCurrentTag(); + RangerTag tag = getCurrentTag(); Map<String, String> attributeValues = null; if (tag != null) { attributeValues = tag.getAttributeValues(); 
@@ -286,10 +285,10 @@ public final class RangerScriptExecutionContext { return ret; } - private List<RangerTaggedResource.RangerResourceTag> getAllTags() { + private List<RangerTag> getAllTags() { @SuppressWarnings("unchecked") - List<RangerTaggedResource.RangerResourceTag> ret = (List<RangerTaggedResource.RangerResourceTag>)getEvaluationContext().get(RangerPolicyEngine.KEY_CONTEXT_TAGS); + List<RangerTag> ret = (List<RangerTag>)getEvaluationContext().get(RangerPolicyEngine.KEY_CONTEXT_TAGS); if (ret == null) { if (LOG.isDebugEnabled()) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java index f66da35..987ed45 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java @@ -25,9 +25,8 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.admin.client.RangerAdminClient; import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.model.RangerTaggedResource; import org.apache.ranger.plugin.service.RangerBasePlugin; -import org.apache.ranger.plugin.util.TagServiceResources; +import org.apache.ranger.plugin.util.ServiceTags; import org.apache.ranger.services.tag.RangerServiceTag; import java.util.Date; 
@@ -44,26 +43,19 @@ public class RangerAdminTagRetriever extends RangerTagRefresher { private RangerTagReceiver receiver; private RangerAdminClient adminClient; - private Long lastTimestamp; + private long lastKnownVersion; public RangerAdminTagRetriever(final String serviceName, final RangerServiceDef serviceDef, final long pollingIntervalMs, final RangerTagReceiver enricher) { super(pollingIntervalMs); this.serviceName = serviceName; setReceiver(enricher); propertyPrefix = propertyPrefixPreamble + serviceDef.getName(); - this.lastTimestamp = 0L; + this.lastKnownVersion = -1L; } @Override public void init(Map<String, String> options) { - if (MapUtils.isNotEmpty(options)) { - String useTestTagProvider = options.get("useTestTagProvider"); - - if (useTestTagProvider != null && useTestTagProvider.equals("true")) { - adminClient = RangerServiceTag.createAdminClient(serviceName); - } - } if (adminClient == null) { adminClient = RangerBasePlugin.createAdminClient(serviceName, appId, propertyPrefix); } 
@@ -78,21 +70,25 @@ public class RangerAdminTagRetriever extends RangerTagRefresher { @Override public void retrieveTags() { if (adminClient != null) { - List<RangerTaggedResource> resources = null; - + ServiceTags serviceTags = null; + long savedLastKnownVersion = lastKnownVersion; try { - long before = new Date().getTime(); - TagServiceResources taggedResources = adminClient.getTaggedResources(lastTimestamp); - resources = taggedResources.getTaggedResources(); - lastTimestamp = before; + serviceTags = adminClient.getServiceTagsIfUpdated(lastKnownVersion); + lastKnownVersion = serviceTags.getTagVersion(); } catch (Exception exp) { LOG.error("RangerAdminTagRetriever.retrieveTags() - Error retrieving resources"); } - if (receiver != null && CollectionUtils.isNotEmpty(resources)) { - receiver.setRangerTaggedResources(resources); + if (receiver != null && serviceTags != null) { + if (serviceTags.getTagVersion() != null && serviceTags.getTagVersion().longValue() > savedLastKnownVersion) { + receiver.setServiceTags(serviceTags); + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("RangerAdminTagRetriever.retrieveTags() - no updates to tags !!"); + } + } } else { - LOG.error("RangerAdminTagRetriever.retrieveTags() - No receiver to send resources to .. OR .. no updates to tagged resources!!"); + LOG.error("RangerAdminTagRetriever.retrieveTags() - No receiver to send resources to "); } } else { LOG.error("RangerAdminTagRetriever.retrieveTags() - No Tag Provider ..."); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java deleted file mode 100644 index 8f3a72f..0000000 
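Review bot: `lastKnownVersion = serviceTags.getTagVersion();` in retrieveTags() dereferences `serviceTags` and unboxes its version inside the try, although the code a few lines further down treats both as nullable (`serviceTags != null`, `serviceTags.getTagVersion() != null`). A null result or a null version therefore throws NullPointerException, and the catch logs only a fixed string, so the plugin log shows no cause while the enricher keeps evaluating policies against the tags it loaded last. I would guard the assignment, `if (serviceTags != null && serviceTags.getTagVersion() != null) { lastKnownVersion = serviceTags.getTagVersion(); }`, and pass the exception to the logger, `LOG.error("RangerAdminTagRetriever.retrieveTags() - Error retrieving resources", exp);`. The same two lines appear in RangerTagFileStoreRetriever.retrieveTags() (hunk `@@ -60,19 +59,16 @@`). The method continues past the end of this hunk.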
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java +++ /dev/null 
@@ -1,110 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.plugin.contextenricher; - -import java.lang.reflect.Type; -import java.util.List; -import java.util.Map; -import java.util.Properties; - -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; -import com.google.gson.reflect.TypeToken; -import org.apache.commons.lang.StringUtils; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.ranger.plugin.model.RangerTaggedResource; -import org.apache.ranger.plugin.policyengine.RangerAccessRequest; -import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; - - -public class RangerFileBasedTagProvider extends RangerAbstractContextEnricher { - private static final Log LOG = LogFactory.getLog(RangerFileBasedTagProvider.class); - - private Properties resourceTagsMap = null; - String dataFile = null; - private Gson gsonBuilder = null; - - @Override - public void init() { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerFileBasedTagProvider.init()"); - } - - super.init(); - - dataFile = getOption("dataFile", "/etc/ranger/data/resourceTags.txt"); - - resourceTagsMap = readProperties(dataFile); - - gsonBuilder 
= new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z") - .setPrettyPrinting() - .create(); - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerFileBasedTagProvider.init()"); - } - } - - @Override - public void enrich(RangerAccessRequest request) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerFileBasedTagProvider.enrich(" + request + ")"); - } - - if(request != null && resourceTagsMap != null) { - Map<String, Object> context = request.getContext(); - /* - This needs to know about : - - componentServiceDef (to filter on component-type which is required for getting matchers), and - - serviceName (to filter on cluster-specific tags) - */ - // Provider is file-based. - // tags are a JSON strings - - String requestedResource = request.getResource().getAsString(); - - if(LOG.isDebugEnabled()) { - LOG.debug("RangerFileBasedTagProvider.enrich(): requestedResource = '"+ requestedResource +"'"); - } - String tagsJsonString = resourceTagsMap.getProperty(requestedResource); - - if(!StringUtils.isEmpty(tagsJsonString) && context != null) { - try { - Type listType = new TypeToken<List<RangerTaggedResource.RangerResourceTag>>() { - }.getType(); - List<RangerTaggedResource.RangerResourceTag> tagList = gsonBuilder.fromJson(tagsJsonString, listType); - - context.put(RangerPolicyEngine.KEY_CONTEXT_TAGS, tagList); - } catch (Exception e) { - LOG.error("RangerFileBasedTagProvider.enrich(): error parsing file " + this.dataFile + ", exception=" + e); - } - } else { - if(LOG.isDebugEnabled()) { - LOG.debug("RangerFileBasedTagProvider.enrich(): skipping due to unavailable context or tags. 
context=" + context + "; tags=" + tagsJsonString); - } - } - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerFileBasedTagProvider.enrich(" + request + ")"); - } - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java new file mode 100644 index 0000000..5c1ae64 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java 
@@ -0,0 +1,42 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.contextenricher; + +import org.apache.ranger.plugin.model.RangerServiceResource; +import org.apache.ranger.plugin.policyengine.RangerAccessResource; +import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; + +public class RangerServiceResourceMatcher { + private final RangerServiceResource serviceResource; + private final RangerPolicyResourceMatcher policyResourceMatcher; + + public RangerServiceResourceMatcher(final RangerServiceResource serviceResource, RangerPolicyResourceMatcher policyResourceMatcher) { + this.serviceResource = serviceResource; + this.policyResourceMatcher = policyResourceMatcher; + } + + public RangerServiceResource getServiceResource() { return serviceResource; } + + public RangerPolicyResourceMatcher getPolicyResourceMatcher() { return policyResourceMatcher; } + + public boolean isMatch(RangerAccessResource requestedResource) { + return this.policyResourceMatcher.isExactHeadMatch(requestedResource); + } +} 
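Review bot: The constructor of RangerServiceResourceMatcher stores `policyResourceMatcher` without checking it, and `isMatch()` dereferences it unconditionally, so a matcher built with a null argument fails only later, when a request is being enriched. Rejecting it at construction time keeps the failure next to the tag data that caused it: `if (policyResourceMatcher == null) { throw new IllegalArgumentException("policyResourceMatcher is null"); }`. The class also has no Javadoc. Since `isMatch()` decides which tags are attached to a request, it deserves a comment such as `/** Returns true when requestedResource matches this service resource according to isExactHeadMatch(); tags of the service resource apply only in that case. */`.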
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagFileStoreRetriever.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagFileStoreRetriever.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagFileStoreRetriever.java index 7d6193d..eda8d7c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagFileStoreRetriever.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagFileStoreRetriever.java @@ -22,10 +22,9 @@ package org.apache.ranger.plugin.contextenricher; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.apache.ranger.plugin.model.RangerTaggedResource; import org.apache.ranger.plugin.store.TagStore; import org.apache.ranger.plugin.store.file.TagFileStore; -import org.apache.ranger.plugin.util.TagServiceResources; +import org.apache.ranger.plugin.util.ServiceTags; import java.util.Date; import java.util.List; @@ -38,12 +37,12 @@ public class RangerTagFileStoreRetriever extends RangerTagRefresher { private RangerTagReceiver receiver; private TagStore tagStore; - private Long lastTimestamp; + private long lastKnownVersion; public RangerTagFileStoreRetriever(final String serviceName, final long pollingIntervalMs, final RangerTagReceiver enricher) { super(pollingIntervalMs); this.serviceName = serviceName; - this.lastTimestamp = 0L; + this.lastKnownVersion = -1L; setReceiver(enricher); } 
@@ -60,19 +59,16 @@ public class RangerTagFileStoreRetriever extends RangerTagRefresher { @Override public void retrieveTags() { if (tagStore != null) { - List<RangerTaggedResource> resources = null; - + ServiceTags serviceTags = null; try { - long before = new Date().getTime(); - TagServiceResources tagServiceResources = tagStore.getResources(serviceName, lastTimestamp); - resources = tagServiceResources.getTaggedResources(); - lastTimestamp = before; + serviceTags = tagStore.getServiceTagsIfUpdated(serviceName, lastKnownVersion); + lastKnownVersion = serviceTags.getTagVersion(); } catch (Exception exp) { LOG.error("RangerTagFileStoreRetriever.retrieveTags() - Error retrieving resources"); } - if (receiver != null && CollectionUtils.isNotEmpty(resources)) { - receiver.setRangerTaggedResources(resources); + if (receiver != null && serviceTags != null) { + receiver.setServiceTags(serviceTags); } else { LOG.error("RangerAdminTagRetriever.retrieveTags() - No receiver to send resources to .. OR .. no updates to tagged resources!!"); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java index 8297121..f78515c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java 
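Review bot: The else branch of retrieveTags() logs at error level with the text `"RangerAdminTagRetriever.retrieveTags() - No receiver to send resources to .. OR .. no updates to tagged resources!!"`. That names the wrong class and reports an unchanged tag store in the same way as a missing receiver. If `getServiceTagsIfUpdated()` returns null when nothing changed (the name suggests it; the implementation is not in this hunk), every poll writes an error line that hides real failures. I would split the cases: `if (receiver == null) { LOG.error("RangerTagFileStoreRetriever.retrieveTags() - No receiver to send resources to"); }`, with a debug-level message for the no-update case, as the admin retriever does in its `@@ -78,21 +70,25 @@` hunk. The method continues past the end of this hunk.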
@@ -20,14 +20,17 @@ package org.apache.ranger.plugin.contextenricher; import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.collections.MapUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.apache.ranger.plugin.model.RangerTaggedResource; +import org.apache.ranger.plugin.model.RangerServiceResource; +import org.apache.ranger.plugin.model.RangerTag; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; +import org.apache.ranger.plugin.util.ServiceTags; import java.util.ArrayList; import java.util.List; @@ -45,7 +48,8 @@ public class RangerTagProvider extends RangerAbstractContextEnricher implements protected TagProviderTypeEnum tagProviderType = TagProviderTypeEnum.INVALID_TAG_PROVIDER; protected RangerTagRefresher tagRefresher; - List<RangerTaggedResourceMatcher> taggedResourceMatchers; + ServiceTags serviceTags; + List<RangerServiceResourceMatcher> serviceResourceMatchers; @Override public void init() { 
@@ -90,9 +94,9 @@ public class RangerTagProvider extends RangerAbstractContextEnricher implements LOG.debug("==> RangerTagProvider.enrich(" + request + ")"); } - List<RangerTaggedResourceMatcher> taggedResourceMatchersCopy = taggedResourceMatchers; + List<RangerServiceResourceMatcher> serviceResourceMatchersCopy = serviceResourceMatchers; - List<RangerTaggedResource.RangerResourceTag> matchedTags = findMatchingTags(request.getResource(), taggedResourceMatchersCopy); + List<RangerTag> matchedTags = findMatchingTags(request.getResource(), serviceResourceMatchersCopy); if (CollectionUtils.isNotEmpty(matchedTags)) { request.getContext().put(RangerPolicyEngine.KEY_CONTEXT_TAGS, matchedTags); 
@@ -111,59 +115,63 @@ public class RangerTagProvider extends RangerAbstractContextEnricher implements } @Override - public void setRangerTaggedResources(final List<RangerTaggedResource> resources) { + public void setServiceTags(final ServiceTags serviceTags) { + this.serviceTags = serviceTags; - List<RangerTaggedResourceMatcher> resourceMatchers = new ArrayList<RangerTaggedResourceMatcher>(); + List<RangerServiceResourceMatcher> resourceMatchers = new ArrayList<RangerServiceResourceMatcher>(); - if (CollectionUtils.isNotEmpty(resources)) { + List<RangerServiceResource> serviceResources = this.serviceTags.getServiceResources(); - for (RangerTaggedResource taggedResource : resources) { + if (CollectionUtils.isNotEmpty(serviceResources)) { + + for (RangerServiceResource serviceResource : serviceResources) { RangerDefaultPolicyResourceMatcher matcher = new RangerDefaultPolicyResourceMatcher(); matcher.setServiceDef(this.serviceDef); - matcher.setPolicyResources(taggedResource.getKey().getResourceSpec()); + matcher.setPolicyResources(serviceResource.getResourceSpec()); if (LOG.isDebugEnabled()) { - LOG.debug("RangerTagProvider.setRangerTaggedResources() - Initializing matcher with (resource=" + taggedResource + LOG.debug("RangerTagProvider.setServiceTags() - Initializing matcher with (resource=" + serviceResource + ", serviceDef=" + this.serviceDef.getName() + ")" ); } matcher.init(); - RangerTaggedResourceMatcher taggedResourceMatcher = new RangerTaggedResourceMatcher(taggedResource, matcher); - resourceMatchers.add(taggedResourceMatcher); + RangerServiceResourceMatcher serviceResourceMatcher = new RangerServiceResourceMatcher(serviceResource, matcher); + resourceMatchers.add(serviceResourceMatcher); } } - taggedResourceMatchers = resourceMatchers; + serviceResourceMatchers = resourceMatchers; if (tagRefresher != null && !tagRefresher.getIsStarted()) { tagRefresher.startRetriever(); } } - static private List<RangerTaggedResource.RangerResourceTag> 
findMatchingTags(final RangerAccessResource resource, final List<RangerTaggedResourceMatcher> resourceMatchers) { + private List<RangerTag> findMatchingTags(final RangerAccessResource resource, final List<RangerServiceResourceMatcher> resourceMatchers) { if (LOG.isDebugEnabled()) { LOG.debug("==> RangerTagProvider.findMatchingTags(" + resource + ")"); } - List<RangerTaggedResource.RangerResourceTag> ret = null; + List<RangerTag> ret = null; if (CollectionUtils.isNotEmpty(resourceMatchers)) { - for (RangerTaggedResourceMatcher resourceMatcher : resourceMatchers) { + for (RangerServiceResourceMatcher resourceMatcher : resourceMatchers) { - RangerTaggedResource taggedResource = resourceMatcher.getRangerTaggedResource(); + RangerServiceResource serviceResource = resourceMatcher.getServiceResource(); RangerPolicyResourceMatcher matcher = resourceMatcher.getPolicyResourceMatcher(); - boolean matchResult = matcher.isExactHeadMatch(resource); + boolean matchResult = matcher.isMatch(resource); if (matchResult) { if (ret == null) { - ret = new ArrayList<RangerTaggedResource.RangerResourceTag>(); + ret = new ArrayList<RangerTag>(); } - ret.addAll(taggedResource.getTags()); + // Find tags from serviceResource + ret.addAll(getTagsForServiceResource(serviceTags, serviceResource)); } } } 
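Review bot: setServiceTags() publishes the new state in two separate writes, `this.serviceTags = serviceTags;` at the top and `serviceResourceMatchers = resourceMatchers;` at the end, while findMatchingTags() resolves tags through the `serviceTags` field instead of a snapshot. If the refresher and request threads run concurrently (the copy taken in enrich() suggests so, but the threading is not shown here), a request evaluated between the two writes pairs the old matchers with the new ServiceTags, so resource ids are looked up in a map they do not belong to and the request can be enriched with missing or wrong tags. Neither field is volatile, and `this.serviceTags.getServiceResources()` throws if a caller passes null. Publishing tags and matchers together through one volatile reference, as sketched below, closes that window; enrich() in the previous hunk would then read the reference once and pass it on, and findMatchingTags() continues past the end of this hunk.

```java
// Immutable pair published through a single volatile write.
private static final class TagSnapshot {
    final ServiceTags serviceTags;
    final List<RangerServiceResourceMatcher> matchers;

    TagSnapshot(final ServiceTags serviceTags, final List<RangerServiceResourceMatcher> matchers) {
        this.serviceTags = serviceTags;
        this.matchers = matchers;
    }
}

private volatile TagSnapshot tagSnapshot;

@Override
public void setServiceTags(final ServiceTags serviceTags) {
    List<RangerServiceResourceMatcher> resourceMatchers = new ArrayList<RangerServiceResourceMatcher>();
    List<RangerServiceResource> serviceResources = serviceTags == null ? null : serviceTags.getServiceResources();
    // … unchanged: build one RangerServiceResourceMatcher per service resource …
    tagSnapshot = new TagSnapshot(serviceTags, resourceMatchers);
    // … unchanged: start tagRefresher if it is not running …
}

private List<RangerTag> findMatchingTags(final RangerAccessResource resource, final TagSnapshot snapshot) {
    // … unchanged: debug logging and loop, now iterating snapshot.matchers …
                ret.addAll(getTagsForServiceResource(snapshot.serviceTags, serviceResource));
```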
@@ -182,4 +190,33 @@ public class RangerTagProvider extends RangerAbstractContextEnricher implements return ret; } + + static private List<RangerTag> getTagsForServiceResource(ServiceTags serviceTags, RangerServiceResource serviceResource) { + + List<RangerTag> ret = new ArrayList<RangerTag>(); + + Long resourceId = serviceResource.getId(); + + Map<Long, List<Long>> resourceToTagIds = serviceTags.getResourceToTagIds(); + Map<Long, RangerTag> tags = serviceTags.getTags(); + + if (resourceId != null && MapUtils.isNotEmpty(resourceToTagIds) && MapUtils.isNotEmpty(tags)) { + + List<Long> tagIds = resourceToTagIds.get(resourceId); + + if (CollectionUtils.isNotEmpty(tagIds)) { + + for (Long tagId : tagIds) { + + RangerTag tag = tags.get(tagId); + + if (tag != null) { + ret.add(tag); + } + } + } + } + + return ret; + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagReceiver.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagReceiver.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagReceiver.java index e162f33..47db707 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagReceiver.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagReceiver.java 
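Review bot: getTagsForServiceResource() silently skips a tag id that has no entry in `tags`, because `if (tag != null) { ret.add(tag); }` has no else branch. A dangling id in resourceToTagIds therefore removes a tag from the request context without any trace, and policies keyed on that tag would not be evaluated for the resource. Log the inconsistency, for example `else { LOG.warn("RangerTagProvider.getTagsForServiceResource() - tagId=" + tagId + " mapped to resourceId=" + resourceId + " is missing from ServiceTags"); }`. The method also uses `Map`, which the import hunk of this file does not add, so confirm that `java.util.Map` is already imported outside that hunk.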
@@ -19,10 +19,10 @@ package org.apache.ranger.plugin.contextenricher; -import org.apache.ranger.plugin.model.RangerTaggedResource; +import org.apache.ranger.plugin.util.ServiceTags; import java.util.List; public interface RangerTagReceiver { - void setRangerTaggedResources(final List<RangerTaggedResource> resources); + void setServiceTags(final ServiceTags serviceTags); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTaggedResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTaggedResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTaggedResourceMatcher.java deleted file mode 100644 index dee2915..0000000 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTaggedResourceMatcher.java +++ /dev/null 
@@ -1,38 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.plugin.contextenricher; - -import org.apache.ranger.plugin.model.RangerTaggedResource; -import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; - -public class RangerTaggedResourceMatcher { - private final RangerTaggedResource rangerResource; - private final RangerPolicyResourceMatcher policyResourceMatcher; - - public RangerTaggedResourceMatcher(final RangerTaggedResource rangerResource, RangerPolicyResourceMatcher policyResourceMatcher) { - this.rangerResource = rangerResource; - this.policyResourceMatcher = policyResourceMatcher; - } - - public RangerTaggedResource getRangerTaggedResource() { return rangerResource; } - - public RangerPolicyResourceMatcher getPolicyResourceMatcher() { return policyResourceMatcher; } - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java ---------------------------------------------------------------------- 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java index 521453c..5b7cd11 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java @@ -48,10 +48,13 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri private Map<String, String> configs = null; private Long policyVersion = null; private Date policyUpdateTime = null; + private Long tagVersion = null; + private Date tagUpdateTime = null; + /** - * @param type + * @param */ public RangerService() { this(null, null, null, null, null); @@ -62,7 +65,7 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri * @param name * @param description * @param configs - * @param tagServiceName + * @param tagService */ public RangerService(String type, String name, String description, String tagService, Map<String, String> configs) { super(); @@ -137,7 +140,7 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri } /** - * @param tagServiceName the tagServiceName to set + * @param tagService the tagServiceName to set */ public void setTagService(String tagService) { this.tagService = tagService; 
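Review bot: The Javadoc edits in these hunks leave tags that do not match the signatures: the no-argument constructor now carries an empty `@param`, which the javadoc tool reports as a missing parameter name, and the setter reads `@param tagService the tagServiceName to set`. Delete the empty tag on the no-argument constructor and write `@param tagService the tagService to set` on setTagService(). The constructor's `@param tagService` has no description either, like the other parameters in that comment. The new fields `tagVersion` and `tagUpdateTime` start as null, and a one-line comment saying what null means would help readers of the getters added in the next hunk.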
@@ -199,6 +202,35 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri this.policyUpdateTime = policyUpdateTime; } + /** + * @return the tagVersion + */ + public Long getTagVersion() { + return tagVersion; + } + + /** + * @param tagVersion the tagVersion to set + */ + public void setTagVersion(Long tagVersion) { + this.tagVersion = tagVersion; + } + + + /** + * @return the tagUpdateTime + */ + public Date getTagUpdateTime() { + return tagUpdateTime; + } + + /** + * @param tagUpdateTime the policyUpdateTime to set + */ + public void setTagUpdateTime(Date tagUpdateTime) { + this.tagUpdateTime = tagUpdateTime; + } + @Override public String toString( ) { StringBuilder sb = new StringBuilder(); @@ -228,6 +260,9 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri sb.append("policyVersion={").append(policyVersion).append("} "); sb.append("policyUpdateTime={").append(policyUpdateTime).append("} "); + sb.append("tagVersion={").append(tagVersion).append("} "); + sb.append("tagUpdateTime={").append(tagUpdateTime).append("} "); + sb.append("}"); return sb; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceResource.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceResource.java new file mode 100644 index 0000000..3728f6d --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceResource.java 
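Review bot: The Javadoc on setTagUpdateTime() reads `@param tagUpdateTime the policyUpdateTime to set`, copied from the setter above it; it should be `@param tagUpdateTime the tagUpdateTime to set`. The comments on getTagVersion() and getTagUpdateTime() only repeat the field names, so they do not say whether a null return means that no tags have been stored for the service yet. A sentence such as `@return the tag version, or null if it has not been set` would state what the field initialiser in the earlier hunk implies.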
@@ -0,0 +1,117 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.model; + +import org.codehaus.jackson.annotate.JsonAutoDetect; +import org.codehaus.jackson.annotate.JsonIgnoreProperties; +import org.codehaus.jackson.map.annotate.JsonSerialize; + +import javax.xml.bind.annotation.XmlAccessType; +import javax.xml.bind.annotation.XmlAccessorType; +import javax.xml.bind.annotation.XmlRootElement; +import java.util.HashMap; +import java.util.Map; + +@JsonAutoDetect(getterVisibility= JsonAutoDetect.Visibility.NONE, setterVisibility= JsonAutoDetect.Visibility.NONE, fieldVisibility= JsonAutoDetect.Visibility.ANY) +@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL ) +@JsonIgnoreProperties(ignoreUnknown=true) +@XmlRootElement +@XmlAccessorType(XmlAccessType.FIELD) + +public class RangerServiceResource extends RangerBaseModelObject { + private static final long serialVersionUID = 1L; + + private String serviceName = null; + private Map<String, RangerPolicy.RangerPolicyResource> resourceSpec = null; + private String resourceSignature = null; + + + public RangerServiceResource(String externalId, String serviceName, Map<String, RangerPolicy.RangerPolicyResource> resourceSpec, 
String resourceSignature) { + super(); + setGuid(externalId); + setServiceName(serviceName); + setResourceSpec(resourceSpec); + setResourceSignature(resourceSignature); + } + public RangerServiceResource(String externalId, String serviceName, Map<String, RangerPolicy.RangerPolicyResource> resourceSpec) { + this(externalId, serviceName, resourceSpec, null); + } + public RangerServiceResource(String serviceName, Map<String, RangerPolicy.RangerPolicyResource> resourceSpec) { + this(null, serviceName, resourceSpec, null); + } + + public RangerServiceResource() { + this(null, null, null, null); + } + + public String getServiceName() { return serviceName; } + + public Map<String, RangerPolicy.RangerPolicyResource> getResourceSpec() { return resourceSpec; } + + public String getResourceSignature() { + return resourceSignature; + } + + public void setServiceName(String serviceName) { + this.serviceName = serviceName; + } + + public void setResourceSpec(Map<String, RangerPolicy.RangerPolicyResource> resourceSpec) { + this.resourceSpec = resourceSpec == null ? 
new HashMap<String, RangerPolicy.RangerPolicyResource>() : resourceSpec; + } + + public void setResourceSignature(String resourceSignature) { + this.resourceSignature = resourceSignature; + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + + toString(sb); + + return sb.toString(); + } + + public StringBuilder toString(StringBuilder sb) { + + sb.append("{ "); + + sb.append("externalId={").append(getGuid()).append("} "); + sb.append("serviceName={").append(serviceName).append("} "); + + sb.append("resourceSpec={"); + if(resourceSpec != null) { + for(Map.Entry<String, RangerPolicy.RangerPolicyResource> e : resourceSpec.entrySet()) { + sb.append(e.getKey()).append("={"); + e.getValue().toString(sb); + sb.append("} "); + } + } + sb.append("} "); + + sb.append("resourceSignature={").append(resourceSignature).append("} "); + + sb.append(" }"); + + return sb; + } +} + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTag.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTag.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTag.java new file mode 100644 index 0000000..25dc24d --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTag.java 
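Review bot: RangerServiceResource still calls the identifier `externalId` in its constructor parameters and in toString(), where it writes `sb.append("externalId={").append(getGuid())`, although the value is stored through setGuid() and RangerTag in this same commit prints it as `guid`. Using one name, `sb.append("guid={").append(getGuid()).append("} ");` together with a `guid` constructor parameter, keeps log output searchable by a single key. The class has no Javadoc; a short class comment saying what resourceSpec and resourceSignature hold, and which component computes the signature, would help because neither is evident from this file.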
@@ -0,0 +1,106 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.model; + +import org.codehaus.jackson.annotate.JsonAutoDetect; +import org.codehaus.jackson.annotate.JsonIgnoreProperties; +import org.codehaus.jackson.map.annotate.JsonSerialize; + +import javax.xml.bind.annotation.XmlAccessType; +import javax.xml.bind.annotation.XmlAccessorType; +import javax.xml.bind.annotation.XmlRootElement; +import java.util.HashMap; +import java.util.Map; + +@JsonAutoDetect(getterVisibility= JsonAutoDetect.Visibility.NONE, setterVisibility= JsonAutoDetect.Visibility.NONE, fieldVisibility= JsonAutoDetect.Visibility.ANY) +@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL ) +@JsonIgnoreProperties(ignoreUnknown=true) +@XmlRootElement +@XmlAccessorType(XmlAccessType.FIELD) + +public class RangerTag extends RangerBaseModelObject { + private static final long serialVersionUID = 1L; + + private String name; + private Map<String, String> attributeValues; + + public RangerTag(String guid, String name, Map<String, String> attributeValues) { + super(); + setGuid(guid); + setName(name); + setAttributeValues(attributeValues); + } + + public RangerTag(String name, Map<String, String> 
attributeValues) { + this(null, name, attributeValues); + } + + public RangerTag() { + this(null, null, null); + } + + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + public Map<String, String> getAttributeValues() { + return attributeValues; + } + + public void setAttributeValues(Map<String, String> attributeValues) { + this.attributeValues = attributeValues == null ? new HashMap<String, String>() : attributeValues; + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + + toString(sb); + + return sb.toString(); + } + + public StringBuilder toString(StringBuilder sb) { + + sb.append("{ "); + + sb.append("guid={").append(getGuid()).append("} "); + sb.append("name={").append(name).append("} "); + + sb.append("attributeValues={"); + if (attributeValues != null) { + for (Map.Entry<String, String> e : attributeValues.entrySet()) { + sb.append(e.getKey()).append("={"); + sb.append(e.getValue()); + sb.append("} "); + } + } + sb.append("} "); + + sb.append(" }"); + + return sb; + } +} + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTagResourceMap.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTagResourceMap.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTagResourceMap.java new file mode 100644 index 0000000..8fca4c7 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTagResourceMap.java 
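Review bot: RangerTag.getAttributeValues() returns the internal map and setAttributeValues() stores the caller's map without copying, so every holder of a RangerTag can change its attributes. In this commit RangerTagProvider adds the instances taken from ServiceTags directly to the request context, so a consumer that modified the map would alter the tag seen by later requests; whether any consumer does so is not visible here. Either document the contract on the class, for example `/** Tag and its attribute values; instances are shared across requests and must not be modified once handed to the policy engine. */`, or return `Collections.unmodifiableMap(attributeValues)` from the getter if no caller relies on mutating the result.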
@@ -0,0 +1,82 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.model; + +import org.codehaus.jackson.annotate.JsonAutoDetect; +import org.codehaus.jackson.annotate.JsonIgnoreProperties; +import org.codehaus.jackson.map.annotate.JsonSerialize; + +import javax.xml.bind.annotation.XmlAccessType; +import javax.xml.bind.annotation.XmlAccessorType; +import javax.xml.bind.annotation.XmlRootElement; + +@JsonAutoDetect(getterVisibility= JsonAutoDetect.Visibility.NONE, setterVisibility= JsonAutoDetect.Visibility.NONE, fieldVisibility= JsonAutoDetect.Visibility.ANY) +@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL ) +@JsonIgnoreProperties(ignoreUnknown=true) +@XmlRootElement +@XmlAccessorType(XmlAccessType.FIELD) + +public class RangerTagResourceMap extends RangerBaseModelObject { + private static final long serialVersionUID = 1L; + + private Long resourceId; + private Long tagId; + + public RangerTagResourceMap() { + } + + public Long getResourceId() { + return resourceId; + } + + public Long getTagId() { + return tagId; + } + + public void setTagId(Long tagId) { + this.tagId = tagId; + } + + public void setResourceId(Long resourceId) { + this.resourceId = resourceId; + } 
+ + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + + toString(sb); + + return sb.toString(); + } + + public StringBuilder toString(StringBuilder sb) { + + sb.append("{ "); + + sb.append("resourceId={").append(resourceId).append("} "); + + sb.append("tagId=").append(tagId).append("} "); + + sb.append(" }"); + + return sb; + }} + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTaggedResource.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTaggedResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTaggedResource.java deleted file mode 100644 index afcaa08..0000000 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTaggedResource.java +++ /dev/null 
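Review bot: toString(StringBuilder) writes `tagId=` without the opening brace, so the output looks like `tagId=5} ` next to `resourceId={3} ` (sample values) and the braces no longer balance. The line should read `sb.append("tagId={").append(tagId).append("} ");`. The class also ends with `}}` on a single line, which is worth splitting so the file matches the other model classes added in this commit.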
@@ -1,207 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.plugin.model; - -import org.codehaus.jackson.annotate.JsonAutoDetect; -import org.codehaus.jackson.annotate.JsonIgnoreProperties; -import org.codehaus.jackson.map.annotate.JsonSerialize; - -import javax.xml.bind.annotation.XmlAccessType; -import javax.xml.bind.annotation.XmlAccessorType; -import javax.xml.bind.annotation.XmlRootElement; -import java.util.*; - -/** - * This class represents a RangerTaggedResource including the service-type (such as hdfs, hive, etc.) in which it is supported. - * This implies that there is one-to-one mapping between service-type and the resource-type which is a valid assumption. - * Service-type must be one of service-types supported by Ranger. 
- * - * This class also contains a list of (tag-name, JSON-string-representing-tagattribute-tagattributevalue-pairs) - * - */ - -@JsonAutoDetect(getterVisibility= JsonAutoDetect.Visibility.NONE, setterVisibility= JsonAutoDetect.Visibility.NONE, fieldVisibility= JsonAutoDetect.Visibility.ANY) -@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL ) -@JsonIgnoreProperties(ignoreUnknown=true) -@XmlRootElement -@XmlAccessorType(XmlAccessType.FIELD) - -public class RangerTaggedResource extends RangerBaseModelObject { - private static final long serialVersionUID = 1L; - - private String externalId; - private RangerTaggedResourceKey key; - private List<RangerResourceTag> tags; - - public RangerTaggedResource(String externalId, RangerTaggedResourceKey key, List<RangerResourceTag> tags) { - super(); - setExternalId(externalId); - setKey(key); - setTags(tags); - } - - public RangerTaggedResource(RangerTaggedResourceKey key, List<RangerResourceTag> tags) { - this(null, key, tags); - } - - public RangerTaggedResource() { - this(null, null, null); - } - - public String getExternalId() { return externalId; } - - public RangerTaggedResourceKey getKey() { return key; } - - public List<RangerResourceTag> getTags() { - return tags; - } - - // And corresponding set methods - - public void setExternalId(String externalId) { - this.externalId = externalId; - } - - public void setKey(RangerTaggedResourceKey key) { - this.key = key == null ? new RangerTaggedResourceKey() : key; - } - - public void setTags(List<RangerResourceTag> tags) { - this.tags = tags == null ? 
new ArrayList<RangerResourceTag>() : tags; - } - - @Override - public String toString( ) { - StringBuilder sb = new StringBuilder(); - - toString(sb); - - return sb.toString(); - } - - public StringBuilder toString(StringBuilder sb) { - - sb.append("{ "); - - sb.append("externalId={").append(externalId).append("} "); - sb.append("key={"); - if (key != null) { - key.toString(sb); - } - sb.append("} "); - - sb.append("Tags={"); - if (tags != null) { - for (RangerResourceTag tag : tags) { - sb.append("{"); - tag.toString(sb); - sb.append("} "); - } - } - sb.append("} "); - - sb.append(" }"); - - return sb; - } - /** - * Represents a tag and its attribute-values for a resource. - */ - - @JsonAutoDetect(getterVisibility= JsonAutoDetect.Visibility.NONE, setterVisibility= JsonAutoDetect.Visibility.NONE, fieldVisibility= JsonAutoDetect.Visibility.ANY) - @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL ) - @JsonIgnoreProperties(ignoreUnknown=true) - @XmlRootElement - @XmlAccessorType(XmlAccessType.FIELD) - - public static class RangerResourceTag implements java.io.Serializable { - private static final long serialVersionUID = 1L; - - private String externalId = null; - private String name = null; - private Map<String, String> attributeValues = null; - - public RangerResourceTag(String externalId, String name, Map<String, String> attributeValues) { - super(); - setExternalId(externalId); - setName(name); - setAttributeValues(attributeValues); - } - - public RangerResourceTag(String name, Map<String, String> attributeValues) { - this(null, name, attributeValues); - } - - public RangerResourceTag() { - this(null, null, null); - } - - public String getExternalId() { - return externalId; - } - - public void setExternalId(String externalId) { this.externalId = externalId; } - - public String getName() { - return name; - } - - public void setName(String name) { this.name = name; } - - public Map<String, String> getAttributeValues() { - return attributeValues; - } - - public 
void setAttributeValues(Map<String, String> attributeValues) { - this.attributeValues = attributeValues == null ? new HashMap<String, String>() : attributeValues; - } - - @Override - public String toString( ) { - StringBuilder sb = new StringBuilder(); - - toString(sb); - - return sb.toString(); - } - - public StringBuilder toString(StringBuilder sb) { - - sb.append("{ "); - - sb.append("externalId={").append(externalId).append("} "); - sb.append("name={").append(name).append("} "); - - sb.append("attributeValues={"); - if(attributeValues != null) { - for(Map.Entry<String, String> e : attributeValues.entrySet()) { - sb.append(e.getKey()).append("={"); - sb.append(e.getValue()); - sb.append("} "); - } - } - sb.append("} "); - - sb.append(" }"); - - return sb; - } - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTaggedResourceKey.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTaggedResourceKey.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTaggedResourceKey.java deleted file mode 100644 index b98219b..0000000 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTaggedResourceKey.java +++ /dev/null 
@@ -1,81 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.plugin.model; - -import java.util.HashMap; -import java.util.Map; - -public class RangerTaggedResourceKey implements java.io.Serializable { - private static final long serialVersionUID = 1L; - - private String serviceName = null; - private Map<String, RangerPolicy.RangerPolicyResource> resourceSpec = null; - - public RangerTaggedResourceKey() { this(null, null); } - - public RangerTaggedResourceKey(String serviceName, Map<String, RangerPolicy.RangerPolicyResource> resourceSpec) { - super(); - - setServiceName(serviceName); - setResourceSpec(resourceSpec); - } - - public String getServiceName() { return serviceName; } - - public Map<String, RangerPolicy.RangerPolicyResource> getResourceSpec() { return resourceSpec; } - - public void setServiceName(String serviceName) { - this.serviceName = serviceName; - } - - public void setResourceSpec(Map<String, RangerPolicy.RangerPolicyResource> resourceSpec) { - this.resourceSpec = resourceSpec == null ? 
new HashMap<String, RangerPolicy.RangerPolicyResource>() : resourceSpec; - } - - @Override - public String toString( ) { - StringBuilder sb = new StringBuilder(); - - toString(sb); - - return sb.toString(); - } - - public StringBuilder toString(StringBuilder sb) { - - sb.append("{ "); - - sb.append("tagServiceName={").append(serviceName).append("} "); - - sb.append("resourceSpec={"); - if(resourceSpec != null) { - for(Map.Entry<String, RangerPolicy.RangerPolicyResource> e : resourceSpec.entrySet()) { - sb.append(e.getKey()).append("={"); - e.getValue().toString(sb); - sb.append("} "); - } - } - sb.append("} "); - - sb.append(" }"); - - return sb; - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index cab3ff0..c763da4 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -25,7 +25,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.contextenricher.RangerContextEnricher; import org.apache.ranger.plugin.model.RangerPolicy; -import org.apache.ranger.plugin.model.RangerTaggedResource; +import org.apache.ranger.plugin.model.RangerTag; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; 
@@ -368,11 +368,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { if (context != null && (contextObj = context.get(KEY_CONTEXT_TAGS)) != null) { @SuppressWarnings("unchecked") - List<RangerTaggedResource.RangerResourceTag> resourceTags = (List<RangerTaggedResource.RangerResourceTag>) contextObj; + List<RangerTag> resourceTags = (List<RangerTag>) contextObj; - List<RangerPolicyEvaluator> evaluators; + List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators(); - if (!CollectionUtils.isEmpty(evaluators = tagPolicyRepository.getPolicyEvaluators())) { + if (CollectionUtils.isNotEmpty(evaluators)) { boolean someTagAllowedAudit = false; @@ -380,7 +380,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { List<RangerTagAuditEvent> tagAuditEvents = new ArrayList<RangerTagAuditEvent>(); - for (RangerTaggedResource.RangerResourceTag resourceTag : resourceTags) { + for (RangerTag resourceTag : resourceTags) { if (LOG.isDebugEnabled()) { LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: Evaluating policies for tag (" + resourceTag.getName() + ")"); @@ -459,7 +459,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { RangerMutableResource mutable = (RangerMutableResource) resource; mutable.setServiceDef(getServiceDef()); } else { - LOG.debug("RangerPolicyEngineImpl.setResourceServiceDef(): Cannot set ServiceDef in RangerTaggedResource."); + LOG.debug("RangerPolicyEngineImpl.setResourceServiceDef(): Cannot set ServiceDef in RangerTagResourceMap."); } } } 
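Review bot: The debug message in the `@@ -459,7 +459,7 @@` hunk was renamed mechanically and now reads "Cannot set ServiceDef in RangerTagResourceMap", although the value on this path is the `resource` that could not be cast to `RangerMutableResource`, not a tag-to-resource mapping. Logging the actual type keeps the message true after future renames, for example `LOG.debug("RangerPolicyEngineImpl.setResourceServiceDef(): Cannot set ServiceDef in " + resource.getClass().getName());`. The condition guarding this `else` sits outside the hunk, so confirm `resource` cannot be null there.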
@@ -495,7 +495,7 @@ class RangerTagResource extends RangerAccessResourceImpl { } class RangerTagAccessRequest extends RangerAccessRequestImpl { - public RangerTagAccessRequest(RangerTaggedResource.RangerResourceTag resourceTag, RangerServiceDef tagServiceDef, RangerAccessRequest request) { + public RangerTagAccessRequest(RangerTag resourceTag, RangerServiceDef tagServiceDef, RangerAccessRequest request) { super.setResource(new RangerTagResource(resourceTag.getName(), tagServiceDef)); super.setUser(request.getUser()); super.setUserGroups(request.getUserGroups()); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java index 837fce8..e9aae60 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java @@ -139,7 +139,9 @@ public abstract class AbstractServiceStore implements ServiceStore { protected void preCreate(RangerBaseModelObject obj) throws Exception { obj.setId(0L); - obj.setGuid(UUID.randomUUID().toString()); + if(obj.getGuid() == null) { + obj.setGuid(UUID.randomUUID().toString()); + } obj.setCreateTime(new Date()); obj.setUpdateTime(obj.getCreateTime()); obj.setVersion(1L); 
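Review bot: The new `if(obj.getGuid() == null)` guard in `AbstractServiceStore.preCreate` keeps whatever GUID the caller set, and nothing in this hunk checks that the value is well-formed or unused by another object; an empty string also passes the null test. If the object is built from a REST payload, the client chooses the identifier of the record it creates, so I would at least treat blank as missing, `if (obj.getGuid() == null || obj.getGuid().trim().isEmpty()) {`. Uniqueness should also be enforced by the store or a validator, neither of which is visible here. The same guard is added to `AbstractTagStore.preCreate` in the `@@ -44,7 +48,9 @@` hunk further down. `preCreate` continues past the end of this hunk.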
@@ -150,6 +152,9 @@ public abstract class AbstractServiceStore implements ServiceStore { service.setPolicyVersion(0L); service.setPolicyUpdateTime(service.getCreateTime()); + + service.setTagVersion(0L); + service.setTagUpdateTime(service.getCreateTime()); } protected void postCreate(RangerBaseModelObject obj) throws Exception { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/83cb21e0/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java index 64972ba..43d25a7 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java @@ -19,16 +19,20 @@ package org.apache.ranger.plugin.store; -import org.apache.ranger.plugin.model.RangerBaseModelObject; -import org.apache.ranger.plugin.model.RangerTaggedResource; -import org.apache.ranger.plugin.model.RangerTagDef; +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.collections.MapUtils; +import org.apache.commons.lang.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.model.*; import org.apache.ranger.plugin.util.SearchFilter; +import org.apache.ranger.plugin.util.ServiceTags; -import java.util.Date; -import java.util.List; -import java.util.UUID; +import java.util.*; public abstract class AbstractTagStore implements TagStore { + private static final Log LOG = LogFactory.getLog(AbstractTagStore.class); + protected ServiceStore svcStore; 
@@ -44,7 +48,9 @@ public abstract class AbstractTagStore implements TagStore { protected void preCreate(RangerBaseModelObject obj) throws Exception { obj.setId(0L); - obj.setGuid(UUID.randomUUID().toString()); + if(obj.getGuid() == null) { + obj.setGuid(UUID.randomUUID().toString()); + } obj.setCreateTime(new Date()); obj.setUpdateTime(obj.getCreateTime()); obj.setVersion(1L); 
@@ -109,11 +115,313 @@ public abstract class AbstractTagStore implements TagStore { (long)list.size(), list.size(), filter.getSortType(), filter.getSortBy()); } - public PList<RangerTaggedResource> getPaginatedResources(SearchFilter filter) throws Exception { - List<RangerTaggedResource> list = getResources(filter); + @Override + public PList<RangerTagResourceMap> getPaginatedTagResourceMaps(SearchFilter filter) throws Exception { + List<RangerTagResourceMap> list = getTagResourceMaps(filter); - return new PList<RangerTaggedResource>(list, 0, list.size(), + return new PList<RangerTagResourceMap>(list, 0, list.size(), (long)list.size(), list.size(), filter.getSortType(), filter.getSortBy()); } + + @Override + public List<RangerTagDef> getTagDefsByExternalId(String externalId) throws Exception { + + List<RangerTagDef> ret; + + if (StringUtils.isNotBlank(externalId)) { + SearchFilter filter = new SearchFilter(SearchFilter.TAG_DEF_EXTERNAL_ID, externalId); + + ret = getTagDefs(filter); + + } else { + ret = null; + } + + return ret; + } + + @Override + public RangerTag getTagById(Long id) throws Exception { + if (LOG.isDebugEnabled()) { + LOG.debug("==> AbstractTagStore.getTagById(" + id + ")"); + } + + RangerTag ret = null; + + if (id != null) { + SearchFilter filter = new SearchFilter(SearchFilter.TAG_ID, id.toString()); + + List<RangerTag> tags = getTags(filter); + + if (CollectionUtils.isNotEmpty(tags) && CollectionUtils.size(tags) == 1) { + ret = tags.get(0); + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== AbstractTagStore.getTagDefById(" + id + "): " + ret); + } + + return ret; + } + + @Override + public List<RangerTag> getTagsByName(String name) throws Exception { + SearchFilter filter = new SearchFilter(SearchFilter.TAG_NAME, name); + + return getTags(filter); + } + + @Override + public List<RangerTag> getTagsByExternalId(String externalId) throws Exception { + SearchFilter filter = new SearchFilter(SearchFilter.TAG_EXTERNAL_ID, externalId); + + return 
getTags(filter); + } + + + @Override + public RangerServiceResource getServiceResourceById(Long id) throws Exception { + SearchFilter filter = new SearchFilter(SearchFilter.TAG_RESOURCE_ID, id.toString()); + + List<RangerServiceResource> resources = getServiceResources(filter); + if (CollectionUtils.isEmpty(resources) || resources.size() > 1) { + throw new Exception("Not exactly one resource found with id=" + id); + } + + return resources.get(0); + } + + @Override + public List<RangerServiceResource> getServiceResourcesByExternalId(String externalId) throws Exception { + SearchFilter filter = new SearchFilter(SearchFilter.TAG_RESOURCE_EXTERNAL_ID, externalId); + + return getServiceResources(filter); + } + + @Override + public List<RangerServiceResource> getServiceResourcesByServiceAndResourceSpec(String serviceName, Map<String, RangerPolicy.RangerPolicyResource> resourceSpec) throws Exception { + List<RangerServiceResource> ret = null; + + RangerService service; + try { + service = svcStore.getServiceByName(serviceName); + } catch (Exception excp) { + LOG.error("AbstractTagStore.getTaggedResource - failed to get service " + serviceName); + throw new Exception("Invalid service: " + serviceName); + } + + if (MapUtils.isNotEmpty(resourceSpec)) { + + RangerServiceResource resource = new RangerServiceResource(serviceName, resourceSpec); + ret = getServiceResources(resource); + } + + return ret; + } + + private List<RangerServiceResource> getServiceResources(RangerServiceResource resource) throws Exception { + + List<RangerServiceResource> ret = null; + + RangerServiceResourceSignature serializer = new RangerServiceResourceSignature(resource); + String signature = serializer.getSignature(); + + SearchFilter filter = new SearchFilter(SearchFilter.TAG_RESOURCE_SIGNATURE, signature); + + ret = getServiceResources(filter); + + return ret; + } + + @Override + public List<RangerTagResourceMap> getTagResourceMap(String externalResourceId, String externalTagId) throws Exception 
{ + List<RangerTagResourceMap> ret = null; + + SearchFilter serviceResourceFilter = new SearchFilter(); + SearchFilter tagFilter = new SearchFilter(); + + serviceResourceFilter.setParam(SearchFilter.TAG_RESOURCE_EXTERNAL_ID, externalResourceId); + List<RangerServiceResource> serviceResources = getServiceResources(serviceResourceFilter); + + tagFilter.setParam(SearchFilter.TAG_EXTERNAL_ID, externalTagId); + List<RangerTag> tags = getTags(tagFilter); + + if (CollectionUtils.isNotEmpty(serviceResources) && CollectionUtils.isNotEmpty(tags)) { + + for (RangerServiceResource serviceResource : serviceResources) { + + Long resourceId = serviceResource.getId(); + + for (RangerTag tag : tags) { + + Long tagId = tag.getId(); + + SearchFilter mapFilter = new SearchFilter(); + + mapFilter.setParam(SearchFilter.TAG_MAP_TAG_ID, tagId.toString()); + + mapFilter.setParam(SearchFilter.TAG_MAP_RESOURCE_ID, resourceId.toString()); + + ret = getTagResourceMaps(mapFilter); + + if (CollectionUtils.isNotEmpty(ret)) { + break; + } + } + } + } + + return ret; + } + + @Override + public RangerTagResourceMap getTagResourceMapById(Long id) throws Exception { + SearchFilter filter = new SearchFilter(); + + filter.setParam(SearchFilter.TAG_MAP_ID, id.toString()); + + List<RangerTagResourceMap> list = getTagResourceMaps(filter); + + if (CollectionUtils.isEmpty(list) || CollectionUtils.size(list) != 1) { + throw new Exception("Cannot find unique tagResourceMap object with id=" + id); + } + return list.get(0); + } + + @Override + public ServiceTags getServiceTagsIfUpdated(String serviceName, Long lastKnownVersion) throws Exception { + + ServiceTags ret = new ServiceTags(); + + boolean tagsChanged = true; + + RangerService service = null; + + try { + service = svcStore.getServiceByName(serviceName); + ret.setServiceName(serviceName); + } catch (Exception exception) { + LOG.error("Cannot find service for serviceName=" + serviceName); + tagsChanged = false; + } + + if (lastKnownVersion != null + && 
service != null && service.getTagVersion() != null + && lastKnownVersion.compareTo(service.getTagVersion()) >= 0 ) { + tagsChanged = false; + } + + if (tagsChanged) { + SearchFilter filter = new SearchFilter(); + + filter.setParam(SearchFilter.TAG_RESOURCE_SERVICE_NAME, serviceName); + + List<RangerServiceResource> serviceResources = getServiceResources(filter); + + Map<Long, RangerTag> tagsMap = new HashMap<Long, RangerTag>(); + Map<Long, List<Long>> resourceToTagIdsMap = new HashMap<Long, List<Long>>(); + + for (RangerServiceResource serviceResource : serviceResources) { + List<RangerTag> tagList = getTagsForServiceResourceObject(serviceResource); + + if (CollectionUtils.isNotEmpty(tagList)) { + List<Long> tagIdList = new ArrayList<Long>(); + for (RangerTag tag : tagList) { + tagsMap.put(tag.getId(), tag); + tagIdList.add(tag.getId()); + } + resourceToTagIdsMap.put(serviceResource.getId(), tagIdList); + } + } + + if (MapUtils.isEmpty(resourceToTagIdsMap)) { + serviceResources.clear(); + } + + ret.setServiceResources(serviceResources); + ret.setResourceToTagIds(resourceToTagIdsMap); + ret.setTags(tagsMap); + + if (service != null && service.getTagVersion() != null) { + ret.setTagVersion(service.getTagVersion()); + } + if (service != null && service.getTagUpdateTime() != null) { + ret.setTagUpdateTime(service.getTagUpdateTime()); + } + if (LOG.isDebugEnabled()) { + LOG.debug("Changes to tagVersion detected, tagVersion in service=" + (service == null ? null : service.getTagVersion()) + + ", Plugin-provided lastKnownVersion=" + lastKnownVersion); + } + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("No changes to tagVersion detected, tagVersion in service=" + (service == null ? 
null : service.getTagVersion()) + + ", Plugin-provided lastKnownVersion=" + lastKnownVersion); + } + ret.setTagVersion(lastKnownVersion); + } + + return ret; + + } + + @Override + public List<RangerTag> getTagsForServiceResource(Long resourceId) throws Exception { + RangerServiceResource serviceResource = getServiceResourceById(resourceId); + + List<RangerTag> tagList = getTagsForServiceResourceObject(serviceResource); + + return tagList; + } + + @Override + public List<RangerTag> getTagsForServiceResourceByExtId(String resourceExtId) throws Exception { + List<RangerTag> tagList = new ArrayList<RangerTag>(); + + List<RangerServiceResource> serviceResources = getServiceResourcesByExternalId(resourceExtId); + for (RangerServiceResource serviceResource : serviceResources) { + List<RangerTag> tmp = getTagsForServiceResourceObject(serviceResource); + tagList.addAll(tmp); + } + return tagList; + } + + private List<RangerTag> getTagsForServiceResourceObject(RangerServiceResource serviceResource) throws Exception { + + List<RangerTag> tagList = new ArrayList<RangerTag>(); + + if (serviceResource != null) { + SearchFilter mapFilter = new SearchFilter(); + mapFilter.setParam(SearchFilter.TAG_MAP_RESOURCE_ID, serviceResource.getId().toString()); + + List<RangerTagResourceMap> associations = getTagResourceMaps(mapFilter); + if (CollectionUtils.isNotEmpty(associations)) { + + for (RangerTagResourceMap association : associations) { + RangerTag tag = getTagById(association.getTagId()); + if (tag != null) { + tagList.add(tag); + } + } + } + } + return tagList; + } + + @Override + public List<RangerTagResourceMap> getTagResourceMapsByResourceId(Long tagId) throws Exception { + SearchFilter filter = new SearchFilter(SearchFilter.TAG_MAP_RESOURCE_ID, tagId.toString()); + List<RangerTagResourceMap> associations = getTagResourceMaps(filter); + return associations; + } + + @Override + public List<RangerTagResourceMap> getTagResourceMapsByTagId(Long tagId) throws Exception { + 
SearchFilter filter = new SearchFilter(SearchFilter.TAG_MAP_TAG_ID, tagId.toString()); + List<RangerTagResourceMap> associations = getTagResourceMaps(filter); + return associations; + } } + +
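Review bot: In `getTagResourceMap`, the `break` after `CollectionUtils.isNotEmpty(ret)` leaves only the inner tag loop, so the outer loop over `serviceResources` continues and the next `getTagResourceMaps(mapFilter)` call overwrites a mapping that was already found, possibly with an empty list. Returning at that point keeps the match: `if (CollectionUtils.isNotEmpty(ret)) { return ret; }`. Separately, `getServiceTagsIfUpdated` logs a failed `svcStore.getServiceByName` and then returns a `ServiceTags` with `lastKnownVersion` echoed back and no service name, which a caller presumably cannot tell apart from "tags unchanged". If plugins act on that response they would keep enforcing on stale tags, so rethrowing with the cause looks safer; the plugin-side handling is outside this hunk and should be checked. `getServiceResourceById`, `getTagResourceMapById`, `getTagResourceMapsByResourceId` and `getTagResourceMapsByTagId` also call `toString()` on their `Long` argument without the null guard that `getTagById` has.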
