Repository: incubator-ranger Updated Branches: refs/heads/tag-policy 92c96502a -> d3ba14925
RANGER-274: fix excessive log on receiving no-tag-change from Ranger admin; removed @SuppressWarnings; misc log message fixes Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d3ba1492 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d3ba1492 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d3ba1492 Branch: refs/heads/tag-policy Commit: d3ba1492546da44f288bcaa52e7ded7260010fc2 Parents: 92c9650 Author: Madhan Neethiraj <[email protected]> Authored: Tue Sep 1 19:35:15 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Tue Sep 1 20:57:28 2015 -0700 ---------------------------------------------------------------------- .../admin/client/RangerAdminRESTClient.java | 6 +- .../plugin/audit/RangerDefaultAuditHandler.java | 26 +-- .../RangerContextAttributeValueInCondition.java | 76 ++++++++ ...rHiveResourcesAccessedTogetherCondition.java | 183 +++++++++++++++++++ ...veResourcesNotAccessedTogetherCondition.java | 11 +- .../RangerScriptExecutionContext.java | 145 +++++++-------- .../RangerScriptTemplateConditionEvaluator.java | 10 +- .../contextenricher/RangerTagProvider.java | 6 +- .../plugin/policyengine/RangerPolicyEngine.java | 5 - .../policyengine/RangerPolicyEngineImpl.java | 51 ++---- .../RangerDefaultPolicyItemEvaluator.java | 11 ++ .../plugin/util/RangerAccessRequestUtil.java | 104 +++++++++++ .../plugin/util/RangerRequestedResources.java | 1 - .../plugin/policyengine/TestPolicyEngine.java | 33 ++-- .../policyengine/test_policyengine_hdfs.json | 2 +- .../hive/authorizer/RangerHiveAuthorizer.java | 5 +- .../java/org/apache/ranger/rest/TagREST.java | 20 +- 17 files changed, 524 insertions(+), 171 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java index 7420830..34b9f98 100644 --- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java +++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java @@ -24,14 +24,12 @@ import com.sun.jersey.api.client.ClientResponse; import com.sun.jersey.api.client.GenericType; import com.sun.jersey.api.client.WebResource; -import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.security.AccessControlException; import org.apache.ranger.admin.client.datatype.RESTResponse; import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; -import org.apache.ranger.plugin.model.RangerTag; import org.apache.ranger.plugin.util.*; import java.lang.reflect.ParameterizedType; @@ -202,7 +200,7 @@ public class RangerAdminRESTClient implements RangerAdminClient { LOG.debug("==> RangerAdminRESTClient.getServiceTagsIfUpdated(" + lastKnownVersion + "): "); } - ServiceTags ret; + ServiceTags ret = null; WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED + serviceName) .queryParam(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM, Long.toString(lastKnownVersion)) 
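Review bot: Initializing `ret` to null is what lets the new 304 branch in the following hunk return null for "no change", but null is then also the value a caller gets if the error branch merely logs and falls through (its tail is outside this chunk), so "admin reports nothing changed" and "admin call failed" become indistinguishable to the plugin. Consider stating the contract on the method, e.g. `// returns null when Ranger Admin answers 304 (no change); callers keep their current tag set`, and confirming that the error path throws or otherwise signals failure rather than also returning null. `getServiceTagsIfUpdated` begins before and ends after this hunk.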
@@ -212,6 +210,8 @@ public class RangerAdminRESTClient implements RangerAdminClient { if(response != null && response.getStatus() == 200) { ret = response.getEntity(ServiceTags.class); + } else if(response != null && response.getStatus() == 304) { + // no change } else { RESTResponse resp = RESTResponse.fromClientResponse(response); LOG.error("Error getting taggedResources. request=" + webResource.toString() http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java index 35d0731..bfb9126 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java @@ -31,6 +31,7 @@ import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants; import org.apache.ranger.plugin.model.RangerTag; import org.apache.ranger.plugin.policyengine.*; +import org.apache.ranger.plugin.util.RangerAccessRequestUtil; public class RangerDefaultAuditHandler implements RangerAccessResultProcessor { 
@@ -207,26 +208,17 @@ public class RangerDefaultAuditHandler implements RangerAccessResultProcessor { } protected final Set<String> getTags(RangerAccessRequest request) { - Object contextObj = request.getContext().get(RangerPolicyEngine.KEY_CONTEXT_TAGS); - Set<String> tags = null; + Set<String> ret = null; + List<RangerTag> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext()); - if (contextObj != null) { + if (CollectionUtils.isNotEmpty(tags)) { + ret = new HashSet<String>(); - try { - @SuppressWarnings("unchecked") - List<RangerTag> resourceTags = (List<RangerTag>) contextObj; - - if (CollectionUtils.isNotEmpty(resourceTags)) { - tags = new HashSet<String>(); - - for (RangerTag resourceTag : resourceTags) { - tags.add(resourceTag.getType()); - } - } - } catch (Throwable t) { - LOG.error("RangerDefaultAuditHandler.getTags(), exception when getting tags from context, exception=" + t); + for (RangerTag tag : tags) { + ret.add(tag.getType()); } } - return tags; + + return ret; } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerContextAttributeValueInCondition.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerContextAttributeValueInCondition.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerContextAttributeValueInCondition.java new file mode 100644 index 0000000..316cdb5 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerContextAttributeValueInCondition.java 
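Review bot: The rewrite drops the `catch (Throwable t)` that previously guarded the unchecked cast of the TAGS context entry, so type-safety of whatever is stored under that key now rests entirely on `RangerAccessRequestUtil.getRequestTagsFromContext`, which is not visible in this chunk. If that helper still performs a plain unchecked cast, a foreign object placed in the context by a plugin would now surface as a `ClassCastException` out of the audit path instead of being logged; worth confirming it checks `instanceof List` and tolerates a null context map. A one-line comment on `getTags`, such as `// tags come from the TAGS context entry set by RangerTagProvider; null when the request carries none`, would also record where the data originates.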
@@ -0,0 +1,76 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.conditionevaluator; + +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.collections.MapUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; + +import java.util.Map; + +public class RangerContextAttributeValueInCondition extends RangerAbstractConditionEvaluator { + private static final Log LOG = LogFactory.getLog(RangerContextAttributeValueInCondition.class); + + protected String attributeName; + + @Override + public void init() { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerContextAttributeValueInCondition.init(" + condition + ")"); + } + + super.init(); + + Map<String, String> evalOptions = conditionDef. 
getEvaluatorOptions(); + + if (MapUtils.isNotEmpty(evalOptions)) { + attributeName = evalOptions.get("attributeName"); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerContextAttributeValueInCondition.init(" + condition + ")"); + } + } + + @Override + public boolean isMatched(RangerAccessRequest request) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerContextAttributeValueInCondition.isMatched(" + condition + ")"); + } + + boolean ret = true; + + if(attributeName != null && condition != null && CollectionUtils.isNotEmpty(condition.getValues())) { + Object val = request.getContext().get(attributeName); + + if(val != null) { + ret = condition.getValues().contains(val); + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerContextAttributeValueInCondition.isMatched(" + condition + "): " + ret); + } + + return ret; + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesAccessedTogetherCondition.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesAccessedTogetherCondition.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesAccessedTogetherCondition.java new file mode 100644 index 0000000..fc9842e --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesAccessedTogetherCondition.java 
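Review bot: `isMatched` defaults `ret` to true, so the condition counts as satisfied whenever `attributeName` was not configured in the evaluator options, the condition has no values, or the request context lacks the attribute; attached to an allow policy item that is fail-open, and a mis-spelled `attributeName` option silently turns the condition into a no-op. If absence is meant to match, say so in a comment on `boolean ret = true;`; otherwise set `ret = false` when `val == null` and log in `init()` when `attributeName` comes back null. Note also that `condition.getValues()` is a `List<String>` while `val` is an `Object`, so a non-String context value (an Integer, say) can never match; `condition.getValues().contains(val.toString())` compares against what the policy author typed.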
@@ -0,0 +1,183 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.conditionevaluator; + +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.lang.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher; +import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; +import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; +import org.apache.ranger.plugin.util.RangerAccessRequestUtil; +import org.apache.ranger.plugin.util.RangerRequestedResources; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +public class RangerHiveResourcesAccessedTogetherCondition extends RangerAbstractConditionEvaluator { + private static final Log LOG = LogFactory.getLog(RangerHiveResourcesAccessedTogetherCondition.class); + + private List<RangerPolicyResourceMatcher> matchers = new ArrayList<>(); + private boolean isInitialized = false; 
+ + @Override + public void init() { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerHiveResourcesAccessedTogetherCondition.init(" + condition + ")"); + } + + super.init(); + + if (serviceDef != null) { + doInitialize(); + } else { + LOG.error("RangerHiveResourcesAccessedTogetherCondition.init() - ServiceDef not set ... ERROR .."); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerHiveResourcesAccessedTogetherCondition.init(" + condition + ")"); + } + } + + @Override + public boolean isMatched(final RangerAccessRequest request) { + boolean ret = true; + + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerHiveResourcesAccessedTogetherCondition.isMatched(" + request + ")"); + } + + if (isInitialized && CollectionUtils.isNotEmpty(matchers)) { + RangerRequestedResources resources = RangerAccessRequestUtil.getRequestedResourcesFromContext(request.getContext()); + + ret = resources == null ? false : !resources.isMutuallyExcluded(matchers); + } else { + LOG.error("RangerHiveResourcesAccessedTogetherCondition.isMatched() - condition is not initialized correctly and will NOT be enforced"); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerHiveResourcesAccessedTogetherCondition.isMatched(" + request + ")" + ", result=" + ret); + } + + return ret; + } + + private void doInitialize() { + List<String> mutuallyExclusiveResources = condition.getValues(); + + if (CollectionUtils.isNotEmpty(mutuallyExclusiveResources)) { + initializeMatchers(mutuallyExclusiveResources); + + if (CollectionUtils.isEmpty(matchers)) { + if (LOG.isDebugEnabled()) { + LOG.debug("RangerHiveResourcesAccessedTogetherCondition.doInitialize() - Cannot create matchers from values in MutualExclustionEnforcer"); + } + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("RangerHiveResourcesAccessedTogetherCondition.doInitialize() - Created " + matchers.size() + " matchers from values in MutualExclustionEnforcer"); + } + } + } else { + if (LOG.isDebugEnabled()) { + 
LOG.debug("RangerHiveResourcesAccessedTogetherCondition.doInitialize() - No values in MutualExclustionEnforcer"); + } + } + + isInitialized = true; + } + + private void initializeMatchers(List<String> mutuallyExclusiveResources) { + + for (String s : mutuallyExclusiveResources) { + + String policyResourceSpec = s.trim(); + + RangerPolicyResourceMatcher matcher = buildMatcher(policyResourceSpec); + + if (matcher != null) { + matchers.add(matcher); + } + } + } + + private RangerPolicyResourceMatcher buildMatcher(String policyResourceSpec) { + + RangerPolicyResourceMatcher matcher = null; + + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerHiveResourcesAccessedTogetherCondition.buildMatcher(" + policyResourceSpec + ")"); + } + + // Works only for Hive serviceDef for now + if (serviceDef != null && serviceDef.getName().equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HIVE_NAME)) { + + //Parse policyResourceSpec + char separator = '.'; + String any = "*"; + + Map<String, RangerPolicy.RangerPolicyResource> policyResources = new HashMap<>(); + + String[] elements = StringUtils.split(policyResourceSpec, separator); + + RangerPolicy.RangerPolicyResource policyResource; + + if (elements.length > 0 && elements.length < 4) { + if (elements.length == 3) { + policyResource = new RangerPolicy.RangerPolicyResource(elements[2]); + } else { + policyResource = new RangerPolicy.RangerPolicyResource(any); + } + policyResources.put("column", policyResource); + + if (elements.length >= 2) { + policyResource = new RangerPolicy.RangerPolicyResource(elements[1]); + } else { + policyResource = new RangerPolicy.RangerPolicyResource(any); + } + policyResources.put("table", policyResource); + + policyResource = new RangerPolicy.RangerPolicyResource(elements[0]); + policyResources.put("database", policyResource); + + matcher = new RangerDefaultPolicyResourceMatcher(); + matcher.setPolicyResources(policyResources); + matcher.setServiceDef(serviceDef); + matcher.init(); + + } else { + 
LOG.error("RangerHiveResourcesAccessedTogetherCondition.buildMatcher() - Incorrect elements in the hierarchy specified (" + + elements.length + ")"); + } + } else { + LOG.error("RangerHiveResourcesAccessedTogetherCondition.buildMatcher() - ServiceDef not set or ServiceDef is not for Hive"); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerHiveResourcesAccessedTogetherCondition.buildMatcher(" + policyResourceSpec + ")" + ", matcher=" + matcher); + } + + return matcher; + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesNotAccessedTogetherCondition.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesNotAccessedTogetherCondition.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesNotAccessedTogetherCondition.java index 0f44bba..3b8e009 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesNotAccessedTogetherCondition.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesNotAccessedTogetherCondition.java 
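Review bot: When initialization yields no matchers (every spec malformed, or the service is not Hive) `isMatched` logs an error on every request and returns true, so a broken condition matches everything rather than nothing; on an allow item that grants access the author never intended. Failing closed — `ret = false;` in that else branch, with the error logged once from `init()` instead of per request — is the safer default. Separately, `StringUtils.split(policyResourceSpec, separator)` collapses adjacent separators, so `db..col` is parsed as database `db`, table `col` rather than `db.*.col`; `StringUtils.splitPreserveAllTokens` keeps the empty element so it can be rejected or mapped to `*` explicitly.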
@@ -24,12 +24,11 @@ import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.model.RangerPolicy; -import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; -import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; +import org.apache.ranger.plugin.util.RangerAccessRequestUtil; import org.apache.ranger.plugin.util.RangerRequestedResources; import java.util.ArrayList; @@ -70,10 +69,10 @@ public class RangerHiveResourcesNotAccessedTogetherCondition extends RangerAbstr LOG.debug("==> RangerHiveResourcesNotAccessedTogetherCondition.isMatched(" + request + ")"); } - if (isInitialized) { - @SuppressWarnings("unchecked") - RangerRequestedResources requestedResources = (RangerRequestedResources) request.getContext().get(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES); - ret = requestedResources == null ? true : requestedResources.isMutuallyExcluded(matchers); + if (isInitialized && CollectionUtils.isNotEmpty(matchers)) { + RangerRequestedResources resources = RangerAccessRequestUtil.getRequestedResourcesFromContext(request.getContext()); + + ret = resources == null ? true : resources.isMutuallyExcluded(matchers); } else { LOG.error("RangerHiveResourcesNotAccessedTogetherCondition.isMatched() - Enforcer is not initialized correctly, Mutual Exclusion will NOT be enforced"); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java ---------------------------------------------------------------------- 
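Review bot: With the requested-resources object absent from the context, `resources == null ? true : …` declares the mutual-exclusion condition satisfied without any trace in the log, whereas the sibling `RangerHiveResourcesAccessedTogetherCondition` treats the same case as not matched; a plugin that never publishes its requested resources through `RangerAccessRequestUtil` would therefore pass this check silently. If that is intended, a comment on the line such as `// no requested-resource list in context: nothing to exclude against, treated as satisfied`, plus a debug log, would make the fail-open explicit. `isMatched` begins and ends outside this hunk.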
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java index 418021c..449cf55 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java @@ -27,9 +27,8 @@ import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.plugin.model.RangerTag; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResource; -import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; +import org.apache.ranger.plugin.util.RangerAccessRequestUtil; -import java.text.ParsePosition; import java.text.SimpleDateFormat; import java.util.*; 
@@ -45,17 +44,38 @@ public final class RangerScriptExecutionContext { } public final String getResource() { + String ret = null; + Object val = getRequestContext().get(RangerAccessRequestUtil.KEY_CONTEXT_RESOURCE); - @SuppressWarnings("unchecked") - RangerAccessResource resource = (RangerAccessResource)getEvaluationContext().get(RangerPolicyEngine.KEY_CONTEXT_RESOURCE); + if(val != null) { + if(val instanceof RangerAccessResource) { + ret = ((RangerAccessResource)val).getAsString(); + } else { + ret = val.toString(); + } + } - return resource != null ? resource.getAsString() : null; + return ret; } - public final Map<String, Object> getEvaluationContext() { + public final Map<String, Object> getRequestContext() { return accessRequest.getContext(); } + public final String getRequestContextAttribute(String attributeName) { + String ret = null; + + if (StringUtils.isNotBlank(attributeName)) { + Object val = getRequestContext().get(attributeName); + + if(val != null) { + ret = val.toString(); + } + } + + return ret; + } + public final boolean isAccessTypeAny() { return accessRequest.isAccessTypeAny(); } public final boolean isAccessTypeDelegatedAdmin() { return accessRequest.isAccessTypeDelegatedAdmin(); } @@ -77,15 +97,17 @@ public final class RangerScriptExecutionContext { public final String getSessionId() { return accessRequest.getSessionId(); } public final RangerTag getCurrentTag() { - @SuppressWarnings("unchecked") - RangerTag tagObject = (RangerTag)getEvaluationContext() - .get(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT); - if (tagObject == null) { + RangerTag ret = null; + Object val = getRequestContext().get(RangerAccessRequestUtil.KEY_CONTEXT_TAG_OBJECT); + + if(val != null && val instanceof RangerTag) { + ret = (RangerTag)val; + } else { if (LOG.isDebugEnabled()) { LOG.debug("getCurrentTag() - No current TAG object. Script execution must be for resource-based policy."); } } - return tagObject; + return ret; } public final String getCurrentTagType() { 
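Review bot: In `getCurrentTag`, `val != null && val instanceof RangerTag` is redundant because `instanceof` is already false for null; `if (val instanceof RangerTag) {` reads cleaner and mirrors the check used in `getResource` above. The debug message in the else branch now also fires when the entry exists but has an unexpected type, which is a different situation from "no current TAG object"; a separate warn for that case would make a mis-populated context visible. `getCurrentTagType` begins at the end of this hunk and continues beyond it.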
@@ -94,13 +116,10 @@ public final class RangerScriptExecutionContext { } public final Set<String> getAllTagTypes() { - - Set<String> allTagTypes = null; - + Set<String> allTagTypes = null; List<RangerTag> tagObjectList = getAllTags(); if (CollectionUtils.isNotEmpty(tagObjectList)) { - for (RangerTag tag : tagObjectList) { String tagType = tag.getType(); if (allTagTypes == null) { @@ -114,16 +133,13 @@ public final class RangerScriptExecutionContext { } public final Map<String, String> getTagAttributes(final String tagType) { - Map<String, String> ret = null; if (StringUtils.isNotBlank(tagType)) { - List<RangerTag> tagObjectList = getAllTags(); // Assumption: There is exactly one tag with given tagType in the list of tags - may not be true ***TODO*** // This will get attributes of the first tagType that matches - if (CollectionUtils.isNotEmpty(tagObjectList)) { for (RangerTag tag : tagObjectList) { if (tag.getType().equals(tagType)) { @@ -138,9 +154,7 @@ public final class RangerScriptExecutionContext { } public final Set<String> getAttributeNames(final String tagType) { - - Set<String> ret = null; - + Set<String> ret = null; Map<String, String> attributes = getTagAttributes(tagType); if (attributes != null) { @@ -151,12 +165,10 @@ public final class RangerScriptExecutionContext { } public final String getAttributeValue(final String tagType, final String attributeName) { - String ret = null; - Map<String, String> attributes; if (StringUtils.isNotBlank(tagType) || StringUtils.isNotBlank(attributeName)) { - attributes = getTagAttributes(tagType); + Map<String, String> attributes = getTagAttributes(tagType); if (attributes != null) { ret = attributes.get(attributeName); @@ -166,7 +178,6 @@ public final class RangerScriptExecutionContext { } public final String getAttributeValue(final String attributeName) { - String ret = null; if (StringUtils.isNotBlank(attributeName)) { 
@@ -179,6 +190,7 @@ public final class RangerScriptExecutionContext { ret = attributes.get(attributeName); } } + return ret; } @@ -194,7 +206,6 @@ public final class RangerScriptExecutionContext { // Utilities - TODO public final Date getAsDate(String value) { - Date ret = null; if (StringUtils.isNotBlank(value)) { @@ -215,30 +226,15 @@ public final class RangerScriptExecutionContext { } public final Date getTagAttributeAsDate(String tagType, String attributeName) { - // sample JavaScript to demonstrate use of this helper method - - /* - - importPackage(java.util); - var expiryDate = ctx.getTagAttributeAsDate('PII', 'expiryDate') - var now = new Date(); - now.getTime() < expiryDate.getTime());" - - */ - String attrValue = getAttributeValue(tagType, attributeName); return getAsDate(attrValue); - } public final boolean isAccessedAfter(String tagType, String attributeName) { - - boolean ret = false; - - Date accessDate = getAccessTime(); - - Date expiryDate = getTagAttributeAsDate(tagType, attributeName); + boolean ret = false; + Date accessDate = getAccessTime(); + Date expiryDate = getTagAttributeAsDate(tagType, attributeName); if (expiryDate == null || accessDate.after(expiryDate) || accessDate.equals(expiryDate)) { ret = true; @@ -248,12 +244,9 @@ public final class RangerScriptExecutionContext { } public final boolean isAccessedAfter(String attributeName) { - - boolean ret = false; - - Date accessDate = getAccessTime(); - - Date expiryDate = getAsDate(getAttributeValue(attributeName)); + boolean ret = false; + Date accessDate = getAccessTime(); + Date expiryDate = getAsDate(getAttributeValue(attributeName)); if (expiryDate == null || accessDate.after(expiryDate) || accessDate.equals(expiryDate)) { ret = true; 
@@ -263,12 +256,9 @@ public final class RangerScriptExecutionContext { } public final boolean isAccessedBefore(String tagType, String attributeName) { - - boolean ret = true; - - Date accessDate = getAccessTime(); - - Date expiryDate = getTagAttributeAsDate(tagType, attributeName); + boolean ret = true; + Date accessDate = getAccessTime(); + Date expiryDate = getTagAttributeAsDate(tagType, attributeName); if (expiryDate == null || accessDate.after(expiryDate)) { ret = false; @@ -278,12 +268,9 @@ public final class RangerScriptExecutionContext { } public final boolean isAccessedBefore(String attributeName) { - - boolean ret = true; - - Date accessDate = getAccessTime(); - - Date expiryDate = getAsDate(getAttributeValue(attributeName)); + boolean ret = true; + Date accessDate = getAccessTime(); + Date expiryDate = getAsDate(getAttributeValue(attributeName)); if (expiryDate == null || accessDate.after(expiryDate)) { ret = false; 
@@ -293,26 +280,36 @@ public final class RangerScriptExecutionContext { } private List<RangerTag> getAllTags() { - - @SuppressWarnings("unchecked") - List<RangerTag> ret = (List<RangerTag>)getEvaluationContext().get(RangerPolicyEngine.KEY_CONTEXT_TAGS); - - if (ret == null) { + List<RangerTag> ret = RangerAccessRequestUtil.getRequestTagsFromContext(accessRequest.getContext()); + + if(ret == null) { if (LOG.isDebugEnabled()) { String resource = accessRequest.getResource().getAsString(); - LOG.debug("getAllTags() - No current TAGS. No TAGS for the RangerAccessResource=" + resource); + LOG.debug("getAllTags() - No TAGS. No TAGS for the RangerAccessResource=" + resource); } } + return ret; } - public final String getGeolocation(String attributeName) { - String ret = null; + public void logDebug(String msg) { + LOG.debug(msg); + } - if (StringUtils.isNotBlank(attributeName)) { - ret = (String) getEvaluationContext().get(attributeName); - } - return ret; + public void logInfo(String msg) { + LOG.info(msg); + } + + public void logWarn(String msg) { + LOG.warn(msg); + } + + public void logError(String msg) { + LOG.error(msg); + } + + public void logFatal(String msg) { + LOG.fatal(msg); } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptTemplateConditionEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptTemplateConditionEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptTemplateConditionEvaluator.java index a4fd129..03f96b8 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptTemplateConditionEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptTemplateConditionEvaluator.java 
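Review bot: The new `logDebug` through `logFatal` helpers hand policy-condition scripts an unconditional write into the plugin's log at any level, including FATAL, which is otherwise reserved for the plugin itself; a script that logs on every evaluation can flood the authorizer log, and the text is entirely script-controlled. Consider narrowing this (drop `logFatal`, or route all levels through one helper that prefixes the message so script output is recognizable, e.g. `LOG.info("[script] " + msg)`) and guarding with `LOG.isDebugEnabled()` as the rest of this class does. A short Javadoc on these methods saying they exist for use from condition scripts would also explain why an otherwise read-only context object exposes logging.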
@@ -24,8 +24,6 @@ import org.apache.commons.collections.MapUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; -import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import java.util.List; import java.util.Map; @@ -40,7 +38,7 @@ public class RangerScriptTemplateConditionEvaluator extends RangerScriptConditio public void init() { if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerExpiryEnforcer.init(" + condition + ")"); + LOG.debug("==> RangerScriptTemplateConditionEvaluator.init(" + condition + ")"); } super.init(); @@ -54,7 +52,7 @@ public class RangerScriptTemplateConditionEvaluator extends RangerScriptConditio script = formatScript(); if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerExpiryEnforcer.init(" + condition + ")"); + LOG.debug("<== RangerScriptTemplateConditionEvaluator.init(" + condition + ")"); } } @@ -68,7 +66,7 @@ public class RangerScriptTemplateConditionEvaluator extends RangerScriptConditio String ret = null; if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerExpiryEnforcer.formatScript()"); + LOG.debug("==> RangerScriptTemplateConditionEvaluator.formatScript()"); } List<String> values = condition.getValues(); @@ -89,7 +87,7 @@ public class RangerScriptTemplateConditionEvaluator extends RangerScriptConditio } if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerExpiryEnforcer.formatScript(), ret=" + ret); + LOG.debug("<== RangerScriptTemplateConditionEvaluator.formatScript(), ret=" + ret); } return ret; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java ---------------------------------------------------------------------- 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java index ccb78f6..86630d3 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java @@ -27,9 +27,8 @@ import org.apache.ranger.plugin.model.RangerServiceResource; import org.apache.ranger.plugin.model.RangerTag; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResource; -import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher; -import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; +import org.apache.ranger.plugin.util.RangerAccessRequestUtil; import org.apache.ranger.plugin.util.ServiceTags; import java.util.ArrayList; @@ -99,7 +98,8 @@ public class RangerTagProvider extends RangerAbstractContextEnricher implements List<RangerTag> matchedTags = findMatchingTags(request.getResource(), serviceResourceMatchersCopy); if (CollectionUtils.isNotEmpty(matchedTags)) { - request.getContext().put(RangerPolicyEngine.KEY_CONTEXT_TAGS, matchedTags); + RangerAccessRequestUtil.setRequestTagsInContext(request.getContext(), matchedTags); + if (LOG.isDebugEnabled()) { LOG.debug("RangerTagProvider.enrich(" + request + ") - " + matchedTags.size() + " tags found by enricher."); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index dfc07db..055a2db 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -33,11 +33,6 @@ public interface RangerPolicyEngine { String ANY_ACCESS = "_any"; String ADMIN_ACCESS = "_admin"; - String KEY_CONTEXT_TAGS = "TAGS"; - String KEY_CONTEXT_TAG_OBJECT = "TAG_OBJECT"; - - String KEY_CONTEXT_RESOURCE = "RESOURCE"; - String getServiceName(); RangerServiceDef getServiceDef(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 63ae385..8251878 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -29,6 +29,7 @@ import org.apache.ranger.plugin.model.RangerTag; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; +import org.apache.ranger.plugin.util.RangerAccessRequestUtil; import org.apache.ranger.plugin.util.ServicePolicies; import java.util.*; 
@@ -355,48 +356,35 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } protected RangerAccessResult isAccessAllowedForTagPolicies(final RangerAccessRequest request) { - if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ")"); } - RangerAccessResult result = createAccessResult(request); - - Map<String, Object> context = request.getContext(); - Object contextObj; - - if (context != null && (contextObj = context.get(KEY_CONTEXT_TAGS)) != null) { - - @SuppressWarnings("unchecked") - List<RangerTag> resourceTags = (List<RangerTag>) contextObj; - - List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators(); - - if (CollectionUtils.isNotEmpty(evaluators)) { - - boolean someTagAllowedAudit = false; + RangerAccessResult result = createAccessResult(request); + List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators(); - RangerAccessResult savedAccessResult = createAccessResult(request); + if (CollectionUtils.isNotEmpty(evaluators)) { + List<RangerTag> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext()); - List<RangerTagAuditEvent> tagAuditEvents = new ArrayList<RangerTagAuditEvent>(); - - for (RangerTag resourceTag : resourceTags) { + if(CollectionUtils.isNotEmpty(tags)) { + boolean someTagAllowedAudit = false; + RangerAccessResult savedAccessResult = createAccessResult(request); + List<RangerTagAuditEvent> tagAuditEvents = new ArrayList<RangerTagAuditEvent>(); + for (RangerTag tag : tags) { if (LOG.isDebugEnabled()) { - LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: Evaluating policies for tag (" + resourceTag.getType() + ")"); + LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: Evaluating policies for tag (" + tag.getType() + ")"); } - RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(resourceTag, tagPolicyRepository.getServiceDef(), request); - - RangerAccessResult 
tagEvalResult = createAccessResult(tagEvalRequest); + RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request); + RangerAccessResult tagEvalResult = createAccessResult(tagEvalRequest); for (RangerPolicyEvaluator evaluator : evaluators) { - evaluator.evaluate(tagEvalRequest, tagEvalResult); if (tagEvalResult.getIsAccessDetermined() && tagEvalResult.getIsAuditedDetermined()) { if (LOG.isDebugEnabled()) { - LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag (" + resourceTag.getType() + ") with authorization=" + tagEvalResult.getIsAllowed()); + LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag (" + tag.getType() + ") with authorization=" + tagEvalResult.getIsAllowed()); } break; // Break out of policy-evaluation loop for this tag } @@ -406,18 +394,17 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { someTagAllowedAudit = true; // And generate an audit event if (tagEvalResult.getIsAccessDetermined()) { - RangerTagAuditEvent event = new RangerTagAuditEvent(resourceTag.getType(), tagEvalResult); + RangerTagAuditEvent event = new RangerTagAuditEvent(tag.getType(), tagEvalResult); tagAuditEvents.add(event); } } if (tagEvalResult.getIsAccessDetermined()) { - savedAccessResult.setAccessResultFrom(tagEvalResult); if (!tagEvalResult.getIsAllowed()) { if (LOG.isDebugEnabled()) { - LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag-policies as tag (" + resourceTag.getType() + "), tag-policy-id=" + tagEvalResult.getPolicyId() + " denied access."); + LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag-policies as tag (" + tag.getType() + "), tag-policy-id=" + tagEvalResult.getPolicyId() + " denied access."); } break; // Break out of tags evaluation loop altogether } 
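Review bot: The null guard on the request context was dropped — the removed code tested `context != null` before reading KEY_CONTEXT_TAGS, while the new line passes `request.getContext()` straight into RangerAccessRequestUtil.getRequestTagsFromContext, which (per the new-file hunk further down this page) calls `context.get(...)` with no null check. Whether getContext() can return null is not visible here, but if it can, the tag-policy path now throws where it previously skipped tag evaluation; `Map<String, Object> context = request.getContext();` followed by `List<RangerTag> tags = context != null ? RangerAccessRequestUtil.getRequestTagsFromContext(context) : null;` restores the old behaviour. The body of isAccessAllowedForTagPolicies continues past the end of this hunk.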
@@ -438,12 +425,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { // Set processed list into result // result.setAuxilaryAuditInfo(tagAuditEvents); } + if (LOG.isDebugEnabled()) { LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies() : result=" + result); LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies() : auditEventList=" + tagAuditEvents); } } } + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + result + ")" ); } @@ -506,8 +495,8 @@ class RangerTagAccessRequest extends RangerAccessRequestImpl { Map<String, Object> requestContext = request.getContext(); - requestContext.put(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT, resourceTag); - requestContext.put(RangerPolicyEngine.KEY_CONTEXT_RESOURCE, request.getResource()); + RangerAccessRequestUtil.setCurrentTagInContext(request.getContext(), resourceTag); + RangerAccessRequestUtil.setCurrentResourceInContext(request.getContext(), request.getResource()); super.setContext(requestContext); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java index a617e70..6f8faff 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 
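Review bot: In the RangerTagAccessRequest constructor the local `requestContext` is fetched and then bypassed — both new lines call `request.getContext()` again, so use the local: `RangerAccessRequestUtil.setCurrentTagInContext(requestContext, resourceTag);` and `RangerAccessRequestUtil.setCurrentResourceInContext(requestContext, request.getResource());`. The map being written is the parent request's own context (no copy is taken before `super.setContext(requestContext)`), so each per-tag request overwrites TAG_OBJECT and RESOURCE in the shared map; the removed lines did the same, so this predates the commit, but if it is intended a one-line comment on the constructor saying so would save the next reader a surprise. The constructor starts outside this hunk.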
@@ -210,8 +210,19 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv boolean ret = true; if (CollectionUtils.isNotEmpty(conditionEvaluators)) { + if(LOG.isDebugEnabled()) { + LOG.debug("RangerDefaultPolicyItemEvaluator.matchCustomConditions(): conditionCount=" + conditionEvaluators.size()); + } for(RangerConditionEvaluator conditionEvaluator : conditionEvaluators) { + if(LOG.isDebugEnabled()) { + LOG.debug("evaluating condition: " + conditionEvaluator); + } + if(!conditionEvaluator.isMatched(request)) { + if(LOG.isDebugEnabled()) { + LOG.debug(conditionEvaluator + " returned false"); + } + ret = false; break; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java new file mode 100644 index 0000000..92a87d0 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 
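Review bot: The two inner debug messages, `"evaluating condition: " + conditionEvaluator` and `conditionEvaluator + " returned false"`, omit the `RangerDefaultPolicyItemEvaluator.matchCustomConditions():` prefix that the first new message and the engine's other debug lines in this commit carry, which makes them hard to attribute when reading logs. Prefixing them, e.g. `LOG.debug("RangerDefaultPolicyItemEvaluator.matchCustomConditions(): evaluating condition " + conditionEvaluator);`, keeps the convention. What these lines actually print depends on the evaluator's toString(), which is not visible here; if it includes condition values, that is worth confirming before leaving it at debug level. The enclosing method starts and ends outside the hunk.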
@@ -0,0 +1,104 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.util; + +import java.util.List; +import java.util.Map; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.model.RangerTag; +import org.apache.ranger.plugin.policyengine.RangerAccessResource; + +public class RangerAccessRequestUtil { + private static final Log LOG = LogFactory.getLog(RangerAccessRequestUtil.class); + + public static final String KEY_CONTEXT_TAGS = "TAGS"; + public static final String KEY_CONTEXT_TAG_OBJECT = "TAG_OBJECT"; + public static final String KEY_CONTEXT_RESOURCE = "RESOURCE"; + public static final String KEY_CONTEXT_REQUESTED_RESOURCES = "REQUESTED_RESOURCES"; + + public static void setRequestTagsInContext(Map<String, Object> context, List<RangerTag> tags) { + context.put(KEY_CONTEXT_TAGS, tags); + } + + public static List<RangerTag> getRequestTagsFromContext(Map<String, Object> context) { + List<RangerTag> ret = null; + Object val = context.get(RangerAccessRequestUtil.KEY_CONTEXT_TAGS); + + if (val != null && val instanceof List<?>) { + try { + @SuppressWarnings("unchecked") + List<RangerTag> tags = 
(List<RangerTag>) val; + + ret = tags; + } catch (Throwable t) { + LOG.error("getRequestTags(): failed to get tags from context", t); + } + } + + return ret; + } + + public static void setCurrentTagInContext(Map<String, Object> context, RangerTag tag) { + context.put(KEY_CONTEXT_TAG_OBJECT, tag); + } + + public static RangerTag getCurrentTagFromContext(Map<String, Object> context) { + RangerTag ret = null; + Object val = context.get(KEY_CONTEXT_TAGS); + + if(val != null && val instanceof RangerTag) { + ret = (RangerTag)val; + } + + return ret; + } + + public static void setRequestedResourcesInContext(Map<String, Object> context, RangerRequestedResources resources) { + context.put(KEY_CONTEXT_REQUESTED_RESOURCES, resources); + } + + public static RangerRequestedResources getRequestedResourcesFromContext(Map<String, Object> context) { + RangerRequestedResources ret = null; + Object val = context.get(KEY_CONTEXT_REQUESTED_RESOURCES); + + if(val != null && val instanceof RangerRequestedResources) { + ret = (RangerRequestedResources)val; + } + + return ret; + } + + public static void setCurrentResourceInContext(Map<String, Object> context, RangerAccessResource resource) { + context.put(KEY_CONTEXT_RESOURCE, resource); + } + + public static RangerAccessResource getCurrentResourceFromContext(Map<String, Object> context) { + RangerAccessResource ret = null; + Object val = context.get(KEY_CONTEXT_RESOURCE); + + if(val != null && val instanceof RangerAccessResource) { + ret = (RangerAccessResource)val; + } + + return ret; + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestedResources.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestedResources.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestedResources.java index 19456c5..0f10deb 100644 
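Review bot: getCurrentTagFromContext reads the wrong key — it looks up `KEY_CONTEXT_TAGS`, under which setRequestTagsInContext stores a List, so the `instanceof RangerTag` test never holds and the method always returns null; it should be `Object val = context.get(KEY_CONTEXT_TAG_OBJECT);` to pair with setCurrentTagInContext. In getRequestTagsFromContext the try/catch(Throwable) around the unchecked cast is dead code, since an erased cast to List<RangerTag> cannot throw and a list holding other element types would only fail later at the call site; drop the try/catch or check the elements explicitly. None of the getters tolerate a null context, whereas the RangerPolicyEngineImpl code this replaces guarded `context != null` before reading KEY_CONTEXT_TAGS; an `if (context == null) { return null; }` at the top of each getter keeps the old behaviour. The `val != null && val instanceof X` forms are redundant because instanceof is already false for null, and as a static-only utility the class would conventionally get a private constructor.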
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestedResources.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestedResources.java
@@ -40,7 +40,6 @@ import java.util.List;
 public class RangerRequestedResources {
 private List<RangerAccessResource> requestedResources = new ArrayList<RangerAccessResource>();
- public static final String KEY_CONTEXT_REQUESTED_RESOURCES = "REQUESTED_RESOURCES";
 public RangerRequestedResources() {
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 969e7d7..a6d0812 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -21,19 +21,16 @@ package org.apache.ranger.plugin.policyengine; import com.google.gson.*; import com.google.gson.reflect.TypeToken; + import org.apache.commons.lang.StringUtils; -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.fs.FSDataOutputStream; -import org.apache.hadoop.fs.FileSystem; -import org.apache.hadoop.fs.Path; import org.apache.ranger.audit.provider.AuditHandler; import org.apache.ranger.audit.provider.AuditProviderFactory; -import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerTag; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData; +import org.apache.ranger.plugin.util.RangerAccessRequestUtil; import org.apache.ranger.plugin.util.RangerRequestedResources; import org.apache.ranger.plugin.util.ServicePolicies; import org.junit.AfterClass; @@ -42,9 +39,6 @@ import org.junit.Test; import java.io.*; import java.lang.reflect.Type; -import java.nio.file.Files; -import java.nio.file.LinkOption; -import java.nio.file.StandardCopyOption; import java.util.List; import java.util.Map; import java.util.Properties; @@ -213,11 +207,8 @@ public class TestPolicyEngine { servicePolicies.setTagPolicies(tagPolicies); } - String componentName = testCase.serviceDef.getName(); - RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions(); - // Uncomment next line for testing tag-policy evaluation policyEngineOptions.disableTagPolicyEvaluation = false; policyEngine = new RangerPolicyEngineImpl(servicePolicies, policyEngineOptions); 
@@ -226,8 +217,8 @@ public class TestPolicyEngine { for(TestData test : testCase.tests) { - if (test.request.getContext().containsKey(RangerPolicyEngine.KEY_CONTEXT_TAGS) || - test.request.getContext().containsKey(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES)) { + if (test.request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_TAGS) || + test.request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) { // Create a new AccessRequest RangerAccessRequestImpl newRequest = new RangerAccessRequestImpl(test.request.getResource(), test.request.getAccessType(), @@ -241,8 +232,8 @@ public class TestPolicyEngine { newRequest.setSessionId(test.request.getSessionId()); Map<String, Object> context = test.request.getContext(); - String tagsJsonString = (String) context.get(RangerPolicyEngine.KEY_CONTEXT_TAGS); - context.remove(RangerPolicyEngine.KEY_CONTEXT_TAGS); + String tagsJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_TAGS); + context.remove(RangerAccessRequestUtil.KEY_CONTEXT_TAGS); if(!StringUtils.isEmpty(tagsJsonString)) { try { 
@@ -250,14 +241,14 @@ public class TestPolicyEngine { }.getType(); List<RangerTag> tagList = gsonBuilder.fromJson(tagsJsonString, listType); - context.put(RangerPolicyEngine.KEY_CONTEXT_TAGS, tagList); + context.put(RangerAccessRequestUtil.KEY_CONTEXT_TAGS, tagList); } catch (Exception e) { System.err.println("TestPolicyEngine.runTests(): error parsing TAGS JSON string in file " + testName + ", tagsJsonString=" + tagsJsonString + ", exception=" + e); } - } else if (test.request.getContext().containsKey(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES)) { - String resourcesJsonString = (String) context.get(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES); - context.remove(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES); + } else if (test.request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) { + String resourcesJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES); + context.remove(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES); if (!StringUtils.isEmpty(resourcesJsonString)) { try { /* @@ -269,7 +260,7 @@ public class TestPolicyEngine { }.getType(); RangerRequestedResources resources = gsonBuilder.fromJson(resourcesJsonString, myType); - context.put(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES, resources); + context.put(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES, resources); } catch (Exception e) { System.err.println("TestPolicyEngine.runTests(): error parsing REQUESTED_RESOURCES string in file " + testName + ", resourcesJsonString=" + resourcesJsonString + ", exception=" + e); 
@@ -290,7 +281,7 @@ public class TestPolicyEngine { request = newRequest; } else - if (test.request.getContext().containsKey(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES)) { + if (test.request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) { } else { request = test.request; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json index d5df5e2..db92668 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json @@ -57,7 +57,7 @@ {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false, "conditions":[{ "type":"ScriptConditionEvaluator", - "values":["var country_code = ctx.getGeolocation('LOCATION_TEST_COUNTRY_CODE'); ctx.result = !!country_code;"] + "values":["var country_code = ctx.getRequestContextAttribute('LOCATION_TEST_COUNTRY_CODE'); ctx.result = !!country_code;"] }]} ] } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java index 47bf2a0..5bbbb16 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java @@ -57,7 +57,10 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.service.RangerBasePlugin; import org.apache.ranger.plugin.util.GrantRevokeRequest; +import org.apache.ranger.plugin.util.RangerAccessRequestUtil; + import com.google.common.collect.Sets; + import org.apache.ranger.plugin.util.RangerRequestedResources; public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { @@ -909,7 +912,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { for (RangerHiveAccessRequest request : requests) { // Build list of all things requested and put it in the context of each request - request.getContext().put(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES, requestedResources); + RangerAccessRequestUtil.setRequestedResourcesInContext(request.getContext(), requestedResources); RangerHiveResource resource = (RangerHiveResource) request.getResource(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java index c0241b2..520c1be 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 
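Review bot: The import hunk leaves the two org.apache.ranger.plugin.util imports split around `import com.google.common.collect.Sets;`, with a stray blank line added on either side — `RangerAccessRequestUtil` goes above it while `RangerRequestedResources` stays below. Placing `import org.apache.ranger.plugin.util.RangerRequestedResources;` directly after the new RangerAccessRequestUtil import, with the com.google import in its own group, matches the ordering used in the other files of this commit. RangerRequestedResources appears to still be needed for the `requestedResources` value passed in the second hunk, so only its position should change.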
@@ -982,16 +982,32 @@ public class TagREST { LOG.debug("==> TagREST.getServiceTagsIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + pluginId + ")"); } - ServiceTags ret = null; + ServiceTags ret = null; + int httpCode = HttpServletResponse.SC_OK; + String logMsg = null; try { ret = tagStore.getServiceTagsIfUpdated(serviceName, lastKnownVersion); + + if(ret == null) { + httpCode = HttpServletResponse.SC_NOT_MODIFIED; + logMsg = "No change since last update"; + } else { + httpCode = HttpServletResponse.SC_OK; + logMsg = "Returning " + (ret.getTags() != null ? ret.getTags().size() : 0) + " tags. Tag version=" + ret.getTagVersion(); + } } catch(Exception excp) { LOG.error("getServiceTagsIfUpdated(" + serviceName + ") failed", excp); - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); + httpCode = HttpServletResponse.SC_BAD_REQUEST; + logMsg = excp.getMessage(); } + if(httpCode != HttpServletResponse.SC_OK) { + boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED; + throw restErrorUtil.createRESTException(httpCode, logMsg, logError); + } + if(LOG.isDebugEnabled()) { LOG.debug("<==> TagREST.getServiceTagsIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + pluginId + ")"); }
