Repository: incubator-ranger Updated Branches: refs/heads/tag-policy d3ba14925 -> 7f8e0605a
RANGER-606: Updated policy model to specify 'exception' policy items (currently labeled in UI as 'Abstain?'). Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/7f8e0605 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/7f8e0605 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/7f8e0605 Branch: refs/heads/tag-policy Commit: 7f8e0605af68f92177b4aa54e0cc429dc809a457 Parents: d3ba149 Author: Madhan Neethiraj <[email protected]> Authored: Thu Sep 3 00:02:38 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Sep 3 13:24:26 2015 -0700 ---------------------------------------------------------------------- ...ngerContextAttributeValueNotInCondition.java | 76 ++++++++++++++++++ .../ranger/plugin/model/RangerPolicy.java | 33 ++++++-- .../RangerAbstractPolicyItemEvaluator.java | 82 ++++++++++++++++++++ .../RangerDefaultPolicyEvaluator.java | 12 ++- .../RangerOptimizedPolicyEvaluator.java | 3 - .../RangerPolicyItemEvaluator.java | 7 +- .../service-defs/ranger-servicedef-tag.json | 2 +- ...test_policyengine_hive_mutex_conditions.json | 36 ++++++--- .../test_policyengine_tag_hdfs.json | 39 ++++++++-- .../test_policyengine_tag_hive.json | 37 ++++----- .../016-updated-schema-for-tag-based-policy.sql | 1 + .../org/apache/ranger/biz/ServiceDBStore.java | 3 +- .../org/apache/ranger/entity/XXPolicyItem.java | 38 ++++++++- .../ranger/service/RangerPolicyServiceBase.java | 1 + .../scripts/modules/globalize/message/en.js | 2 +- .../src/main/webapp/scripts/utils/XAEnums.js | 3 +- .../src/main/webapp/scripts/utils/XAUtils.js | 1 + .../scripts/views/policies/PermissionList.js | 21 ++++- .../scripts/views/policies/RangerPolicyForm.js | 3 + .../scripts/views/policies/RangerPolicyRO.js | 3 +- .../views/policies/RangerPolicyTableLayout.js | 2 +- .../views/reports/PlugableServiceDiffDetail.js | 6 +- .../scripts/views/reports/UserAccessLayout.js | 2 +- 
.../templates/policies/PermissionItem.html | 3 + .../templates/policies/RangerPolicyRO_tmpl.html | 5 +- .../PlugableServicePolicyDeleteDiff_tmpl.html | 3 +- .../reports/PlugableServicePolicyDiff_tmpl.html | 1 + .../PlugableServicePolicyUpdateDiff_tmpl.html | 2 + 28 files changed, 350 insertions(+), 77 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerContextAttributeValueNotInCondition.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerContextAttributeValueNotInCondition.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerContextAttributeValueNotInCondition.java new file mode 100644 index 0000000..7df73df --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerContextAttributeValueNotInCondition.java 
@@ -0,0 +1,76 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.conditionevaluator; + +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.collections.MapUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; + +import java.util.Map; + +public class RangerContextAttributeValueNotInCondition extends RangerAbstractConditionEvaluator { + private static final Log LOG = LogFactory.getLog(RangerContextAttributeValueNotInCondition.class); + + protected String attributeName; + + @Override + public void init() { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerContextAttributeValueNotInCondition.init(" + condition + ")"); + } + + super.init(); + + Map<String, String> evalOptions = conditionDef. 
getEvaluatorOptions(); + + if (MapUtils.isNotEmpty(evalOptions)) { + attributeName = evalOptions.get("attributeName"); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerContextAttributeValueNotInCondition.init(" + condition + ")"); + } + } + + @Override + public boolean isMatched(RangerAccessRequest request) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerContextAttributeValueNotInCondition.isMatched(" + condition + ")"); + } + + boolean ret = true; + + if(attributeName != null && condition != null && CollectionUtils.isNotEmpty(condition.getValues())) { + Object val = request.getContext().get(attributeName); + + if(val != null) { + ret = !condition.getValues().contains(val); + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerContextAttributeValueNotInCondition.isMatched(" + condition + "): " + ret); + } + + return ret; + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java index e0aee6b..19c2b50 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java @@ -47,8 +47,8 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria public static final int POLICY_TYPE_ALLOW = 0; public static final int POLICY_TYPE_DENY = 1; - public static final int POLICY_TYPE_EXCLUSIVE_ALLOW = 2; - + public static final int POLICY_ITEM_TYPE_DEFAULT = 0; + public static final int POLICY_ITEM_TYPE_ABSTAIN = 1; private String service = null; private String name = null; 
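Review bot: `isMatched` in RangerContextAttributeValueNotInCondition starts from `ret = true` and clears it only when a non-null context value is found in the configured list, so a missing `attributeName` option, an absent context attribute, or a context value of a type that never equals a configured value all evaluate as matched. `request.getContext()` is also dereferenced without a null check. Because this result decides whether a policy item applies, `init()` should warn when the option is absent, e.g. `LOG.warn("RangerContextAttributeValueNotInCondition.init(): attributeName option is missing; condition will always match");`. The class should also carry a Javadoc stating that an absent attribute counts as "not in". Whether context values can be non-String objects is not visible here; if they can, the comparison needs to normalise them before `contains`.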
@@ -257,12 +257,6 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria return ret; } - final public boolean isPolicyTypeExclusiveAllow() { - boolean ret = this.policyType != null && this.policyType == POLICY_TYPE_EXCLUSIVE_ALLOW; - - return ret; - } - @Override public String toString( ) { StringBuilder sb = new StringBuilder(); @@ -484,6 +478,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria private List<String> groups = null; private List<RangerPolicyItemCondition> conditions = null; private Boolean delegateAdmin = null; + private Integer itemType = POLICY_ITEM_TYPE_DEFAULT; public RangerPolicyItem() { this(null, null, null, null, null); @@ -495,6 +490,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria setGroups(groups); setConditions(conditions); setDelegateAdmin(delegateAdmin); + setItemType(null); } /** @@ -608,6 +604,20 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria this.delegateAdmin = delegateAdmin == null ? Boolean.FALSE : delegateAdmin; } + /** + * @return the itemType + */ + public Integer getItemType() { + return itemType; + } + + /** + * @param itemType the itemType to set + */ + public void setItemType(Integer itemType) { + this.itemType = itemType == null ? POLICY_ITEM_TYPE_DEFAULT : itemType; + } + @Override public String toString( ) { StringBuilder sb = new StringBuilder(); @@ -661,6 +671,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria sb.append("} "); sb.append("delegateAdmin={").append(delegateAdmin).append("} "); + sb.append("itemType={").append(itemType).append("} "); sb.append("}"); return sb; 
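Review bot: `setItemType` in the `@@ -608,6 +604,20 @@` hunk stores any non-null Integer, while the evaluator code in this commit only tests `getItemType() == RangerPolicy.POLICY_ITEM_TYPE_ABSTAIN`, so an unrecognised value is silently evaluated as a regular item. For an item that was meant to be an exception, that turns an exemption into an ordinary match. Values other than `POLICY_ITEM_TYPE_DEFAULT` and `POLICY_ITEM_TYPE_ABSTAIN` should be rejected, or at least logged, wherever policies are validated before being saved. The generated `@return the itemType` / `@param itemType` Javadoc should be replaced with text that lists the two legal values and says what abstain means for evaluation. The constructor in the `@@ -495,6 +490,7 @@` hunk always calls `setItemType(null)`, so a one-line comment there should say that exception items can only be created through the setter.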
@@ -679,6 +690,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria result = prime * result + ((groups == null) ? 0 : groups.hashCode()); result = prime * result + ((users == null) ? 0 : users.hashCode()); + result = prime * result + ((itemType == null) ? 0 : itemType.hashCode()); return result; } @@ -706,6 +718,11 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria return false; } else if (!delegateAdmin.equals(other.delegateAdmin)) return false; + if (itemType == null) { + if (other.itemType != null) + return false; + } else if (!itemType.equals(other.itemType)) + return false; if (groups == null) { if (other.groups != null) return false; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java index 9696e03..45fce94 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java 
@@ -22,18 +22,33 @@ package org.apache.ranger.plugin.policyevaluator; import java.util.Collections; import java.util.List; +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; public abstract class RangerAbstractPolicyItemEvaluator implements RangerPolicyItemEvaluator { + private static final Log LOG = LogFactory.getLog(RangerAbstractPolicyItemEvaluator.class); + + private static final int RANGER_POLICY_ITEM_EVAL_ORDER_DEFAULT = 1000; + private static final int RANGER_POLICY_ITEM_EVAL_ORDER_DISCOUNT_ABSTAIN = 500; + + private static final int RANGER_POLICY_ITEM_EVAL_ORDER_MAX_DISCOUNT_USERSGROUPS = 25; + private static final int RANGER_POLICY_ITEM_EVAL_ORDER_MAX_DISCOUNT_ACCESS_TYPES = 25; + private static final int RANGER_POLICY_ITEM_EVAL_ORDER_MAX_DISCOUNT_CUSTOM_CONDITIONS = 25; + private static final int RANGER_POLICY_ITEM_EVAL_ORDER_CUSTOM_CONDITION_PENALTY = 5; + final RangerPolicyEngineOptions options; final RangerServiceDef serviceDef; final RangerPolicyItem policyItem; final long policyId; + final int evalOrder; List<RangerConditionEvaluator> conditionEvaluators = Collections.<RangerConditionEvaluator>emptyList(); @@ -42,6 +57,7 @@ public abstract class RangerAbstractPolicyItemEvaluator implements RangerPolicyI this.policyItem = policyItem; this.options = options; this.policyId = policy != null && policy.getId() != null ? policy.getId() : -1; + this.evalOrder = computeEvalOrder(); } @Override 
@@ -49,6 +65,31 @@ public abstract class RangerAbstractPolicyItemEvaluator implements RangerPolicyI return conditionEvaluators; } + @Override + public int getEvalOrder() { + return evalOrder; + } + + @Override + public RangerPolicyItem getPolicyItem() { + return policyItem; + } + + @Override + public int compareTo(RangerPolicyItemEvaluator other) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAbstractPolicyItemEvaluator.compareTo()"); + } + + int result = Integer.compare(getEvalOrder(), other.getEvalOrder()); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAbstractPolicyItemEvaluator.compareTo(), result:" + result); + } + + return result; + } + protected String getServiceType() { return serviceDef != null ? serviceDef.getName() : null; } 
@@ -56,4 +97,45 @@ public abstract class RangerAbstractPolicyItemEvaluator implements RangerPolicyI protected boolean getConditionsDisabledOption() { return options != null ? options.disableCustomConditions : false; } + + private int computeEvalOrder() { + int evalOrder = RANGER_POLICY_ITEM_EVAL_ORDER_DEFAULT; + + if(policyItem != null) { + if(policyItem.getItemType() == RangerPolicy.POLICY_ITEM_TYPE_ABSTAIN) { + evalOrder -= RANGER_POLICY_ITEM_EVAL_ORDER_DISCOUNT_ABSTAIN; + } + + if(CollectionUtils.isNotEmpty(policyItem.getGroups()) && policyItem.getGroups().contains(RangerPolicyEngine.GROUP_PUBLIC)) { + evalOrder -= RANGER_POLICY_ITEM_EVAL_ORDER_MAX_DISCOUNT_USERSGROUPS; + } else { + int userGroupCount = 0; + + if(! CollectionUtils.isEmpty(policyItem.getUsers())) { + userGroupCount += policyItem.getUsers().size(); + } + + if(! CollectionUtils.isEmpty(policyItem.getGroups())) { + userGroupCount += policyItem.getGroups().size(); + } + + evalOrder -= Math.min(RANGER_POLICY_ITEM_EVAL_ORDER_MAX_DISCOUNT_USERSGROUPS, userGroupCount); + } + + if(CollectionUtils.isNotEmpty(policyItem.getAccesses())) { + evalOrder -= Math.round(((float)RANGER_POLICY_ITEM_EVAL_ORDER_MAX_DISCOUNT_ACCESS_TYPES * policyItem.getAccesses().size()) / serviceDef.getAccessTypes().size()); + } + + int customConditionsPenalty = 0; + if(CollectionUtils.isNotEmpty(policyItem.getConditions())) { + customConditionsPenalty = RANGER_POLICY_ITEM_EVAL_ORDER_CUSTOM_CONDITION_PENALTY * policyItem.getConditions().size(); + } + int customConditionsDiscount = RANGER_POLICY_ITEM_EVAL_ORDER_MAX_DISCOUNT_CUSTOM_CONDITIONS - customConditionsPenalty; + if(customConditionsDiscount > 0) { + evalOrder -= customConditionsDiscount; + } + } + + return evalOrder; + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- 
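Review bot: In `computeEvalOrder()` the access-type discount divides by `serviceDef.getAccessTypes().size()` without checking `serviceDef` or the list, although `getServiceType()` in the same class treats `serviceDef` as nullable. A null service-def or null list throws from the constructor, and an empty list makes the float division infinite, so `Math.round` yields `Integer.MAX_VALUE` and the item sorts ahead of every abstain item; the discount is also uncapped when an item lists more accesses than the service-def defines. Since RangerDefaultPolicyEvaluator stops at the first matching item after sorting, this ordering decides whether an exception is honoured. Compute `int total = (serviceDef != null && CollectionUtils.isNotEmpty(serviceDef.getAccessTypes())) ? serviceDef.getAccessTypes().size() : 0;`, apply the discount only when `total > 0`, and wrap it in `Math.min(RANGER_POLICY_ITEM_EVAL_ORDER_MAX_DISCOUNT_ACCESS_TYPES, ...)`. A method comment should state that lower values are evaluated first and that the abstain discount must stay larger than the sum of the other discounts.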
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 57d1be9..9c63089 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -92,6 +92,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator policyItemEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList(); } + Collections.sort(policyItemEvaluators); + if(LOG.isDebugEnabled()) { LOG.debug("<== RangerDefaultPolicyEvaluator.init()"); } @@ -164,13 +166,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator result.setIsAllowed(true); result.setPolicyId(policy.getId()); } - } else { - if(policy.isPolicyTypeExclusiveAllow()) { - if(isResourceMatch) { - result.setIsAllowed(false); - result.setPolicyId(policy.getId()); - } - } } } } @@ -193,6 +188,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator ret = policyItemEvaluator.isMatch(request); if(ret) { + if(policyItemEvaluator.getPolicyItem().getItemType() == RangerPolicy.POLICY_ITEM_TYPE_ABSTAIN) { + ret = false; + } break; } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java index 7bd1208..9fa20cd 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 
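Review bot: The abstain check in the `@@ -193,6 +188,9 @@` hunk is only correct if every abstain item is visited before any regular item, and that is guaranteed solely by the `Collections.sort(policyItemEvaluators)` added in `init()` together with the discount constants in RangerAbstractPolicyItemEvaluator; nothing at the check states this. Add a comment there, e.g. `// abstain items sort first (see getEvalOrder()); a matching one exempts the request from this policy`, so a later change to ordering does not silently disable exceptions. `getPolicyItem().getItemType()` is unboxed without a null check on `getPolicyItem()`, which the abstract evaluator's constructor appears to allow to be null. A debug log with the policy id when a request is exempted would help when auditing why a deny policy did not apply. The enclosing method starts and ends outside the hunk.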
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java @@ -49,7 +49,6 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator private static final int RANGER_POLICY_EVAL_SCORE_DEFAULT = 10000; private static final int RANGER_POLICY_EVAL_SCORE_DISCOUNT_DENY_POLICY = 4000; - private static final int RANGER_POLICY_EVAL_SCORE_DISCOUNT_EXCLUSIVE_ALLOW_POLICY = 2000; private static final int RANGER_POLICY_EVAL_SCORE_MAX_DISCOUNT_RESOURCE = 100; private static final int RANGER_POLICY_EVAL_SCORE_MAX_DISCOUNT_USERSGROUPS = 25; @@ -206,8 +205,6 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator if (policy.isPolicyTypeDeny()) { evalOrder -= RANGER_POLICY_EVAL_SCORE_DISCOUNT_DENY_POLICY; - } else if (policy.isPolicyTypeExclusiveAllow()) { - evalOrder -= RANGER_POLICY_EVAL_SCORE_DISCOUNT_EXCLUSIVE_ALLOW_POLICY; } if(LOG.isDebugEnabled()) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java index 96312fe..e91d5d1 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java 
@@ -22,14 +22,19 @@ import java.util.List; import java.util.Set; import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; -public interface RangerPolicyItemEvaluator { +public interface RangerPolicyItemEvaluator extends Comparable<RangerPolicyItemEvaluator> { void init(); + RangerPolicyItem getPolicyItem(); + List<RangerConditionEvaluator> getConditionEvaluators(); + int getEvalOrder(); + boolean isMatch(RangerAccessRequest request); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json ---------------------------------------------------------------------- diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json index 0b827e4..e27feb2 100644 --- a/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json +++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json @@ -111,7 +111,7 @@ "itemId":2, "name":"enforce-expiry", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator", - "evaluatorOptions" : { "scriptTemplate":"ctx.isAccessedBefore('expiry_date');" }, + "evaluatorOptions" : { "scriptTemplate":"ctx.isAccessedAfter('expiry_date');" }, "label":"Deny access after expiry_date?", "description": "Deny access after expiry_date? (yes/no)" } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/agents-common/src/test/resources/policyengine/test_policyengine_hive_mutex_conditions.json ---------------------------------------------------------------------- 
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hive_mutex_conditions.json b/agents-common/src/test/resources/policyengine/test_policyengine_hive_mutex_conditions.json index b9bcad4..9c29cfd 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_hive_mutex_conditions.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive_mutex_conditions.json 
@@ -23,22 +23,34 @@ "policyConditions":[ { "itemId":1, - "name":"not-accessed-together", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerHiveResourcesNotAccessedTogetherCondition", + "name":"accessed-together", + "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerHiveResourcesAccessedTogetherCondition", "evaluatorOptions" : {"ui.isMultiline":"false" }, - "label":"Not Accessed Together?", + "label":"Accessed Together?", "description": "List of Hive resources" } ] }, "policies":[ - {"id":1,"name":"db=default; allow_exclusive select with mutual exclusion of col* for user1","isEnabled":true,"isAuditEnabled":true,"policyType":2, - "resources":{"database":{"values":["d*"]},"table":{"values":["*"]},"column":{"values":["*"]}}, + {"id":1,"name":"db=default; deny select with mutual exclusion of col* for everyone except user2, admin","isEnabled":true,"isAuditEnabled":true,"policyType":1, + "resources":{"database":{"values":["default"]},"table":{"values":["testTable"]},"column":{"values":["col*"]}}, "policyItems":[ - {"accesses":[{"type":"select"}],"users":["user1"],"groups":[],"delegateAdmin":false, "conditions":[{"type":"not-accessed-together","values":["default.testTable.col*"]}]}, - {"accesses":[{"type":"select"}],"users":["user2"],"groups":[],"delegateAdmin":false, "conditions":[{"type":"not-accessed-together","values":["default.testTable.col1", "default.testTable.name"]}]}, - {"accesses":[{"type":"select"}],"users":["admin"],"groups":["admin"],"delegateAdmin":false} + {"accesses":[{"type":"select"}],"users":[],"groups":["public"],"delegateAdmin":false,"conditions":[{"type":"accessed-together","values":["default.testTable.col*"]}]}, + {"accesses":[{"type":"select"}],"users":["user2","admin"],"groups":["admin"],"delegateAdmin":false,"itemType":1} + ] + }, + {"id":2,"name":"db=default; deny select with mutual exclusion of col1, name for everone except admin","isEnabled":true,"isAuditEnabled":true,"policyType":1, + 
"resources":{"database":{"values":["default"]},"table":{"values":["testTable"]},"column":{"values":["col1"]}}, + "policyItems":[ + {"accesses":[{"type":"select"}],"users":[],"groups":["public"],"delegateAdmin":false,"conditions":[{"type":"accessed-together","values":["default.testTable.col1", "default.testTable.name"]}]}, + {"accesses":[{"type":"select"}],"users":["admin"],"groups":["admin"],"delegateAdmin":false,"itemType":1} + ] + }, + {"id":3,"name":"db=default; allow default.testTable.* for user1, user2, admin","isEnabled":true,"isAuditEnabled":true,"policyType":0, + "resources":{"database":{"values":["default"]},"table":{"values":["testTable"]},"column":{"values":["*"]}}, + "policyItems":[ + {"accesses":[{"type":"select"}],"users":["user1", "user2", "admin"],"groups":[],"delegateAdmin":false} ] } ], @@ -92,7 +104,7 @@ "result": { "isAudited": true, "isAllowed": false, - "policyId": 1 + "policyId": 2 } } , @@ -118,7 +130,7 @@ "result": { "isAudited": true, "isAllowed": true, - "policyId": 1 + "policyId": 3 } } ,{ @@ -144,7 +156,7 @@ "result": { "isAudited": true, "isAllowed": true, - "policyId": 1 + "policyId": 3 } } ,{ @@ -170,7 +182,7 @@ "result": { "isAudited": true, "isAllowed": true, - "policyId": 1 + "policyId": 3 } } ] http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json index 16dcf6f..585ef95 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 
@@ -120,15 +120,38 @@ ] }, "tagPolicies":[ - {"id":101,"name":"test_policy","isEnabled":true,"isAuditEnabled":true,"policyType":2, + {"id":101,"name":"test_policy","isEnabled":true,"isAuditEnabled":true,"policyType":1, "resources":{"tag":{"values":["PII"],"isRecursive":false}}, "policyItems":[ - {"accesses":[{"type":"hdfs:read", "isAllowed":true}, {"type":"hive:grant", "isAllowed":true}, {"type":"delete", "isAllowed":true}, {"type":":write", "isAllowed":true}],"users":["user1"],"groups":["finance"],"delegateAdmin":false, - "conditions" : [{"type":"ScriptConditionEvaluator", "values": [ - "ctx.result = true;", - "importPackage(java.util); var accessDate = ctx.getAsDate(ctx.accessTime); var expiryDate =ctx.getTagAttributeAsDate('pii','expiry'); expiryDate.getTime() < accessDate.getTime();" - ] - }] + { + "accesses":[ + {"type":"hdfs:read", "isAllowed":true}, + {"type":"hive:grant", "isAllowed":true}, + {"type":"delete", "isAllowed":true}, + {"type":":write", "isAllowed":true} + ], + "users":[""], + "groups":["public"], + "delegateAdmin":false, + "itemType":0, + "conditions" : [ + {"type":"ScriptConditionEvaluator", "values": [ + "ctx.result = true; importPackage(java.util); var accessDate = ctx.getAsDate(ctx.accessTime); var expiryDate =ctx.getTagAttributeAsDate('pii','expiry'); expiryDate.getTime() < accessDate.getTime();" + ]} + ] + }, + { + "accesses":[ + {"type":"hdfs:read", "isAllowed":true}, + {"type":"hive:grant", "isAllowed":true}, + {"type":"delete", "isAllowed":true}, + {"type":":write", "isAllowed":true} + ], + "users":["user1"], + "groups":["finance"], + "delegateAdmin":false, + "itemType":1, + "conditions" : [] } ] } 
@@ -141,7 +164,7 @@ "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db", "context": {"TAGS":"[{\"type\":\"PII\"}]"} }, - "result":{"isAudited":true,"isAllowed":true,"policyId":101} + "result":{"isAudited":true,"isAllowed":true,"policyId":3} } ] } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json index 6507809..f55c0a4 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json @@ -146,7 +146,7 @@ "itemId":2, "name":"enforce-expiry", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator", - "evaluatorOptions" : { "scriptTemplate":"ctx.isAccessedBefore('expiry_date');" }, + "evaluatorOptions" : { "scriptTemplate":"ctx.isAccessedAfter('expiry_date');" }, "label":"Deny access after expiry_date?", "description": "Deny access after expiry_date? (yes/no)" } 
@@ -171,17 +171,18 @@ {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive"],"groups":[],"delegateAdmin":false} ] }, - {"id":3,"name":"PII_TAG_POLICY-FINAL","isEnabled":true,"isAuditEnabled":true,"policyType":2, + {"id":3,"name":"PII_TAG_POLICY-FINAL","isEnabled":true,"isAuditEnabled":true,"policyType":1, "resources":{"tag":{"values":["PII-FINAL"],"isRecursive":false}}, "policyItems":[ - {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive"],"groups":[],"delegateAdmin":false} + {"accesses":[{"type":"hive:select","isAllowed":true}],"users":[""],"groups":["public"],"delegateAdmin":false}, + {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive"],"groups":[],"delegateAdmin":false,"itemType":1} ] }, - {"id":4,"name":"RESTRICTED_TAG_POLICY_FINAL","isEnabled":true,"isAuditEnabled":true,"policyType":2, + {"id":4,"name":"RESTRICTED_TAG_POLICY_FINAL","isEnabled":true,"isAuditEnabled":true,"policyType":1, "resources":{"tag":{"values":["RESTRICTED-FINAL"],"isRecursive":false}}, "policyItems":[ - { - "accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false, + {"accesses":[{"type":"hive:select","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}, + {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,"itemType":1, "conditions":[{ "type":"ScriptConditionEvaluator", "values":["if ( ctx.isAccessedBefore('expiry') ) ctx.result = true;"] 
@@ -189,23 +190,13 @@ } ] }, - {"id":5,"name":"EXPIRES_ON","isEnabled":true,"isAuditEnabled":true,"policyType":2, + {"id":5,"name":"EXPIRES_ON","isEnabled":true,"isAuditEnabled":true,"policyType":1, "resources":{"tag":{"values":["EXPIRES_ON"],"isRecursive":false}}, "policyItems":[ - { - "accesses":[{"type":"hive:select","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false, - "conditions":[{ - "type":"enforce-expiry", - "values":["yes"] - }] + {"accesses":[{"type":"hive:select","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false, + "conditions":[{"type":"enforce-expiry","values":["yes"]}] }, - { - "accesses":[{"type":"hive:select","isAllowed":true}],"users":["dataloader"],"groups":[],"delegateAdmin":false, - "conditions":[{ - "type":"enforce-expiry", - "values":["no"] - }] - } + {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["dataloader"],"groups":[],"delegateAdmin":false,"itemType":1} ] } ] @@ -219,7 +210,7 @@ "context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", \"attributes\":{\"expiry_date\":\"2026/06/15\"}}]"} }, - "result":{"isAudited":true,"isAllowed":true,"policyId":5} + "result":{"isAudited":true,"isAllowed":true,"policyId":101} }, {"name":"DENY 'select ssn from employee.personal;' for user1 using EXPIRES_ON tag", "request":{ @@ -244,7 +235,7 @@ "accessType":"select","user":"dataloader","userGroups":[],"requestData":"select ssn from employee.personal;' for dataloader", "context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", \"attributes\":{\"expiry_date\":\"2015/08/10\"}}]"} }, - "result":{"isAudited":true,"isAllowed":true,"policyId":5} + "result":{"isAudited":true,"isAllowed":true,"policyId":101} }, {"name":"ALLOW 'select ssn from employee.personal;' for user1", "request":{ 
@@ -309,7 +300,7 @@ "accessType":"","user":"hive","userGroups":[],"requestData":"use default", "context": {"TAGS":"[{\"type\":\"PII-FINAL\", \"attributes\":{\"expiry\":\"2026/06/15\"}}]"} }, - "result":{"isAudited":true,"isAllowed":true,"policyId":3} + "result":{"isAudited":true,"isAllowed":true,"policyId":101} }, {"name":"DENY 'use default;' for user1", "request":{ http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/db/mysql/patches/016-updated-schema-for-tag-based-policy.sql ---------------------------------------------------------------------- diff --git a/security-admin/db/mysql/patches/016-updated-schema-for-tag-based-policy.sql b/security-admin/db/mysql/patches/016-updated-schema-for-tag-based-policy.sql index 79699ce..d3a19b1 100644 --- a/security-admin/db/mysql/patches/016-updated-schema-for-tag-based-policy.sql +++ b/security-admin/db/mysql/patches/016-updated-schema-for-tag-based-policy.sql @@ -322,6 +322,7 @@ ENGINE = InnoDB; -- ranger database add column in x_service_def and x_service table -- ---------------------------------------------------------------- alter table x_service_def add column `options` VARCHAR(1024) DEFAULT NULL NULL; +alter table x_policy_item add column `item_type` INT DEFAULT 0 NOT NULL; alter table x_service add column `tag_service` BIGINT DEFAULT NULL NULL, add column `tag_version` BIGINT DEFAULT 0 NOT NULL, add column `tag_update_time` DATETIME DEFAULT NULL NULL; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index e9454f9..cccea3e 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
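Review bot: The `item_type` column is added by amending the existing patch file 016 rather than by a new patch. A database that has already applied 016 would presumably never receive the column, depending on how applied patches are tracked. After this commit ServiceDBStore writes `item_type` on every policy-item insert, so such a schema would fail when a policy is saved. Consider a separate follow-up patch containing `alter table x_policy_item add column item_type INT DEFAULT 0 NOT NULL;`. Only the MySQL script appears in this commit's file list, so the other supported database flavours may need the same change.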
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -1831,7 +1831,7 @@ public class ServiceDBStore extends AbstractServiceStore { policy.setService(createdService.getName()); policy.setDescription(tagType + " Policy for TAG Service: " + createdService.getName()); policy.setIsAuditEnabled(true); - policy.setPolicyType(RangerPolicy.POLICY_TYPE_EXCLUSIVE_ALLOW); + policy.setPolicyType(RangerPolicy.POLICY_TYPE_DENY); Map<String, RangerPolicyResource> resourceMap = new HashMap<String, RangerPolicyResource>(); @@ -2034,6 +2034,7 @@ public class ServiceDBStore extends AbstractServiceStore { xPolicyItem = (XXPolicyItem) rangerAuditFields.populateAuditFields( xPolicyItem, xPolicy); xPolicyItem.setDelegateAdmin(policyItem.getDelegateAdmin()); + xPolicyItem.setItemType(policyItem.getItemType()); xPolicyItem.setPolicyId(policy.getId()); xPolicyItem.setOrder(itemOrder); xPolicyItem = daoMgr.getXXPolicyItem().create(xPolicyItem); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItem.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItem.java b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItem.java index 0c70e73..be8507e 100644 --- a/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItem.java +++ b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItem.java @@ -68,6 +68,15 @@ public class XXPolicyItem extends XXDBBase implements java.io.Serializable { protected Boolean delegateAdmin; /** + * item_type of the XXPolicyItem + * <ul> + * </ul> + * + */ + @Column(name = "item_type") + protected Integer itemType; + + /** * order of the XXPolicyItem * <ul> * </ul> 
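Review bot: The switch to `RangerPolicy.POLICY_TYPE_DENY` in the @@ -1831 hunk inverts what the default tag policy does, but nothing at the call site explains the intent. The description string built two lines above still reads only `tagType + " Policy for TAG Service: "`. A short comment here would help the next reader, for example `// default tag policies are DENY policies; principals that must keep access are added as exception items (itemType 1)`. The items attached to this policy are built outside the hunk, so whether an exception item is actually added should be confirmed there.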
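Review bot: In the @@ -2034 hunk, `xPolicyItem.setItemType(policyItem.getItemType());` copies the value without a null check. The entity field is a nullable `Integer`, but the column is declared `INT DEFAULT 0 NOT NULL`. If `getItemType()` returns an `Integer` (its declaration is not visible here) and a policy arrives without the field, the explicit null would bypass the column default and the insert would be rejected. Normalising at this point keeps stored items well defined: `Integer itemType = policyItem.getItemType();` followed by `xPolicyItem.setItemType(itemType == null ? 0 : itemType);`. The enclosing method starts and ends outside the hunk.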
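Review bot: The Javadoc added for the `itemType` field in the @@ -68 hunk is an empty `<ul></ul>` template and never says what the integer means. The setter added in the @@ -152 hunk states "You cannot set null to the attribute" but does not enforce it. Elsewhere in this commit the UI and test fixtures use 0 for a regular item and 1 for an exception item, so the field comment could read `/** Item type: 0 = regular policy item (column default), 1 = exception item. */`. For the setter, either drop the null sentence or reject null, since the backing column is `NOT NULL`.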
@@ -152,6 +161,26 @@ public class XXPolicyItem extends XXDBBase implements java.io.Serializable { } /** + * This method sets the value to the member attribute <b> itemType</b> . You + * cannot set null to the attribute. + * + * @param itemType + * Value to set member attribute <b> itemType</b> + */ + public void setItemType(Integer itemType) { + this.itemType = itemType; + } + + /** + * Returns the value for the member attribute <b>itemType</b> + * + * @return Integer - value of member attribute <b>itemType</b> . + */ + public Integer getItemType() { + return this.itemType; + } + + /** * This method sets the value to the member attribute <b> order</b> . You * cannot set null to the attribute. * @@ -222,6 +251,13 @@ public class XXPolicyItem extends XXDBBase implements java.io.Serializable { } else if (!policyId.equals(other.policyId)) { return false; } + if (itemType == null) { + if (other.itemType != null) { + return false; + } + } else if (!itemType.equals(other.itemType)) { + return false; + } return true; } @@ -234,7 +270,7 @@ public class XXPolicyItem extends XXDBBase implements java.io.Serializable { public String toString() { return "XXPolicyItem [" + super.toString() + " id=" + id + ", guid=" + GUID + ", policyId=" + policyId - + ", delegateAdmin=" + delegateAdmin + ", order=" + order + "]"; + + ", delegateAdmin=" + delegateAdmin + ", itemType=" + itemType + ", order=" + order + "]"; } } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java index 1f73504..b76a0ed 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java @@ -203,6 +203,7 @@ public abstract class RangerPolicyServiceBase<T extends XXPolicyBase, V extends rangerPolItem.setGroups(grpList); rangerPolItem.setDelegateAdmin(xPolItem.getDelegateAdmin()); + rangerPolItem.setItemType(xPolItem.getItemType()); return rangerPolItem; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js index a5474c9..ba986f9 100644 --- a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js +++ b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js @@ -213,6 +213,7 @@ define(function(require) { ipAddress : 'IP Address', isVisible : 'Visible', delegatedAdmin : 'Delegate Admin', + itemType : 'Abstain?', policyId : 'Policy ID', moduleName : 'Module Name', keyManagement : 'Key Management', @@ -230,7 +231,6 @@ define(function(require) { serviceName : 'Service Name', PolicyType_ALLOW : 'Allow', PolicyType_DENY : 'Deny', - PolicyType_EXCLUSIVE_ALLOW : 'Exclusive Allow', componentPermissions : 'Component Permissions' }, btn : { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/scripts/utils/XAEnums.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/utils/XAEnums.js b/security-admin/src/main/webapp/scripts/utils/XAEnums.js index 183d201..cb10f08 100644 --- a/security-admin/src/main/webapp/scripts/utils/XAEnums.js +++ b/security-admin/src/main/webapp/scripts/utils/XAEnums.js 
@@ -102,8 +102,7 @@ define(function(require) { XAEnums.PolicyType = mergeParams(XAEnums.PolicyType, { POLICY_TYPE_ALLOW:{value:0, label:'Allow', rbkey:'xa.enum.PolicyType.POLICY_TYPE_ALLOW', tt: 'lbl.PolicyType_ALLOW'}, - POLICY_TYPE_DENY:{value:1, label:'Deny', rbkey:'xa.enum.PolicyType.POLICY_TYPE_DENY', tt: 'lbl.PolicyType_DENY'}, - POLICY_TYPE_EXCLUSIVE_ALLOW:{value:2, label:'Exclusive Allow', rbkey:'xa.enum.PolicyType.POLICY_TYPE_EXCLUSIVE_ALLOW', tt: 'lbl.PolicyType_EXCLUSIVE_ALLOW'} + POLICY_TYPE_DENY:{value:1, label:'Deny', rbkey:'xa.enum.PolicyType.POLICY_TYPE_DENY', tt: 'lbl.PolicyType_DENY'} }); XAEnums.AssetType = mergeParams(XAEnums.AssetType, { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/scripts/utils/XAUtils.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js index d3530e7..d0d62a2 100644 --- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js +++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js @@ -598,6 +598,7 @@ define(function(require) { accesses : obj.accesses, conditions : obj.conditions, delegateAdmin : obj.delegateAdmin, + itemType : obj.itemType, editMode : true, }); formInputColl.add(m); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js index 6be0329..efc5377 100644 --- a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js +++ b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 
@@ -55,12 +55,14 @@ define(function(require) { addPerms : 'a[data-js="permissions"]', conditionsTags : '[class=tags1]', delegatedAdmin : 'input[data-js="delegatedAdmin"]', + itemType : 'input[data-js="itemType"]', addPermissionsSpan : '.add-permissions', addConditionsSpan : '.add-conditions', }, events : { 'click [data-action="delete"]' : 'evDelete', - 'click td' : 'evClickTD', + 'click [data-js="delegatedAdmin"]' : 'evClickTD', + 'click [data-js="itemType"]' : 'evItemTypeClick', 'change [data-js="selectGroups"]': 'evSelectGroup', 'change [data-js="selectUsers"]': 'evSelectUser', 'change input[class="policy-conditions"]' : 'policyCondtionChange' @@ -118,6 +120,10 @@ define(function(require) { if(!_.isUndefined(this.model.get('delegateAdmin')) && this.model.get('delegateAdmin')){ this.ui.delegatedAdmin.attr('checked', 'checked'); } + + if(!_.isUndefined(this.model.get('itemType')) && this.model.get('itemType') == 1){ + this.ui.itemType.attr('checked', 'checked'); + } } }, setupPermissionsAndConditions : function() { @@ -497,10 +503,20 @@ define(function(require) { XAUtil.checkDirtyFieldForToggle($el); //Set Delegated Admin value if(!_.isUndefined($el.find('input').data('js'))){ - this.model.set('delegateAdmin',$el.find('input').is(':checked')) + this.model.set('delegateAdmin',$el.is(':checked')); return; } }, + evItemTypeClick : function(e){ + var $el = $(e.currentTarget); + XAUtil.checkDirtyFieldForToggle($el); + //Set ItemType value + if(!_.isUndefined($el.find('input').data('js'))){ + this.model.set('itemType',($el.is(':checked') == false) ? 0 : 1); + return; + } + }, + checkDirtyFieldForCheckBox : function(perms){ var permList = []; if(!_.isUndefined(this.model.get('_vPermList'))) 
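Review bot: In `evItemTypeClick` (the @@ -497 hunk) the guard `if(!_.isUndefined($el.find('input').data('js')))` can never pass. The handler is bound to `[data-js="itemType"]`, so `e.currentTarget` is the checkbox itself and `$el.find('input')` is empty. `model.set('itemType', …)` is therefore skipped, and the exception flag ticked in the form is not stored in the model, so the saved policy can differ from what the administrator sees. `evClickTD` appears to have the same problem now that the events hunk binds it to `[data-js="delegatedAdmin"]` instead of `td`. Its `$el` assignment is above the hunk, so this assumes it is also `$(e.currentTarget)`. In both handlers, test the element directly with `if(!_.isUndefined($el.data('js'))){`, or remove the guard.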
@@ -623,6 +639,7 @@ define(function(require) { }, getPermHeaders : function(){ var permList = []; + permList.unshift(localization.tt('lbl.itemType')); if(this.rangerServiceDefModel.get('name') != XAEnums.ServiceType.SERVICE_TAG.label){ permList.unshift(localization.tt('lbl.delegatedAdmin')); permList.unshift(localization.tt('lbl.permissions')); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js index b0c910f..d969c37 100644 --- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js +++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js @@ -283,6 +283,9 @@ define(function(require){ if(!_.isUndefined(m.get('delegateAdmin'))){ policyItem.set("delegateAdmin",m.get("delegateAdmin")); } + if(!_.isUndefined(m.get('itemType'))){ + policyItem.set("itemType",m.get("itemType")); + } var RangerPolicyItemAccessList = Backbone.Collection.extend(); var rangerPlcItemAccessList = new RangerPolicyItemAccessList(m.get('accesses')); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js index a9ee1b5..6d7f3d7 100644 --- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js +++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 
@@ -125,6 +125,7 @@ define(function(require) { getPermHeaders : function(){ var permList = [], policyCondition = false; + permList.unshift(localization.tt('lbl.itemType')); permList.unshift(localization.tt('lbl.delegatedAdmin')); permList.unshift(localization.tt('lbl.permissions')); if(!_.isEmpty(this.serviceDef.get('policyConditions'))){ @@ -184,4 +185,4 @@ define(function(require) { }); return RangerPolicyRO; -}); \ No newline at end of file +}); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js index f3f233d..eaaf273 100644 --- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js +++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js @@ -174,7 +174,7 @@ define(function(require){ label : localization.tt("lbl.policyType"), formatter: _.extend({}, Backgrid.CellFormatter.prototype, { fromRaw: function (rawValue) { - return rawValue === 0 ? '<label label-success">Allow</label>' : rawValue === 1 ? '<label label-important">Deny</label>' : '<label label-success">Exclusive Allow</label>'; + return rawValue === 0 ? '<label label-success">Allow</label>' : rawValue === 1 ? '<label label-important">Deny</label>' : '<label label-success">Unknown</label>'; } }), editable: false, http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js ---------------------------------------------------------------------- 
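Review bot: In the RangerPolicyTableLayout.js @@ -174 hunk, the fallback branch of `fromRaw` renders an unrecognised policy type as `'<label label-success">Unknown</label>'`, which uses the same success styling as Allow. All three strings also lack `class="`, so the attribute is malformed and the styling may not apply at all. An unknown type should not look like a permitted one. Consider `'<label class="label-success">Allow</label>'`, `'<label class="label-important">Deny</label>'` and a neutral `'<label>Unknown</label>'`. The identical line in the UserAccessLayout.js @@ -214 hunk needs the same change.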
diff --git a/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js b/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js index 40db4cb..3979ea2 100644 --- a/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js +++ b/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js @@ -223,11 +223,11 @@ define(function(require){ if(!_.isUndefined(policyType)){ if(!_.isEmpty(policyType.get('previousValue'))){ var tmp = this.collection.get(policyType.id); - tmp.set("previousValue", policyType.get('previousValue') === "0" ? 'Allow' : policyType.get('previousValue') === "1" ? 'Deny' : "Exclusive Allow"); + tmp.set("previousValue", policyType.get('previousValue') === "0" ? 'Allow' : policyType.get('previousValue') === "1" ? 'Deny' : "Unknown"); } if(!_.isEmpty(policyType.get('newValue'))){ var tmp = this.collection.get(policyType.id); - tmp.set("newValue", policyType.get('newValue') === "0" ? 'Allow' : policyType.get('newValue') === "1" ? 'Deny' : "Exclusive Allow"); + tmp.set("newValue", policyType.get('newValue') === "0" ? 'Allow' : policyType.get('newValue') === "1" ? 'Deny' : "Unknown"); } } }, @@ -295,6 +295,7 @@ define(function(require){ var permissions = _.map(_.where(obj.accesses,{'isAllowed':true}), function(t) { return t.type; }); obj['permissions'] = permissions; obj['delegateAdmin'] = obj.delegateAdmin ? 'enabled' : 'disabled'; + obj['itemType'] = obj.itemType == 1 ? 'enabled' : 'disabled'; } }); } 
@@ -305,6 +306,7 @@ define(function(require){ var permissions = _.map(_.where(obj.accesses,{'isAllowed':true}), function(t) { return t.type; }); obj['permissions'] = permissions; obj['delegateAdmin'] = obj.delegateAdmin ? 'enabled' : 'disabled'; + obj['itemType'] = obj.itemType == 1? 'enabled' : 'disabled'; } }); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js b/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js index 5c5309d..9c4fb3f 100644 --- a/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js +++ b/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js @@ -214,7 +214,7 @@ define(function(require) {'use strict'; label : localization.tt("lbl.policyType"), formatter: _.extend({}, Backgrid.CellFormatter.prototype, { fromRaw: function (rawValue) { - return rawValue === 0 ? '<label label-success">Allow</label>' : rawValue === 1 ? '<label label-important">Deny</label>' : '<label label-success">Exclusive Allow</label>'; + return rawValue === 0 ? '<label label-success">Allow</label>' : rawValue === 1 ? '<label label-important">Deny</label>' : '<label label-success">Unknown</label>'; } }), editable: false, http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/templates/policies/PermissionItem.html ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/templates/policies/PermissionItem.html b/security-admin/src/main/webapp/templates/policies/PermissionItem.html index 99c20fa..63375c9 100644 --- a/security-admin/src/main/webapp/templates/policies/PermissionItem.html +++ b/security-admin/src/main/webapp/templates/policies/PermissionItem.html 
@@ -35,6 +35,9 @@ <td style=" width: 12%; "> <input data-js="delegatedAdmin" type="checkbox"> </td> +<td style=" width: 12%; "> + <input data-js="itemType" type="checkbox"> +</td> <td> <button type="button" class="btn btn-small btn-danger " data-action="delete"> <i class="icon-remove"></i> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html b/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html index 77f7605..1185980 100644 --- a/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html +++ b/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html @@ -118,6 +118,9 @@ <td> <input type="checkbox" {{#if this.delegateAdmin}}checked{{/if}} disabled="disabled"> </td> + <td> + <input type="checkbox" {{#if this.itemType}}checked{{/if}} disabled="disabled"> + </td> </tr> {{/each}} </tbody> @@ -140,4 +143,4 @@ <strong>{{tt 'lbl.createdOn'}} :</strong> {{PolicyDetails.createTime}} </p> </div> -</div> \ No newline at end of file +</div> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDeleteDiff_tmpl.html ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDeleteDiff_tmpl.html b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDeleteDiff_tmpl.html index 0d632a4..ad7a07d 100644 --- a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDeleteDiff_tmpl.html +++ b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDeleteDiff_tmpl.html 
@@ -82,10 +82,11 @@ </li> {{/if}} <li class="change-row"><i>Delegate Admin</i>: {{this.delegateAdmin}}</li> + <li class="change-row"><i>Is Abstain?</i>: {{this.itemType}}</li> </ol><br/> {{/each}} </div> </div> {{/if}} -</div> \ No newline at end of file +</div> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html index 353baa9..fc697db 100644 --- a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html +++ b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html @@ -78,6 +78,7 @@ </li> {{/if}} <li class="change-row">Delegate Admin:{{this.delegateAdmin}}</li> + <li class="change-row">Is Abstain?:{{this.itemType}}</li> </ol><br/> {{/each}} </div> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7f8e0605/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html index f61e91f..1a43c98 100644 --- a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html +++ b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html 
@@ -107,6 +107,7 @@ </li> {{/if}} <li class="change-row"><i>Delegate Admin</i>: {{this.delegateAdmin}}</li> + <li class="change-row"><i>Is Abstain?</i>: {{this.itemType}}</li> {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> {{/if}} @@ -150,6 +151,7 @@ </li> {{/if}} <li class="change-row"><i>Delegate Admin</i>: {{this.delegateAdmin}}</li> + <li class="change-row"><i>Is Abstain?</i>: {{this.itemType}}</li> {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> {{/if}}
