Repository: incubator-ranger Updated Branches: refs/heads/master 6dbd2b8f1 -> dddc4d420
RANGER-699: API for deny/allow from external tool. Commented out extracting users and groups from appliedPolicy, truncated processing of allow and deny exceptions Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/5423ee4f Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/5423ee4f Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/5423ee4f Branch: refs/heads/master Commit: 5423ee4f6074f3a4a01991431fd7d03e8712ddf1 Parents: 6dbd2b8 Author: Abhay Kulkarni <[email protected]> Authored: Tue Jan 19 23:32:30 2016 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Sun Mar 6 22:08:07 2016 -0800 ---------------------------------------------------------------------- .../org/apache/ranger/rest/PublicAPIsv2.java | 8 +- .../org/apache/ranger/rest/ServiceREST.java | 372 +++------ .../org/apache/ranger/rest/ServiceRESTUtil.java | 750 +++++++++++++++++++ .../org/apache/ranger/rest/TestServiceREST.java | 333 ++++++++ 4 files changed, 1181 insertions(+), 282 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5423ee4f/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java index 2c30daa..8601b95 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java @@ -322,6 +322,13 @@ public class PublicAPIsv2 { return serviceREST.createPolicy(policy); } + @POST + @Path("/api/policy/apply/") + @Produces({ "application/json", "application/xml" }) + public RangerPolicy applyPolicy(RangerPolicy policy) { // new API + return serviceREST.applyPolicy(policy); + } + @PUT @Path("/api/policy/{id}") @Produces({ "application/json", "application/xml" }) @@ -336,7 +343,6 @@ public class PublicAPIsv2 { return serviceREST.updatePolicy(policy); } - @PUT @Path("/api/service/{servicename}/policy/{policyname}") @Produces({ "application/json", "application/xml" }) http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5423ee4f/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index a28eca1..5e5d626 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -55,7 +55,6 @@ import org.apache.ranger.biz.XUserMgr; import org.apache.ranger.common.GUIDUtil; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; -import org.apache.ranger.common.RangerConfigUtil; import org.apache.ranger.common.RangerSearchUtil; import org.apache.ranger.common.RangerValidatorFactory; import org.apache.ranger.common.ServiceUtil; @@ -67,6 +66,7 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.model.RangerPolicyResourceSignature; import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.validation.RangerPolicyValidator; @@ -127,10 +127,7 @@ public class ServiceREST { @Autowired ServiceUtil serviceUtil; - - @Autowired - RangerConfigUtil configUtil; - + @Autowired RangerPolicyService policyService; @@ -851,69 +848,16 @@ public class ServiceREST { } RangerPolicy policy = getExactMatchPolicyForResource(policyEngine, resource); - + if(policy != null) { boolean policyUpdated = false; - - // replace all existing privileges for users and groups - if(grantRequest.getReplaceExistingPermissions()) { - policyUpdated = removeUsersAndGroupsFromPolicy(policy, grantRequest.getUsers(), grantRequest.getGroups()); - } - - for(String user : grantRequest.getUsers()) { - RangerPolicyItem policyItem = getPolicyItemForUser(policy, user); - - if(policyItem != null) { - if(addAccesses(policyItem, grantRequest.getAccessTypes())) { - policyUpdated = true; - } - } else { - policyItem = new RangerPolicyItem(); - - policyItem.getUsers().add(user); - addAccesses(policyItem, grantRequest.getAccessTypes()); - policy.getPolicyItems().add(policyItem); - - policyUpdated = true; - } - - if(grantRequest.getDelegateAdmin()) { - if(!policyItem.getDelegateAdmin()) { - policyItem.setDelegateAdmin(Boolean.TRUE); - - policyUpdated = true; - } - } - } - - for(String group : grantRequest.getGroups()) { - RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group); - - if(policyItem != null) { - if(addAccesses(policyItem, grantRequest.getAccessTypes())) { - policyUpdated = true; - } - } else { - policyItem = new RangerPolicyItem(); - - policyItem.getGroups().add(group); - addAccesses(policyItem, grantRequest.getAccessTypes()); - policy.getPolicyItems().add(policyItem); - - policyUpdated = true; - } - - if(grantRequest.getDelegateAdmin()) { - if(!policyItem.getDelegateAdmin()) { - policyItem.setDelegateAdmin(Boolean.TRUE); - - policyUpdated = true; - } - } - } - + policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest); + if(policyUpdated) { svcStore.updatePolicy(policy); + } else { + LOG.error("processGrantRequest processing failed"); + throw new Exception("processGrantRequest processing failed"); } } else { policy = new RangerPolicy(); @@ -935,29 +879,19 @@ public class ServiceREST { } } policy.setResources(policyResources); - - for(String user : grantRequest.getUsers()) { - RangerPolicyItem policyItem = new RangerPolicyItem(); - - policyItem.getUsers().add(user); - for(String accessType : grantRequest.getAccessTypes()) { - policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); - } - policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); - policy.getPolicyItems().add(policyItem); - } - - for(String group : grantRequest.getGroups()) { - RangerPolicyItem policyItem = new RangerPolicyItem(); - - policyItem.getGroups().add(group); - for(String accessType : grantRequest.getAccessTypes()) { - policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); - } - policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); - policy.getPolicyItems().add(policyItem); + + RangerPolicyItem policyItem = new RangerPolicyItem(); + + policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); + policyItem.getUsers().addAll(grantRequest.getUsers()); + policyItem.getGroups().addAll(grantRequest.getGroups()); + + for(String accessType : grantRequest.getAccessTypes()) { + policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); } - + + policy.getPolicyItems().add(policyItem); + svcStore.createPolicy(policy); } } catch(WebApplicationException excp) { @@ -1013,53 +947,13 @@ public class ServiceREST { if(policy != null) { boolean policyUpdated = false; + policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest); - // remove all existing privileges for users and groups - if(revokeRequest.getReplaceExistingPermissions()) { - policyUpdated = removeUsersAndGroupsFromPolicy(policy, revokeRequest.getUsers(), revokeRequest.getGroups()); - } else { - for(String user : revokeRequest.getUsers()) { - RangerPolicyItem policyItem = getPolicyItemForUser(policy, user); - - if (policyItem != null) { - if (removeAccesses(policyItem, revokeRequest.getAccessTypes())) { - policyUpdated = true; - } - - if (revokeRequest.getDelegateAdmin()) { // remove delegate? - if (policyItem.getDelegateAdmin()) { - policyItem.setDelegateAdmin(Boolean.FALSE); - policyUpdated = true; - } - - } - } - } - - for(String group : revokeRequest.getGroups()) { - RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group); - - if(policyItem != null) { - if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) { - policyUpdated = true; - } - - if(revokeRequest.getDelegateAdmin()) { // remove delegate? - if(policyItem.getDelegateAdmin()) { - policyItem.setDelegateAdmin(Boolean.FALSE); - policyUpdated = true; - } - } - } - } - - if(compactPolicy(policy)) { - policyUpdated = true; - } - } - if(policyUpdated) { svcStore.updatePolicy(policy); + } else { + LOG.error("processRevokeRequest processing failed"); + throw new Exception("processRevokeRequest processing failed"); } } else { // nothing to revoke! @@ -1139,6 +1033,72 @@ public class ServiceREST { return ret; } + /* + The verb for applyPolicy is POST as it could be partial update or a create + */ + + @POST + @Path("/policies/apply") + @Produces({ "application/json", "application/xml" }) + public RangerPolicy applyPolicy(RangerPolicy policy) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceREST.applyPolicy(" + policy + ")"); + } + + RangerPolicy ret = null; + + if (policy != null && StringUtils.isNotBlank(policy.getService())) { + + try { + RangerPolicyResourceSignature resourceSignature = new RangerPolicyResourceSignature(policy); + + List<RangerPolicy> existingPolicies = svcStore.getPoliciesByResourceSignature(policy.getService(), resourceSignature.getSignature(), true); + + if (CollectionUtils.isEmpty(existingPolicies)) { + + ret = createPolicy(policy); + + } else if (existingPolicies.size() == 1) { + + // Check if applied policy contains any conditions + if (ServiceRESTUtil.containsRangerCondition(policy)) { + LOG.error("Applied policy contains condition(s); not supported:" + policy); + throw new Exception("Applied policy contains condition(s); not supported:" + policy); + } + RangerPolicy existingPolicy = existingPolicies.get(0); + + // If existing policy-items contains conditions, then we add/remove specified accesses to + // existing policy-items as specified in applied policy, ignoring those conditions. + // New policy-items will have no conditions. + + boolean applyResult = ServiceRESTUtil.processApplyPolicy(existingPolicy, policy); + + if (applyResult) { + ret = updatePolicy(existingPolicy); + } else { + LOG.error("applyPolicy processing failed"); + throw new Exception("applyPolicy processing failed"); + } + + } else { + // there should be only one policy for the given resources + throw new Exception("Invalid state: multiple policies exists for resource " + policy.getResources()); + } + } catch (Exception exception) { + LOG.error("Failed to apply policy:", exception); + throw restErrorUtil.createRESTException(exception.getMessage()); + } + } else { + throw restErrorUtil.createRESTException("Non-existing service specified:" + policy == null ? null : policy.getService()); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceREST.applyPolicy(" + policy + ") : " + ret); + } + + return ret; + } + @PUT @Path("/policies/{id}") @Produces({ "application/json", "application/xml" }) @@ -1603,156 +1563,6 @@ public class ServiceREST { return ret; } - private boolean compactPolicy(RangerPolicy policy) { - boolean ret = false; - - List<?>[] policyItemsList = new List<?>[] { policy.getPolicyItems(), - policy.getDenyPolicyItems(), - policy.getAllowExceptions(), - policy.getDenyExceptions() - }; - - for(List<?> policyItemsObj : policyItemsList) { - @SuppressWarnings("unchecked") - List<RangerPolicyItem> policyItems = (List<RangerPolicyItem>)policyItemsObj; - - int numOfItems = policyItems.size(); - - for(int i = 0; i < numOfItems; i++) { - RangerPolicyItem policyItem = policyItems.get(i); - - // remove the policy item if 1) there are no users and groups OR 2) if there are no accessTypes and not a delegate-admin - if((CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) || - (CollectionUtils.isEmpty(policyItem.getAccesses()) && !policyItem.getDelegateAdmin())) { - policyItems.remove(i); - numOfItems--; - i--; - - ret = true; - } - } - } - - return ret; - } - - private RangerPolicyItem getPolicyItemForUser(RangerPolicy policy, String userName) { - RangerPolicyItem ret = null; - - for(RangerPolicyItem policyItem : policy.getPolicyItems()) { - if(policyItem.getUsers().size() != 1) { - continue; - } - - if(policyItem.getUsers().contains(userName)) { - ret = policyItem; - break; - } - } - - return ret; - } - - private RangerPolicyItem getPolicyItemForGroup(RangerPolicy policy, String groupName) { - RangerPolicyItem ret = null; - - for(RangerPolicyItem policyItem : policy.getPolicyItems()) { - if(policyItem.getGroups().size() != 1) { - continue; - } - - if(policyItem.getGroups().contains(groupName)) { - ret = policyItem; - break; - } - } - - return ret; - } - - private boolean addAccesses(RangerPolicyItem policyItem, Set<String> accessTypes) { - boolean ret = false; - - for(String accessType : accessTypes) { - RangerPolicyItemAccess policyItemAccess = null; - - for(RangerPolicyItemAccess itemAccess : policyItem.getAccesses()) { - if(StringUtils.equals(itemAccess.getType(), accessType)) { - policyItemAccess = itemAccess; - break; - } - } - - if(policyItemAccess != null) { - if(!policyItemAccess.getIsAllowed()) { - policyItemAccess.setIsAllowed(Boolean.TRUE); - ret = true; - } - } else { - policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); - ret = true; - } - } - - return ret; - } - - private boolean removeAccesses(RangerPolicyItem policyItem, Set<String> accessTypes) { - boolean ret = false; - - for(String accessType : accessTypes) { - int numOfItems = policyItem.getAccesses().size(); - - for(int i = 0; i < numOfItems; i++) { - RangerPolicyItemAccess itemAccess = policyItem.getAccesses().get(i); - - if(StringUtils.equals(itemAccess.getType(), accessType)) { - policyItem.getAccesses().remove(i); - numOfItems--; - i--; - - ret = true; - } - } - } - - return ret; - } - - private boolean removeUsersAndGroupsFromPolicy(RangerPolicy policy, Set<String> users, Set<String> groups) { - boolean policyUpdated = false; - - List<RangerPolicyItem> policyItems = policy.getPolicyItems(); - - int numOfItems = policyItems.size(); - - for(int i = 0; i < numOfItems; i++) { - RangerPolicyItem policyItem = policyItems.get(i); - - if(CollectionUtils.containsAny(policyItem.getUsers(), users)) { - policyItem.getUsers().removeAll(users); - - policyUpdated = true; - } - - if(CollectionUtils.containsAny(policyItem.getGroups(), groups)) { - policyItem.getGroups().removeAll(groups); - - policyUpdated = true; - } - - if(CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) { - policyItems.remove(i); - numOfItems--; - i--; - - policyUpdated = true; - } - } - - return policyUpdated; - } - @GET @Path("/policies/eventTime") @Produces({ "application/json", "application/xml" }) @@ -1969,7 +1779,7 @@ public class ServiceREST { options.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true); options.evaluateDelegateAdminOnly = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.evaluate.delegateadmin.only", true); - RangerPolicyEngineCache.getInstance().setPolicyEngineOptions(options);; + RangerPolicyEngineCache.getInstance().setPolicyEngineOptions(options); } RangerPolicyEngine ret = RangerPolicyEngineCache.getInstance().getPolicyEngine(serviceName, svcStore); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5423ee4f/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java new file mode 100644 index 0000000..7518363 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java @@ -0,0 +1,750 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.rest; + +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.lang.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.util.GrantRevokeRequest; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.TreeSet; + +public class ServiceRESTUtil { + private static final Log LOG = LogFactory.getLog(ServiceRESTUtil.class); + + private enum POLICYITEM_TYPE { + ALLOW, DENY, ALLOW_EXCEPTIONS, DENY_EXCEPTIONS + } + + static public boolean processGrantRequest(RangerPolicy policy, GrantRevokeRequest grantRequest) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceRESTUtil.processGrantRequest()"); + } + + boolean policyUpdated = false; + + // replace all existing privileges for users and groups + if (grantRequest.getReplaceExistingPermissions()) { + policyUpdated = removeUsersAndGroupsFromPolicy(policy, grantRequest.getUsers(), grantRequest.getGroups()); + } + + //Build a policy and set up policyItem in it to mimic grant request + RangerPolicy appliedPolicy = new RangerPolicy(); + + RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem(); + + policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); + policyItem.getUsers().addAll(grantRequest.getUsers()); + policyItem.getGroups().addAll(grantRequest.getGroups()); + + List<RangerPolicy.RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicy.RangerPolicyItemAccess>(); + + Set<String> accessTypes = grantRequest.getAccessTypes(); + for (String accessType : accessTypes) { + accesses.add(new RangerPolicy.RangerPolicyItemAccess(accessType, true)); + } + + policyItem.setAccesses(accesses); + + appliedPolicy.getPolicyItems().add(policyItem); + + policyUpdated = processApplyPolicy(policy, appliedPolicy) || policyUpdated; + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceRESTUtil.processGrantRequest() : " + policyUpdated); + } + + return policyUpdated; + } + + static public boolean processRevokeRequest(RangerPolicy policy, GrantRevokeRequest revokeRequest) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceRESTUtil.processRevokeRequest()"); + } + + boolean policyUpdated = false; + + // remove all existing privileges for users and groups + if (revokeRequest.getReplaceExistingPermissions()) { + policyUpdated = removeUsersAndGroupsFromPolicy(policy, revokeRequest.getUsers(), revokeRequest.getGroups()); + } else { + //Build a policy and set up policyItem in it to mimic revoke request + RangerPolicy appliedPolicy = new RangerPolicy(); + + RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem(); + + policyItem.setDelegateAdmin(revokeRequest.getDelegateAdmin()); + policyItem.getUsers().addAll(revokeRequest.getUsers()); + policyItem.getGroups().addAll(revokeRequest.getGroups()); + + List<RangerPolicy.RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicy.RangerPolicyItemAccess>(); + + Set<String> accessTypes = revokeRequest.getAccessTypes(); + for (String accessType : accessTypes) { + accesses.add(new RangerPolicy.RangerPolicyItemAccess(accessType, true)); + } + + policyItem.setAccesses(accesses); + + appliedPolicy.getDenyPolicyItems().add(policyItem); + + policyUpdated = processApplyPolicy(policy, appliedPolicy); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceRESTUtil.processRevokeRequest() : " + policyUpdated); + } + + return policyUpdated; + } + + static public boolean processApplyPolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceRESTUtil.processApplyPolicy()"); + } + + boolean ret = false; + + ret = processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW); + ret = ret && processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY); + ret = ret && processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS); + ret = ret && processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS); + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceRESTUtil.processApplyPolicy()"); + } + + return ret; + } + + static public boolean processApplyPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceRESTUtil.processApplyPolicyForItemType()"); + } + + boolean ret = false; + + List<RangerPolicy.RangerPolicyItem> appliedPolicyItems = null; + + switch (policyItemType) { + case ALLOW: + appliedPolicyItems = appliedPolicy.getPolicyItems(); + break; + case DENY: + appliedPolicyItems = appliedPolicy.getDenyPolicyItems(); + break; + case ALLOW_EXCEPTIONS: + appliedPolicyItems = appliedPolicy.getAllowExceptions(); + break; + case DENY_EXCEPTIONS: + appliedPolicyItems = appliedPolicy.getDenyExceptions(); + break; + default: + LOG.warn("Should not have come here.."); + return false; + } + + if (CollectionUtils.isNotEmpty(appliedPolicyItems)) { + + Set<String> users = new HashSet<String>(); + Set<String> groups = new HashSet<String>(); + + Map<String, RangerPolicy.RangerPolicyItem[]> userPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem[]>(); + Map<String, RangerPolicy.RangerPolicyItem[]> groupPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem[]>(); + + // Extract users and groups specified in appliedPolicy items + extractUsersAndGroups(appliedPolicyItems, users, groups); + + // Split existing policyItems for users and groups extracted from appliedPolicyItem into userPolicyItems and groupPolicyItems + splitExistingPolicyItems(existingPolicy, users, userPolicyItems, groups, groupPolicyItems); + + // Apply policyItems of given type in appliedPolicy to policyItems extracted from existingPolicy + applyPolicyItems(appliedPolicyItems, policyItemType, userPolicyItems, groupPolicyItems); + + // Add modified/new policyItems back to existing policy + mergeProcessedPolicyItems(existingPolicy, userPolicyItems, groupPolicyItems); + + ret = compactPolicy(existingPolicy); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceRESTUtil.processApplyPolicyForItemType()"); + } + + return ret; + } + + static private void extractUsersAndGroups(List<RangerPolicy.RangerPolicyItem> policyItems, Set<String> users, Set<String> groups) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceRESTUtil.extractUsersAndGroups()"); + } + if (CollectionUtils.isNotEmpty(policyItems)) { + for (RangerPolicy.RangerPolicyItem policyItem : policyItems) { + if (CollectionUtils.isNotEmpty(policyItem.getUsers())) { + users.addAll(policyItem.getUsers()); + } + if (CollectionUtils.isNotEmpty(policyItem.getGroups())) { + groups.addAll(policyItem.getGroups()); + } + } + } + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceRESTUtil.extractUsersAndGroups()"); + } + } + + static private void splitExistingPolicyItems(RangerPolicy existingPolicy, + Set<String> users, Map<String, RangerPolicy.RangerPolicyItem[]> userPolicyItems, Set<String> groups, + Map<String, RangerPolicy.RangerPolicyItem[]> groupPolicyItems) { + + if (existingPolicy == null + || users == null || userPolicyItems == null + || groups == null || groupPolicyItems == null) { + return; + } + + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceRESTUtil.splitExistingPolicyItems()"); + } + + List<RangerPolicy.RangerPolicyItem> allowItems = existingPolicy.getPolicyItems(); + List<RangerPolicy.RangerPolicyItem> denyItems = existingPolicy.getDenyPolicyItems(); + List<RangerPolicy.RangerPolicyItem> allowExceptionItems = existingPolicy.getAllowExceptions(); + List<RangerPolicy.RangerPolicyItem> denyExceptionItems = existingPolicy.getDenyExceptions(); + + for (String user : users) { + RangerPolicy.RangerPolicyItem value[] = userPolicyItems.get(user); + if (value == null) { + value = new RangerPolicy.RangerPolicyItem[4]; + userPolicyItems.put(user, value); + } + + RangerPolicy.RangerPolicyItem policyItem = null; + + policyItem = splitAndGetConsolidatedPolicyItemForUser(allowItems, user); + value[POLICYITEM_TYPE.ALLOW.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForUser(denyItems, user); + value[POLICYITEM_TYPE.DENY.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForUser(allowExceptionItems, user); + value[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForUser(denyExceptionItems, user); + value[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()] = policyItem; + } + + for (String group : groups) { + RangerPolicy.RangerPolicyItem value[] = groupPolicyItems.get(group); + if (value == null) { + value = new RangerPolicy.RangerPolicyItem[4]; + groupPolicyItems.put(group, value); + } + + RangerPolicy.RangerPolicyItem policyItem = null; + + policyItem = splitAndGetConsolidatedPolicyItemForGroup(allowItems, group); + value[POLICYITEM_TYPE.ALLOW.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForGroup(denyItems, group); + value[POLICYITEM_TYPE.DENY.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForGroup(allowExceptionItems, group); + value[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForGroup(denyExceptionItems, group); + value[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()] = policyItem; + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceRESTUtil.splitExistingPolicyItems()"); + } + } + + static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForUser(List<RangerPolicy.RangerPolicyItem> userPolicyItems, String user) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForUser()"); + } + + RangerPolicy.RangerPolicyItem ret = null; + + if (CollectionUtils.isNotEmpty(userPolicyItems)) { + + for (RangerPolicy.RangerPolicyItem policyItem : userPolicyItems) { + List<String> users = policyItem.getUsers(); + if (users.contains(user)) { + if (ret == null) { + ret = new RangerPolicy.RangerPolicyItem(); + } + ret.getUsers().add(user); + if (policyItem.getDelegateAdmin()) { + ret.setDelegateAdmin(Boolean.TRUE); + } + addAccesses(ret, policyItem.getAccesses()); + + // Remove this user/group from existingPolicyItem + users.remove(user); + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForUser()"); + } + + return ret; + } + + static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForGroup(List<RangerPolicy.RangerPolicyItem> groupPolicyItems, String group) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()"); + } + + RangerPolicy.RangerPolicyItem ret = null; + + if (CollectionUtils.isNotEmpty(groupPolicyItems)) { + + for (RangerPolicy.RangerPolicyItem policyItem : groupPolicyItems) { + List<String> groups = policyItem.getGroups(); + if (groups.contains(group)) { + if (ret == null) { + ret = new RangerPolicy.RangerPolicyItem(); + } + ret.getGroups().add(group); + if (policyItem.getDelegateAdmin()) { + ret.setDelegateAdmin(Boolean.TRUE); + } + addAccesses(ret, policyItem.getAccesses()); + + // Remove this user/group from existingPolicyItem + groups.remove(group); + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()"); + } + + return ret; + } + + static private void applyPolicyItems(List<RangerPolicy.RangerPolicyItem> appliedPolicyItems, POLICYITEM_TYPE policyItemType, Map<String, RangerPolicy.RangerPolicyItem[]> existingUserPolicyItems, + Map<String, RangerPolicy.RangerPolicyItem[]> existingGroupPolicyItems) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceRESTUtil.applyPolicyItems()"); + } + + for (RangerPolicy.RangerPolicyItem policyItem : appliedPolicyItems) { + List<String> users = policyItem.getUsers(); + for (String user : users) { + RangerPolicy.RangerPolicyItem[] items = existingUserPolicyItems.get(user); + + if (items == null) { + // Should not get here + LOG.warn("Should not have come here.."); + items = new RangerPolicy.RangerPolicyItem[4]; + existingUserPolicyItems.put(user, items); + } + + addPolicyItemForUser(items, policyItemType.ordinal(), user, policyItem); + + switch (policyItemType) { + case ALLOW: + removeAccesses(items[POLICYITEM_TYPE.DENY.ordinal()], policyItem.getAccesses()); + removeAccesses(items[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()], policyItem.getAccesses()); + addPolicyItemForUser(items, POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal(), user, policyItem); + break; + case DENY: + removeAccesses(items[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses()); + addPolicyItemForUser(items, POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal(), user, policyItem); + removeAccesses(items[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], policyItem.getAccesses()); + break; + case ALLOW_EXCEPTIONS: + removeAccesses(items[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses()); + break; + case DENY_EXCEPTIONS: + break; + default: + LOG.warn("Should not have come here.."); + break; + } + } + } + + for (RangerPolicy.RangerPolicyItem policyItem : appliedPolicyItems) { + List<String> groups = policyItem.getGroups(); + for (String group : groups) { + RangerPolicy.RangerPolicyItem[] items = existingGroupPolicyItems.get(group); + + if (items == null) { + // Should not get here + items = new RangerPolicy.RangerPolicyItem[4]; + existingGroupPolicyItems.put(group, items); + } + + addPolicyItemForGroup(items, policyItemType.ordinal(), group, policyItem); + + switch (policyItemType) { + case ALLOW: + removeAccesses(items[POLICYITEM_TYPE.DENY.ordinal()], policyItem.getAccesses()); + removeAccesses(items[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()], policyItem.getAccesses()); + addPolicyItemForGroup(items, POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal(), group, policyItem); + break; + case DENY: + removeAccesses(items[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses()); + addPolicyItemForGroup(items, POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal(), group, policyItem); + removeAccesses(items[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], policyItem.getAccesses()); + break; + case ALLOW_EXCEPTIONS: + removeAccesses(items[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses()); + break; + case DENY_EXCEPTIONS: + break; + default: + break; + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceRESTUtil.applyPolicyItems()"); + } + } + + static private void mergeProcessedPolicyItems(RangerPolicy existingPolicy, Map<String, RangerPolicy.RangerPolicyItem[]> userPolicyItems, + Map<String, RangerPolicy.RangerPolicyItem[]> groupPolicyItems) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceRESTUtil.mergeProcessedPolicyItems()"); + } + + for (Map.Entry<String, RangerPolicy.RangerPolicyItem[]> entry : userPolicyItems.entrySet()) { + RangerPolicy.RangerPolicyItem[] items = entry.getValue(); + + RangerPolicy.RangerPolicyItem item = null; + + item = items[POLICYITEM_TYPE.ALLOW.ordinal()]; + if (item != null) { + existingPolicy.getPolicyItems().add(item); + } + + item = items[POLICYITEM_TYPE.DENY.ordinal()]; + if (item != null) { + existingPolicy.getDenyPolicyItems().add(item); + } + + item = items[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()]; + if (item != null) { + existingPolicy.getAllowExceptions().add(item); + } + + item = items[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()]; + if (item != null) { + existingPolicy.getDenyExceptions().add(item); + } + } + + for (Map.Entry<String, RangerPolicy.RangerPolicyItem[]> entry : groupPolicyItems.entrySet()) { + RangerPolicy.RangerPolicyItem[] items = entry.getValue(); + + RangerPolicy.RangerPolicyItem item = null; + + item = items[POLICYITEM_TYPE.ALLOW.ordinal()]; + if (item != null) { + existingPolicy.getPolicyItems().add(item); + } + + item = items[POLICYITEM_TYPE.DENY.ordinal()]; + if (item != null) { + existingPolicy.getDenyPolicyItems().add(item); + } + + item = items[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()]; + if (item != null) { + existingPolicy.getAllowExceptions().add(item); + } + + item = items[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()]; + if (item != null) { + existingPolicy.getDenyExceptions().add(item); + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceRESTUtil.mergeProcessedPolicyItems()"); + } + } + + static private boolean addAccesses(RangerPolicy.RangerPolicyItem policyItem, List<RangerPolicy.RangerPolicyItemAccess> accesses) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceRESTUtil.addAccesses()"); + } + + boolean ret = false; + + for (RangerPolicy.RangerPolicyItemAccess access : accesses) { + RangerPolicy.RangerPolicyItemAccess policyItemAccess = null; + String accessType = access.getType(); + + for (RangerPolicy.RangerPolicyItemAccess itemAccess : policyItem.getAccesses()) { + if (StringUtils.equals(itemAccess.getType(), accessType)) { + policyItemAccess = itemAccess; + break; + } + } + + if (policyItemAccess != null) { + if (!policyItemAccess.getIsAllowed()) { + policyItemAccess.setIsAllowed(Boolean.TRUE); + ret = true; + } + } else { + policyItem.getAccesses().add(new RangerPolicy.RangerPolicyItemAccess(accessType, Boolean.TRUE)); + ret = true; + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceRESTUtil.addAccesses() " + ret); + } + return ret; + } + + static private boolean removeAccesses(RangerPolicy.RangerPolicyItem policyItem, List<RangerPolicy.RangerPolicyItemAccess> accesses) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceRESTUtil.removeAccesses()"); + } + + boolean ret = false; + + if (policyItem != null) { + for (RangerPolicy.RangerPolicyItemAccess access : accesses) { + String accessType = access.getType(); + + int numOfItems = policyItem.getAccesses().size(); + + for (int i = 0; i < numOfItems; i++) { + RangerPolicy.RangerPolicyItemAccess itemAccess = policyItem.getAccesses().get(i); + + if (StringUtils.equals(itemAccess.getType(), accessType)) { + policyItem.getAccesses().remove(i); + numOfItems--; + i--; + + ret = true; + } + } + } + } + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceRESTUtil.removeAccesses() " + ret); + } + return ret; + } + + static private boolean compactPolicy(RangerPolicy policy) { + boolean ret = true; // Always true for now + + List<?>[] policyItemsList = new List<?>[] { policy.getPolicyItems(), + policy.getDenyPolicyItems(), + policy.getAllowExceptions(), + policy.getDenyExceptions() + }; + + for(List<?> policyItemsObj : policyItemsList) { + @SuppressWarnings("unchecked") + List<RangerPolicy.RangerPolicyItem> policyItems = (List<RangerPolicy.RangerPolicyItem>)policyItemsObj; + + int numOfItems = policyItems.size(); + + for(int i = 0; i < numOfItems; i++) { + RangerPolicy.RangerPolicyItem policyItem = policyItems.get(i); + + // remove the policy item if 1) there are no users and groups OR 2) if there are no accessTypes and not a delegate-admin + if((CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) || + (CollectionUtils.isEmpty(policyItem.getAccesses()) && !policyItem.getDelegateAdmin())) { + policyItems.remove(i); + numOfItems--; + i--; + + ret = true; + } + } + } + + policy.setPolicyItems(mergePolicyItems(policy.getPolicyItems())); + policy.setDenyPolicyItems(mergePolicyItems(policy.getDenyPolicyItems())); + policy.setAllowExceptions(mergePolicyItems(policy.getAllowExceptions())); + policy.setDenyExceptions(mergePolicyItems(policy.getDenyExceptions())); + + return ret; + } + + static private List<RangerPolicy.RangerPolicyItem> mergePolicyItems(List<RangerPolicy.RangerPolicyItem> policyItems) { + List<RangerPolicy.RangerPolicyItem> ret = new ArrayList<RangerPolicy.RangerPolicyItem>(); + + if (CollectionUtils.isNotEmpty(policyItems)) { + Map<String, RangerPolicy.RangerPolicyItem> matchedPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem>(); + + for (RangerPolicy.RangerPolicyItem policyItem : policyItems) { + if (policyItem.getConditions().size() > 1) { + ret.add(policyItem); + continue; + } + TreeSet<String> accesses = new TreeSet<String>(); + + for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) { + accesses.add(access.getType()); + } + if (policyItem.getDelegateAdmin()) { + accesses.add("delegateAdmin"); + } + + StringBuilder allAccessesString = new StringBuilder(); + + for (String access = accesses.first(); access != null; access = accesses.higher(access)) { + allAccessesString.append(access); + } + + RangerPolicy.RangerPolicyItem matchingPolicyItem = matchedPolicyItems.get(allAccessesString.toString()); + + if (matchingPolicyItem != null) { + addDistinctItems(policyItem.getUsers(), matchingPolicyItem.getUsers()); + addDistinctItems(policyItem.getGroups(), matchingPolicyItem.getGroups()); + } else { + matchedPolicyItems.put(allAccessesString.toString(), policyItem); + } + } + + for (Map.Entry<String, RangerPolicy.RangerPolicyItem> entry : matchedPolicyItems.entrySet()) { + ret.add(entry.getValue()); + } + } + + return ret; + } + + static void addPolicyItemForUser(RangerPolicy.RangerPolicyItem[] items, int typeOfItems, String user, RangerPolicy.RangerPolicyItem policyItem) { + + if (items[typeOfItems] == null) { + RangerPolicy.RangerPolicyItem newItem = new RangerPolicy.RangerPolicyItem(); + newItem.getUsers().add(user); + + items[typeOfItems] = newItem; + } + + addAccesses(items[typeOfItems], policyItem.getAccesses()); + + if (policyItem.getDelegateAdmin()) { + items[typeOfItems].setDelegateAdmin(Boolean.TRUE); + } + } + + static void addPolicyItemForGroup(RangerPolicy.RangerPolicyItem[] items, int typeOfItems, String group, RangerPolicy.RangerPolicyItem policyItem) { + + if (items[typeOfItems] == null) { + RangerPolicy.RangerPolicyItem newItem = new RangerPolicy.RangerPolicyItem(); + newItem.getGroups().add(group); + + items[typeOfItems] = newItem; + } + + addAccesses(items[typeOfItems], policyItem.getAccesses()); + + if (policyItem.getDelegateAdmin()) { + items[typeOfItems].setDelegateAdmin(Boolean.TRUE); + } + } + + static private void addDistinctItems(List<String> fromItems, List<String> toItems) { + for (String fromItem : fromItems) { + if (! toItems.contains(fromItem)) { + toItems.add(fromItem); + } + } + } + + static private boolean removeUsersAndGroupsFromPolicy(RangerPolicy policy, Set<String> users, Set<String> groups) { + boolean policyUpdated = false; + + List<RangerPolicy.RangerPolicyItem> policyItems = policy.getPolicyItems(); + + int numOfItems = policyItems.size(); + + for(int i = 0; i < numOfItems; i++) { + RangerPolicy.RangerPolicyItem policyItem = policyItems.get(i); + + if(CollectionUtils.containsAny(policyItem.getUsers(), users)) { + policyItem.getUsers().removeAll(users); + + policyUpdated = true; + } + + if(CollectionUtils.containsAny(policyItem.getGroups(), groups)) { + policyItem.getGroups().removeAll(groups); + + policyUpdated = true; + } + + if(CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) { + policyItems.remove(i); + numOfItems--; + i--; + + policyUpdated = true; + } + } + + return policyUpdated; + } + + static boolean containsRangerCondition(RangerPolicy policy) { + boolean ret = false; + + if (LOG.isDebugEnabled()) { + LOG.debug("==> ServiceRESTUtil.containsRangerCondition(" + policy +")"); + } + + if (policy != null) { + List<RangerPolicy.RangerPolicyItem> allItems = new ArrayList<RangerPolicy.RangerPolicyItem>(); + + allItems.addAll(policy.getPolicyItems()); + allItems.addAll(policy.getDenyPolicyItems()); + allItems.addAll(policy.getAllowExceptions()); + allItems.addAll(policy.getDenyExceptions()); + + for (RangerPolicy.RangerPolicyItem policyItem : allItems) { + if (policyItem.getConditions().size() > 0) { + ret = true; + break; + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceRESTUtil.containsRangerCondition(" + policy +"): " + ret); + } + + return ret; + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5423ee4f/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java index 881eed9..2be9441 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java @@ -1088,4 +1088,337 @@ public class TestServiceREST { Assert.assertNotNull(dbVXResponse); Mockito.verify(serviceMgr).validateConfig(rangerService, svcStore); } + + @Test + public void test40applyPolicy() { + RangerPolicy existingPolicy = rangerPolicy(); + RangerPolicy appliedPolicy = rangerPolicy(); + + existingPolicy.setPolicyItems(null); + appliedPolicy.setPolicyItems(null); + + Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>(); + RangerPolicyResource rangerPolicyResource = new RangerPolicyResource("/tmp"); + rangerPolicyResource.setIsExcludes(true); + rangerPolicyResource.setIsRecursive(true); + policyResources.put("path", rangerPolicyResource); + + existingPolicy.setResources(policyResources); + appliedPolicy.setResources(policyResources); + + RangerPolicyItem rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("read", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("write", true)); + rangerPolicyItem.getGroups().add("group1"); + rangerPolicyItem.getGroups().add("group2"); + rangerPolicyItem.getUsers().add("user1"); + rangerPolicyItem.getUsers().add("user2"); + rangerPolicyItem.setDelegateAdmin(true); + + existingPolicy.getPolicyItems().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getGroups().add("group1"); + rangerPolicyItem.getGroups().add("public"); + rangerPolicyItem.getUsers().add("user1"); + rangerPolicyItem.getUsers().add("finance"); + rangerPolicyItem.setDelegateAdmin(false); + + appliedPolicy.getPolicyItems().add(rangerPolicyItem); + + String existingPolicyStr = existingPolicy.toString(); + System.out.println("existingPolicy=" + existingPolicyStr); + + ServiceRESTUtil.processApplyPolicy(existingPolicy, appliedPolicy); + + String resultPolicyStr = existingPolicy.toString(); + System.out.println("resultPolicy=" + resultPolicyStr); + + assert(true); + } + + @Test + public void test41applyPolicy() { + RangerPolicy existingPolicy = rangerPolicy(); + RangerPolicy appliedPolicy = rangerPolicy(); + + existingPolicy.setPolicyItems(null); + appliedPolicy.setPolicyItems(null); + + Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>(); + RangerPolicyResource rangerPolicyResource = new RangerPolicyResource("/tmp"); + rangerPolicyResource.setIsExcludes(true); + rangerPolicyResource.setIsRecursive(true); + policyResources.put("path", rangerPolicyResource); + + existingPolicy.setResources(policyResources); + appliedPolicy.setResources(policyResources); + + RangerPolicyItem rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("read", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("write", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("lock", true)); + rangerPolicyItem.getGroups().add("group1"); + rangerPolicyItem.getGroups().add("group2"); + rangerPolicyItem.getUsers().add("user1"); + rangerPolicyItem.getUsers().add("user2"); + rangerPolicyItem.setDelegateAdmin(true); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("read", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("write", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("lock", true)); + rangerPolicyItem.getGroups().add("group3"); + rangerPolicyItem.getUsers().add("user3"); + rangerPolicyItem.setDelegateAdmin(true); + + existingPolicy.getPolicyItems().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("lock", true)); + rangerPolicyItem.getGroups().add("group1"); + rangerPolicyItem.getGroups().add("group2"); + rangerPolicyItem.getUsers().add("user1"); + rangerPolicyItem.getUsers().add("user2"); + rangerPolicyItem.setDelegateAdmin(false); + + existingPolicy.getAllowExceptions().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getGroups().add("group2"); + rangerPolicyItem.getUsers().add("user2"); + rangerPolicyItem.setDelegateAdmin(false); + + existingPolicy.getDenyPolicyItems().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("index", true)); + rangerPolicyItem.getGroups().add("public"); + rangerPolicyItem.getUsers().add("user"); + rangerPolicyItem.setDelegateAdmin(false); + + existingPolicy.getDenyPolicyItems().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("index", true)); + + rangerPolicyItem.getGroups().add("group1"); + rangerPolicyItem.getUsers().add("user1"); + rangerPolicyItem.setDelegateAdmin(false); + + appliedPolicy.getPolicyItems().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + + rangerPolicyItem.getGroups().add("public"); + rangerPolicyItem.getUsers().add("user1"); + rangerPolicyItem.setDelegateAdmin(false); + + appliedPolicy.getDenyPolicyItems().add(rangerPolicyItem); + + String existingPolicyStr = existingPolicy.toString(); + System.out.println("existingPolicy=" + existingPolicyStr); + + ServiceRESTUtil.processApplyPolicy(existingPolicy, appliedPolicy); + + String resultPolicyStr = existingPolicy.toString(); + System.out.println("resultPolicy=" + resultPolicyStr); + + assert(true); + } + + @Test + public void test42grant() { + RangerPolicy existingPolicy = rangerPolicy(); + + existingPolicy.setPolicyItems(null); + + Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>(); + RangerPolicyResource rangerPolicyResource = new RangerPolicyResource("/tmp"); + rangerPolicyResource.setIsExcludes(true); + rangerPolicyResource.setIsRecursive(true); + policyResources.put("path", rangerPolicyResource); + + existingPolicy.setResources(policyResources); + + RangerPolicyItem rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("read", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("write", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("lock", true)); + rangerPolicyItem.getGroups().add("group1"); + rangerPolicyItem.getGroups().add("group2"); + rangerPolicyItem.getUsers().add("user1"); + rangerPolicyItem.getUsers().add("user2"); + rangerPolicyItem.setDelegateAdmin(true); + + existingPolicy.getPolicyItems().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("read", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("write", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("lock", true)); + rangerPolicyItem.getGroups().add("group3"); + rangerPolicyItem.getUsers().add("user3"); + rangerPolicyItem.setDelegateAdmin(true); + + existingPolicy.getPolicyItems().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("lock", true)); + rangerPolicyItem.getGroups().add("group1"); + rangerPolicyItem.getGroups().add("group2"); + rangerPolicyItem.getUsers().add("user1"); + rangerPolicyItem.getUsers().add("user2"); + rangerPolicyItem.setDelegateAdmin(false); + + existingPolicy.getAllowExceptions().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getGroups().add("group2"); + rangerPolicyItem.getUsers().add("user2"); + rangerPolicyItem.setDelegateAdmin(false); + + existingPolicy.getDenyPolicyItems().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("index", true)); + rangerPolicyItem.getGroups().add("public"); + rangerPolicyItem.getUsers().add("user"); + rangerPolicyItem.setDelegateAdmin(false); + + existingPolicy.getDenyPolicyItems().add(rangerPolicyItem); + + GrantRevokeRequest grantRequestObj = new GrantRevokeRequest(); + Map<String, String> resource = new HashMap<String, String>(); + resource.put("path", "/tmp"); + grantRequestObj.setResource(resource); + + grantRequestObj.getUsers().add("user1"); + grantRequestObj.getGroups().add("group1"); + + grantRequestObj.getAccessTypes().add("delete"); + grantRequestObj.getAccessTypes().add("index"); + + grantRequestObj.setDelegateAdmin(true); + + grantRequestObj.setEnableAudit(true); + grantRequestObj.setIsRecursive(true); + + grantRequestObj.setGrantor("test42Grant"); + + String existingPolicyStr = existingPolicy.toString(); + System.out.println("existingPolicy=" + existingPolicyStr); + + ServiceRESTUtil.processGrantRequest(existingPolicy, grantRequestObj); + + String resultPolicyStr = existingPolicy.toString(); + System.out.println("resultPolicy=" + resultPolicyStr); + + assert(true); + } + + @Test + public void test43revoke() { + RangerPolicy existingPolicy = rangerPolicy(); + + existingPolicy.setPolicyItems(null); + + Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>(); + RangerPolicyResource rangerPolicyResource = new RangerPolicyResource("/tmp"); + rangerPolicyResource.setIsExcludes(true); + rangerPolicyResource.setIsRecursive(true); + policyResources.put("path", rangerPolicyResource); + + existingPolicy.setResources(policyResources); + + RangerPolicyItem rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("read", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("write", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("lock", true)); + rangerPolicyItem.getGroups().add("group1"); + rangerPolicyItem.getGroups().add("group2"); + rangerPolicyItem.getUsers().add("user1"); + rangerPolicyItem.getUsers().add("user2"); + rangerPolicyItem.setDelegateAdmin(true); + + existingPolicy.getPolicyItems().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("read", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("write", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("lock", true)); + rangerPolicyItem.getGroups().add("group3"); + rangerPolicyItem.getUsers().add("user3"); + rangerPolicyItem.setDelegateAdmin(true); + + existingPolicy.getPolicyItems().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("lock", true)); + rangerPolicyItem.getGroups().add("group1"); + rangerPolicyItem.getGroups().add("group2"); + rangerPolicyItem.getUsers().add("user1"); + rangerPolicyItem.getUsers().add("user2"); + rangerPolicyItem.setDelegateAdmin(false); + + existingPolicy.getAllowExceptions().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("delete", true)); + rangerPolicyItem.getGroups().add("group2"); + rangerPolicyItem.getUsers().add("user2"); + rangerPolicyItem.setDelegateAdmin(false); + + existingPolicy.getDenyPolicyItems().add(rangerPolicyItem); + + rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.getAccesses().add(new RangerPolicyItemAccess("index", true)); + rangerPolicyItem.getGroups().add("public"); + rangerPolicyItem.getUsers().add("user"); + rangerPolicyItem.setDelegateAdmin(false); + + existingPolicy.getDenyPolicyItems().add(rangerPolicyItem); + + GrantRevokeRequest revokeRequestObj = new GrantRevokeRequest(); + Map<String, String> resource = new HashMap<String, String>(); + resource.put("path", "/tmp"); + revokeRequestObj.setResource(resource); + + revokeRequestObj.getUsers().add("user1"); + revokeRequestObj.getGroups().add("group1"); + + revokeRequestObj.getAccessTypes().add("delete"); + revokeRequestObj.getAccessTypes().add("index"); + + revokeRequestObj.setDelegateAdmin(true); + + revokeRequestObj.setEnableAudit(true); + revokeRequestObj.setIsRecursive(true); + + revokeRequestObj.setGrantor("test43Revoke"); + + String existingPolicyStr = existingPolicy.toString(); + System.out.println("existingPolicy=" + existingPolicyStr); + + ServiceRESTUtil.processRevokeRequest(existingPolicy, revokeRequestObj); + + String resultPolicyStr = existingPolicy.toString(); + System.out.println("resultPolicy=" + resultPolicyStr); + + assert(true); + } }
