RANGER-699: updates per review comments and fixes
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/dddc4d42 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/dddc4d42 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/dddc4d42 Branch: refs/heads/master Commit: dddc4d42011adf28062853317908259e894964da Parents: 5423ee4 Author: Madhan Neethiraj <[email protected]> Authored: Fri Mar 4 02:22:48 2016 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Mon Mar 7 17:26:30 2016 -0800 ---------------------------------------------------------------------- .../plugin/policyengine/RangerPolicyEngine.java | 4 +- .../policyengine/RangerPolicyEngineImpl.java | 41 +++++- .../RangerDefaultPolicyEvaluator.java | 27 +++- .../policyevaluator/RangerPolicyEvaluator.java | 4 +- .../RangerDefaultPolicyResourceMatcher.java | 20 +-- .../RangerPolicyResourceMatcher.java | 4 +- .../RangerAbstractResourceMatcher.java | 6 +- .../resourcematcher/RangerResourceMatcher.java | 2 +- .../org/apache/ranger/rest/ServiceREST.java | 132 +++++++++++-------- .../org/apache/ranger/rest/ServiceRESTUtil.java | 106 +++++---------- 10 files changed, 189 insertions(+), 157 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index 29080b7..02ad9e9 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 
@@ -54,7 +54,9 @@ public interface RangerPolicyEngine { boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType); - RangerPolicy getExactMatchPolicy(RangerAccessResource resource); + List<RangerPolicy> getExactMatchPolicies(RangerAccessResource resource); + + List<RangerPolicy> getExactMatchPolicies(Map<String, RangerPolicyResource> resources); List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String accessType); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 1dd1e7b..92481f6 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
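Review bot: The two new `getExactMatchPolicies` declarations carry no Javadoc, so the "no match" contract (null or empty list) is left to the implementation, which in RangerPolicyEngineImpl returns `null`. The callers in ServiceREST guard with `CollectionUtils.isNotEmpty`, but a stated contract is what keeps future callers from dereferencing a null; suggest `/** Policies whose resource definition completely matches the given resource; null when none match. */` above each, or better, commit to an empty list. The `isCompleteMatch` overloads introduced in RangerPolicyEvaluator, RangerPolicyResourceMatcher and RangerResourceMatcher likewise have no line saying how a "complete" match differs from `isMatch` and `isExactHeadMatch`.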
@@ -338,23 +338,50 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } @Override - public RangerPolicy getExactMatchPolicy(RangerAccessResource resource) { + public List<RangerPolicy> getExactMatchPolicies(RangerAccessResource resource) { if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + ")"); + LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicies(" + resource + ")"); } - RangerPolicy ret = null; + List<RangerPolicy> ret = null; for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { - if (evaluator.isSingleAndExactMatch(resource)) { - ret = evaluator.getPolicy(); + if (evaluator.isCompleteMatch(resource)) { + if(ret == null) { + ret = new ArrayList<RangerPolicy>(); + } - break; + ret.add(evaluator.getPolicy()); + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicies(" + resource + "): " + ret); + } + + return ret; + } + + @Override + public List<RangerPolicy> getExactMatchPolicies(Map<String, RangerPolicyResource> resources) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicies(" + resources + ")"); + } + + List<RangerPolicy> ret = null; + + for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { + if (evaluator.isCompleteMatch(resources)) { + if(ret == null) { + ret = new ArrayList<RangerPolicy>(); + } + + ret.add(evaluator.getPolicy()); } } if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + "): " + ret); + LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicies(" + resources + "): " + ret); } return ret; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- 
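Review bot: Both `getExactMatchPolicies` overloads allocate the result lazily and return `null` when no evaluator matches, which pushes a null check onto every caller; initialising `List<RangerPolicy> ret = new ArrayList<RangerPolicy>();` and returning the possibly empty list is simpler and stays compatible with the `CollectionUtils.isNotEmpty` callers in ServiceREST. The two bodies are otherwise identical apart from which `isCompleteMatch` overload they call, so the duplication will grow with any further overload. Neither method documents that it walks every evaluator rather than stopping at the first match, which is the behavioural change from the removed `getExactMatchPolicy`.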
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 6171015..9394341 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 
@@ -283,19 +283,38 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } @Override - public boolean isSingleAndExactMatch(RangerAccessResource resource) { + public boolean isCompleteMatch(RangerAccessResource resource) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyEvaluator.isSingleAndExactMatch(" + resource + ")"); + LOG.debug("==> RangerDefaultPolicyEvaluator.isCompleteMatch(" + resource + ")"); } boolean ret = false; if(resourceMatcher != null) { - ret = resourceMatcher.isSingleAndExactMatch(resource); + ret = resourceMatcher.isCompleteMatch(resource); } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.isSingleAndExactMatch(" + resource + "): " + ret); + LOG.debug("<== RangerDefaultPolicyEvaluator.isCompleteMatch(" + resource + "): " + ret); + } + + return ret; + } + + @Override + public boolean isCompleteMatch(Map<String, RangerPolicyResource> resources) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerDefaultPolicyEvaluator.isCompleteMatch(" + resources + ")"); + } + + boolean ret = false; + + if(resourceMatcher != null) { + ret = resourceMatcher.isCompleteMatch(resources); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerDefaultPolicyEvaluator.isCompleteMatch(" + resources + "): " + ret); } return ret; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java index 9cb90f4..3f76755 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 
@@ -56,7 +56,9 @@ public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator> boolean isMatch(RangerAccessResource resource); - boolean isSingleAndExactMatch(RangerAccessResource resource); + boolean isCompleteMatch(RangerAccessResource resource); + + boolean isCompleteMatch(Map<String, RangerPolicyResource> resources); boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java index 7c547f6..4742850 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java @@ -267,9 +267,9 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM } @Override - public boolean isSingleAndExactMatch(RangerAccessResource resource) { + public boolean isCompleteMatch(RangerAccessResource resource) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyResourceMatcher.isSingleAndExactMatch(" + resource + ")"); + LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + ")"); } boolean ret = false; 
@@ -291,9 +291,9 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM RangerResourceMatcher matcher = matchers == null ? null : matchers.get(resourceName); if(StringUtils.isEmpty(resourceValue)) { - ret = matcher == null || matcher.isSingleAndExactMatch(resourceValue); + ret = matcher == null || matcher.isCompleteMatch(resourceValue); } else { - ret = matcher != null && matcher.isSingleAndExactMatch(resourceValue); + ret = matcher != null && matcher.isCompleteMatch(resourceValue); } if(! ret) { @@ -302,13 +302,13 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM } } else { if(LOG.isDebugEnabled()) { - LOG.debug("isSingleAndExactMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys); + LOG.debug("isCompleteMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys); } } } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyResourceMatcher.isSingleAndExactMatch(" + resource + "): " + ret); + LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + "): " + ret); } return ret; @@ -500,9 +500,9 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM } @Override - public boolean isExactMatch(Map<String, RangerPolicyResource> resources) { + public boolean isCompleteMatch(Map<String, RangerPolicyResource> resources) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyResourceMatcher.isExactMatch(" + resources + ")"); + LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ")"); } boolean ret = false; 
@@ -535,13 +535,13 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM } } else { if(LOG.isDebugEnabled()) { - LOG.debug("isExactMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys); + LOG.debug("isCompleteMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys); } } } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyResourceMatcher.isExactMatch(" + resources + "): " + ret); + LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + "): " + ret); } return ret; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java index bf46748..f743d55 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 
@@ -36,13 +36,13 @@ public interface RangerPolicyResourceMatcher { boolean isMatch(Map<String, RangerPolicyResource> resources); - boolean isSingleAndExactMatch(RangerAccessResource resource); + boolean isCompleteMatch(RangerAccessResource resource); boolean isHeadMatch(RangerAccessResource resource); boolean isExactHeadMatch(RangerAccessResource resource); - boolean isExactMatch(Map<String, RangerPolicyResource> resources); + boolean isCompleteMatch(Map<String, RangerPolicyResource> resources); StringBuilder toString(StringBuilder sb); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java index b97659f..5063eea 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java @@ -101,9 +101,9 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat } @Override - public boolean isSingleAndExactMatch(String resource) { + public boolean isCompleteMatch(String resource) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerAbstractResourceMatcher.isSingleAndExactMatch(" + resource + ")"); + LOG.debug("==> RangerAbstractResourceMatcher.isCompleteMatch(" + resource + ")"); } boolean ret = false; 
@@ -125,7 +125,7 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerAbstractResourceMatcher.isSingleAndExactMatch(" + resource + "): " + ret); + LOG.debug("<== RangerAbstractResourceMatcher.isCompleteMatch(" + resource + "): " + ret); } return ret; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java index 609d59d..e4d3ce5 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java @@ -31,5 +31,5 @@ public interface RangerResourceMatcher { boolean isMatch(String resource); - boolean isSingleAndExactMatch(String resource); + boolean isCompleteMatch(String resource); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 5e5d626..e1aef0b 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
@@ -66,18 +66,13 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; -import org.apache.ranger.plugin.model.RangerPolicyResourceSignature; import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.validation.RangerPolicyValidator; import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator; import org.apache.ranger.plugin.model.validation.RangerServiceValidator; import org.apache.ranger.plugin.model.validation.RangerValidator.Action; -import org.apache.ranger.plugin.policyengine.RangerAccessResource; -import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; -import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; -import org.apache.ranger.plugin.policyengine.RangerPolicyEngineCache; -import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; +import org.apache.ranger.plugin.policyengine.*; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.service.ResourceLookupContext; import org.apache.ranger.plugin.store.PList; 
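Review bot: The wildcard `import org.apache.ranger.plugin.policyengine.*;` replaces five explicit imports and is the only wildcard import in the visible block, hiding which types of that package the file now depends on. Suggest keeping the explicit imports and adding the one the new `getPolicyEngine` needs, `import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;`.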
@@ -839,15 +834,14 @@ public class ServiceREST { String userName = grantRequest.getGrantor(); Set<String> userGroups = userMgr.getGroupsForUser(userName); RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource()); - RangerPolicyEngine policyEngine = getPolicyEngine(serviceName); - - boolean isAdmin = hasAdminAccess(policyEngine, userName, userGroups, resource); + + boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource); if(!isAdmin) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true); } - RangerPolicy policy = getExactMatchPolicyForResource(policyEngine, resource); + RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource); if(policy != null) { boolean policyUpdated = false; @@ -932,18 +926,17 @@ public class ServiceREST { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName=" + serviceName + ")"); } - String userName = revokeRequest.getGrantor(); - Set<String> userGroups = userMgr.getGroupsForUser(userName); - RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource()); - RangerPolicyEngine policyEngine = getPolicyEngine(serviceName); + String userName = revokeRequest.getGrantor(); + Set<String> userGroups = userMgr.getGroupsForUser(userName); + RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource()); - boolean isAdmin = hasAdminAccess(policyEngine, userName, userGroups, resource); + boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource); if(!isAdmin) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true); } - RangerPolicy policy = getExactMatchPolicyForResource(policyEngine, resource); + RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource); if(policy != null) { boolean policyUpdated = false; 
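Review bot: The authorization check and the policy lookup in grantAccess now consult two different engines: `hasAdminAccess(serviceName, userName, userGroups, resource)` resolves through `getDelegatedAdminPolicyEngine`, which the @@ -1767 hunk shows consulting `RangerPolicyEngineCache` (the rest of its body is outside that hunk), while `getExactMatchPolicyForResource(serviceName, resource)` builds a fresh engine from the store. If the cached engine lags the store, a grantor whose delegate-admin rights were just revoked could still pass the check while the modification is applied against current policies; worth confirming how that cache is refreshed, or resolving both from the same engine. The same split applies to revokeAccess in the @@ -932 hunk.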
@@ -1048,42 +1041,24 @@ public class ServiceREST { RangerPolicy ret = null; if (policy != null && StringUtils.isNotBlank(policy.getService())) { - try { - RangerPolicyResourceSignature resourceSignature = new RangerPolicyResourceSignature(policy); - - List<RangerPolicy> existingPolicies = svcStore.getPoliciesByResourceSignature(policy.getService(), resourceSignature.getSignature(), true); + // Check if applied policy contains any conditions + if (ServiceRESTUtil.containsRangerCondition(policy)) { + LOG.error("Applied policy contains condition(s); not supported:" + policy); + throw new Exception("Applied policy contains condition(s); not supported:" + policy); + } - if (CollectionUtils.isEmpty(existingPolicies)) { + RangerPolicy existingPolicy = getExactMatchPolicyForResource(policy.getService(), policy.getResources()); + if (existingPolicy == null) { ret = createPolicy(policy); - - } else if (existingPolicies.size() == 1) { - - // Check if applied policy contains any conditions - if (ServiceRESTUtil.containsRangerCondition(policy)) { - LOG.error("Applied policy contains condition(s); not supported:" + policy); - throw new Exception("Applied policy contains condition(s); not supported:" + policy); - } - RangerPolicy existingPolicy = existingPolicies.get(0); - - // If existing policy-items contains conditions, then we add/remove specified accesses to - // existing policy-items as specified in applied policy, ignoring those conditions. - // New policy-items will have no conditions. 
- - boolean applyResult = ServiceRESTUtil.processApplyPolicy(existingPolicy, policy); - - if (applyResult) { - ret = updatePolicy(existingPolicy); - } else { - LOG.error("applyPolicy processing failed"); - throw new Exception("applyPolicy processing failed"); - } - } else { - // there should be only one policy for the given resources - throw new Exception("Invalid state: multiple policies exists for resource " + policy.getResources()); + ServiceRESTUtil.processApplyPolicy(existingPolicy, policy); + + ret = updatePolicy(existingPolicy); } + } catch(WebApplicationException excp) { + throw excp; } catch (Exception exception) { LOG.error("Failed to apply policy:", exception); throw restErrorUtil.createRESTException(exception.getMessage()); @@ -1544,16 +1519,18 @@ public class ServiceREST { } } - private RangerPolicy getExactMatchPolicyForResource(RangerPolicyEngine policyEngine, RangerAccessResource resource) throws Exception { + private RangerPolicy getExactMatchPolicyForResource(String serviceName, RangerAccessResource resource) throws Exception { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resource + ")"); } - RangerPolicy ret = policyEngine != null ? policyEngine.getExactMatchPolicy(resource) : null; + RangerPolicy ret = null; + RangerPolicyEngine policyEngine = getPolicyEngine(serviceName); + List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(resource) : null; - if(ret != null) { + if(CollectionUtils.isNotEmpty(policies)) { // at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store - ret = svcStore.getPolicy(ret.getId()); + ret = svcStore.getPolicy(policies.get(0).getId()); } if(LOG.isDebugEnabled()) { 
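Review bot: The old `existingPolicies.size() == 1` branch and its "multiple policies exists for resource" exception are gone, and the replacement `getExactMatchPolicyForResource(policy.getService(), policy.getResources())` (the @@ -1544 and @@ -1563 hunks) silently takes `policies.get(0)` when the engine returns several complete matches, so which policy receives the applied items depends on evaluator ordering. Suggest at least surfacing the ambiguity in that helper, `if(policies.size() > 1) { LOG.warn("getExactMatchPolicyForResource(): " + policies.size() + " policies match; using the first"); }`, or keep the previous invalid-state exception. The hunk also removes `try {` while both `catch` blocks remain as context; presumably the try is opened earlier, but applyPolicy starts and ends outside the hunk so that cannot be confirmed here.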
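Review bot: The comment `// at this point, ret is a policy in policy-engine; ...` no longer matches the code beneath it: `ret` is still `null` on that line and the engine-owned object is `policies.get(0)`. Suggest `// policies.get(0) is the engine's own instance; callers may modify the result (grant/revoke), so fetch a fresh copy from the store`. The same stale comment is copied verbatim into the new overload in the @@ -1563 hunk.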
@@ -1563,6 +1540,27 @@ public class ServiceREST { return ret; } + private RangerPolicy getExactMatchPolicyForResource(String serviceName, Map<String, RangerPolicyResource> resources) throws Exception { + if(LOG.isDebugEnabled()) { + LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resources + ")"); + } + + RangerPolicy ret = null; + RangerPolicyEngine policyEngine = getPolicyEngine(serviceName); + List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(resources) : null; + + if(CollectionUtils.isNotEmpty(policies)) { + // at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store + ret = svcStore.getPolicy(policies.get(0).getId()); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== ServiceREST.getExactMatchPolicyForResource(" + resources + "): " + ret); + } + + return ret; + } + @GET @Path("/policies/eventTime") @Produces({ "application/json", "application/xml" }) @@ -1683,7 +1681,7 @@ public class ServiceREST { continue; } - RangerPolicyEngine policyEngine = getPolicyEngine(serviceName); + RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName); if (policyEngine != null) { if(userGroups == null) { @@ -1714,12 +1712,12 @@ public class ServiceREST { if(!isAdmin && !isKeyAdmin) { boolean isAllowed = false; - RangerPolicyEngine policyEngine = getPolicyEngine(serviceName); + RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName); if (policyEngine != null) { Set<String> userGroups = userMgr.getGroupsForUser(userName); - isAllowed = hasAdminAccess(policyEngine, userName, userGroups, resources); + isAllowed = hasAdminAccess(serviceName, userName, userGroups, resources); } if (!isAllowed) { 
@@ -1747,9 +1745,11 @@ public class ServiceREST { } } - private boolean hasAdminAccess(RangerPolicyEngine policyEngine, String userName, Set<String> userGroups, Map<String, RangerPolicyResource> resources) { + private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups, Map<String, RangerPolicyResource> resources) { boolean isAllowed = false; + RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName); + if(policyEngine != null) { isAllowed = policyEngine.isAccessAllowed(resources, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS); } @@ -1757,9 +1757,11 @@ public class ServiceREST { return isAllowed; } - private boolean hasAdminAccess(RangerPolicyEngine policyEngine, String userName, Set<String> userGroups, RangerAccessResource resource) { + private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups, RangerAccessResource resource) { boolean isAllowed = false; + RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName); + if(policyEngine != null) { isAllowed = policyEngine.isAccessAllowed(resource, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS); } @@ -1767,7 +1769,7 @@ public class ServiceREST { return isAllowed; } - private RangerPolicyEngine getPolicyEngine(String serviceName) { + private RangerPolicyEngine getDelegatedAdminPolicyEngine(String serviceName) { if(RangerPolicyEngineCache.getInstance().getPolicyEngineOptions() == null) { RangerPolicyEngineOptions options = new RangerPolicyEngineOptions(); 
@@ -1787,6 +1789,24 @@ public class ServiceREST { return ret; } + private RangerPolicyEngine getPolicyEngine(String serviceName) throws Exception { + RangerPolicyEngineOptions options = new RangerPolicyEngineOptions(); + + String propertyPrefix = "ranger.admin"; + + options.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED; + options.cacheAuditResults = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", false); + options.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true); + options.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true); + options.evaluateDelegateAdminOnly = false; + + ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, -1L); + + RangerPolicyEngine ret = new RangerPolicyEngineImpl("ranger-admin", policies, options); + + return ret; + } + @GET @Path("/checksso") @Produces(MediaType.TEXT_PLAIN) http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java index 7518363..dcae9b4 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java @@ -27,7 +27,6 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.util.GrantRevokeRequest; import java.util.ArrayList; -import java.util.Collection; import java.util.HashMap; import java.util.HashSet; import java.util.List; 
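Review bot: `getPolicyEngine` constructs a new `RangerPolicyEngineImpl` from `svcStore.getServicePoliciesIfUpdated(serviceName, -1L)` on every call, so each grant, revoke and applyPolicy request reloads and re-indexes the service's entire policy set, a per-request cost that grows with policy count on an admin-facing endpoint. If an uncached view is deliberate so the exact-match lookup sees the latest store contents, that intent should be stated, e.g. `// built per call, uncached: the exact-match lookup must reflect the current store, not the delegated-admin cache`; otherwise consider reusing the cached engine path. The `"ranger.admin" + ".policyengine.option.*"` keys would also be safer as shared constants if the delegated-admin path reads the same properties (its body is outside the hunk).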
@@ -74,7 +73,9 @@ public class ServiceRESTUtil { appliedPolicy.getPolicyItems().add(policyItem); - policyUpdated = processApplyPolicy(policy, appliedPolicy) || policyUpdated; + processApplyPolicy(policy, appliedPolicy); + + policyUpdated = true; if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.processGrantRequest() : " + policyUpdated); @@ -114,7 +115,9 @@ public class ServiceRESTUtil { appliedPolicy.getDenyPolicyItems().add(policyItem); - policyUpdated = processApplyPolicy(policy, appliedPolicy); + processApplyPolicy(policy, appliedPolicy); + + policyUpdated = true; } if (LOG.isDebugEnabled()) { 
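Review bot: `policyUpdated = true;` is now assigned unconditionally after `processApplyPolicy(policy, appliedPolicy)`, so on this path the method reports an update even when the applied items changed nothing; since `processApplyPolicy` no longer returns anything, the return value's meaning rests on code outside the hunk. If callers always persist after a grant, a comment such as `// processApplyPolicy does not report whether anything changed; the policy is always persisted` would make that explicit. The same unconditional assignment appears in the @@ -114 hunk.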
@@ -124,32 +127,26 @@ public class ServiceRESTUtil { return policyUpdated; } - static public boolean processApplyPolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) { + static public void processApplyPolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.processApplyPolicy()"); } - boolean ret = false; - - ret = processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW); - ret = ret && processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY); - ret = ret && processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS); - ret = ret && processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS); + processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW); + processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY); + processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS); + processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS); if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.processApplyPolicy()"); } - - return ret; } - static public boolean processApplyPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) { + static private void processApplyPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.processApplyPolicyForItemType()"); } - boolean ret = false; - List<RangerPolicy.RangerPolicyItem> appliedPolicyItems = null; switch (policyItemType) { 
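Review bot: The rewritten signatures use the modifier order `static public void processApplyPolicy(...)` and `static private void processApplyPolicyForItemType(...)`, the reverse of the conventional `public static void` / `private static void`; since both lines are being changed anyway this is the moment to fix it. `processApplyPolicy` is now a public void that mutates `existingPolicy` in place (via mergeProcessedPolicyItems and compactPolicy), which nothing but the debug log hints at; a one-line Javadoc, `/** Merges the allow, deny and exception items of appliedPolicy into existingPolicy in place. */`, would state the contract.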
@@ -166,8 +163,7 @@ public class ServiceRESTUtil { appliedPolicyItems = appliedPolicy.getDenyExceptions(); break; default: - LOG.warn("Should not have come here.."); - return false; + LOG.warn("processApplyPolicyForItemType(): invalid policyItemType=" + policyItemType); } if (CollectionUtils.isNotEmpty(appliedPolicyItems)) { @@ -190,14 +186,12 @@ public class ServiceRESTUtil { // Add modified/new policyItems back to existing policy mergeProcessedPolicyItems(existingPolicy, userPolicyItems, groupPolicyItems); - ret = compactPolicy(existingPolicy); + compactPolicy(existingPolicy); } if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.processApplyPolicyForItemType()"); } - - return ret; } static private void extractUsersAndGroups(List<RangerPolicy.RangerPolicyItem> policyItems, Set<String> users, Set<String> groups) { @@ -281,16 +275,15 @@ public class ServiceRESTUtil { } } - static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForUser(List<RangerPolicy.RangerPolicyItem> userPolicyItems, String user) { + static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForUser(List<RangerPolicy.RangerPolicyItem> policyItems, String user) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForUser()"); } RangerPolicy.RangerPolicyItem ret = null; - if (CollectionUtils.isNotEmpty(userPolicyItems)) { - - for (RangerPolicy.RangerPolicyItem policyItem : userPolicyItems) { + if (CollectionUtils.isNotEmpty(policyItems)) { + for (RangerPolicy.RangerPolicyItem policyItem : policyItems) { List<String> users = policyItem.getUsers(); if (users.contains(user)) { if (ret == null) { @@ -302,7 +295,7 @@ public class ServiceRESTUtil { } addAccesses(ret, policyItem.getAccesses()); - // Remove this user/group from existingPolicyItem + // Remove this user from existingPolicyItem users.remove(user); } } 
@@ -315,16 +308,15 @@ public class ServiceRESTUtil { return ret; } - static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForGroup(List<RangerPolicy.RangerPolicyItem> groupPolicyItems, String group) { + static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForGroup(List<RangerPolicy.RangerPolicyItem> policyItems, String group) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()"); } RangerPolicy.RangerPolicyItem ret = null; - if (CollectionUtils.isNotEmpty(groupPolicyItems)) { - - for (RangerPolicy.RangerPolicyItem policyItem : groupPolicyItems) { + if (CollectionUtils.isNotEmpty(policyItems)) { + for (RangerPolicy.RangerPolicyItem policyItem : policyItems) { List<String> groups = policyItem.getGroups(); if (groups.contains(group)) { if (ret == null) { @@ -336,7 +328,7 @@ public class ServiceRESTUtil { } addAccesses(ret, policyItem.getAccesses()); - // Remove this user/group from existingPolicyItem + // Remove this group from existingPolicyItem groups.remove(group); } } @@ -541,14 +533,14 @@ public class ServiceRESTUtil { for (RangerPolicy.RangerPolicyItemAccess access : accesses) { String accessType = access.getType(); - int numOfItems = policyItem.getAccesses().size(); + int numOfAccesses = policyItem.getAccesses().size(); - for (int i = 0; i < numOfItems; i++) { + for (int i = 0; i < numOfAccesses; i++) { RangerPolicy.RangerPolicyItemAccess itemAccess = policyItem.getAccesses().get(i); if (StringUtils.equals(itemAccess.getType(), accessType)) { policyItem.getAccesses().remove(i); - numOfItems--; + numOfAccesses--; i--; ret = true; 
@@ -562,42 +554,11 @@ public class ServiceRESTUtil {
  return ret;
  }
 
- static private boolean compactPolicy(RangerPolicy policy) {
- boolean ret = true; // Always true for now
-
- List<?>[] policyItemsList = new List<?>[] { policy.getPolicyItems(),
- policy.getDenyPolicyItems(),
- policy.getAllowExceptions(),
- policy.getDenyExceptions()
- };
-
- for(List<?> policyItemsObj : policyItemsList) {
- @SuppressWarnings("unchecked")
- List<RangerPolicy.RangerPolicyItem> policyItems = (List<RangerPolicy.RangerPolicyItem>)policyItemsObj;
-
- int numOfItems = policyItems.size();
-
- for(int i = 0; i < numOfItems; i++) {
- RangerPolicy.RangerPolicyItem policyItem = policyItems.get(i);
-
- // remove the policy item if 1) there are no users and groups OR 2) if there are no accessTypes and not a delegate-admin
- if((CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) ||
- (CollectionUtils.isEmpty(policyItem.getAccesses()) && !policyItem.getDelegateAdmin())) {
- policyItems.remove(i);
- numOfItems--;
- i--;
-
- ret = true;
- }
- }
- }
-
+ static private void compactPolicy(RangerPolicy policy) {
  policy.setPolicyItems(mergePolicyItems(policy.getPolicyItems()));
  policy.setDenyPolicyItems(mergePolicyItems(policy.getDenyPolicyItems()));
  policy.setAllowExceptions(mergePolicyItems(policy.getAllowExceptions()));
  policy.setDenyExceptions(mergePolicyItems(policy.getDenyExceptions()));
-
- return ret;
  }
 
  static private List<RangerPolicy.RangerPolicyItem> mergePolicyItems(List<RangerPolicy.RangerPolicyItem> policyItems) {
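Review bot: `compactPolicy` now has no comment saying what "compact" means, and the removal of empty items (no users and groups, or no accesses and not delegate-admin) that used to be visible here has moved into `mergePolicyItems` (`@@ -607`), so a reader of this method can no longer tell that items are dropped as well as merged. A Javadoc such as `/** Drops empty policy items and merges items with identical access sets in each of the four item lists of {@code policy}; the lists are replaced through the setters rather than edited in place. */` would make that contract explicit. Whether a null item list is tolerated depends on the first lines of `mergePolicyItems`, which are outside the hunk; the removed code would have thrown on null too, so this is not a regression.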
@@ -607,6 +568,11 @@ public class ServiceRESTUtil {
  Map<String, RangerPolicy.RangerPolicyItem> matchedPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem>();
 
  for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
+ if((CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) ||
+ (CollectionUtils.isEmpty(policyItem.getAccesses()) && !policyItem.getDelegateAdmin())) {
+ continue;
+ }
+
  if (policyItem.getConditions().size() > 1) {
  ret.add(policyItem);
  continue;
@@ -620,19 +586,15 @@ public class ServiceRESTUtil {
  accesses.add("delegateAdmin");
  }
 
- StringBuilder allAccessesString = new StringBuilder();
-
- for (String access = accesses.first(); access != null; access = accesses.higher(access)) {
- allAccessesString.append(access);
- }
+ String allAccessesString = accesses.toString();
 
- RangerPolicy.RangerPolicyItem matchingPolicyItem = matchedPolicyItems.get(allAccessesString.toString());
+ RangerPolicy.RangerPolicyItem matchingPolicyItem = matchedPolicyItems.get(allAccessesString);
 
  if (matchingPolicyItem != null) {
  addDistinctItems(policyItem.getUsers(), matchingPolicyItem.getUsers());
  addDistinctItems(policyItem.getGroups(), matchingPolicyItem.getGroups());
  } else {
- matchedPolicyItems.put(allAccessesString.toString(), policyItem);
+ matchedPolicyItems.put(allAccessesString, policyItem);
  }
  }
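Review bot: The filter added in `@@ -607` carries no comment, while the line that explained the same predicate in the old `compactPolicy` (`// remove the policy item if 1) there are no users and groups OR 2) if there are no accessTypes and not a delegate-admin`) was dropped with it; putting that comment back above the `if`, or extracting the predicate into a small `isEmptyPolicyItem(RangerPolicy.RangerPolicyItem)` helper, keeps the rule discoverable. `!policyItem.getDelegateAdmin()` also unboxes the getter's result; if it returns a boxed `Boolean` that can be null on a client-supplied policy (its declaration is not visible here), `!Boolean.TRUE.equals(policyItem.getDelegateAdmin())` avoids the NPE, although the removed code had the same exposure. The enclosing method `mergePolicyItems` starts outside the hunk.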
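Review bot: `accesses.toString()` in `@@ -620` is now the merge key and nothing records why that is canonical: it works because `accesses` appears to be a sorted set (the removed `first()`/`higher()` loop implies a `NavigableSet`, its declaration is outside the hunk), so equal access sets render identically, and the `, ` separator also removes the old key's ambiguity where plain concatenation could make two different sets collide (a constructed example: `"ab"+"c"` and `"a"+"bc"`). A comment such as `// sorted set gives a deterministic "[a, b, delegateAdmin]" key; the separator keeps distinct sets from colliding` above the assignment would preserve that reasoning. The enclosing method starts outside the hunk.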
