Repository: incubator-ranger Updated Branches: refs/heads/master dddc4d420 -> 3620842ae
RANGER-874: deny and exceptions in policy items made optional - policy model updates Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/3620842a Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/3620842a Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/3620842a Branch: refs/heads/master Commit: 3620842ae3841ed14bb1b00d5fbd802ae84d2f39 Parents: dddc4d4 Author: Madhan Neethiraj <[email protected]> Authored: Mon Mar 7 16:12:49 2016 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Mon Mar 7 17:38:19 2016 -0800
----------------------------------------------------------------------
.../ranger/plugin/model/RangerServiceDef.java | 2 + .../RangerDefaultPolicyEvaluator.java | 15 +++++- .../ranger/plugin/util/ServiceDefUtil.java | 56 ++++++++++++++++++++ ...test_policyengine_hive_mutex_conditions.json | 3 ++ .../test_policyengine_tag_hdfs.json | 3 ++ 5 files changed, 78 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3620842a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
index f6c2624..f66839e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
@@ -43,6 +43,8 @@ import org.codehaus.jackson.map.annotate.JsonSerialize;
 public class RangerServiceDef extends RangerBaseModelObject implements java.io.Serializable {
 private static final long serialVersionUID = 1L;
+ public static final String OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES = "enableDenyAndExceptionsInPolicies";
+
 private String name = null;
 private String implClass = null;
 private String label = null;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3620842a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 9394341..50c8165 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -45,6 +45,7 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
+import org.apache.ranger.plugin.util.ServiceDefUtil;
 public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator {
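Review bot: The new `OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES` constant in the RangerServiceDef hunk carries no Javadoc, so a reader of the model class cannot tell what value the option expects or what happens when it is absent. The consumer added in the same commit, `ServiceDefUtil.getOption_enableDenyAndExceptionsInPolicies`, parses the value with `Boolean.valueOf`, so only the string `true` enables it, and it falls back to `true` only for the embedded tag service-def. I would record that on the constant: `/** Service-def option key; the value "true" enables deny and exception policy items for services of this type. When absent, the option is treated as enabled only for the tag service-def (see ServiceDefUtil). */`.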
@@ -530,7 +531,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 private List<RangerPolicyItemEvaluator> createPolicyItemEvaluators(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options, List<RangerPolicyItem> policyItems, int policyItemType) {
 List<RangerPolicyItemEvaluator> ret = null;
- if(CollectionUtils.isNotEmpty(policyItems)) {
+ if(CollectionUtils.isNotEmpty(policyItems) && isPolicyItemTypeEnabled(serviceDef, policyItemType)) {
 ret = new ArrayList<RangerPolicyItemEvaluator>();
 int policyItemCounter = 1;
@@ -553,6 +554,18 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 return ret;
 }
+ private boolean isPolicyItemTypeEnabled(RangerServiceDef serviceDef, int policyItemType) {
+ boolean ret = true;
+
+ if(policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY ||
+ policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS ||
+ policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS) {
+ ret = ServiceDefUtil.getOption_enableDenyAndExceptionsInPolicies(serviceDef);
+ }
+
+ return ret;
+ }
+
 private RangerPolicyItemEvaluator getMatchingPolicyItem(RangerAccessRequest request, List<RangerPolicyItemEvaluator> evaluators, List<RangerPolicyItemEvaluator> exceptionEvaluators) {
 if(LOG.isDebugEnabled()) {
 LOG.debug("==> RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + request + ")");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3620842a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
new file mode 100644
index 0000000..90242da
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
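Review bot: With the changed condition in `createPolicyItemEvaluators`, the deny, allow-exception and deny-exception items of a policy are discarded silently whenever `isPolicyItemTypeEnabled` returns false, so a policy whose author wrote deny rules is enforced as allow-only and nothing in the logs records that downgrade. `LOG` is already used in this class (the debug call in the `getMatchingPolicyItem` context of the second hunk), so an `else` branch on this `if` can make the drop visible, for example `if(CollectionUtils.isNotEmpty(policyItems)) { LOG.warn("policy " + policy.getId() + ": ignoring " + policyItems.size() + " policy item(s) of type " + policyItemType + " because " + RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES + " is not enabled for its service-def"); }`. `isPolicyItemTypeEnabled` also returns false when `serviceDef` is null (ServiceDefUtil returns false for a null service-def), so the message should not dereference `serviceDef`. The `if` block opened here closes outside the hunk, so the `else` would be placed there.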
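Review bot: `isPolicyItemTypeEnabled` in the second hunk of this file has no comment explaining its asymmetry: allow items, and any `policyItemType` value other than the three compared, are always enabled, while deny and the two exception types are gated on the service-def option, and a null `serviceDef` gates them off because `ServiceDefUtil.getOption_enableDenyAndExceptionsInPolicies` returns false for null. A one-line Javadoc would spare the next reader the trip through `ServiceDefUtil`: `/** Allow items are always evaluated; deny and exception items only when the service-def enables OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES (false when serviceDef is null). */`. As a matter of style, the three `==` comparisons read more naturally as a single `switch` on `policyItemType`.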
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.plugin.util;
+
+ import org.apache.commons.collections.MapUtils;
+ import org.apache.commons.lang.StringUtils;
+ import org.apache.ranger.plugin.model.RangerServiceDef;
+ import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+
+ import java.util.Map;
+
+ public class ServiceDefUtil {
+
+ public static boolean getOption_enableDenyAndExceptionsInPolicies(RangerServiceDef serviceDef) {
+ boolean ret = false;
+
+ if(serviceDef != null) {
+ boolean defaultValue = StringUtils.equalsIgnoreCase(serviceDef.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME);
+
+ ret = ServiceDefUtil.getBooleanValue(serviceDef.getOptions(), RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES, defaultValue);
+ }
+
+ return ret;
+ }
+
+ private static boolean getBooleanValue(Map<String, String> map, String elementName, boolean defaultValue) {
+ boolean ret = defaultValue;
+
+ if(MapUtils.isNotEmpty(map) && map.containsKey(elementName)) {
+ String elementValue = map.get(elementName);
+
+ if(StringUtils.isNotEmpty(elementValue)) {
+ ret = Boolean.valueOf(elementValue.toString());
+ }
+ }
+
+ return ret;
+ }
+}
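Review bot: In `getBooleanValue`, `Boolean.valueOf` yields true only for a case-insensitive `true`, so an option value such as `"true "` or `"yes"` silently evaluates to false, and for this particular option a false result means the deny and exception items of every policy of that service are no longer enforced, which is the wrong direction to fail in quietly. At minimum the value should be trimmed before parsing, and the `toString()` on what is already a `String` dropped: `String elementValue = StringUtils.trim(map.get(elementName));` followed by `ret = Boolean.valueOf(elementValue);`. The `map.containsKey(elementName)` test is redundant with the `isNotEmpty` check on the result of `map.get`. The public `getOption_enableDenyAndExceptionsInPolicies` also deserves a Javadoc stating that the default is true only when the service-def name equals `EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME` and false otherwise, including for a null service-def, since callers decide enforcement on it. Rejecting values other than true/false when the service-def is saved would be better still, but that validation lives outside this class.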
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3620842a/agents-common/src/test/resources/policyengine/test_policyengine_hive_mutex_conditions.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hive_mutex_conditions.json b/agents-common/src/test/resources/policyengine/test_policyengine_hive_mutex_conditions.json
index 4de74ad..36e11f3 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hive_mutex_conditions.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive_mutex_conditions.json
@@ -20,6 +20,9 @@
 {"name":"lock","label":"Lock"},
 {"name":"all","label":"All"}
 ],
+ "options": {
+ "enableDenyAndExceptionsInPolicies":"true"
+ },
 "policyConditions":[
 {
 "itemId":1,
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3620842a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json
index 15fd4cd..6c9b966 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json
@@ -6,6 +6,9 @@
 "resources":[
 {"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Resource Path","description":"HDFS file or directory path"}
 ],
+ "options": {
+ "enableDenyAndExceptionsInPolicies":"true"
+ },
 "accessTypes":[
 {"name":"read","label":"Read"},
 {"name":"write","label":"Write"},
