Repository: incubator-ranger Updated Branches: refs/heads/master f06795e2e -> 46c2f94ab
RANGER-877: Exceptions in policies: allowExceptions should implicitly deny; denyExceptions should implicitly allow Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/46c2f94a Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/46c2f94a Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/46c2f94a Branch: refs/heads/master Commit: 46c2f94abd0b95b8b9da741b9cdb21a9422c009b Parents: f06795e Author: Madhan Neethiraj <[email protected]> Authored: Mon Mar 7 18:30:13 2016 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Wed Mar 9 13:47:12 2016 -0800 ---------------------------------------------------------------------- .../RangerDefaultPolicyEvaluator.java | 51 +++++++++++++++++--- .../test_policyengine_tag_hive.json | 4 +- .../test_policyengine_tag_hive_filebased.json | 8 +-- 3 files changed, 50 insertions(+), 13 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/46c2f94a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 50c8165..1fa8644 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -97,10 +97,10 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 resourceMatcher.init();
 if(policy != null) {
- allowEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, policy.getPolicyItems(), RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
- denyEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, policy.getDenyPolicyItems(), RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
- allowExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, policy.getAllowExceptions(), RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
- denyExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, policy.getDenyExceptions(), RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
+ allowEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
+ denyEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
+ allowExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
+ denyExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
 } else {
 allowEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
 denyEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
@@ -528,10 +528,31 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 return ret;
 }
- private List<RangerPolicyItemEvaluator> createPolicyItemEvaluators(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options, List<RangerPolicyItem> policyItems, int policyItemType) {
- List<RangerPolicyItemEvaluator> ret = null;
+ private List<RangerPolicyItemEvaluator> createPolicyItemEvaluators(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options, int policyItemType) {
+ List<RangerPolicyItemEvaluator> ret = null;
+ List<RangerPolicyItem> policyItems = null;
- if(CollectionUtils.isNotEmpty(policyItems) && isPolicyItemTypeEnabled(serviceDef, policyItemType)) {
+ if(isPolicyItemTypeEnabled(serviceDef, policyItemType)) {
+ if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW) {
+ policyItems = policy.getPolicyItems();
+
+ if (isPolicyItemTypeEnabled(serviceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS)) {
+ policyItems = mergeLists(policyItems, policy.getDenyExceptions());
+ }
+ } else if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) {
+ policyItems = policy.getDenyPolicyItems();
+
+ if (isPolicyItemTypeEnabled(serviceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS)) {
+ policyItems = mergeLists(policyItems, policy.getAllowExceptions());
+ }
+ } else if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS) {
+ policyItems = policy.getAllowExceptions();
+ } else if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS) {
+ policyItems = policy.getDenyExceptions();
+ }
+ }
+
+ if(CollectionUtils.isNotEmpty(policyItems)) {
 ret = new ArrayList<RangerPolicyItemEvaluator>();
 int policyItemCounter = 1;
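Review bot: createPolicyItemEvaluators now widens what the ALLOW and DENY evaluator lists mean — a deny-exception item is appended to the allow items and evaluated as an allow grant, so it can grant access even when no allow item covers the requester — and nothing in the code says so. A header comment such as `// RANGER-877: denyExceptions implicitly allow and allowExceptions implicitly deny, so they are folded into the ALLOW/DENY item lists and evaluated with that item type` would make the semantics visible where they are implemented rather than only in the commit title. The merged items also share the same `policyItemCounter` as the native items, so a deny-exception item that fires through the allow list presumably reports an allow-list position in whatever audit or debug output uses that counter; that attribution is worth confirming. The method body continues past the end of the hunk.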
@@ -641,4 +662,20 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 return ret;
 }
+
+ private <T> List<T> mergeLists(List<T> list1, List<T> list2) {
+ List<T> ret = null;
+
+ if(CollectionUtils.isEmpty(list1)) {
+ ret = list2;
+ } else if(CollectionUtils.isEmpty(list2)) {
+ ret = list1;
+ } else {
+ ret = new ArrayList<T>(list1);
+
+ ret.addAll(list2);
+ }
+
+ return ret;
+ }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/46c2f94a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json ----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
index 0893f44..9c9bc40 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
@@ -238,7 +238,7 @@
 "accessType":"select","user":"dataloader","userGroups":[],"requestData":"select ssn from employee.personal;' for dataloader",
 "context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", \"attributes\":{\"expiry_date\":\"2015/08/10\"}}]"}
 },
- "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ "result":{"isAudited":true,"isAllowed":true,"policyId":5}
 },
 {"name":"ALLOW 'select ssn from employee.personal;' for user1",
 "request":{
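Review bot: mergeLists hands back one of its arguments unchanged whenever the other is empty (`ret = list2;` / `ret = list1;`), so the value returned to createPolicyItemEvaluators may be the RangerPolicy's own getPolicyItems() or getDenyExceptions() list, while only the both-non-empty branch allocates a fresh ArrayList; any caller that later mutates the result would edit the policy object in place. Either document that, `// may return list1 or list2 itself; callers must not modify the result`, or copy in every branch. The method reads no instance state and could be declared `private static <T> List<T> mergeLists(List<T> list1, List<T> list2)`.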
@@ -303,7 +303,7 @@
 "accessType":"","user":"hive","userGroups":[],"requestData":"use default",
 "context": {"TAGS":"[{\"type\":\"PII-FINAL\", \"attributes\":{\"expiry\":\"2026/06/15\"}}]"}
 },
- "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
 },
 {"name":"DENY 'use default;' for user1",
 "request":{
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/46c2f94a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json ----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
index da00ea3..e9ee355 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
@@ -233,7 +233,7 @@
 "resource":{"elements":{"database":"employee", "table":"personal", "column":"emp-number"}},
 "accessType":"select","user":"dataloader","userGroups":[],"requestData":"select emp-number from employee.personal;' for dataloader"
 },
- "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ "result":{"isAudited":true,"isAllowed":true,"policyId":5}
 },
 {"name":"DENY 'select salary from employee.personal;' for user1 using EXPIRES_ON tag",
 "request":{
@@ -268,14 +268,14 @@
 "resource":{"elements":{"database":"default", "table":"table1", "column":"name"}},
 "accessType":"select","user":"hive","userGroups":[],"requestData":"select name from default.table1;' for hive"
 },
- "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
 },
 {"name":"ALLOW 'desc default.table1;' for hive using PII, PII-FINAL tags",
 "request":{
 "resource":{"elements":{"database":"default", "table":"table1"}},
 "accessType":"","user":"hive","userGroups":[],"requestData":"desc default.table1;' for hive"
 },
- "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
 },
 {"name":"DENY 'desc default.table2;' for user1 using PII-FINAL tag",
 "request":{
@@ -296,7 +296,7 @@
 "resource":{"elements":{"database":"default", "table":"table3", "column":"name"}},
 "accessType":"select","user":"hive","userGroups":[],"requestData":"select name from default.table3 for user hive"
 },
- "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
 }
 ]
