RANGER-844: commit id c20a0d1ad1995c404c0d32e85f820397226ea882 Signed-off-by: Madhan Neethiraj <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/9e49cc68 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/9e49cc68 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/9e49cc68 Branch: refs/heads/ranger-0.5 Commit: 9e49cc688ac4a9bf23d40ff3c8abf29adba322e6 Parents: d3a2964 Author: Abhay Kulkarni <[email protected]> Authored: Mon Feb 1 12:07:41 2016 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Sun Mar 20 11:18:22 2016 -0700 ---------------------------------------------------------------------- .../policyengine/RangerPolicyEngineImpl.java | 7 +- .../policyengine/RangerPolicyEngineOptions.java | 1 + .../policyengine/RangerPolicyRepository.java | 63 ++------- .../org/apache/ranger/biz/ServiceDBStore.java | 78 +++++++---- .../common/RangerServicePoliciesCache.java | 37 +++--- .../apache/ranger/common/UserSessionBase.java | 1 + .../org/apache/ranger/db/XXGroupUserDao.java | 22 ++++ .../org/apache/ranger/rest/ServiceREST.java | 129 ++++++++++++------- .../resources/META-INF/jpa_named_queries.xml | 10 +- .../src/main/webapp/WEB-INF/log4j.xml | 4 +- 10 files changed, 203 insertions(+), 149 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 55ae785..1cfdc4f 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
@@ -47,7 +47,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { private static final Log PERF_POLICYENGINE_AUDIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.audit"); private static final Log PERF_CONTEXTENRICHER_REQUEST_LOG = RangerPerfTracer.getPerfLogger("contextenricher.request"); - private static final int MAX_POLICIES_FOR_CACHE_TYPE_EVALUATOR = 500; + private static final int MAX_POLICIES_FOR_CACHE_TYPE_EVALUATOR = 100; private final RangerPolicyRepository policyRepository; @@ -279,12 +279,13 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")"); } + boolean ret = false; + RangerPerfTracer perf = null; if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + ",accessType=" + accessType + ")"); + perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + "," + userGroups + ",accessType=" + accessType + ")"); } - boolean ret = false; for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java index 3289661..7cacfa8 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java 
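Review bot: `MAX_POLICIES_FOR_CACHE_TYPE_EVALUATOR` drops from 500 to 100 with nothing recording what the threshold switches or why the new value was picked; the constant's use site is outside the hunk, so the reason is not recoverable from the diff. A short comment stating which evaluator is chosen on either side of the threshold would save the next person tuning it, e.g. `// policy count above which the cached evaluator type is not used; lowered from 500 after perf measurements` — adjust to the real reason. Given this change also adds options to RangerPolicyEngineOptions, making this limit configurable there instead of a hard-coded constant would be consistent.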
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java @@ -27,4 +27,5 @@ public class RangerPolicyEngineOptions { public boolean cacheAuditResults = true; public boolean disableContextEnrichers = false; public boolean disableCustomConditions = false; + public boolean evaluateDelegateAdminOnly = false; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java index 595c324..f522cfb 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java @@ -81,7 +81,7 @@ public class RangerPolicyRepository { List<RangerPolicyEvaluator> policyEvaluators = new ArrayList<RangerPolicyEvaluator>(); for (RangerPolicy policy : servicePolicies.getPolicies()) { - if (!policy.getIsEnabled()) { + if (skipBuildingPolicyEvaluator(policy, options)) { continue; } 
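Review bot: The new public field `evaluateDelegateAdminOnly` has no comment, and `RangerPolicyEngineOptions` is the place callers look to learn what an option does. Add above it: `// when true, only policies carrying a delegate-admin grant are loaded; the engine then serves admin-access checks only and denies every other access type`. The `false` default here is the safe choice for plugins; the admin server overrides it elsewhere in this change, which the comment should mention.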
@@ -95,6 +95,17 @@ public class RangerPolicyRepository { Collections.sort(policyEvaluators); this.policyEvaluators = Collections.unmodifiableList(policyEvaluators); + if(LOG.isDebugEnabled()) { + LOG.debug("policy evaluation order: " + this.policyEvaluators.size() + " policies"); + + int order = 0; + for(RangerPolicyEvaluator policyEvaluator : this.policyEvaluators) { + RangerPolicy policy = policyEvaluator.getPolicy(); + + LOG.debug("policy evaluation order: #" + (++order) + " - policy id=" + policy.getId() + "; name=" + policy.getName() + "; evalOrder=" + policyEvaluator.getEvalOrder()); + } + } + String propertyName = "ranger.plugin." + serviceName + ".policyengine.auditcachesize"; if(options.cacheAuditResults) { 
@@ -157,58 +168,12 @@ public class RangerPolicyRepository { boolean ret = false; if (!policy.getIsEnabled()) { ret = true; + } else if (options.evaluateDelegateAdminOnly && !isDelegateAdminPolicy(policy)) { + ret = true; } return ret; } - private void init(RangerPolicyEngineOptions options) { - - List<RangerPolicyEvaluator> policyEvaluators = new ArrayList<RangerPolicyEvaluator>(); - - for (RangerPolicy policy : policies) { - if (skipBuildingPolicyEvaluator(policy, options)) { - continue; - } - - RangerPolicyEvaluator evaluator = buildPolicyEvaluator(policy, serviceDef, options); - - if (evaluator != null) { - policyEvaluators.add(evaluator); - } - } - Collections.sort(policyEvaluators); - this.policyEvaluators = Collections.unmodifiableList(policyEvaluators); - - List<RangerContextEnricher> contextEnrichers = new ArrayList<RangerContextEnricher>(); - if (CollectionUtils.isNotEmpty(this.policyEvaluators)) { - if (!options.disableContextEnrichers && !CollectionUtils.isEmpty(serviceDef.getContextEnrichers())) { - for (RangerServiceDef.RangerContextEnricherDef enricherDef : serviceDef.getContextEnrichers()) { - if (enricherDef == null) { - continue; - } - - RangerContextEnricher contextEnricher = buildContextEnricher(enricherDef); - - if (contextEnricher != null) { - contextEnrichers.add(contextEnricher); - } - } - } - } - this.contextEnrichers = Collections.unmodifiableList(contextEnrichers); - - if(LOG.isDebugEnabled()) { - LOG.debug("policy evaluation order: " + this.policyEvaluators.size() + " policies"); - - int order = 0; - for(RangerPolicyEvaluator policyEvaluator : this.policyEvaluators) { - RangerPolicy policy = policyEvaluator.getPolicy(); - - LOG.debug("policy evaluation order: #" + (++order) + " - policy id=" + policy.getId() + "; name=" + policy.getName() + "; evalOrder=" + policyEvaluator.getEvalOrder()); - } - } - } - private RangerContextEnricher buildContextEnricher(RangerServiceDef.RangerContextEnricherDef enricherDef) { if(LOG.isDebugEnabled()) { 
LOG.debug("==> RangerPolicyRepository.buildContextEnricher(" + enricherDef + ")"); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 6774170..1720063 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -1549,31 +1549,15 @@ public class ServiceDBStore implements ServiceStore { if (service == null) { throw new Exception("service does not exist - id='" + serviceId); } - RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr); - List<RangerPolicy> ret = policyRetriever.getServicePolicies(service); - if(filter != null) { - predicateUtil.applyFilter(ret, filter); - } - return ret; - } - private List<RangerPolicy> getServicePolicies(XXService service) throws Exception { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceDBStore.getServicePolicies(" + service.getName() + ")"); - } - - RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr); - - List<RangerPolicy> ret = policyRetriever.getServicePolicies(service); + List<RangerPolicy> ret = getServicePolicies(service, filter); if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceDBStore.getServicePolicies(" + service.getName() + "): count=" + ((ret == null) ? 0 : ret.size())); + LOG.debug("<== ServiceDBStore.getServicePolicies(" + serviceId + ") : policy-count=" + (ret == null ? 0 : ret.size())); } - return ret; } - public RangerPolicyList getPaginatedServicePolicies(Long serviceId, SearchFilter filter) throws Exception { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceDBStore.getPaginatedServicePolicies(" + serviceId + ")"); 
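Review bot: With `options.evaluateDelegateAdminOnly` set, `skipBuildingPolicyEvaluator` drops every policy for which `isDelegateAdminPolicy` is false, so an engine built from this repository answers false for ordinary access types as well as for resources that only non-delegate-admin policies cover — nothing in the repository records that restriction. `isDelegateAdminPolicy` is not in the hunk, so I cannot tell whether it also checks that the delegate-admin policy item itself is enabled; worth confirming. I would add above the new branch: `// engine built for delegate-admin checks only: all other policies are dropped, so any non-admin access type is denied`. The method's signature is above the hunk.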
@@ -1598,18 +1582,62 @@ public class ServiceDBStore implements ServiceStore { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceDBStore.getServicePolicies(" + serviceName + ")"); } + + List<RangerPolicy> ret = null; + XXService service = daoMgr.getXXService().findByName(serviceName); if (service == null) { throw new Exception("service does not exist - name='" + serviceName); } - RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr); - List<RangerPolicy> ret = policyRetriever.getServicePolicies(service); - if(filter != null) { + + ret = getServicePolicies(service, filter); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== ServiceDBStore.getServicePolicies(" + serviceName + "): count=" + ((ret == null) ? 0 : ret.size())); + } + + return ret; + } + + private List<RangerPolicy> getServicePolicies(XXService service, SearchFilter filter) throws Exception { + if(LOG.isDebugEnabled()) { + LOG.debug("==> ServiceDBStore.getServicePolicies()"); + } + + if (service == null) { + throw new Exception("service does not exist"); + } + + List<RangerPolicy> ret = null; + + ServicePolicies servicePolicies = RangerServicePoliciesCache.getInstance().getServicePolicies(service.getName(), this); + List<RangerPolicy> policies = servicePolicies != null ? servicePolicies.getPolicies() : null; + + if(policies != null && filter != null) { + ret = new ArrayList<RangerPolicy>(policies); predicateUtil.applyFilter(ret, filter); + } else { + ret = policies; } if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceDBStore.getServicePolicies(" + serviceName + "): count=" + ((ret == null) ? 0 : ret.size())); + LOG.debug("<== ServiceDBStore.getServicePolicies(): count=" + ((ret == null) ? 
0 : ret.size())); + } + + return ret; + } + + private List<RangerPolicy> getServicePoliciesFromDb(XXService service) throws Exception { + if(LOG.isDebugEnabled()) { + LOG.debug("==> ServiceDBStore.getServicePoliciesFromDb(" + service.getName() + ")"); + } + + RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr); + + List<RangerPolicy> ret = policyRetriever.getServicePolicies(service); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== ServiceDBStore.getServicePoliciesFromDb(" + service.getName() + "): count=" + ((ret == null) ? 0 : ret.size())); } return ret; @@ -1688,7 +1716,7 @@ public class ServiceDBStore implements ServiceStore { XXService serviceDbObj = daoMgr.getXXService().findByName(serviceName); - if(serviceDbObj == null) { + if (serviceDbObj == null) { throw new Exception("service does not exist. name=" + serviceName); } @@ -1701,7 +1729,7 @@ public class ServiceDBStore implements ServiceStore { if (serviceDbObj.getIsenabled()) { - policies = getServicePolicies(serviceDbObj); + policies = getServicePoliciesFromDb(serviceDbObj); } else { policies = new ArrayList<RangerPolicy>(); @@ -1773,7 +1801,7 @@ public class ServiceDBStore implements ServiceStore { } Map<String, RangerPolicyResource> createDefaultPolicyResource(List<RangerResourceDef> resourceHierarchy) throws Exception { - Map<String, RangerPolicyResource> resourceMap = new HashMap<>(); + Map<String, RangerPolicyResource> resourceMap = new HashMap<String, RangerPolicyResource>(); for (RangerResourceDef resourceDef : resourceHierarchy) { RangerPolicyResource polRes = new RangerPolicyResource(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java ---------------------------------------------------------------------- 
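Review bot: In the new `getServicePolicies(XXService, SearchFilter)`, the `else` branch hands the caller the list object held inside the shared `RangerServicePoliciesCache` entry (`ret = policies`), so any in-place mutation by a caller — sorting, removal, field edits — alters the copy later served to every plugin download; copy on both paths, `ret = policies != null ? new ArrayList<RangerPolicy>(policies) : null;`. The filtered branch already copies before `applyFilter`, so only that one line needs changing. Note also that the cached objects are the ones RangerServicePoliciesCache nulls createdBy/updatedBy/updateTime/guid/description on, so the admin REST listing that now reads through this method will no longer return those fields unless that nulling happens on a separate download-only copy — verify.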
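Review bot: `getServicePoliciesFromDb` is only called when `serviceDbObj.getIsenabled()` is true; a disabled service gets an empty list in the cache, and since `ServiceDBStore.getServicePolicies(serviceName)` / `(serviceId)` now read from that same cache, the admin listing for a disabled service comes back empty even though its policies still exist in the DB. Before this change the listing went straight to `RangerPolicyRetriever`, so this is a UI-visible behaviour change if the cache-fed path is the only one. If the empty list is intended only for plugin downloads, the REST path should fall back to `getServicePoliciesFromDb(service)` when `service.getIsenabled()` is false. The enclosing method starts above the hunk.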
diff --git a/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java b/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java index 6c8cbff..f6c599e 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java +++ b/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java @@ -36,6 +36,8 @@ import java.util.concurrent.locks.ReentrantLock; public class RangerServicePoliciesCache { private static final Log LOG = LogFactory.getLog(RangerServicePoliciesCache.class); + private static final int MAX_WAIT_TIME_FOR_UPDATE = 10; + private static volatile RangerServicePoliciesCache sInstance = null; private final boolean useServicePoliciesCache; private final int waitTimeInSeconds; @@ -55,7 +57,7 @@ public class RangerServicePoliciesCache { private RangerServicePoliciesCache() { useServicePoliciesCache = RangerConfiguration.getInstance().getBoolean("ranger.admin.policy.download.usecache", true); - waitTimeInSeconds = RangerConfiguration.getInstance().getInt("ranger.admin.policy.download.cache.max.waittime.for.update", 20); + waitTimeInSeconds = RangerConfiguration.getInstance().getInt("ranger.admin.policy.download.cache.max.waittime.for.update", MAX_WAIT_TIME_FOR_UPDATE); } public void dump() { @@ -97,7 +99,7 @@ public class RangerServicePoliciesCache { return ret; } - public ServicePolicies getServicePolicies(String serviceName, ServiceStore serviceStore) { + public ServicePolicies getServicePolicies(String serviceName, ServiceStore serviceStore) throws Exception { if (LOG.isDebugEnabled()) { LOG.debug("==> RangerServicePoliciesCache.getServicePolicies(" + serviceName + ")"); 
@@ -137,7 +139,10 @@ public class RangerServicePoliciesCache { if (serviceStore != null) { boolean refreshed = servicePoliciesWrapper.getLatestOrCached(serviceName, serviceStore); - LOG.info("tryRefreshFromStore returned " + refreshed); + + if(LOG.isDebugEnabled()) { + LOG.debug("getLatestOrCached returned " + refreshed); + } } else { LOG.error("getServicePolicies(" + serviceName + "): failed to get latest policies as service-store is null!"); } @@ -181,7 +186,7 @@ public class RangerServicePoliciesCache { return longestDbLoadTimeInMs; } - boolean getLatestOrCached(String serviceName, ServiceStore serviceStore) { + boolean getLatestOrCached(String serviceName, ServiceStore serviceStore) throws Exception { boolean ret = false; try { @@ -190,7 +195,7 @@ public class RangerServicePoliciesCache { getLatest(serviceName, serviceStore); } } catch (InterruptedException exception) { - LOG.error("tryRefreshFromStore:lock got interrupted..", exception); + LOG.error("getLatestOrCached:lock got interrupted..", exception); } finally { if (ret) { lock.unlock(); @@ -200,7 +205,7 @@ public class RangerServicePoliciesCache { return ret; } - void getLatest(String serviceName, ServiceStore serviceStore) { + void getLatest(String serviceName, ServiceStore serviceStore) throws Exception { if (LOG.isDebugEnabled()) { LOG.debug("==> ServicePoliciesWrapper.getLatest(" + serviceName + ")"); 
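Review bot: The `catch (InterruptedException exception)` in `getLatestOrCached` only gets a new log text here, but it still swallows the interrupt: `ret` stays false so the caller silently falls back to the cached copy, and the thread's interrupt status is lost. Add `Thread.currentThread().interrupt();` inside the catch so a shutdown or cancelled request is not discarded while waiting on the policy lock. The method now declares `throws Exception`; a narrower type would let callers distinguish a store failure from a lock timeout, but the callers are outside this hunk.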
@@ -218,22 +223,16 @@ public class RangerServicePoliciesCache { LOG.debug("loading servicePolicies from db ... cachedServicePoliciesVersion=" + (servicePolicies != null ? servicePolicies.getPolicyVersion() : null) + ", servicePolicyVersionInDb=" + servicePolicyVersionInDb); } - ServicePolicies servicePoliciesFromDb = null; + long startTimeMs = System.currentTimeMillis(); - try { - long startTimeMs = System.currentTimeMillis(); + ServicePolicies servicePoliciesFromDb = serviceStore.getServicePolicies(serviceName); - servicePoliciesFromDb = serviceStore.getServicePolicies(serviceName); + long dbLoadTime = System.currentTimeMillis() - startTimeMs; - long dbLoadTime = System.currentTimeMillis() - startTimeMs; - - if (dbLoadTime > longestDbLoadTimeInMs) { - longestDbLoadTimeInMs = dbLoadTime; - } - updateTime = new Date(); - } catch (Exception exception) { - LOG.error("getServicePolicies(" + serviceName + "): failed to get latest policies from service-store", exception); + if (dbLoadTime > longestDbLoadTimeInMs) { + longestDbLoadTimeInMs = dbLoadTime; } + updateTime = new Date(); if (servicePoliciesFromDb != null) { if (servicePoliciesFromDb.getPolicyVersion() == null) { @@ -265,7 +264,7 @@ public class RangerServicePoliciesCache { policy.setUpdatedBy(null); policy.setUpdateTime(null); policy.setGuid(null); - policy.setName(null); + // policy.setName(null); /* this is used by GUI in policy list page */ policy.setDescription(null); policy.setResourceSignature(null); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java index 175459c..ce865cf 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java 
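Review bot: Removing the try/catch around `serviceStore.getServicePolicies(serviceName)` changes the failure mode: a DB error no longer leaves the previously cached `ServicePolicies` in place but propagates out of `getLatest` (the lock is still released in `getLatestOrCached`'s `finally`, so no deadlock). Whether callers then fail closed or return an empty policy set depends on `RangerServicePoliciesCache.getServicePolicies`, which is outside this hunk; state the intent on the new line, `// let store failures propagate: a failed load must not be reported as "no policies"`. The enclosing `getLatest` starts above the hunk.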
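Review bot: `// policy.setName(null); /* this is used by GUI in policy list page */` leaves commented-out code in place; delete the line and keep the reason as a comment beside the remaining `set...(null)` calls. The surrounding loop still nulls createdBy, updatedBy, updateTime, guid, description and resourceSignature on the cached objects, and since this commit makes ServiceDBStore.getServicePolicies read from this cache, those fields now vanish from the admin listing the same way name would have. If the nulling is meant to trim the plugin download only, apply it to a copy handed to the download path rather than to the cached instances. The enclosing method starts above the hunk.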
+++ b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java @@ -22,6 +22,7 @@ import java.io.Serializable; import java.util.ArrayList; import java.util.List; +import java.util.Set; import java.util.concurrent.CopyOnWriteArraySet; import org.apache.ranger.entity.XXAuthSession; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java index ffc3c32..b437656 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java @@ -21,7 +21,9 @@ import java.util.ArrayList; +import java.util.HashSet; import java.util.List; +import java.util.Set; import javax.persistence.NoResultException; @@ -81,6 +83,26 @@ public class XXGroupUserDao extends BaseDao<XXGroupUser> { return null; } + public Set<String> findGroupNamesByUserName(String userName) { + List<String> groupList = null; + + if (userName != null) { + try { + groupList = getEntityManager().createNamedQuery("XXGroupUser.findGroupNamesByUserName", String.class).setParameter("userName", userName).getResultList(); + } catch (NoResultException e) { + logger.debug(e.getMessage()); + } + } else { + logger.debug("UserId not provided."); + } + + if(groupList != null) { + return new HashSet<String>(groupList); + } + + return new HashSet<String>(); + } + public List<XXGroupUser> findByGroupId(Long groupId) { if (groupId == null) { return new ArrayList<XXGroupUser>(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- 
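Review bot: In `findGroupNamesByUserName`, the `catch (NoResultException e)` is dead: per the JPA contract `getResultList()` returns an empty list and only `getSingleResult()` throws `NoResultException`, so the branch never runs and hides nothing. The `else` log says `"UserId not provided."` although the parameter is a user name. I would drop the catch, change the message to `"userName not provided."`, and keep the never-null result as `return groupList == null ? new HashSet<String>() : new HashSet<String>(groupList);`. Binding `:userName` through the named query is fine; no string-built JPQL here.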
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 40628bb..a6187ba 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -405,6 +405,8 @@ public class ServiceREST { throw restErrorUtil.createRESTException(excp.getMessage()); } + RangerPerfTracer.log(perf); + if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceREST.getServiceDefs(): count=" + (ret == null ? 0 : ret.getListSize())); } @@ -782,7 +784,11 @@ public class ServiceREST { } try { - ret = serviceMgr.lookupResource(serviceName,context, svcStore); + + if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.lookupResource(serviceName=" + serviceName + ")"); + } + ret = serviceMgr.lookupResource(serviceName, context, svcStore); } catch(WebApplicationException excp) { throw excp; } catch(Throwable excp) { @@ -974,7 +980,7 @@ public class ServiceREST { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName=" + serviceName + ")"); } - if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) { + if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) { try { String userName = revokeRequest.getGrantor(); @@ -1274,7 +1280,7 @@ public class ServiceREST { filter.setMaxRows(savedMaxRows); } - applyAdminAccessFilter(policies); + policies = applyAdminAccessFilter(policies); ret = toRangerPolicyList(policies, filter); } @@ -1310,7 +1316,7 @@ public class ServiceREST { try { ret = svcStore.getPolicies(filter); - applyAdminAccessFilter(ret); + ret = applyAdminAccessFilter(ret); } catch(WebApplicationException excp) { throw excp; } catch(Throwable excp) { 
@@ -1346,7 +1352,7 @@ public class ServiceREST { try { List<RangerPolicy> policies = getPolicies(request).getPolicies(); - applyAdminAccessFilter(policies); + policies = applyAdminAccessFilter(policies); ret = new Long(policies == null ? 0 : policies.size()); } catch(WebApplicationException excp) { @@ -1402,7 +1408,7 @@ public class ServiceREST { filter.setMaxRows(savedMaxRows); } - applyAdminAccessFilter(servicePolicies); + servicePolicies = applyAdminAccessFilter(servicePolicies); ret = toRangerPolicyList(servicePolicies, filter); } @@ -1433,7 +1439,7 @@ public class ServiceREST { LOG.debug("==> ServiceREST.getServicePolicies(" + serviceName + ")"); } - RangerPolicyList ret = new RangerPolicyList();; + RangerPolicyList ret = new RangerPolicyList(); RangerPerfTracer perf = null; SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); @@ -1449,25 +1455,26 @@ public class ServiceREST { } else { // get all policies from the store; pick the page to return after applying filter int savedStartIndex = filter == null ? 0 : filter.getStartIndex(); - int savedMaxRows = filter == null ? Integer.MAX_VALUE : filter.getMaxRows(); + int savedMaxRows = filter == null ? Integer.MAX_VALUE : filter.getMaxRows(); - if(filter != null) { + if (filter != null) { filter.setStartIndex(0); filter.setMaxRows(Integer.MAX_VALUE); } List<RangerPolicy> servicePolicies = svcStore.getServicePolicies(serviceName, filter); - if(filter != null) { + if (filter != null) { filter.setStartIndex(savedStartIndex); filter.setMaxRows(savedMaxRows); } - applyAdminAccessFilter(servicePolicies); + servicePolicies = applyAdminAccessFilter(servicePolicies); ret = toRangerPolicyList(servicePolicies, filter); } + } catch(WebApplicationException excp) { throw excp; } catch (Throwable excp) { 
@@ -1484,7 +1491,7 @@ public class ServiceREST { if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceREST.getServicePolicies(" + serviceName + "): count=" - + ret.getListSize()); + + ret != null ? ret.getListSize() : ret); } return ret; 
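Review bot: The new debug line has an operator-precedence bug: `"...count=" + ret != null ? ret.getListSize() : ret` parses as `(("..." + ret) != null) ? ret.getListSize() : ret`, and a string concatenation is never null, so the message prefix is discarded and `ret.getListSize()` is always dereferenced. Write it as `LOG.debug("<== ServiceREST.getServicePolicies(" + serviceName + "): count=" + (ret == null ? 0 : ret.getListSize()));`. `ret` is initialised to `new RangerPolicyList()` earlier in the method, so the NPE is currently unreachable, but the log output is wrong today.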
@@ -1792,59 +1799,80 @@ public class ServiceREST { return svcStore.getPolicyForVersionNumber(policyId, versionNo); } + private List<RangerPolicy> applyAdminAccessFilter(List<RangerPolicy> policies) { + List<RangerPolicy> ret = new ArrayList<RangerPolicy>(); + RangerPerfTracer perf = null; - private void applyAdminAccessFilter(List<RangerPolicy> policies) { - boolean isAdmin = bizUtil.isAdmin(); - boolean isKeyAdmin = bizUtil.isKeyAdmin(); - - if(!isAdmin && !isKeyAdmin && !CollectionUtils.isEmpty(policies)) { - String userName = bizUtil.getCurrentUserLoginId(); - Set<String> userGroups = userMgr.getGroupsForUser(userName); - Map<String, RangerPolicyEngine> policyEngines = new HashMap<String, RangerPolicyEngine>(); + if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.applyAdminAccessFilter(policyCount=" + (policies == null ? 0 : policies.size()) + ")"); + } - for(int i = 0; i < policies.size(); i++) { - RangerPolicy policy = policies.get(i); - String serviceName = policy.getService(); - RangerPolicyEngine policyEngine = policyEngines.get(serviceName); + if (CollectionUtils.isNotEmpty(policies)) { + boolean isAdmin = bizUtil.isAdmin(); + boolean isKeyAdmin = bizUtil.isKeyAdmin(); + String userName = bizUtil.getCurrentUserLoginId(); + Set<String> userGroups = null; - if(policyEngine == null) { - policyEngine = getPolicyEngine(policy.getService()); + Map<String, List<RangerPolicy>> servicePoliciesMap = new HashMap<String, List<RangerPolicy>>(); - if(policyEngine != null) { - policyEngines.put(serviceName, policyEngine); - } - } + for (int i = 0; i < policies.size(); i++) { + RangerPolicy policy = policies.get(i); + String serviceName = policy.getService(); + List<RangerPolicy> policyList = servicePoliciesMap.get(serviceName); - boolean hasAdminAccess = hasAdminAccess(policyEngine, userName, userGroups, policy.getResources()); + if (policyList == null) { + policyList = new ArrayList<RangerPolicy>(); - 
if(!hasAdminAccess) { - policies.remove(i); - i--; + servicePoliciesMap.put(serviceName, policyList); } + + policyList.add(policy); } - } else if (isAdmin && !CollectionUtils.isEmpty(policies)) { - for (int i = 0; i < policies.size(); i++) { - XXService xService = daoManager.getXXService().findByName(policies.get(i).getService()); - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); + for (Map.Entry<String, List<RangerPolicy>> entry : servicePoliciesMap.entrySet()) { + String serviceName = entry.getKey(); + List<RangerPolicy> listToFilter = entry.getValue(); - if (xServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { - policies.remove(i); - i--; - } - } - } else if (isKeyAdmin && !CollectionUtils.isEmpty(policies)) { - for (int i = 0; i < policies.size(); i++) { + if (CollectionUtils.isNotEmpty(listToFilter)) { + if (isAdmin || isKeyAdmin) { + XXService xService = daoManager.getXXService().findByName(serviceName); + Long serviceDefId = xService.getType(); + boolean isKmsService = serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId()); + + if (isAdmin) { + if (!isKmsService) { + ret.addAll(listToFilter); + } + } else { // isKeyAdmin + if (isKmsService) { + ret.addAll(listToFilter); + } + } - XXService xService = daoManager.getXXService().findByName(policies.get(i).getService()); - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); + continue; + } + + RangerPolicyEngine policyEngine = getPolicyEngine(serviceName); + + if (policyEngine != null) { + if(userGroups == null) { + userGroups = daoManager.getXXGroupUser().findGroupNamesByUserName(userName); + } + + for (RangerPolicy policy : listToFilter) { + if (policyEngine.isAccessAllowed(policy.getResources(), userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS)) { + ret.add(policy); + } + } + } - if (!xServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { - 
policies.remove(i); - i--; } } } + + RangerPerfTracer.log(perf); + + return ret; } void ensureAdminAccess(String serviceName, Map<String, RangerPolicyResource> resources) { @@ -1910,6 +1938,7 @@ public class ServiceREST { options.cacheAuditResults = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", false); options.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true); options.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true); + options.evaluateDelegateAdminOnly = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.evaluate.delegateadmin.only", true); RangerPolicyEngineCache.getInstance().setPolicyEngineOptions(options);; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/resources/META-INF/jpa_named_queries.xml ---------------------------------------------------------------------- diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml index 6af938e..3826a37 100644 --- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml +++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml @@ -1,5 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?> -<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor +<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use 
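Review bot: In the admin/keyAdmin branch of `applyAdminAccessFilter`, `daoManager.getXXService().findByName(serviceName)` is dereferenced without a null check (`xService.getType()`), so a single policy whose service has been deleted or renamed turns the whole listing into a 500; dropping that service's policies is the safer, fail-closed behaviour: `if (xService == null || xService.getType() == null) { continue; }`. The non-admin path now derives `userGroups` from `x_group_user` via `findGroupNamesByUserName` instead of `userMgr.getGroupsForUser`; if the old call also drew on session or externally-sourced groups, delegate-admins relying on those lose visibility — worth confirming before merge. A service with no buildable engine (`policyEngine == null`) silently yields nothing for non-admins, which is the right direction but deserves a one-line `// fail closed` comment. The hunk ends inside the class; `ensureAdminAccess` follows.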
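Review bot: `evaluateDelegateAdminOnly` defaults to `true` here while the field in `RangerPolicyEngineOptions` defaults to `false`, and nothing explains the discrepancy: every engine served by `RangerPolicyEngineCache` in the admin server will contain only delegate-admin policies, so any caller that asks it about a non-admin access type gets a deny. Add above the line: `// admin server uses these engines only for delegate-admin checks; other access types are always denied`. The enclosing method begins above the hunk.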
@@ -177,6 +177,13 @@ </query> </named-query> + <named-query name="XXGroupUser.findGroupNamesByUserName"> + <query>SELECT obj.name FROM XXGroup obj + WHERE obj.id IN (SELECT gu.parentGroupId FROM XXGroupUser gu, XXUser u + WHERE gu.userId = u.id AND u.name=:userName) + </query> + </named-query> + <named-query name="XXGroupUser.findByGroupId"> <query>SELECT obj FROM XXGroupUser obj WHERE obj.parentGroupId=:groupId </query> @@ -656,6 +663,7 @@ xpu.id=:userId and gmp.isAllowed=:isAllowed </query> </named-query> + <named-query name="XXTrxLog.getMaxIdOfXXTrxLog"> <query>select max(obj.id) from XXTrxLog obj</query> </named-query> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/webapp/WEB-INF/log4j.xml ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/WEB-INF/log4j.xml b/security-admin/src/main/webapp/WEB-INF/log4j.xml index 3510d02..f7d40bb 100644 --- a/security-admin/src/main/webapp/WEB-INF/log4j.xml +++ b/security-admin/src/main/webapp/WEB-INF/log4j.xml @@ -84,8 +84,8 @@ </category> <!-- - <category name="ranger.perf" additivity="false"> - <priority value="info" /> + <category name="org.apache.ranger.perf" additivity="false"> + <priority value="debug" /> <appender-ref ref="perf_appender" /> </category> -->
