Repository: incubator-ranger Updated Branches: refs/heads/master da10d0995 -> 9264dd006
RANGER:904 : Update create-policy REST API to support override values via query parameters Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/9264dd00 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/9264dd00 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/9264dd00 Branch: refs/heads/master Commit: 9264dd00656a33f1cac0599788fbd362789a1145 Parents: da10d09 Author: rmani <[email protected]> Authored: Wed Mar 30 18:20:32 2016 -0700 Committer: rmani <[email protected]> Committed: Wed Mar 30 18:20:32 2016 -0700 ---------------------------------------------------------------------- .../apache/ranger/plugin/util/SearchFilter.java | 1 + .../java/org/apache/ranger/rest/AssetREST.java | 2 +- .../java/org/apache/ranger/rest/PublicAPIs.java | 2 +- .../org/apache/ranger/rest/PublicAPIsv2.java | 4 +- .../org/apache/ranger/rest/ServiceREST.java | 123 ++++++++++++++++--- .../ranger/service/RangerPolicyServiceBase.java | 1 + .../org/apache/ranger/rest/TestServiceREST.java | 2 +- .../rest/TestServiceRESTForValidation.java | 6 +- 8 files changed, 113 insertions(+), 28 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9264dd00/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java index 25d69f0..61e8b09 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
@@ -50,6 +50,7 @@ public class SearchFilter { public static final String SORT_BY = "sortBy"; public static final String RESOURCE_SIGNATURE = "resourceSignature:"; // search public static final String POLICY_TYPE = "policyType"; // search + public static final String GUID = "guid"; //search public static final String TAG_DEF_ID = "tagDefId"; // search public static final String TAG_DEF_GUID = "tagDefGuid"; // search http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9264dd00/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java index 827a69a..5a6203f 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java @@ -334,7 +334,7 @@ public class AssetREST { RangerService service = serviceREST.getService(vXResource.getAssetId()); RangerPolicy policy = serviceUtil.toRangerPolicy(vXResource, service); - RangerPolicy createdPolicy = serviceREST.createPolicy(policy); + RangerPolicy createdPolicy = serviceREST.createPolicy(policy,null); VXResource ret = serviceUtil.toVXResource(createdPolicy, service); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9264dd00/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java index ae407f1..21fdcd1 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java 
@@ -273,7 +273,7 @@ public class PublicAPIs { logger.debug("RANGERPOLICY: " + policy.toString()); } - RangerPolicy createdPolicy = serviceREST.createPolicy(policy); + RangerPolicy createdPolicy = serviceREST.createPolicy(policy,null); ret = serviceUtil.toVXPolicy(createdPolicy, service); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9264dd00/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java index 8601b95..b7c1b59 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java @@ -318,8 +318,8 @@ public class PublicAPIsv2 { @POST @Path("/api/policy/") @Produces({ "application/json", "application/xml" }) - public RangerPolicy createPolicy(RangerPolicy policy) { - return serviceREST.createPolicy(policy); + public RangerPolicy createPolicy(RangerPolicy policy , @Context HttpServletRequest request) { + return serviceREST.createPolicy(policy, request); } @POST http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9264dd00/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index e1aef0b..0dbd042 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
@@ -105,6 +105,10 @@ public class ServiceREST { private static final Log LOG = LogFactory.getLog(ServiceREST.class); private static final Log PERF_LOG = RangerPerfTracer.getPerfLogger("rest.ServiceREST"); + final static public String PARAM_SERVICE_NAME = "serviceName"; + final static public String PARAM_POLICY_NAME = "policyName"; + final static public String PARAM_UPDATE_IF_EXISTS = "updateIfExists"; + @Autowired RESTErrorUtil restErrorUtil; @@ -974,7 +978,7 @@ public class ServiceREST { @POST @Path("/policies") @Produces({ "application/json", "application/xml" }) - public RangerPolicy createPolicy(RangerPolicy policy) { + public RangerPolicy createPolicy(RangerPolicy policy, @Context HttpServletRequest request) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.createPolicy(" + policy + ")"); } 
@@ -986,29 +990,65 @@ public class ServiceREST { if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createPolicy(policyName=" + policy.getName() + ")"); } - // this needs to happen before validator is called - // set name of policy if unspecified - if (StringUtils.isBlank(policy.getName())) { // use of isBlank over isEmpty is deliberate as a blank string does not strike us as a particularly useful policy name! - String guid = policy.getGuid(); - if (StringUtils.isBlank(guid)) { // use of isBlank is deliberate. External parties could send the guid in, perhaps to sync between dev/test/prod instances? - guid = guidUtil.genGUID(); - policy.setGuid(guid); - if (LOG.isDebugEnabled()) { - LOG.debug("No GUID supplied on the policy! Ok, setting GUID to [" + guid + "]."); - } + + if(request != null) { + String serviceName = request.getParameter(PARAM_SERVICE_NAME); + String policyName = request.getParameter(PARAM_POLICY_NAME); + String updateIfExists = request.getParameter(PARAM_UPDATE_IF_EXISTS); + + if(StringUtils.isNotEmpty(serviceName)) { + policy.setService(serviceName); } - String name = policy.getService() + "-" + guid; - policy.setName(name); - if (LOG.isDebugEnabled()) { - LOG.debug("Policy did not have its name set! 
Ok, setting name to [" + name + "]"); + + if(StringUtils.isNotEmpty(policyName)) { + policy.setName(policyName); + } + + if(Boolean.valueOf(updateIfExists)) { + RangerPolicy existingPolicy = null; + try { + if(StringUtils.isNotEmpty(policy.getGuid())) { + existingPolicy = getPolicyByGuid(policy.getGuid()); + } + + if(existingPolicy == null && StringUtils.isNotEmpty(serviceName) && StringUtils.isNotEmpty(policyName)) { + existingPolicy = getPolicyByName(policy.getService(), policy.getName()); + } + + if(existingPolicy != null) { + ret = updatePolicy(policy); + } + } catch(Exception excp) { + LOG.info("ServiceREST.createPolicy(): Failed to find/update exising policy, will attempt to create the policy", excp); + } } } - RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore); - validator.validate(policy, Action.CREATE, bizUtil.isAdmin()); - ensureAdminAccess(policy.getService(), policy.getResources()); + if(ret == null) { + // this needs to happen before validator is called + // set name of policy if unspecified + if (StringUtils.isBlank(policy.getName())) { // use of isBlank over isEmpty is deliberate as a blank string does not strike us as a particularly useful policy name! + String guid = policy.getGuid(); + if (StringUtils.isBlank(guid)) { // use of isBlank is deliberate. External parties could send the guid in, perhaps to sync between dev/test/prod instances? + guid = guidUtil.genGUID(); + policy.setGuid(guid); + if (LOG.isDebugEnabled()) { + LOG.debug("No GUID supplied on the policy! Ok, setting GUID to [" + guid + "]."); + } + } + String name = policy.getService() + "-" + guid; + policy.setName(name); + if (LOG.isDebugEnabled()) { + LOG.debug("Policy did not have its name set! 
Ok, setting name to [" + name + "]"); + } + } + RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore); + validator.validate(policy, Action.CREATE, bizUtil.isAdmin()); + + ensureAdminAccess(policy.getService(), policy.getResources()); - ret = svcStore.createPolicy(policy); + ret = svcStore.createPolicy(policy); + } } catch(WebApplicationException excp) { throw excp; } catch(Throwable excp) { @@ -1051,7 +1091,7 @@ public class ServiceREST { RangerPolicy existingPolicy = getExactMatchPolicyForResource(policy.getService(), policy.getResources()); if (existingPolicy == null) { - ret = createPolicy(policy); + ret = createPolicy(policy, null); } else { ServiceRESTUtil.processApplyPolicy(existingPolicy, policy); 
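Review bot: The new `catch(Exception excp)` in the updateIfExists branch also wraps `ret = updatePolicy(policy)`, so whatever the update throws (the test file shows updatePolicy runs the UPDATE validator) is logged at INFO and the request silently falls through to the create path instead of failing. Keep only the two lookups inside the try and move the `if(existingPolicy != null)` block below it, so a rejected update reaches the outer `catch(WebApplicationException excp) { throw excp; }`. The existing policy's id is never copied onto the incoming object; unless updatePolicy (not visible here) resolves its target some other way, add `policy.setId(existingPolicy.getId());` before the update call. The name fallback tests the `serviceName`/`policyName` query parameters rather than `policy.getService()`/`policy.getName()`, so a name supplied only in the body with updateIfExists=true skips the lookup. createPolicy begins in the previous hunk and ends outside this one.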
@@ -1628,6 +1668,49 @@ public class ServiceREST { return svcStore.getPolicyForVersionNumber(policyId, versionNo); } + + private RangerPolicy getPolicyByGuid(String guid) { + RangerPolicy ret = null; + + if(LOG.isDebugEnabled()) { + LOG.debug("==> ServiceREST.getPolicyByGuid(" + guid +")"); + } + + SearchFilter filter = new SearchFilter(); + filter.setParam(SearchFilter.GUID, guid); + List<RangerPolicy> policies = getPolicies(filter); + + if (CollectionUtils.isNotEmpty(policies)) { + ret = policies.get(0); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== ServiceREST.getPolicyByGuid(" + guid + ")" + ret); + } + return ret; + } + + private RangerPolicy getPolicyByName(String serviceName,String policyName) { + RangerPolicy ret = null; + if(LOG.isDebugEnabled()) { + LOG.debug("==> ServiceREST.getPolicyByName(" + serviceName + "," + policyName + ")"); + } + + SearchFilter filter = new SearchFilter(); + filter.setParam(SearchFilter.SERVICE_NAME, serviceName); + filter.setParam(SearchFilter.POLICY_NAME, policyName); + List<RangerPolicy> policies = getPolicies(filter); + + if (CollectionUtils.isNotEmpty(policies)) { + ret = policies.get(0); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== ServiceREST.getPolicyByName(" + serviceName + "," + policyName + ")" + ret); + } + return ret; + } + private List<RangerPolicy> applyAdminAccessFilter(List<RangerPolicy> policies) { List<RangerPolicy> ret = new ArrayList<RangerPolicy>(); RangerPerfTracer perf = null; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9264dd00/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java index 1195a50..4929cf6 100644 
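Review bot: Both new helpers return `policies.get(0)` without checking how many policies matched, and getPolicyByGuid filters on the GUID alone, so the updateIfExists path in createPolicy can settle on a policy that belongs to a different service than the one named in the request. Accept a match only when it is unambiguous, `if (policies != null && policies.size() == 1) { ret = policies.get(0); }`, and have the caller compare `existingPolicy.getService()` with `policy.getService()` before it updates. Whether `getPolicies(filter)` restricts results to what the caller may administer is not visible in this hunk, so that assumption should be stated in a Javadoc on each helper together with the null return for no match. The debug lines concatenate `guid`, `serviceName` and `policyName` as received from the request; if these logs are collected centrally, strip line breaks from the values first.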
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java @@ -56,6 +56,7 @@ public abstract class RangerPolicyServiceBase<T extends XXPolicyBase, V extends .add(new SearchField(SearchFilter.IS_ENABLED, "obj.isEnabled", DATA_TYPE.BOOLEAN, SEARCH_TYPE.FULL)); searchFields.add(new SearchField(SearchFilter.POLICY_ID, "obj.id", DATA_TYPE.INTEGER, SEARCH_TYPE.FULL)); searchFields.add(new SearchField(SearchFilter.POLICY_NAME, "obj.name", DATA_TYPE.STRING, SEARCH_TYPE.FULL)); + searchFields.add(new SearchField(SearchFilter.GUID, "obj.guid", DATA_TYPE.STRING, SEARCH_TYPE.FULL)); searchFields.add(new SearchField(SearchFilter.USER, "xUser.name", DATA_TYPE.STRING, SEARCH_TYPE.FULL, "XXUser xUser, XXPolicyItem xPolItem, XXPolicyItemUserPerm userPerm", "obj.id = xPolItem.policyId " + "and userPerm.policyItemId = xPolItem.id and xUser.id = userPerm.userId")); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9264dd00/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java index 2be9441..083c777 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
@@ -757,7 +757,7 @@ public class TestServiceREST { Mockito.when(svcStore.createPolicy((RangerPolicy) Mockito.anyObject())) .thenReturn(rangPolicy); - RangerPolicy dbRangerPolicy = serviceREST.createPolicy(rangerPolicy); + RangerPolicy dbRangerPolicy = serviceREST.createPolicy(rangerPolicy,null); Assert.assertNotNull(dbRangerPolicy); Mockito.verify(bizUtil, Mockito.times(2)).isAdmin(); Mockito.verify(validatorFactory).getPolicyValidator(svcStore); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9264dd00/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java ---------------------------------------------------------------------- diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java index c591750..2f1e467 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java @@ -214,7 +214,7 @@ public class TestServiceRESTForValidation { _serviceRest.updatePolicy(_policy); verify(_policyValidator).validate(_policy, Action.UPDATE, true); - _serviceRest.createPolicy(_policy); + _serviceRest.createPolicy(_policy,null); verify(_policyValidator).validate(_policy, Action.CREATE, true); } catch (Exception e) { LOG.debug(e); @@ -245,7 +245,7 @@ public class TestServiceRESTForValidation { doThrow(_exception).when(_policyValidator).validate(_policy, Action.CREATE, true); try { - _serviceRest.createPolicy(_policy); + _serviceRest.createPolicy(_policy,null); fail("Should have thrown exception!"); } catch (WebApplicationException t) { verify(_policyValidator).validate(_policy, Action.CREATE, true); 
@@ -288,7 +288,7 @@ public class TestServiceRESTForValidation { doThrow(_exception).when(_store).createPolicy(_policy); try { - _serviceRest.createPolicy(_policy); + _serviceRest.createPolicy(_policy,null); fail("Should have thrown exception!"); } catch (WebApplicationException e) { verify(_policyValidator).validate(_policy, Action.CREATE, true);
