http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json b/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json new file mode 100644 index 0000000..d3e0c25 --- /dev/null +++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json 
@@ -0,0 +1,243 @@ +{ + "serviceName":"hivedev", + + "serviceDef":{ + "name":"hive", + "id":3, + "resources":[ + {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Database","description":"Hive Database"}, + {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Table","description":"Hive Table"}, + {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive UDF","description":"Hive UDF"}, + {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Column","description":"Hive Column"} + ], + "accessTypes":[ + {"name":"select","label":"Select"}, + {"name":"update","label":"Update"}, + {"name":"create","label":"Create"}, + {"name":"drop","label":"Drop"}, + {"name":"alter","label":"Alter"}, + {"name":"index","label":"Index"}, + {"name":"lock","label":"Lock"}, + {"name":"all","label":"All", + "impliedGrants": [ + "select", + "update", + "create", + "drop", + "alter", + "index", + "lock" + ] + } + ], + "dataMaskDef": { + "maskTypes": [ + { + "itemId": 1, + "name": "MASK", + "label": "Mask", + "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'" + }, + { + "itemId": 2, + "name": "SHUFFLE", + "label": "Shuffle", + "description": "Randomly shuffle the contents" + }, + { + "itemId": 10, + "name": "NULL", + "label": "NULL", + "description": "Replace with NULL" + 
} + + ], + "accessTypes":[ + {"name":"select","label":"Select"} + ], + "resources":[ + {"name":"database","matcherOptions":{"wildCard":false}}, + {"name":"table","matcherOptions":{"wildCard":false}}, + {"name":"column","matcherOptions":{"wildCard":false}} + ] + }, + "rowFilterDef": { + "accessTypes":[ + {"name":"select","label":"Select"} + ], + "resources":[ + {"name":"database","matcherOptions":{"wildCard":false}}, + {"name":"table","matcherOptions":{"wildCard":false}} + ] + } + }, + + "policies":[ + {"id":1,"name":"db=*: audit-all-access","isEnabled":true,"isAuditEnabled":true, + "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}}, + "policyItems":[ + {"accesses":[{"type":"all","isAllowed":true}],"users":["hive", "user1", "user2"],"groups":["public"],"delegateAdmin":false} + ] + }, + {"id":101,"name":"db=employee, table=personal, column=ssn: mask ssn column","isEnabled":true,"isAuditEnabled":true,"policyType":1, + "resources":{"database":{"values":["employee"]},"table":{"values":["personal"]},"column":{"values":["ssn"]}}, + "dataMaskPolicyItems":[ + {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, + "dataMaskInfo": {"dataMaskType":"MASK"} + }, + {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, + "dataMaskInfo": {"dataMaskType":"SHUFFLE"} + } + ] + }, + {"id":102,"name":"db=hr, table=employee, column=date_of_birth: mask date_of_birth column","isEnabled":true,"isAuditEnabled":true,"policyType":1, + "resources":{"database":{"values":["hr"]},"table":{"values":["employee"]},"column":{"values":["date_of_birth"]}}, + "dataMaskPolicyItems":[ + {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, + "dataMaskInfo": {"dataMaskType":"MASK"} + }, + {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, + "dataMaskInfo": 
{"dataMaskType":"SHUFFLE"} + } + ] + }, + {"id":201,"name":"db=employee, table=personal","isEnabled":true,"isAuditEnabled":true,"policyType":2, + "resources":{"database":{"values":["employee"]},"table":{"values":["personal"]}}, + "rowFilterPolicyItems":[ + {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, + "rowFilterInfo": {"filterExpr":"location='US'"} + }, + {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, + "rowFilterInfo": {"filterExpr":"location='CA'"} + } + ] + }, + {"id":202,"name":"db=hr, table=employee","isEnabled":true,"isAuditEnabled":true,"policyType":2, + "resources":{"database":{"values":["hr"]},"table":{"values":["employee"]}}, + "rowFilterPolicyItems":[ + {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, + "rowFilterInfo": {"filterExpr":"dept='production'"} + }, + {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, + "rowFilterInfo": {"filterExpr":"dept='purchase'"} + } + ] + } + ], + + "tests":[ + {"name":"'select ssn from employee.personal;' for user1 - maskType=MASK", + "request":{ + "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}}, + "accessType":"select","user":"user1","userGroups":[],"requestData":"select ssn from employee.personal;' for user1" + }, + "dataMaskResult":{"maskType":"MASK","maskCondition":null,"maskValue":null,"policyId":101} + }, + {"name":"'select ssn from employee.personal;' for user2 - maskType=SHUFFLE", + "request":{ + "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}}, + "accessType":"select","user":"user2","userGroups":[],"requestData":"select ssn from employee.personal;' for user2" + }, + "dataMaskResult":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null,"policyId":101} + }, + {"name":"'select ssn from employee.personal;' for user3 - 
no-mask", + "request":{ + "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}}, + "accessType":"select","user":"user3","userGroups":[],"requestData":"select ssn from employee.personal;' for user3" + }, + "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1} + }, + {"name":"'select name from employee.personal;' for user1 - no-mask", + "request":{ + "resource":{"elements":{"database":"employee", "table":"personal", "column":"name"}}, + "accessType":"select","user":"user1","userGroups":[],"requestData":"select name from employee.personal;' for user1" + }, + "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1} + }, + {"name":"'select date_of_birth from hr.employee;' for user1 - maskType=MASK", + "request":{ + "resource":{"elements":{"database":"hr", "table":"employee", "column":"date_of_birth"}}, + "accessType":"select","user":"user1","userGroups":[],"requestData":"select date_of_birth from hr.employee;' for user1" + }, + "dataMaskResult":{"maskType":"MASK","maskCondition":null,"maskValue":null,"policyId":102} + }, + {"name":"'select date_of_birth from hr.employee;' for user2 - maskType=SHUFFLE", + "request":{ + "resource":{"elements":{"database":"hr", "table":"employee", "column":"date_of_birth"}}, + "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr.employee2;' for user2" + }, + "dataMaskResult":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null,"policyId":102} + }, + {"name":"'select date_of_birth1 from hr.employee;' for user1 - no-mask", + "request":{ + "resource":{"elements":{"database":"hr", "table":"employee", "column":"date_of_birth1"}}, + "accessType":"select","user":"user1","userGroups":[],"requestData":"select date_of_birth1 from hr.employee;' for user1" + }, + "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1} + }, + {"name":"'select date_of_birth from hr2.employee2;' for 
user2 - no-mask", + "request":{ + "resource":{"elements":{"database":"hr2", "table":"employee2", "column":"date_of_birth"}}, + "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr2.employee2;' for user2" + }, + "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1} + }, + {"name":"'select ssn from employee.personal;' for user1 - filterExpr=location='US'", + "request":{ + "resource":{"elements":{"database":"employee", "table":"personal"}}, + "accessType":"select","user":"user1","userGroups":[],"requestData":"select ssn from employee.personal;' for user1" + }, + "rowFilterResult":{"filterExpr":"location='US'","policyId":201} + }, + {"name":"'select ssn from employee.personal;' for user2 - filterExpr=location='CA'", + "request":{ + "resource":{"elements":{"database":"employee", "table":"personal"}}, + "accessType":"select","user":"user2","userGroups":[],"requestData":"select ssn from employee.personal;' for user2" + }, + "rowFilterResult":{"filterExpr":"location='CA'","policyId":201} + }, + {"name":"'select ssn from employee.personal;' for user3 - no-filter", + "request":{ + "resource":{"elements":{"database":"employee", "table":"personal"}}, + "accessType":"select","user":"user3","userGroups":[],"requestData":"select ssn from employee.personal;' for user3" + }, + "rowFilterResult":{"filterExpr":null,"policyId":-1} + }, + {"name":"'select name from employee.personal;' for group3 - no-filter", + "request":{ + "resource":{"elements":{"database":"employee", "table":"personal"}}, + "accessType":"select","user":"user5","userGroups":["group3"],"requestData":"select name from employee.personal;' for user5/group3" + }, + "rowFilterResult":{"filterExpr":null,"policyId":-1} + }, + {"name":"'select date_of_birth from hr.employee;' for user1 - filterExpr=dept='production'", + "request":{ + "resource":{"elements":{"database":"hr", "table":"employee"}}, + 
"accessType":"select","user":"user1","userGroups":[],"requestData":"select date_of_birth from hr.employee;' for user1" + }, + "rowFilterResult":{"filterExpr":"dept='production'","policyId":202} + }, + {"name":"'select date_of_birth from hr.employee;' for user2 - filterExpr=dept='purchase'", + "request":{ + "resource":{"elements":{"database":"hr", "table":"employee"}}, + "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr.employee2;' for user2" + }, + "rowFilterResult":{"filterExpr":"dept='purchase'","policyId":202} + }, + {"name":"'select date_of_birth from hr.employee;' for user3 - no-filter", + "request":{ + "resource":{"elements":{"database":"hr", "table":"employee"}}, + "accessType":"select","user":"user3","userGroups":[],"requestData":"select date_of_birth from hr.employee;' for user3" + }, + "rowFilterResult":{"filterExpr":null,"policyId":-1} + }, + {"name":"'select date_of_birth from hr2.employee2;' for user2 - no-mask", + "request":{ + "resource":{"elements":{"database":"hr2", "table":"employee2"}}, + "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr2.employee2;' for user2" + }, + "rowFilterResult":{"filterExpr":null,"policyId":-1} + } + ] +} +
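Review bot: Two test entries in the new fixture are mislabeled, which makes a failing assertion harder to read: the last entry in `tests` is a `rowFilterResult` case but its name ends in `- no-mask` while its siblings use `- no-filter`, and both user2 cases against `hr.employee` carry `"requestData":"select date_of_birth from hr.employee2;' for user2"` although the resource is table `employee`. Suggest renaming the last case to `'select date_of_birth from hr2.employee2;' for user2 - no-filter` and correcting those two requestData strings to `hr.employee`. The `requestData` values throughout also carry a stray `;'` copied from the name field; presumably opaque to the engine, but worth normalising while the file is new.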
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/agents-common/src/test/resources/policyengine/test_policyengine_hive_masking.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hive_masking.json b/agents-common/src/test/resources/policyengine/test_policyengine_hive_masking.json deleted file mode 100644 index b0e4557..0000000 --- a/agents-common/src/test/resources/policyengine/test_policyengine_hive_masking.json +++ /dev/null 
@@ -1,156 +0,0 @@ -{ - "serviceName":"hivedev", - - "serviceDef":{ - "name":"hive", - "id":3, - "resources":[ - {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Database","description":"Hive Database"}, - {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Table","description":"Hive Table"}, - {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive UDF","description":"Hive UDF"}, - {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Column","description":"Hive Column"} - ], - "accessTypes":[ - {"name":"select","label":"Select"}, - {"name":"update","label":"Update"}, - {"name":"create","label":"Create"}, - {"name":"drop","label":"Drop"}, - {"name":"alter","label":"Alter"}, - {"name":"index","label":"Index"}, - {"name":"lock","label":"Lock"}, - {"name":"all","label":"All", - "impliedGrants": [ - "select", - "update", - "create", - "drop", - "alter", - "index", - "lock" - ] - } - ], - "dataMaskDef": { - "maskTypes": [ - { - "itemId": 1, - "name": "MASK", - "label": "Mask", - "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'" - }, - { - "itemId": 2, - "name": "SHUFFLE", - "label": "Shuffle", - "description": "Randomly shuffle the contents" - }, - { - "itemId": 10, - "name": "NULL", - "label": "NULL", - "description": "Replace with NULL" - 
} - - ], - "accessTypes":[ - {"name":"select","label":"Select"} - ], - "resources":[ - {"name":"database","matcherOptions":{"wildCard":false}}, - {"name":"table","matcherOptions":{"wildCard":false}}, - {"name":"column","matcherOptions":{"wildCard":false}} - ] - } - }, - - "policies":[ - {"id":1,"name":"db=*: audit-all-access","isEnabled":true,"isAuditEnabled":true, - "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}}, - "policyItems":[ - {"accesses":[{"type":"all","isAllowed":true}],"users":["hive", "user1", "user2"],"groups":["public"],"delegateAdmin":false} - ] - }, - {"id":101,"name":"db=*, table=*, column=ssn: mask ssn column in all tables, databases","isEnabled":true,"isAuditEnabled":true,"policyType":1, - "resources":{"database":{"values":["employee"]},"table":{"values":["personal"]},"column":{"values":["ssn"]}}, - "dataMaskPolicyItems":[ - {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"MASK"} - }, - {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"SHUFFLE"} - } - ] - }, - {"id":102,"name":"db=hr, table=*, column=date_of_birth: mask date_of_birth column in all tables in hr database","isEnabled":true,"isAuditEnabled":true,"policyType":1, - "resources":{"database":{"values":["hr"]},"table":{"values":["employee"]},"column":{"values":["date_of_birth"]}}, - "dataMaskPolicyItems":[ - {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"MASK"} - }, - {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"SHUFFLE"} - } - ] - } - ], - - "tests":[ - {"name":"'select ssn from employee.personal;' for user1 - maskType=MASK", - "request":{ - "resource":{"elements":{"database":"employee", 
"table":"personal", "column":"ssn"}}, - "accessType":"select","user":"user1","userGroups":[],"requestData":"select ssn from employee.personal;' for user1" - }, - "dataMaskResult":{"maskType":"MASK","maskCondition":null,"maskValue":null,"policyId":101} - }, - {"name":"'select ssn from employee.personal;' for user2 - maskType=SHUFFLE", - "request":{ - "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}}, - "accessType":"select","user":"user2","userGroups":[],"requestData":"select ssn from employee.personal;' for user2" - }, - "dataMaskResult":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null,"policyId":101} - }, - {"name":"'select ssn from employee.personal;' for user3 - no-mask", - "request":{ - "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}}, - "accessType":"select","user":"user3","userGroups":[],"requestData":"select ssn from employee.personal;' for user3" - }, - "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1} - }, - {"name":"'select name from employee.personal;' for user1 - no-mask", - "request":{ - "resource":{"elements":{"database":"employee", "table":"personal", "column":"name"}}, - "accessType":"select","user":"user1","userGroups":[],"requestData":"select name from employee.personal;' for user1" - }, - "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1} - }, - {"name":"'select date_of_birth from hr.employee;' for user1 - maskType=MASK", - "request":{ - "resource":{"elements":{"database":"hr", "table":"employee", "column":"date_of_birth"}}, - "accessType":"select","user":"user1","userGroups":[],"requestData":"select date_of_birth from hr.employee;' for user1" - }, - "dataMaskResult":{"maskType":"MASK","maskCondition":null,"maskValue":null,"policyId":102} - }, - {"name":"'select date_of_birth from hr.employee;' for user2 - maskType=SHUFFLE", - "request":{ - "resource":{"elements":{"database":"hr", 
"table":"employee", "column":"date_of_birth"}}, - "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr.employee2;' for user2" - }, - "dataMaskResult":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null,"policyId":102} - }, - {"name":"'select date_of_birth1 from hr.employee;' for user1 - no-mask", - "request":{ - "resource":{"elements":{"database":"hr", "table":"employee", "column":"date_of_birth1"}}, - "accessType":"select","user":"user1","userGroups":[],"requestData":"select date_of_birth1 from hr.employee;' for user1" - }, - "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1} - }, - {"name":"'select date_of_birth from hr2.employee2;' for user2 - no-mask", - "request":{ - "resource":{"elements":{"database":"hr2", "table":"employee2", "column":"date_of_birth"}}, - "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr2.employee2;' for user2" - }, - "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1} - } - ] -} - http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java index e0e1e7a..a2a49ad 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java 
@@ -30,6 +30,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import com.google.common.collect.Lists; +import org.apache.ranger.plugin.policyengine.RangerDataMaskResult; public class RangerHiveAuditHandler extends RangerDefaultAuditHandler { @@ -59,14 +60,19 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler { RangerAccessResource resource = request.getResource(); String accessType = null; - if(request instanceof RangerHiveAccessRequest) { - RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest)request; - accessType = hiveRequest.getHiveAccessType().toString(); - } + if(result instanceof RangerDataMaskResult) { + accessType = ((RangerDataMaskResult)result).getMaskType(); + } else { + if (request instanceof RangerHiveAccessRequest) { + RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest) request; - if(StringUtils.isEmpty(accessType)) { - accessType = request.getAccessType(); + accessType = hiveRequest.getHiveAccessType().toString(); + } + + if (StringUtils.isEmpty(accessType)) { + accessType = request.getAccessType(); + } } String resourcePath = resource != null ? resource.getAsString() : null; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/security-admin/db/mysql/patches/020-datamask-policy.sql ---------------------------------------------------------------------- diff --git a/security-admin/db/mysql/patches/020-datamask-policy.sql b/security-admin/db/mysql/patches/020-datamask-policy.sql index 8a612b3..fffa613 100644 --- a/security-admin/db/mysql/patches/020-datamask-policy.sql +++ b/security-admin/db/mysql/patches/020-datamask-policy.sql 
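Review bot: In the new `RangerDataMaskResult` branch `accessType` is left as whatever `getMaskType()` returns and the `StringUtils.isEmpty(accessType)` fallback now runs only in the `else` arm, so a data-mask result with no mask type (the fixture in this commit expects `"maskType":null` for unmatched columns) is audited with a null access type where the old code fell back to `request.getAccessType()`. Hoist the fallback out of the `else` so it covers both arms. Separately, the audit event's access-type field now carries the mask type name rather than the Hive operation, which an audit consumer cannot tell apart from a real access type; if the event has no dedicated field for the mask type, consider keeping the access type and recording the mask type elsewhere. The enclosing method starts and ends outside the hunk, and the added import sits after the `com.google` import rather than with the `org.apache.ranger` group above it.
```java
		if(result instanceof RangerDataMaskResult) {
			accessType = ((RangerDataMaskResult)result).getMaskType();
		} else if(request instanceof RangerHiveAccessRequest) {
			accessType = ((RangerHiveAccessRequest)request).getHiveAccessType().toString();
		}

		// Fallback applies to both arms: a mask result without a mask type
		// and a request without a Hive-specific access type.
		if(StringUtils.isEmpty(accessType)) {
			accessType = request.getAccessType();
		}

		// … unchanged: resourcePath and the rest of the audit event …
```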
@@ -22,6 +22,9 @@ delimiter ;; if not exists (select * from information_schema.columns where table_schema=database() and table_name = 'x_access_type_def' and column_name = 'datamask_options') then ALTER TABLE `x_access_type_def` ADD `datamask_options` varchar(1024) DEFAULT NULL; end if; + if not exists (select * from information_schema.columns where table_schema=database() and table_name = 'x_access_type_def' and column_name = 'rowfilter_options') then + ALTER TABLE `x_access_type_def` ADD `rowfilter_options` varchar(1024) DEFAULT NULL; + end if; end if; end;; @@ -38,6 +41,9 @@ delimiter ;; if not exists (select * from information_schema.columns where table_schema=database() and table_name = 'x_resource_def' and column_name = 'datamask_options') then ALTER TABLE `x_resource_def` ADD `datamask_options` varchar(1024) DEFAULT NULL; end if; + if not exists (select * from information_schema.columns where table_schema=database() and table_name = 'x_resource_def' and column_name = 'rowfilter_options') then + ALTER TABLE `x_resource_def` ADD `rowfilter_options` varchar(1024) DEFAULT NULL; + end if; end if; end;; 
@@ -93,3 +99,20 @@ CONSTRAINT `x_policy_item_datamask_FK_added_by_id` FOREIGN KEY (`added_by_id`) R CONSTRAINT `x_policy_item_datamask_FK_upd_by_id` FOREIGN KEY (`upd_by_id`) REFERENCES `x_portal_user` (`id`) ); CREATE INDEX x_policy_item_datamask_IDX_policy_item_id ON x_policy_item_datamask(policy_item_id); + +DROP TABLE IF EXISTS `x_policy_item_rowfilter`; +CREATE TABLE `x_policy_item_rowfilter` ( +`id` bigint(20) NOT NULL AUTO_INCREMENT , +`guid` varchar(1024) DEFAULT NULL, +`create_time` datetime DEFAULT NULL, +`update_time` datetime DEFAULT NULL, +`added_by_id` bigint(20) DEFAULT NULL, +`upd_by_id` bigint(20) DEFAULT NULL, +`policy_item_id` bigint(20) NOT NULL, +`filter_expr` varchar(1024) DEFAULT NULL, +primary key (id), +CONSTRAINT `x_policy_item_rowfilter_FK_policy_item_id` FOREIGN KEY (`policy_item_id`) REFERENCES `x_policy_item` (`id`) , +CONSTRAINT `x_policy_item_rowfilter_FK_added_by_id` FOREIGN KEY (`added_by_id`) REFERENCES `x_portal_user` (`id`), +CONSTRAINT `x_policy_item_rowfilter_FK_upd_by_id` FOREIGN KEY (`upd_by_id`) REFERENCES `x_portal_user` (`id`) +); +CREATE INDEX x_policy_item_rowfilter_IDX_policy_item_id ON x_policy_item_rowfilter(policy_item_id); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/security-admin/db/postgres/patches/020-datamask-policy.sql ---------------------------------------------------------------------- diff --git a/security-admin/db/postgres/patches/020-datamask-policy.sql b/security-admin/db/postgres/patches/020-datamask-policy.sql index d000822..393684b 100644 --- a/security-admin/db/postgres/patches/020-datamask-policy.sql +++ b/security-admin/db/postgres/patches/020-datamask-policy.sql 
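Review bot: The new `x_policy_item_rowfilter` block starts with `DROP TABLE IF EXISTS`, so re-running this patch on a database that already has the table discards every stored row-filter item, whereas the column additions in the earlier hunks of this file are guarded with `if not exists`. The preceding `x_policy_item_datamask` block appears to follow the same drop-and-create pattern, so this may be the project's convention for new tables, but it is worth confirming that the patch runner never re-applies `020`; the postgres patch in this commit has the same shape (`DROP TABLE IF EXISTS x_policy_item_rowfilter; DROP SEQUENCE IF EXISTS x_policy_item_rowfilter_seq;`). `filter_expr` holds an SQL predicate fragment (the fixture in this commit uses values like `location='US'`); a comment on the column such as `-- filter_expr: SQL predicate authored by a policy admin, not end-user input` would tell future readers what trust level the content has.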
@@ -20,11 +20,16 @@ CREATE OR REPLACE FUNCTION add_datamask_options_to_x_access_type_def_table() RETURNS void AS $$ DECLARE exists_access_type_def_datamask_options integer := 0; + exists_access_type_def_rowfilter_options integer := 0; BEGIN select count(*) into exists_access_type_def_datamask_options from pg_attribute where attrelid in(select oid from pg_class where relname='x_access_type_def') and attname='datamask_options'; + select count(*) into exists_access_type_def_rowfilter_options from pg_attribute where attrelid in(select oid from pg_class where relname='x_access_type_def') and attname='rowfilter_options'; IF exists_access_type_def_datamask_options = 0 THEN ALTER TABLE x_access_type_def ADD COLUMN datamask_options VARCHAR(1024) DEFAULT NULL; END IF; + IF exists_access_type_def_rowfilter_options = 0 THEN + ALTER TABLE x_access_type_def ADD COLUMN rowfilter_options VARCHAR(1024) DEFAULT NULL; + END IF; END; $$ LANGUAGE plpgsql; @@ -33,11 +38,16 @@ CREATE OR REPLACE FUNCTION add_datamask_options_to_x_resource_def_table() RETURNS void AS $$ DECLARE exists_resource_def_datamask_options integer := 0; + exists_resource_def_rowfilter_options integer := 0; BEGIN select count(*) into exists_resource_def_datamask_options from pg_attribute where attrelid in(select oid from pg_class where relname='x_resource_def') and attname='datamask_options'; + select count(*) into exists_resource_def_rowfilter_options from pg_attribute where attrelid in(select oid from pg_class where relname='x_resource_def') and attname='rowfilter_options'; IF exists_resource_def_datamask_options = 0 THEN ALTER TABLE x_resource_def ADD COLUMN datamask_options VARCHAR(1024) DEFAULT NULL; END IF; + IF exists_resource_def_rowfilter_options = 0 THEN + ALTER TABLE x_resource_def ADD COLUMN rowfilter_options VARCHAR(1024) DEFAULT NULL; + END IF; END; $$ LANGUAGE plpgsql; 
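Review bot: `add_datamask_options_to_x_access_type_def_table()` and `add_datamask_options_to_x_resource_def_table()` now also add the `rowfilter_options` column, so their names no longer describe what they do. Renaming would also require changing the `DROP FUNCTION`/`SELECT` lines that invoke them, which are outside these hunks, so if a rename is too invasive a header comment such as `-- also adds rowfilter_options (row-filter policy support)` above each function would do.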
@@ -96,3 +106,23 @@ CREATE TABLE x_policy_item_datamask ( CONSTRAINT x_policy_item_datamask_FK_upd_by_id FOREIGN KEY (upd_by_id) REFERENCES x_portal_user (id) ); CREATE INDEX x_policy_item_datamask_IDX_policy_item_id ON x_policy_item_datamask(policy_item_id); + +DROP TABLE IF EXISTS x_policy_item_rowfilter; +DROP SEQUENCE IF EXISTS x_policy_item_rowfilter_seq; + +CREATE SEQUENCE x_policy_item_rowfilter_seq; +CREATE TABLE x_policy_item_rowfilter ( + id BIGINT DEFAULT nextval('x_policy_item_rowfilter_seq'::regclass), + guid VARCHAR(1024) DEFAULT NULL, + create_time TIMESTAMP DEFAULT NULL, + update_time TIMESTAMP DEFAULT NULL, + added_by_id BIGINT DEFAULT NULL, + upd_by_id BIGINT DEFAULT NULL, + policy_item_id BIGINT NOT NULL, + filter_expr VARCHAR(1024) DEFAULT NULL, + primary key (id), + CONSTRAINT x_policy_item_rowfilter_FK_policy_item_id FOREIGN KEY (policy_item_id) REFERENCES x_policy_item (id) , + CONSTRAINT x_policy_item_rowfilter_FK_added_by_id FOREIGN KEY (added_by_id) REFERENCES x_portal_user (id), + CONSTRAINT x_policy_item_rowfilter_FK_upd_by_id FOREIGN KEY (upd_by_id) REFERENCES x_portal_user (id) +); +CREATE INDEX x_policy_item_rowfilter_IDX_policy_item_id ON x_policy_item_rowfilter(policy_item_id); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java index 89daaea..469ebbe 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java 
@@ -37,7 +37,9 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem; import org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator; import org.apache.ranger.plugin.util.RangerPerfTracer; @@ -408,7 +410,8 @@ public class RangerPolicyRetriever { final ListIterator<XXPolicyItemGroupPerm> iterGroupPerms; final ListIterator<XXPolicyItemAccess> iterAccesses; final ListIterator<XXPolicyItemCondition> iterConditions; - final ListIterator<XXPolicyItemDataMaskInfo> iterDataMaskInfos; + final ListIterator<XXPolicyItemDataMaskInfo> iterDataMaskInfos; + final ListIterator<XXPolicyItemRowFilterInfo> iterRowFilterInfos; RetrieverContext(XXService xService) { Long serviceId = xService == null ? null : xService.getId(); @@ -421,7 +424,8 @@ public class RangerPolicyRetriever { List<XXPolicyItemGroupPerm> xGroupPerms = daoMgr.getXXPolicyItemGroupPerm().findByServiceId(serviceId); List<XXPolicyItemAccess> xAccesses = daoMgr.getXXPolicyItemAccess().findByServiceId(serviceId); List<XXPolicyItemCondition> xConditions = daoMgr.getXXPolicyItemCondition().findByServiceId(serviceId); - List<XXPolicyItemDataMaskInfo> xDataMaskInfos = daoMgr.getXXPolicyItemDataMaskInfo().findByServiceId(serviceId); + List<XXPolicyItemDataMaskInfo> xDataMaskInfos = daoMgr.getXXPolicyItemDataMaskInfo().findByServiceId(serviceId); + List<XXPolicyItemRowFilterInfo> xRowFilterInfos = daoMgr.getXXPolicyItemRowFilterInfo().findByServiceId(serviceId); this.service = xService; this.iterPolicy = xPolicies.listIterator(); 
@@ -432,7 +436,8 @@ public class RangerPolicyRetriever { this.iterGroupPerms = xGroupPerms.listIterator(); this.iterAccesses = xAccesses.listIterator(); this.iterConditions = xConditions.listIterator(); - this.iterDataMaskInfos = xDataMaskInfos.listIterator(); + this.iterDataMaskInfos = xDataMaskInfos.listIterator(); + this.iterRowFilterInfos = xRowFilterInfos.listIterator(); } RetrieverContext(XXPolicy xPolicy) { @@ -450,7 +455,8 @@ public class RangerPolicyRetriever { List<XXPolicyItemGroupPerm> xGroupPerms = daoMgr.getXXPolicyItemGroupPerm().findByPolicyId(policyId); List<XXPolicyItemAccess> xAccesses = daoMgr.getXXPolicyItemAccess().findByPolicyId(policyId); List<XXPolicyItemCondition> xConditions = daoMgr.getXXPolicyItemCondition().findByPolicyId(policyId); - List<XXPolicyItemDataMaskInfo> xDataMaskInfos = daoMgr.getXXPolicyItemDataMaskInfo().findByPolicyId(policyId); + List<XXPolicyItemDataMaskInfo> xDataMaskInfos = daoMgr.getXXPolicyItemDataMaskInfo().findByPolicyId(policyId); + List<XXPolicyItemRowFilterInfo> xRowFilterInfos = daoMgr.getXXPolicyItemRowFilterInfo().findByPolicyId(policyId); this.service = xService; this.iterPolicy = xPolicies.listIterator(); @@ -461,7 +467,8 @@ public class RangerPolicyRetriever { this.iterGroupPerms = xGroupPerms.listIterator(); this.iterAccesses = xAccesses.listIterator(); this.iterConditions = xConditions.listIterator(); - this.iterDataMaskInfos = xDataMaskInfos.listIterator(); + this.iterDataMaskInfos = xDataMaskInfos.listIterator(); + this.iterRowFilterInfos = xRowFilterInfos.listIterator(); } RangerPolicy getNextPolicy() { @@ -549,7 +556,8 @@ public class RangerPolicyRetriever { || iterGroupPerms.hasNext() || iterAccesses.hasNext() || iterConditions.hasNext() - || iterDataMaskInfos.hasNext(); + || iterDataMaskInfos.hasNext() + || iterRowFilterInfos.hasNext(); return !moreToProcess; } 
@@ -592,15 +600,22 @@ public class RangerPolicyRetriever { XXPolicyItem xPolicyItem = iterPolicyItems.next(); if(xPolicyItem.getPolicyid().equals(policy.getId())) { - final RangerPolicyItem policyItem; - final RangerDataMaskPolicyItem dataMaskPolicyItem; - - if(xPolicyItem.getItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATA_MASKING) { - dataMaskPolicyItem = new RangerDataMaskPolicyItem(); - policyItem = dataMaskPolicyItem; + final RangerPolicyItem policyItem; + final RangerDataMaskPolicyItem dataMaskPolicyItem; + final RangerRowFilterPolicyItem rowFilterPolicyItem; + + if(xPolicyItem.getItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK) { + dataMaskPolicyItem = new RangerDataMaskPolicyItem(); + rowFilterPolicyItem = null; + policyItem = dataMaskPolicyItem; + } else if(xPolicyItem.getItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER) { + dataMaskPolicyItem = null; + rowFilterPolicyItem = new RangerRowFilterPolicyItem(); + policyItem = rowFilterPolicyItem; } else { - dataMaskPolicyItem = null; - policyItem = new RangerPolicyItem(); + dataMaskPolicyItem = null; + rowFilterPolicyItem = null; + policyItem = new RangerPolicyItem(); } @@ -674,7 +689,7 @@ public class RangerPolicyRetriever { while (iterDataMaskInfos.hasNext()) { XXPolicyItemDataMaskInfo xDataMaskInfo = iterDataMaskInfos.next(); - if (xDataMaskInfo.getPolicyitemid().equals(xPolicyItem.getId())) { + if (xDataMaskInfo.getPolicyItemId().equals(xPolicyItem.getId())) { dataMaskPolicyItem.setDataMaskInfo(new RangerPolicyItemDataMaskInfo(lookupCache.getDataMaskName(xDataMaskInfo.getType()), xDataMaskInfo.getConditionExpr(), xDataMaskInfo.getValueExpr())); } else { if (iterDataMaskInfos.hasPrevious()) { 
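Review bot: The new type dispatch in getPolicy (hunk @@ -592) compares `xPolicyItem.getItemType()` with `==` against int constants, which auto-unboxes; the null default a few lines further on (`xPolicyItem.getItemType() == null ? POLICY_ITEM_TYPE_ALLOW : ...`) suggests the getter returns a nullable Integer, in which case a row with a null item type throws a NullPointerException here before that default is ever reached. Compute the defaulted value once before the dispatch — `Integer rawType = xPolicyItem.getItemType();` / `int itemType = rawType == null ? RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW : rawType;` — and use `itemType` both here and in the add-to-policy branch so the two sites cannot disagree. The pre-existing data-mask comparison had the same shape, but the chain now contains two such comparisons. The enclosing loop body continues past this hunk.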
@@ -685,6 +700,21 @@ public class RangerPolicyRetriever { } } + if(rowFilterPolicyItem != null) { + while (iterRowFilterInfos.hasNext()) { + XXPolicyItemRowFilterInfo xRowFilterInfo = iterRowFilterInfos.next(); + + if (xRowFilterInfo.getPolicyItemId().equals(xPolicyItem.getId())) { + rowFilterPolicyItem.setRowFilterInfo(new RangerPolicyItemRowFilterInfo(xRowFilterInfo.getFilterExpr())); + } else { + if (iterRowFilterInfos.hasPrevious()) { + iterRowFilterInfos.previous(); + } + break; + } + } + } + int itemType = xPolicyItem.getItemType() == null ? RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW : xPolicyItem.getItemType(); @@ -696,10 +726,12 @@ public class RangerPolicyRetriever { policy.getAllowExceptions().add(policyItem); } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS) { policy.getDenyExceptions().add(policyItem); - } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATA_MASKING) { + } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK) { policy.getDataMaskPolicyItems().add(dataMaskPolicyItem); - } else { // unknown itemType.. set to default type - policy.getPolicyItems().add(policyItem); + } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER) { + policy.getRowFilterPolicyItems().add(rowFilterPolicyItem); + } else { // unknown itemType + LOG.warn("RangerPolicyRetriever.getPolicy(policyId=" + policy.getId() + "): ignoring unknown policyItemType " + itemType); } } else if(xPolicyItem.getPolicyid().compareTo(policy.getId()) > 0) { if(iterPolicyItems.hasPrevious()) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index c4a823c..a8f063b 100644 
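Review bot: The row-filter load loop in hunk @@ -685 calls `setRowFilterInfo` for every XXPolicyItemRowFilterInfo row whose policyItemId matches, so if the table ever holds more than one row for an item the last one silently wins and the others are never evaluated. Since the filter expression decides which rows a user may read, a duplicate should at least be logged before it is overwritten: `if (rowFilterPolicyItem.getRowFilterInfo() != null) { LOG.warn("RangerPolicyRetriever.getPolicy(policyId=" + policy.getId() + "): multiple row-filter rows for policyItemId " + xPolicyItem.getId()); }`. The data-mask loop this one mirrors has the same property. The enclosing method starts and ends outside this hunk.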
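Review bot: Ignoring items with an unrecognised itemType (hunk @@ -696) instead of appending them to the allow list is the safer direction, but the warning omits the policy item id, which is what an operator needs to locate the offending row. Include it: `LOG.warn("RangerPolicyRetriever.getPolicy(policyId=" + policy.getId() + ", policyItemId=" + xPolicyItem.getId() + "): ignoring unknown policyItemType " + itemType);`. Whether a policy with skipped items should still be handed to plugins as if complete is a separate decision made outside this hunk.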
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -34,9 +34,12 @@ import org.apache.ranger.db.*; import org.apache.ranger.entity.*; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem; +import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.plugin.model.RangerPolicyResourceSignature; import org.apache.ranger.plugin.model.RangerService; @@ -49,6 +52,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumElementDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; +import org.apache.ranger.plugin.model.RangerServiceDef.RangerRowFilterDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef; import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper; import org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator; 
@@ -212,9 +216,14 @@ public class ServiceDBStore extends AbstractServiceStore { List<RangerPolicyConditionDef> policyConditions = serviceDef.getPolicyConditions(); List<RangerContextEnricherDef> contextEnrichers = serviceDef.getContextEnrichers(); List<RangerEnumDef> enums = serviceDef.getEnums(); - RangerDataMaskDef dataMaskDef = serviceDef.getDataMaskDef(); + RangerDataMaskDef dataMaskDef = serviceDef.getDataMaskDef(); + RangerRowFilterDef rowFilterDef = serviceDef.getRowFilterDef(); + List<RangerDataMaskTypeDef> dataMaskTypes = dataMaskDef == null || dataMaskDef.getMaskTypes() == null ? new ArrayList<RangerDataMaskTypeDef>() : dataMaskDef.getMaskTypes(); + List<RangerAccessTypeDef> dataMaskAccessTypes = dataMaskDef == null || dataMaskDef.getAccessTypes() == null ? new ArrayList<RangerAccessTypeDef>() : dataMaskDef.getAccessTypes(); + List<RangerResourceDef> dataMaskResources = dataMaskDef == null || dataMaskDef.getResources() == null ? new ArrayList<RangerResourceDef>() : dataMaskDef.getResources(); + List<RangerAccessTypeDef> rowFilterAccessTypes = rowFilterDef == null || rowFilterDef.getAccessTypes() == null ? new ArrayList<RangerAccessTypeDef>() : rowFilterDef.getAccessTypes(); + List<RangerResourceDef> rowFilterResources = rowFilterDef == null || rowFilterDef.getResources() == null ? new ArrayList<RangerResourceDef>() : rowFilterDef.getResources(); - // While creating, value of version should be 1. serviceDef.setVersion(Long.valueOf(1)); 
@@ -325,93 +334,100 @@ public class ServiceDBStore extends AbstractServiceStore { } } - if(dataMaskDef != null) { - List<RangerDataMaskTypeDef> dataMaskTypes = dataMaskDef.getMaskTypes(); - List<RangerAccessTypeDef> dataMaskAccessTypes = dataMaskDef.getAccessTypes(); - List<RangerResourceDef> dataMaskResources = dataMaskDef.getResources(); + XXDataMaskTypeDefDao xxDataMaskDefDao = daoMgr.getXXDataMaskTypeDef(); + for (int i = 0; i < dataMaskTypes.size(); i++) { + RangerDataMaskTypeDef dataMask = dataMaskTypes.get(i); - if(CollectionUtils.isNotEmpty(dataMaskTypes)) { - XXDataMaskTypeDefDao xxDataMaskDefDao = daoMgr.getXXDataMaskTypeDef(); - for (int i = 0; i < dataMaskTypes.size(); i++) { - RangerDataMaskTypeDef dataMask = dataMaskTypes.get(i); + XXDataMaskTypeDef xDataMaskDef = new XXDataMaskTypeDef(); + xDataMaskDef = serviceDefService.populateRangerDataMaskDefToXX(dataMask, xDataMaskDef, createdSvcDef, + RangerServiceDefService.OPERATION_CREATE_CONTEXT); + xDataMaskDef.setOrder(i); + xDataMaskDef = xxDataMaskDefDao.create(xDataMaskDef); + } - XXDataMaskTypeDef xDataMaskDef = new XXDataMaskTypeDef(); - xDataMaskDef = serviceDefService.populateRangerDataMaskDefToXX(dataMask, xDataMaskDef, createdSvcDef, - RangerServiceDefService.OPERATION_CREATE_CONTEXT); - xDataMaskDef.setOrder(i); - xDataMaskDef = xxDataMaskDefDao.create(xDataMaskDef); - } + List<XXAccessTypeDef> xxAccessTypeDefs = xxATDDao.findByServiceDefId(createdSvcDef.getId()); + + for(RangerAccessTypeDef accessType : dataMaskAccessTypes) { + if(! isAccessTypeInList(accessType.getName(), xxAccessTypeDefs)) { + throw restErrorUtil.createRESTException("accessType with name: " + + accessType.getName() + " does not exists", MessageEnums.DATA_NOT_FOUND); } + } - if(CollectionUtils.isNotEmpty(dataMaskAccessTypes)) { - List<XXAccessTypeDef> xxAccessTypeDefs = xxATDDao.findByServiceDefId(xServiceDef.getId()); + for(RangerAccessTypeDef accessType : rowFilterAccessTypes) { + if(! 
isAccessTypeInList(accessType.getName(), xxAccessTypeDefs)) { + throw restErrorUtil.createRESTException("accessType with name: " + + accessType.getName() + " does not exists", MessageEnums.DATA_NOT_FOUND); + } + } - for(RangerAccessTypeDef accessType : dataMaskAccessTypes) { - boolean found = false; - for(XXAccessTypeDef xxAccessTypeDef : xxAccessTypeDefs) { - if(StringUtils.equals(xxAccessTypeDef.getName(), accessType.getName())) { - found = true; + for(XXAccessTypeDef xxAccessTypeDef : xxAccessTypeDefs) { + String dataMaskOptions = null; + String rowFilterOptions = null; - break; - } - } + for(RangerAccessTypeDef accessTypeDef : dataMaskAccessTypes) { + if(StringUtils.equals(accessTypeDef.getName(), xxAccessTypeDef.getName())) { + dataMaskOptions = svcDefServiceWithAssignedId.objectToJson(accessTypeDef); + break; + } + } - if(! found) { - throw restErrorUtil.createRESTException("accessType with name: " - + accessType + " does not exists", MessageEnums.DATA_NOT_FOUND); - } + for(RangerAccessTypeDef accessTypeDef : rowFilterAccessTypes) { + if(StringUtils.equals(accessTypeDef.getName(), xxAccessTypeDef.getName())) { + rowFilterOptions = svcDefServiceWithAssignedId.objectToJson(accessTypeDef); + break; } + } - for(XXAccessTypeDef xxAccessTypeDef : xxAccessTypeDefs) { - String dataMaskOptions = null; + if(!StringUtils.equals(dataMaskOptions, xxAccessTypeDef.getDataMaskOptions()) || + !StringUtils.equals(rowFilterOptions, xxAccessTypeDef.getRowFilterOptions())) { + xxAccessTypeDef.setDataMaskOptions(dataMaskOptions); + xxAccessTypeDef.setRowFilterOptions(rowFilterOptions); - for(RangerAccessTypeDef dataMaskAccessType : dataMaskAccessTypes) { - if(StringUtils.equals(dataMaskAccessType.getName(), xxAccessTypeDef.getName())) { - dataMaskOptions = svcDefServiceWithAssignedId.objectToJson(dataMaskAccessType); - break; - } - } + xxATDDao.update(xxAccessTypeDef); + } + } - if(! 
StringUtils.equals(dataMaskOptions, xxAccessTypeDef.getDataMaskOptions())) { - xxAccessTypeDef.setDataMaskOptions(dataMaskOptions); - xxATDDao.update(xxAccessTypeDef); - } - } + List<XXResourceDef> xxResourceDefs = xxResDefDao.findByServiceDefId(createdSvcDef.getId()); + + for(RangerResourceDef resource : dataMaskResources) { + if(! isResourceInList(resource.getName(), xxResourceDefs)) { + throw restErrorUtil.createRESTException("resource with name: " + + resource.getName() + " does not exists", MessageEnums.DATA_NOT_FOUND); } + } - if(CollectionUtils.isNotEmpty(dataMaskResources)) { - List<XXResourceDef> xxResourceDefs = xxResDefDao.findByServiceDefId(xServiceDef.getId()); + for(RangerResourceDef resource : rowFilterResources) { + if(! isResourceInList(resource.getName(), xxResourceDefs)) { + throw restErrorUtil.createRESTException("resource with name: " + + resource.getName() + " does not exists", MessageEnums.DATA_NOT_FOUND); + } + } - for(RangerResourceDef resource : dataMaskResources) { - boolean found = false; - for(XXResourceDef xxResourceDef : xxResourceDefs) { - if(StringUtils.equals(xxResourceDef.getName(), resource.getName())) { - found = true; - break; - } - } + for(XXResourceDef xxResourceDef : xxResourceDefs) { + String dataMaskOptions = null; + String rowFilterOptions = null; - if(! 
found) { - throw restErrorUtil.createRESTException("resource with name: " - + resource + " does not exists", MessageEnums.DATA_NOT_FOUND); - } + for(RangerResourceDef resource : dataMaskResources) { + if(StringUtils.equals(resource.getName(), xxResourceDef.getName())) { + dataMaskOptions = svcDefServiceWithAssignedId.objectToJson(resource); + break; } + } - for(XXResourceDef xxResourceDef : xxResourceDefs) { - String dataMaskOptions = null; + for(RangerResourceDef resource : rowFilterResources) { + if(StringUtils.equals(resource.getName(), xxResourceDef.getName())) { + rowFilterOptions = svcDefServiceWithAssignedId.objectToJson(resource); + break; + } + } - for(RangerResourceDef dataMaskResource : dataMaskResources) { - if(StringUtils.equals(dataMaskResource.getName(), xxResourceDef.getName())) { - dataMaskOptions = svcDefServiceWithAssignedId.objectToJson(dataMaskResource); - break; - } - } + if(!StringUtils.equals(dataMaskOptions, xxResourceDef.getDataMaskOptions()) || + !StringUtils.equals(rowFilterOptions, xxResourceDef.getRowFilterOptions())) { + xxResourceDef.setDataMaskOptions(dataMaskOptions); + xxResourceDef.setRowFilterOptions(rowFilterOptions); - if(! StringUtils.equals(dataMaskOptions, xxResourceDef.getDataMaskOptions())) { - xxResourceDef.setDataMaskOptions(dataMaskOptions); - xxResDefDao.update(xxResourceDef); - } - } + xxResDefDao.update(xxResourceDef); } } @@ -462,6 +478,7 @@ public class ServiceDBStore extends AbstractServiceStore { List<RangerContextEnricherDef> contextEnrichers = serviceDef.getContextEnrichers() != null ? serviceDef.getContextEnrichers() : new ArrayList<RangerContextEnricherDef>(); List<RangerEnumDef> enums = serviceDef.getEnums() != null ? serviceDef.getEnums() : new ArrayList<RangerEnumDef>(); RangerDataMaskDef dataMaskDef = serviceDef.getDataMaskDef(); + RangerRowFilterDef rowFilterDef = serviceDef.getRowFilterDef(); serviceDef.setCreateTime(existing.getCreateTime()); serviceDef.setGuid(existing.getGuid()); 
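Review bot: In createServiceDef (hunk @@ -325) the mask types are persisted via `xxDataMaskDefDao.create` before the access-type and resource name checks run, so a service def whose dataMaskDef or rowFilterDef names an unknown access type or resource fails only after rows were written; unless the enclosing call is transactional (not visible here) that leaves a partially created service def behind. Either move the four validation loops ahead of the mask-type creation or record the assumption, e.g. `// relies on the enclosing transaction to roll back created mask types if validation below fails`. The text `" does not exists"` should read `" does not exist"` in all four messages. The method's start and end lie outside the hunk.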
@@ -470,7 +487,7 @@ public class ServiceDBStore extends AbstractServiceStore { serviceDef = serviceDefService.update(serviceDef); XXServiceDef createdSvcDef = daoMgr.getXXServiceDef().getById(serviceDefId); - updateChildObjectsOfServiceDef(createdSvcDef, configs, resources, accessTypes, policyConditions, contextEnrichers, enums, dataMaskDef); + updateChildObjectsOfServiceDef(createdSvcDef, configs, resources, accessTypes, policyConditions, contextEnrichers, enums, dataMaskDef, rowFilterDef); RangerServiceDef updatedSvcDef = getServiceDef(serviceDefId); dataHistService.createObjectDataHistory(updatedSvcDef, RangerDataHistService.ACTION_UPDATE); @@ -488,7 +505,7 @@ public class ServiceDBStore extends AbstractServiceStore { private void updateChildObjectsOfServiceDef(XXServiceDef createdSvcDef, List<RangerServiceConfigDef> configs, List<RangerResourceDef> resources, List<RangerAccessTypeDef> accessTypes, List<RangerPolicyConditionDef> policyConditions, List<RangerContextEnricherDef> contextEnrichers, - List<RangerEnumDef> enums, RangerServiceDef.RangerDataMaskDef dataMaskDef) { + List<RangerEnumDef> enums, RangerDataMaskDef dataMaskDef, RangerRowFilterDef rowFilterDef) { Long serviceDefId = createdSvcDef.getId(); 
@@ -822,13 +839,18 @@ public class ServiceDBStore extends AbstractServiceStore { } } - List<RangerDataMaskTypeDef> dataMasks = dataMaskDef == null || dataMaskDef.getMaskTypes() == null ? new ArrayList<RangerDataMaskTypeDef>() : dataMaskDef.getMaskTypes(); - List<RangerAccessTypeDef> dataMaskAccessTypes = dataMaskDef == null || dataMaskDef.getAccessTypes() == null ? new ArrayList<RangerAccessTypeDef>() : dataMaskDef.getAccessTypes(); - List<RangerResourceDef> dataMaskResources = dataMaskDef == null || dataMaskDef.getResources() == null ? new ArrayList<RangerResourceDef>() : dataMaskDef.getResources(); - XXDataMaskTypeDefDao dataMaskTypeDao = daoMgr.getXXDataMaskTypeDef(); - List<XXDataMaskTypeDef> xxDataMaskTypes = dataMaskTypeDao.findByServiceDefId(serviceDefId); + List<RangerDataMaskTypeDef> dataMasks = dataMaskDef == null || dataMaskDef.getMaskTypes() == null ? new ArrayList<RangerDataMaskTypeDef>() : dataMaskDef.getMaskTypes(); + List<RangerAccessTypeDef> dataMaskAccessTypes = dataMaskDef == null || dataMaskDef.getAccessTypes() == null ? new ArrayList<RangerAccessTypeDef>() : dataMaskDef.getAccessTypes(); + List<RangerResourceDef> dataMaskResources = dataMaskDef == null || dataMaskDef.getResources() == null ? new ArrayList<RangerResourceDef>() : dataMaskDef.getResources(); + List<RangerAccessTypeDef> rowFilterAccessTypes = rowFilterDef == null || rowFilterDef.getAccessTypes() == null ? new ArrayList<RangerAccessTypeDef>() : rowFilterDef.getAccessTypes(); + List<RangerResourceDef> rowFilterResources = rowFilterDef == null || rowFilterDef.getResources() == null ? 
new ArrayList<RangerResourceDef>() : rowFilterDef.getResources(); + XXDataMaskTypeDefDao dataMaskTypeDao = daoMgr.getXXDataMaskTypeDef(); + List<XXDataMaskTypeDef> xxDataMaskTypes = dataMaskTypeDao.findByServiceDefId(serviceDefId); + List<XXAccessTypeDef> xxAccessTypeDefs = xxATDDao.findByServiceDefId(serviceDefId); + List<XXResourceDef> xxResourceDefs = xxResDefDao.findByServiceDefId(serviceDefId); + // create or update dataMasks - for (RangerServiceDef.RangerDataMaskTypeDef dataMask : dataMasks) { + for (RangerDataMaskTypeDef dataMask : dataMasks) { boolean found = false; for (XXDataMaskTypeDef xxDataMask : xxDataMaskTypes) { if (xxDataMask.getItemId() != null && xxDataMask.getItemId().equals(dataMask.getItemId())) { 
@@ -874,68 +896,82 @@ public class ServiceDBStore extends AbstractServiceStore { } } - List<XXAccessTypeDef> xxAccessTypeDefs = xxATDDao.findByServiceDefId(serviceDefId); - for(RangerAccessTypeDef accessType : dataMaskAccessTypes) { - boolean found = false; - for(XXAccessTypeDef xxAccessTypeDef : xxAccessTypeDefs) { - if(StringUtils.equals(xxAccessTypeDef.getName(), accessType.getName())) { - found = true; - break; - } + if(! isAccessTypeInList(accessType.getName(), xxAccessTypeDefs)) { + throw restErrorUtil.createRESTException("accessType with name: " + + accessType.getName() + " does not exists", MessageEnums.DATA_NOT_FOUND); } + } - if(! found) { + for(RangerAccessTypeDef accessType : rowFilterAccessTypes) { + if(! isAccessTypeInList(accessType.getName(), xxAccessTypeDefs)) { throw restErrorUtil.createRESTException("accessType with name: " - + accessType + " does not exists", MessageEnums.DATA_NOT_FOUND); + + accessType.getName() + " does not exists", MessageEnums.DATA_NOT_FOUND); } } for(XXAccessTypeDef xxAccessTypeDef : xxAccessTypeDefs) { String dataMaskOptions = null; + String rowFilterOptions = null; + + for(RangerAccessTypeDef accessTypeDef : dataMaskAccessTypes) { + if(StringUtils.equals(accessTypeDef.getName(), xxAccessTypeDef.getName())) { + dataMaskOptions = svcDefServiceWithAssignedId.objectToJson(accessTypeDef); + break; + } + } - for(RangerAccessTypeDef dataMaskAccessType : dataMaskAccessTypes) { - if(StringUtils.equals(dataMaskAccessType.getName(), xxAccessTypeDef.getName())) { - dataMaskOptions = svcDefServiceWithAssignedId.objectToJson(dataMaskAccessType); + for(RangerAccessTypeDef accessTypeDef : rowFilterAccessTypes) { + if(StringUtils.equals(accessTypeDef.getName(), xxAccessTypeDef.getName())) { + rowFilterOptions = svcDefServiceWithAssignedId.objectToJson(accessTypeDef); break; } } - if(! 
StringUtils.equals(dataMaskOptions, xxAccessTypeDef.getDataMaskOptions())) { + if(!StringUtils.equals(dataMaskOptions, xxAccessTypeDef.getDataMaskOptions()) || + !StringUtils.equals(rowFilterOptions, xxAccessTypeDef.getRowFilterOptions())) { xxAccessTypeDef.setDataMaskOptions(dataMaskOptions); + xxAccessTypeDef.setRowFilterOptions(rowFilterOptions); xxATDDao.update(xxAccessTypeDef); } } - List<XXResourceDef> xxResourceDefs = xxResDefDao.findByServiceDefId(serviceDefId); - for(RangerResourceDef resource : dataMaskResources) { - boolean found = false; - for(XXResourceDef xxResourceDef : xxResourceDefs) { - if(StringUtils.equals(xxResourceDef.getName(), resource.getName())) { - found = true; - break; - } + if(! isResourceInList(resource.getName(), xxResourceDefs)) { + throw restErrorUtil.createRESTException("resource with name: " + + resource.getName() + " does not exists", MessageEnums.DATA_NOT_FOUND); } + } - if(! found) { + for(RangerResourceDef resource : rowFilterResources) { + if(! isResourceInList(resource.getName(), xxResourceDefs)) { throw restErrorUtil.createRESTException("resource with name: " - + resource + " does not exists", MessageEnums.DATA_NOT_FOUND); + + resource.getName() + " does not exists", MessageEnums.DATA_NOT_FOUND); } } for(XXResourceDef xxResourceDef : xxResourceDefs) { - String dataMaskOptions = null; + String dataMaskOptions = null; + String rowFilterOptions = null; - for(RangerResourceDef dataMaskResource : dataMaskResources) { - if(StringUtils.equals(dataMaskResource.getName(), xxResourceDef.getName())) { - dataMaskOptions = svcDefServiceWithAssignedId.objectToJson(dataMaskResource); + for(RangerResourceDef resource : dataMaskResources) { + if(StringUtils.equals(resource.getName(), xxResourceDef.getName())) { + dataMaskOptions = svcDefServiceWithAssignedId.objectToJson(resource); break; } } - if(! 
StringUtils.equals(dataMaskOptions, xxResourceDef.getDataMaskOptions())) { + for(RangerResourceDef resource : rowFilterResources) { + if(StringUtils.equals(resource.getName(), xxResourceDef.getName())) { + rowFilterOptions = svcDefServiceWithAssignedId.objectToJson(resource); + break; + } + } + + if(!StringUtils.equals(dataMaskOptions, xxResourceDef.getDataMaskOptions()) || + !StringUtils.equals(rowFilterOptions, xxResourceDef.getRowFilterOptions())) { xxResourceDef.setDataMaskOptions(dataMaskOptions); + xxResourceDef.setRowFilterOptions(rowFilterOptions); xxResDefDao.update(xxResourceDef); } } @@ -1596,6 +1632,7 @@ public class ServiceDBStore extends AbstractServiceStore { List<RangerPolicyItem> allowExceptions = policy.getAllowExceptions(); List<RangerPolicyItem> denyExceptions = policy.getDenyExceptions(); List<RangerDataMaskPolicyItem> dataMaskItems = policy.getDataMaskPolicyItems(); + List<RangerRowFilterPolicyItem> rowFilterItems = policy.getRowFilterPolicyItems(); policy.setVersion(Long.valueOf(1)); updatePolicySignature(policy); 
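Review bot: The validation and options-sync code in updateChildObjectsOfServiceDef (hunk @@ -874) is a near-verbatim copy of the block added to createServiceDef, down to the same four error messages, and the two will drift the next time a field is added to either def. Extract a private helper along the lines of `syncDataMaskAndRowFilterOptions(Long serviceDefId, List<RangerAccessTypeDef> dataMaskAccessTypes, List<RangerAccessTypeDef> rowFilterAccessTypes, List<RangerResourceDef> dataMaskResources, List<RangerResourceDef> rowFilterResources)` that performs the existence checks and the options updates, and call it from both paths. `" does not exists"` should also be `" does not exist"`. The enclosing method starts outside this hunk.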
@@ -1620,7 +1657,8 @@ public class ServiceDBStore extends AbstractServiceStore { createNewPolicyItemsForPolicy(policy, xCreatedPolicy, denyPolicyItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY); createNewPolicyItemsForPolicy(policy, xCreatedPolicy, allowExceptions, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS); createNewPolicyItemsForPolicy(policy, xCreatedPolicy, denyExceptions, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS); - createNewDataMaskPolicyItemsForPolicy(policy, xCreatedPolicy, dataMaskItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATA_MASKING); + createNewDataMaskPolicyItemsForPolicy(policy, xCreatedPolicy, dataMaskItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK); + createNewRowFilterPolicyItemsForPolicy(policy, xCreatedPolicy, rowFilterItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER); handlePolicyUpdate(service); RangerPolicy createdPolicy = policyService.getPopulatedViewObject(xCreatedPolicy); dataHistService.createObjectDataHistory(createdPolicy, RangerDataHistService.ACTION_CREATE); @@ -1674,7 +1712,8 @@ public class ServiceDBStore extends AbstractServiceStore { List<RangerPolicyItem> allowExceptions = policy.getAllowExceptions(); List<RangerPolicyItem> denyExceptions = policy.getDenyExceptions(); List<RangerDataMaskPolicyItem> dataMaskPolicyItems = policy.getDataMaskPolicyItems(); - + List<RangerRowFilterPolicyItem> rowFilterItems = policy.getRowFilterPolicyItems(); + policy.setCreateTime(xxExisting.getCreateTime()); policy.setGuid(xxExisting.getGuid()); policy.setVersion(xxExisting.getVersion()); 
@@ -1694,7 +1733,8 @@ public class ServiceDBStore extends AbstractServiceStore { createNewPolicyItemsForPolicy(policy, newUpdPolicy, denyPolicyItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY); createNewPolicyItemsForPolicy(policy, newUpdPolicy, allowExceptions, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS); createNewPolicyItemsForPolicy(policy, newUpdPolicy, denyExceptions, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS); - createNewDataMaskPolicyItemsForPolicy(policy, newUpdPolicy, dataMaskPolicyItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATA_MASKING); + createNewDataMaskPolicyItemsForPolicy(policy, newUpdPolicy, dataMaskPolicyItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK); + createNewRowFilterPolicyItemsForPolicy(policy, newUpdPolicy, rowFilterItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER); handlePolicyUpdate(service); RangerPolicy updPolicy = policyService.getPopulatedViewObject(newUpdPolicy); @@ -2284,7 +2324,7 @@ public class ServiceDBStore extends AbstractServiceStore { } } - private XXPolicyItem createNewPolicyItemForPolicy(RangerPolicy policy, XXPolicy xPolicy, RangerPolicy.RangerPolicyItem policyItem, XXServiceDef xServiceDef, int itemOrder, int policyItemType) throws Exception { + private XXPolicyItem createNewPolicyItemForPolicy(RangerPolicy policy, XXPolicy xPolicy, RangerPolicyItem policyItem, XXServiceDef xServiceDef, int itemOrder, int policyItemType) throws Exception { XXPolicyItem xPolicyItem = new XXPolicyItem(); xPolicyItem = (XXPolicyItem) rangerAuditFields.populateAuditFields(xPolicyItem, xPolicy); 
@@ -2393,7 +2433,7 @@ public class ServiceDBStore extends AbstractServiceStore { XXPolicyItem xPolicyItem = createNewPolicyItemForPolicy(policy, xPolicy, policyItem, xServiceDef, itemOrder, policyItemType); - RangerPolicy.RangerPolicyItemDataMaskInfo dataMaskInfo = policyItem.getDataMaskInfo(); + RangerPolicyItemDataMaskInfo dataMaskInfo = policyItem.getDataMaskInfo(); if(dataMaskInfo != null) { XXDataMaskTypeDef dataMaskDef = daoMgr.getXXDataMaskTypeDef().findByNameAndServiceId(dataMaskInfo.getDataMaskType(), xPolicy.getService()); @@ -2404,7 +2444,7 @@ public class ServiceDBStore extends AbstractServiceStore { XXPolicyItemDataMaskInfo xxDataMaskInfo = new XXPolicyItemDataMaskInfo(); - xxDataMaskInfo.setPolicyitemid(xPolicyItem.getId()); + xxDataMaskInfo.setPolicyItemId(xPolicyItem.getId()); xxDataMaskInfo.setType(dataMaskDef.getId()); xxDataMaskInfo.setConditionExpr(dataMaskInfo.getConditionExpr()); xxDataMaskInfo.setValueExpr(dataMaskInfo.getValueExpr()); 
@@ -2415,6 +2455,27 @@ public class ServiceDBStore extends AbstractServiceStore { } } + private void createNewRowFilterPolicyItemsForPolicy(RangerPolicy policy, XXPolicy xPolicy, List<RangerRowFilterPolicyItem> policyItems, XXServiceDef xServiceDef, int policyItemType) throws Exception { + if(CollectionUtils.isNotEmpty(policyItems)) { + for (int itemOrder = 0; itemOrder < policyItems.size(); itemOrder++) { + RangerRowFilterPolicyItem policyItem = policyItems.get(itemOrder); + + XXPolicyItem xPolicyItem = createNewPolicyItemForPolicy(policy, xPolicy, policyItem, xServiceDef, itemOrder, policyItemType); + + RangerPolicyItemRowFilterInfo dataMaskInfo = policyItem.getRowFilterInfo(); + + if(dataMaskInfo != null) { + XXPolicyItemRowFilterInfo xxRowFilterInfo = new XXPolicyItemRowFilterInfo(); + + xxRowFilterInfo.setPolicyItemId(xPolicyItem.getId()); + xxRowFilterInfo.setFilterExpr(dataMaskInfo.getFilterExpr()); + + xxRowFilterInfo = daoMgr.getXXPolicyItemRowFilterInfo().create(xxRowFilterInfo); + } + } + } + } + private void createNewResourcesForPolicy(RangerPolicy policy, XXPolicy xPolicy, Map<String, RangerPolicyResource> resources) throws Exception { for (Entry<String, RangerPolicyResource> resource : resources.entrySet()) { @@ -2491,6 +2552,12 @@ public class ServiceDBStore extends AbstractServiceStore { polItemDataMaskInfoDao.remove(dataMaskInfo); } + XXPolicyItemRowFilterInfoDao polItemRowFilterInfoDao = daoMgr.getXXPolicyItemRowFilterInfo(); + List<XXPolicyItemRowFilterInfo> rowFilterInfos = polItemRowFilterInfoDao.findByPolicyItemId(polItemId); + for(XXPolicyItemRowFilterInfo rowFilterInfo : rowFilterInfos) { + polItemRowFilterInfoDao.remove(rowFilterInfo); + } + policyItemDao.remove(policyItem); } return true; 
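Review bot: createNewRowFilterPolicyItemsForPolicy (hunk @@ -2415) stores `filterExpr` exactly as received from the REST layer with no validation, whereas the data-mask counterpart at least resolves the mask type against the service def; a row-filter item whose `rowFilterInfo` is null or whose expression is blank is persisted as a filter item with nothing to filter, and what the plugin does with such an item is decided elsewhere. Because the expression is presumably applied as a predicate in the data path, reject it at creation: `if (rowFilterInfo == null || StringUtils.isBlank(rowFilterInfo.getFilterExpr())) { /* throw via restErrorUtil.createRESTException with the MessageEnums entry this class uses for invalid input */ }`. The local is also misnamed — `dataMaskInfo` holds a RangerPolicyItemRowFilterInfo — so call it `rowFilterInfo`.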
@@ -2628,4 +2695,23 @@ public class ServiceDBStore extends AbstractServiceStore { return ret; } + private boolean isAccessTypeInList(String accessType, List<XXAccessTypeDef> xAccessTypeDefs) { + for(XXAccessTypeDef xxAccessTypeDef : xAccessTypeDefs) { + if(StringUtils.equals(xxAccessTypeDef.getName(), accessType)) { + return true; + } + } + + return false; + } + + private boolean isResourceInList(String resource, List<XXResourceDef> xResourceDefs) { + for(XXResourceDef xResourceDef : xResourceDefs) { + if(StringUtils.equals(xResourceDef.getName(), resource)) { + return true; + } + } + + return false; + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index e9c8394..6f53a24 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -34,7 +34,9 @@ import org.apache.ranger.entity.XXGroupPermission; import org.apache.ranger.entity.XXModuleDef; import org.apache.ranger.entity.XXUserPermission; import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; +import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem; import org.apache.ranger.service.RangerPolicyService; import org.apache.ranger.service.XGroupPermissionService; import org.apache.ranger.service.XModuleDefService; 
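Review bot: The new helpers isAccessTypeInList and isResourceInList (hunk @@ -2628) have no Javadoc and iterate the list argument unguarded; both callers pass a DAO result, and if the DAO can return null (not visible here) this is a NullPointerException inside service-def validation. Document the contract and make the match semantics explicit, e.g. `/** True if the service-def access types contain one whose name equals accessType exactly (case-sensitive, via StringUtils.equals); a null list yields false. */`, and add `if (xAccessTypeDefs == null) { return false; }` at the top of each. The hunk closes the class, so the two methods are complete here.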
@@ -1522,6 +1524,14 @@ public class XUserMgr extends XUserMgrBase { removeUserGroupReferences(denyExceptions,null,vXGroup.getName()); rangerPolicy.setDenyExceptions(denyExceptions); + List<RangerDataMaskPolicyItem> dataMaskItems = rangerPolicy.getDataMaskPolicyItems(); + removeUserGroupReferences(dataMaskItems,null,vXGroup.getName()); + rangerPolicy.setDataMaskPolicyItems(dataMaskItems); + + List<RangerRowFilterPolicyItem> rowFilterItems = rangerPolicy.getRowFilterPolicyItems(); + removeUserGroupReferences(rowFilterItems,null,vXGroup.getName()); + rangerPolicy.setRowFilterPolicyItems(rowFilterItems); + try { svcStore.updatePolicy(rangerPolicy); } catch (Throwable excp) { @@ -1694,6 +1704,14 @@ public class XUserMgr extends XUserMgrBase { removeUserGroupReferences(denyExceptions,vXUser.getName(),null); rangerPolicy.setDenyExceptions(denyExceptions); + List<RangerDataMaskPolicyItem> dataMaskItems = rangerPolicy.getDataMaskPolicyItems(); + removeUserGroupReferences(dataMaskItems,vXUser.getName(),null); + rangerPolicy.setDataMaskPolicyItems(dataMaskItems); + + List<RangerRowFilterPolicyItem> rowFilterItems = rangerPolicy.getRowFilterPolicyItems(); + removeUserGroupReferences(rowFilterItems,vXUser.getName(),null); + rangerPolicy.setRowFilterPolicyItems(rowFilterItems); + try{ svcStore.updatePolicy(rangerPolicy); }catch(Throwable excp) { @@ -1761,9 +1779,9 @@ public class XUserMgr extends XUserMgrBase { } } - private void removeUserGroupReferences(List<RangerPolicyItem> policyItems, String user, String group) { - List<RangerPolicyItem> itemsToRemove = null; - for(RangerPolicyItem policyItem : policyItems) { + private <T extends RangerPolicyItem> void removeUserGroupReferences(List<T> policyItems, String user, String group) { + List<T> itemsToRemove = null; + for(T policyItem : policyItems) { if(!StringUtil.isEmpty(user)) { policyItem.getUsers().remove(user); } 
@@ -1772,7 +1790,7 @@ public class XUserMgr extends XUserMgrBase {
 }
 if(policyItem.getUsers().isEmpty() && policyItem.getGroups().isEmpty()) {
 if(itemsToRemove == null) {
- itemsToRemove = new ArrayList<RangerPolicyItem>();
+ itemsToRemove = new ArrayList<T>();
 }
 itemsToRemove.add(policyItem);
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java b/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java
index 6988750..3851069 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java
@@ -583,11 +583,15 @@ public class AppConstants extends RangerCommonEnums {
 * CLASS_TYPE_RANGER_POLICY_ITEM_DATAMASK_INFO is an element of enum ClassTypes. Its value is "CLASS_TYPE_RANGER_POLICY_ITEM_DATAMASK_INFO".
 */
 public static final int CLASS_TYPE_RANGER_POLICY_ITEM_DATAMASK_INFO = 1050;
+ /**
+ * CLASS_TYPE_RANGER_POLICY_ITEM_ROWFILTER_INFO is an element of enum ClassTypes. Its value is "CLASS_TYPE_RANGER_POLICY_ITEM_ROWFILTER_INFO".
+ */
+ public static final int CLASS_TYPE_RANGER_POLICY_ITEM_ROWFILTER_INFO = 1051;
 /**
 * Max value for enum ClassTypes_MAX
 */
- public static final int ClassTypes_MAX = 1050;
+ public static final int ClassTypes_MAX = 1051;
 /***************************************************************
 * Enum values for Default SortOrder
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java b/security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java
index 5431553..6559850 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java
@@ -192,6 +192,9 @@ public abstract class RangerDaoManagerBase {
 if (classType == AppConstants.CLASS_TYPE_RANGER_POLICY_ITEM_DATAMASK_INFO) {
 return getXXPolicyItemDataMaskInfo();
 }
+ if (classType== AppConstants.CLASS_TYPE_RANGER_POLICY_ITEM_ROWFILTER_INFO) {
+ return getXXPolicyItemRowFilterInfo();
+ }
 logger.error("No DaoManager found for classType=" + classType, new Throwable());
 return null;
@@ -352,6 +355,9 @@ public abstract class RangerDaoManagerBase {
 if (className.equals("XXPolicyItemDataMaskInfo")) {
 return getXXPolicyItemDataMaskInfo();
 }
+ if (className.equals("XXPolicyItemRowFilterInfo")) {
+ return getXXPolicyItemRowFilterInfo();
+ }
 logger.error("No DaoManager found for className=" + className, new Throwable());
 return null;
@@ -566,5 +572,9 @@ public abstract class RangerDaoManagerBase {
 return new XXPolicyItemDataMaskInfoDao(this);
 }
+ public XXPolicyItemRowFilterInfoDao getXXPolicyItemRowFilterInfo() {
+ return new XXPolicyItemRowFilterInfoDao(this);
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemRowFilterInfoDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemRowFilterInfoDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemRowFilterInfoDao.java
new file mode 100644
index 0000000..4618e7d
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemRowFilterInfoDao.java
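Review bot: `classType== AppConstants.CLASS_TYPE_RANGER_POLICY_ITEM_ROWFILTER_INFO` in the first hunk drops the space before `==` that the neighbouring comparison in the same method keeps; `if (classType == AppConstants.CLASS_TYPE_RANGER_POLICY_ITEM_ROWFILTER_INFO) {`. Both dispatch chains (by classType and by className) grow one hand-written if-block per entity and fall through to a logged error; a lookup table keyed on the constant and on the class name, filled once, would make additions like this one a single entry each and would keep the two chains from drifting apart.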
@@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.db;
+
+import org.apache.ranger.common.db.BaseDao;
+import org.apache.ranger.entity.XXPolicyItemRowFilterInfo;
+
+import javax.persistence.NoResultException;
+import java.util.ArrayList;
+import java.util.List;
+
+public class XXPolicyItemRowFilterInfoDao extends BaseDao<XXPolicyItemRowFilterInfo> {
+
+ public XXPolicyItemRowFilterInfoDao(RangerDaoManagerBase daoManager) {
+ super(daoManager);
+ }
+
+ public List<XXPolicyItemRowFilterInfo> findByPolicyItemId(Long polItemId) {
+ if(polItemId == null) {
+ return new ArrayList<XXPolicyItemRowFilterInfo>();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyItemRowFilterInfo.findByPolicyItemId", tClass)
+ .setParameter("polItemId", polItemId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList<XXPolicyItemRowFilterInfo>();
+ }
+ }
+
+ public List<XXPolicyItemRowFilterInfo> findByPolicyId(Long policyId) {
+ if(policyId == null) {
+ return new ArrayList<XXPolicyItemRowFilterInfo>();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyItemRowFilterInfo.findByPolicyId", tClass)
+ .setParameter("policyId", policyId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList<XXPolicyItemRowFilterInfo>();
+ }
+ }
+
+ public List<XXPolicyItemRowFilterInfo> findByServiceId(Long serviceId) {
+ if(serviceId == null) {
+ return new ArrayList<XXPolicyItemRowFilterInfo>();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyItemRowFilterInfo.findByServiceId", tClass)
+ .setParameter("serviceId", serviceId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList<XXPolicyItemRowFilterInfo>();
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/security-admin/src/main/java/org/apache/ranger/entity/XXAccessTypeDef.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXAccessTypeDef.java b/security-admin/src/main/java/org/apache/ranger/entity/XXAccessTypeDef.java
index 5bc22e0..719ada1 100644
--- a/security-admin/src/main/java/org/apache/ranger/entity/XXAccessTypeDef.java
+++ b/security-admin/src/main/java/org/apache/ranger/entity/XXAccessTypeDef.java
@@ -103,6 +103,15 @@ public class XXAccessTypeDef extends XXDBBase implements java.io.Serializable {
 protected String dataMaskOptions;
 /**
+ * rowFilterOptions of the XXAccessTypeDef
+ * <ul>
+ * </ul>
+ *
+ */
+ @Column(name = "rowfilter_options")
+ protected String rowFilterOptions;
+
+ /**
 * This method sets the value to the member attribute <b> id</b> . You
 * cannot set null to the attribute.
 *
@@ -250,6 +259,10 @@ public class XXAccessTypeDef extends XXDBBase implements java.io.Serializable {
 this.dataMaskOptions = dataMaskOptions;
 }
+ public String getRowFilterOptions() { return rowFilterOptions; }
+
+ public void setRowFilterOptions(String rowFilterOptions) { this.rowFilterOptions = rowFilterOptions; }
+
 /*
 * (non-Javadoc)
 *
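Review bot: The `catch (NoResultException e)` in `findByPolicyItemId`, `findByPolicyId` and `findByServiceId` is unreachable: JPA's `TypedQuery.getResultList()` returns an empty list when nothing matches and only `getSingleResult()` throws `NoResultException`, so each body reduces to `return getEntityManager().createNamedQuery(..., tClass).setParameter(...).getResultList();` with the try/catch removed. The null-id guards returning a fresh `ArrayList` are fine, but a one-line class Javadoc naming the three named queries this DAO depends on (`XXPolicyItemRowFilterInfo.findByPolicyItemId`, `.findByPolicyId`, `.findByServiceId`) would tell a reader where to look when one of them is missing from the entity's query definitions, which this diff does not show.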
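Review bot: `getRowFilterOptions`/`setRowFilterOptions` in the @@ -250 hunk are single-line bodies with no Javadoc, while the accessors around them in this file (the `setId` Javadoc visible in the @@ -103 hunk) are multi-line and carry `@param`/`@return` tags; the same shape recurs in the XXResourceDef @@ -661 hunk further down. Expanding both pairs to the file's accessor form keeps the entities uniform and gives the generated docs something to say. The field Javadoc added at @@ -103 repeats the empty `<ul></ul>` template of its siblings; a sentence such as `* Serialized row-filter options for this access type; stored in column rowfilter_options.` would be more useful than the bare name.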
@@ -326,6 +339,13 @@ public class XXAccessTypeDef extends XXDBBase implements java.io.Serializable {
 } else if (!dataMaskOptions.equals(other.dataMaskOptions)) {
 return false;
 }
+ if (rowFilterOptions == null) {
+ if (other.rowFilterOptions != null) {
+ return false;
+ }
+ } else if (!rowFilterOptions.equals(other.rowFilterOptions)) {
+ return false;
+ }
 return true;
 }
@@ -338,7 +358,8 @@ public class XXAccessTypeDef extends XXDBBase implements java.io.Serializable {
 public String toString() {
 return "XXAccessTypeDef [" + super.toString() + " id=" + id + ", defId=" + defId
 + ", itemId=" + itemId + ", name=" + name + ", label=" + label
- + ", rbKeyLabel=" + rbKeyLabel + ", dataMaskOptions=" + dataMaskOptions + ", order=" + order + "]";
+ + ", rbKeyLabel=" + rbKeyLabel + ", dataMaskOptions=" + dataMaskOptions
+ + ", rowFilterOptions=" + rowFilterOptions + ", order=" + order + "]";
 }
 }
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItemDataMaskInfo.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItemDataMaskInfo.java b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItemDataMaskInfo.java
index 391f5a8..5561255 100644
--- a/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItemDataMaskInfo.java
+++ b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItemDataMaskInfo.java
@@ -41,16 +41,6 @@ public class XXPolicyItemDataMaskInfo extends XXDBBase implements
 protected Long id;
 /**
- * Global Id for the object
- * <ul>
- * <li>The maximum length for this attribute is <b>512</b>.
- * </ul>
- *
- */
- @Column(name = "guid", unique = true, nullable = false, length = 512)
- protected String GUID;
-
- /**
 * policyItemId of the XXPolicyItemDataMaskInfo
 * <ul>
 * </ul>
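Review bot: `equals` in the @@ -326 hunk now compares `rowFilterOptions`, but no `hashCode` change appears in this diff; if XXAccessTypeDef overrides `hashCode` over its own fields (not visible here) and already folds in `dataMaskOptions`, it should fold in `rowFilterOptions` the same way so the two methods stay derived from the same field set. The same check applies to the XXResourceDef equals hunk at @@ -803. The `toString` update at @@ -338 is consistent with the new field.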
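Review bot: Removing the `GUID` field at @@ -41 drops a mapping that was declared `@Column(name = "guid", unique = true, nullable = false, length = 512)`; unless the backing table and the upgrade scripts drop that column or relax the NOT NULL constraint in the same change (nothing in this diff shows that), every insert of XXPolicyItemDataMaskInfo will fail at the database. Worth confirming the DDL/patch files accompany this removal before merge. The matching removal of the GUID accessors, the equals clause and the toString fragment in the later hunks of this file is consistent with the field going away.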
@@ -107,28 +97,13 @@ public class XXPolicyItemDataMaskInfo extends XXDBBase implements
 }
 /**
- * @return the gUID
- */
- public String getGUID() {
- return GUID;
- }
-
- /**
- * @param gUID
- * the gUID to set
- */
- public void setGUID(String gUID) {
- GUID = gUID;
- }
-
- /**
 * This method sets the value to the member attribute <b> policyItemId</b> .
 * You cannot set null to the attribute.
 *
 * @param policyItemId
 * Value to set member attribute <b> policyItemId</b>
 */
- public void setPolicyitemid(Long policyItemId) {
+ public void setPolicyItemId(Long policyItemId) {
 this.policyItemId = policyItemId;
 }
@@ -137,7 +112,7 @@ public class XXPolicyItemDataMaskInfo extends XXDBBase implements
 *
 * @return Date - value of member attribute <b>policyItemId</b> .
 */
- public Long getPolicyitemid() {
+ public Long getPolicyItemId() {
 return this.policyItemId;
 }
@@ -256,13 +231,6 @@ public class XXPolicyItemDataMaskInfo extends XXDBBase implements
 } else if (!type.equals(other.type)) {
 return false;
 }
- if (GUID == null) {
- if (other.GUID != null) {
- return false;
- }
- } else if (!GUID.equals(other.GUID)) {
- return false;
- }
 return true;
 }
@@ -274,9 +242,8 @@ public class XXPolicyItemDataMaskInfo extends XXDBBase implements
 @Override
 public String toString() {
 return "XXPolicyItemDataMaskInfo [" + super.toString() + " id=" + id
- + ", guid=" + GUID + ", policyItemId="
- + policyItemId + ", type=" + type + ", conditionExpr=" + conditionExpr
- + ", valueExpr=" + valueExpr + "]";
+ + ", policyItemId=" + policyItemId + ", type=" + type
+ + ", conditionExpr=" + conditionExpr + ", valueExpr=" + valueExpr + "]";
 }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItemRowFilterInfo.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItemRowFilterInfo.java b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItemRowFilterInfo.java
new file mode 100644
index 0000000..6a63ad1
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyItemRowFilterInfo.java
@@ -0,0 +1,176 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.entity;
+
+import javax.persistence.*;
+import javax.xml.bind.annotation.XmlRootElement;
+
+@Entity
+@Cacheable
+@XmlRootElement
+@Table(name = "x_policy_item_rowfilter")
+public class XXPolicyItemRowFilterInfo extends XXDBBase implements
+ java.io.Serializable {
+ private static final long serialVersionUID = 1L;
+ /**
+ * id of the XXPolicyItemRowFilterInfo
+ * <ul>
+ * </ul>
+ *
+ */
+ @Id
+ @SequenceGenerator(name = "x_policy_item_rowfilter_SEQ", sequenceName = "x_policy_item_rowfilter_SEQ", allocationSize = 1)
+ @GeneratedValue(strategy = GenerationType.AUTO, generator = "x_policy_item_rowfilter_SEQ")
+ @Column(name = "id")
+ protected Long id;
+
+ /**
+ * policyItemId of the XXPolicyItemRowFilterInfo
+ * <ul>
+ * </ul>
+ *
+ */
+ @Column(name = "policy_item_id")
+ protected Long policyItemId;
+
+ /**
+ * filter_expr of the XXPolicyItemRowFilterInfo
+ * <ul>
+ * </ul>
+ *
+ */
+ @Column(name = "filter_expr")
+ protected String filterExpr;
+
+ /**
+ * This method sets the value to the member attribute <b> id</b> . You
+ * cannot set null to the attribute.
+ *
+ * @param id
+ * Value to set member attribute <b> id</b>
+ */
+ public void setId(Long id) {
+ this.id = id;
+ }
+
+ /**
+ * Returns the value for the member attribute <b>id</b>
+ *
+ * @return Long - value of member attribute <b>id</b> .
+ */
+ public Long getId() {
+ return this.id;
+ }
+
+ /**
+ * This method sets the value to the member attribute <b> policyItemId</b> .
+ * You cannot set null to the attribute.
+ *
+ * @param policyItemId
+ * Value to set member attribute <b> policyItemId</b>
+ */
+ public void setPolicyItemId(Long policyItemId) {
+ this.policyItemId = policyItemId;
+ }
+
+ /**
+ * Returns the value for the member attribute <b>policyItemId</b>
+ *
+ * @return Long - value of member attribute <b>policyItemId</b> .
+ */
+ public Long getPolicyItemId() {
+ return this.policyItemId;
+ }
+
+ /**
+ * This method sets the value to the member attribute <b> filterExpr</b> .
+ * You cannot set null to the attribute.
+ *
+ * @param filterExpr
+ * Value to set member attribute <b> filterExpr</b>
+ */
+ public void setFilterExpr(String filterExpr) {
+ this.filterExpr = filterExpr;
+ }
+
+ /**
+ * Returns the value for the member attribute <b>filterExpr</b>
+ *
+ * @return String - value of member attribute <b>filterExpr</b> .
+ */
+ public String getFilterExpr() {
+ return this.filterExpr;
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see java.lang.Object#equals(java.lang.Object)
+ */
+ @Override
+ public boolean equals(Object obj) {
+ if (!super.equals(obj)) {
+ return false;
+ }
+ if (this == obj) {
+ return true;
+ }
+ if (!super.equals(obj)) {
+ return false;
+ }
+ if (getClass() != obj.getClass()) {
+ return false;
+ }
+ XXPolicyItemRowFilterInfo other = (XXPolicyItemRowFilterInfo) obj;
+ if (id == null) {
+ if (other.id != null) {
+ return false;
+ }
+ } else if (!id.equals(other.id)) {
+ return false;
+ }
+ if (filterExpr == null) {
+ if (other.filterExpr != null) {
+ return false;
+ }
+ } else if (!filterExpr.equals(other.filterExpr)) {
+ return false;
+ }
+ if (policyItemId == null) {
+ if (other.policyItemId != null) {
+ return false;
+ }
+ } else if (!policyItemId.equals(other.policyItemId)) {
+ return false;
+ }
+ return true;
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see java.lang.Object#toString()
+ */
+ @Override
+ public String toString() {
+ return "XXPolicyItemDataMaskInfo [" + super.toString() + " id=" + id
+ + ", policyItemId=" + policyItemId + ", filterExpr=" + filterExpr + "]";
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2c7f617b/security-admin/src/main/java/org/apache/ranger/entity/XXResourceDef.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXResourceDef.java b/security-admin/src/main/java/org/apache/ranger/entity/XXResourceDef.java
index 6679c35..28ee4e7 100644
--- a/security-admin/src/main/java/org/apache/ranger/entity/XXResourceDef.java
+++ b/security-admin/src/main/java/org/apache/ranger/entity/XXResourceDef.java
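Review bot: `toString` in the new XXPolicyItemRowFilterInfo labels the object `"XXPolicyItemDataMaskInfo ["`, a copy-paste from the sibling entity that will mislead anyone reading logs or audit output; `return "XXPolicyItemRowFilterInfo [" + super.toString() + " id=" + id`. In `equals`, `if (!super.equals(obj)) { return false; }` appears twice, and the first copy runs before the `this == obj` identity check, so the short-circuit never fires on its own — drop the first copy and keep the one after the identity test. The file overrides `equals` over `id`, `filterExpr` and `policyItemId` but adds no `hashCode`; that is only contract-safe if the inherited XXDBBase `hashCode` uses a subset of those fields, which this diff does not show and is worth confirming.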
@@ -238,6 +238,15 @@ public class XXResourceDef extends XXDBBase implements java.io.Serializable {
 protected String dataMaskOptions;
 /**
+ * rowFilterOptions of the XXAccessTypeDef
+ * <ul>
+ * </ul>
+ *
+ */
+ @Column(name = "rowfilter_options")
+ protected String rowFilterOptions;
+
+ /**
 * This method sets the value to the member attribute <b> id</b> . You
 * cannot set null to the attribute.
 *
@@ -661,6 +670,10 @@ public class XXResourceDef extends XXDBBase implements java.io.Serializable {
 this.dataMaskOptions = dataMaskOptions;
 }
+ public String getRowFilterOptions() { return rowFilterOptions; }
+
+ public void setRowFilterOptions(String rowFilterOptions) { this.rowFilterOptions = rowFilterOptions; }
+
 /*
 * (non-Javadoc)
 *
@@ -803,6 +816,13 @@ public class XXResourceDef extends XXDBBase implements java.io.Serializable {
 } else if (!dataMaskOptions.equals(other.dataMaskOptions)) {
 return false;
 }
+ if (rowFilterOptions == null) {
+ if (other.rowFilterOptions != null) {
+ return false;
+ }
+ } else if (!rowFilterOptions.equals(other.rowFilterOptions)) {
+ return false;
+ }
 return true;
 }
@@ -829,6 +849,7 @@ public class XXResourceDef extends XXDBBase implements java.io.Serializable {
 + ", rbKeyValidationMessage=" + rbKeyValidationMessage
 + ", order=" + order
 + ", dataMaskOptions=" + dataMaskOptions
+ + ", rowFilterOptions=" + rowFilterOptions
 + "]";
 }
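Review bot: The field Javadoc added at @@ -238 reads `rowFilterOptions of the XXAccessTypeDef`, but this is XXResourceDef — the comment was carried over from the sibling entity; `* rowFilterOptions of the XXResourceDef`, or better a sentence stating what the `rowfilter_options` column holds for a resource definition. The accessor pair at @@ -661 and the `equals` extension at @@ -803 mirror the XXAccessTypeDef hunks above and share their remarks.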
