http://git-wip-us.apache.org/repos/asf/ranger/blob/c84b98fb/security-admin/db/sqlserver/patches/035-update-schema-for-x-policy.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/sqlserver/patches/035-update-schema-for-x-policy.sql b/security-admin/db/sqlserver/patches/035-update-schema-for-x-policy.sql
new file mode 100644
index 0000000..ebf44ac
--- /dev/null
+++ b/security-admin/db/sqlserver/patches/035-update-schema-for-x-policy.sql
@@ -0,0 +1,453 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+GO
+IF (OBJECT_ID('x_policy_ref_resource_FK_policy_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_resource] DROP CONSTRAINT x_policy_ref_resource_FK_policy_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_resource_FK_resource_def_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_resource] DROP CONSTRAINT x_policy_ref_resource_FK_resource_def_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_resource_UK') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_resource] DROP CONSTRAINT x_policy_ref_resource_UK
+END
+GO
+IF (OBJECT_ID('x_policy_ref_resource') IS NOT NULL)
+BEGIN
+ DROP TABLE [dbo].[x_policy_ref_resource]
+END
+GO
+IF (OBJECT_ID('x_policy_ref_access_type_FK_policy_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_access_type] DROP CONSTRAINT x_policy_ref_access_type_FK_policy_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_access_type_FK_access_def_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_access_type] DROP CONSTRAINT x_policy_ref_access_type_FK_access_def_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_access_type_UK') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_access_type] DROP CONSTRAINT x_policy_ref_access_type_UK
+END +GO +IF (OBJECT_ID('x_policy_ref_access_type') IS NOT NULL) +BEGIN + DROP TABLE [dbo].[x_policy_ref_access_type] +END +GO +IF (OBJECT_ID('x_policy_ref_condition_FK_policy_id') IS NOT NULL) +BEGIN + ALTER TABLE [dbo].[x_policy_ref_condition] DROP CONSTRAINT x_policy_ref_condition_FK_policy_id +END +GO +IF (OBJECT_ID('x_policy_ref_condition_FK_condition_def_id') IS NOT NULL) +BEGIN + ALTER TABLE [dbo].[x_policy_ref_condition] DROP CONSTRAINT x_policy_ref_condition_FK_condition_def_id +END +GO +IF (OBJECT_ID('x_policy_ref_condition_UK') IS NOT NULL) +BEGIN + ALTER TABLE [dbo].[x_policy_ref_condition] DROP CONSTRAINT x_policy_ref_condition_UK +END +GO +IF (OBJECT_ID('x_policy_ref_condition') IS NOT NULL) +BEGIN + DROP TABLE [dbo].[x_policy_ref_condition] +END +GO +IF (OBJECT_ID('x_policy_ref_datamask_type_FK_policy_id') IS NOT NULL) +BEGIN + ALTER TABLE [dbo].[x_policy_ref_datamask_type] DROP CONSTRAINT x_policy_ref_datamask_type_FK_policy_id +END +GO +IF (OBJECT_ID('x_policy_ref_datamask_type_FK_datamask_def_id') IS NOT NULL) +BEGIN + ALTER TABLE [dbo].[x_policy_ref_datamask_type] DROP CONSTRAINT x_policy_ref_datamask_type_FK_datamask_def_id +END +GO +IF (OBJECT_ID('x_policy_ref_datamask_type_UK') IS NOT NULL) +BEGIN + ALTER TABLE [dbo].[x_policy_ref_datamask_type] DROP CONSTRAINT x_policy_ref_datamask_type_UK +END +GO +IF (OBJECT_ID('x_policy_ref_datamask_type') IS NOT NULL) +BEGIN + DROP TABLE [dbo].[x_policy_ref_datamask_type] +END +GO +IF (OBJECT_ID('x_policy_ref_user_FK_policy_id') IS NOT NULL) +BEGIN + ALTER TABLE [dbo].[x_policy_ref_user] DROP CONSTRAINT x_policy_ref_user_FK_policy_id +END +GO +IF (OBJECT_ID('x_policy_ref_user_FK_user_id') IS NOT NULL) +BEGIN + ALTER TABLE [dbo].[x_policy_ref_user] DROP CONSTRAINT x_policy_ref_user_FK_user_id +END +GO +IF (OBJECT_ID('x_policy_ref_user_UK') IS NOT NULL) +BEGIN + ALTER TABLE [dbo].[x_policy_ref_user] DROP CONSTRAINT x_policy_ref_user_UK +END +GO +IF (OBJECT_ID('x_policy_ref_user') IS NOT NULL) +BEGIN + DROP 
TABLE [dbo].[x_policy_ref_user] +END +GO +IF (OBJECT_ID('x_policy_ref_group_FK_policy_id') IS NOT NULL) +BEGIN + ALTER TABLE [dbo].[x_policy_ref_group] DROP CONSTRAINT x_policy_ref_group_FK_policy_id +END +GO +IF (OBJECT_ID('x_policy_ref_group_FK_group_id') IS NOT NULL) +BEGIN + ALTER TABLE [dbo].[x_policy_ref_group] DROP CONSTRAINT x_policy_ref_group_FK_group_id +END +GO +IF (OBJECT_ID('x_policy_ref_group_UK') IS NOT NULL) +BEGIN + ALTER TABLE [dbo].[x_policy_ref_group] DROP CONSTRAINT x_policy_ref_group_UK +END +GO +IF (OBJECT_ID('x_policy_ref_group') IS NOT NULL) +BEGIN + DROP TABLE [dbo].[x_policy_ref_group] +END +GO +SET ANSI_NULLS ON +GO +SET QUOTED_IDENTIFIER ON +GO +SET ANSI_PADDING ON +GO +CREATE TABLE [dbo].[x_policy_ref_resource] ( + [id] [bigint] IDENTITY (1, 1) NOT NULL, + [guid] [varchar](1024) DEFAULT NULL NULL, + [create_time] [datetime2] DEFAULT NULL NULL, + [update_time] [datetime2] DEFAULT NULL NULL, + [added_by_id] [bigint] DEFAULT NULL NULL, + [upd_by_id] [bigint] DEFAULT NULL NULL, + [policy_id] [bigint] NOT NULL, + [resource_def_id] [bigint] NOT NULL, + [resource_name] [varchar](4000) DEFAULT NULL NULL, + PRIMARY KEY CLUSTERED + ( + [id] ASC + ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY], + CONSTRAINT [x_policy_ref_resource$x_policy_ref_resource_UK] UNIQUE NONCLUSTERED + ( + [policy_id] ASC, [resource_def_id] ASC + )WITH (PAD_INDEX = OFF,STATISTICS_NORECOMPUTE = OFF,IGNORE_DUP_KEY = OFF,ALLOW_ROW_LOCKS = ON,ALLOW_PAGE_LOCKS = ON) ON [PRIMARY] +) ON [PRIMARY] +GO +SET ANSI_NULLS ON +GO +SET QUOTED_IDENTIFIER ON +GO +SET ANSI_PADDING ON +GO +CREATE TABLE [dbo].[x_policy_ref_access_type] ( + [id] [bigint] IDENTITY (1, 1) NOT NULL, + [guid] [varchar](1024) DEFAULT NULL NULL, + [create_time] [datetime2] DEFAULT NULL NULL, + [update_time] [datetime2] DEFAULT NULL NULL, + [added_by_id] [bigint] DEFAULT NULL NULL, + [upd_by_id] [bigint] DEFAULT NULL NULL, + 
[policy_id] [bigint] NOT NULL, + [access_def_id] [bigint] NOT NULL, + [access_type_name] [varchar](4000) DEFAULT NULL NULL, + PRIMARY KEY CLUSTERED + ( + [id] ASC + ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY], + CONSTRAINT [x_policy_ref_access_type$x_policy_ref_access_type_UK] UNIQUE NONCLUSTERED +( + [policy_id] ASC, [access_def_id] ASC +)WITH (PAD_INDEX = OFF,STATISTICS_NORECOMPUTE = OFF,IGNORE_DUP_KEY = OFF,ALLOW_ROW_LOCKS = ON,ALLOW_PAGE_LOCKS = ON) ON [PRIMARY] +) ON [PRIMARY] +GO +SET ANSI_NULLS ON +GO +SET QUOTED_IDENTIFIER ON +GO +SET ANSI_PADDING ON +GO +CREATE TABLE [dbo].[x_policy_ref_condition] ( + [id] [bigint] IDENTITY (1, 1) NOT NULL, + [guid] [varchar](1024) DEFAULT NULL NULL, + [create_time] [datetime2] DEFAULT NULL NULL, + [update_time] [datetime2] DEFAULT NULL NULL, + [added_by_id] [bigint] DEFAULT NULL NULL, + [upd_by_id] [bigint] DEFAULT NULL NULL, + [policy_id] [bigint] NOT NULL, + [condition_def_id] [bigint] NOT NULL, + [condition_name] [varchar](4000) DEFAULT NULL NULL, + PRIMARY KEY CLUSTERED + ( + [id] ASC + ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY], + CONSTRAINT [x_policy_ref_condition$x_policy_ref_condition_UK] UNIQUE NONCLUSTERED +( + [policy_id] ASC, [condition_def_id] ASC +)WITH (PAD_INDEX = OFF,STATISTICS_NORECOMPUTE = OFF,IGNORE_DUP_KEY = OFF,ALLOW_ROW_LOCKS = ON,ALLOW_PAGE_LOCKS = ON) ON [PRIMARY] +) ON [PRIMARY] +GO +SET ANSI_NULLS ON +GO +SET QUOTED_IDENTIFIER ON +GO +SET ANSI_PADDING ON +GO +CREATE TABLE [dbo].[x_policy_ref_datamask_type] ( + [id] [bigint] IDENTITY (1, 1) NOT NULL, + [guid] [varchar](1024) DEFAULT NULL NULL, + [create_time] [datetime2] DEFAULT NULL NULL, + [update_time] [datetime2] DEFAULT NULL NULL, + [added_by_id] [bigint] DEFAULT NULL NULL, + [upd_by_id] [bigint] DEFAULT NULL NULL, + [policy_id] [bigint] NOT NULL, + 
[datamask_def_id] [bigint] NOT NULL, + [datamask_type_name] [varchar](4000) DEFAULT NULL NULL, + PRIMARY KEY CLUSTERED + ( + [id] ASC + ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY], + CONSTRAINT [x_policy_ref_datamask_type$x_policy_ref_datamask_type_UK] UNIQUE NONCLUSTERED +( + [policy_id] ASC, [datamask_def_id] ASC +)WITH (PAD_INDEX = OFF,STATISTICS_NORECOMPUTE = OFF,IGNORE_DUP_KEY = OFF,ALLOW_ROW_LOCKS = ON,ALLOW_PAGE_LOCKS = ON) ON [PRIMARY] +) ON [PRIMARY] +GO +SET ANSI_NULLS ON +GO +SET QUOTED_IDENTIFIER ON +GO +SET ANSI_PADDING ON +GO +CREATE TABLE [dbo].[x_policy_ref_user] ( + [id] [bigint] IDENTITY (1, 1) NOT NULL, + [guid] [varchar](1024) DEFAULT NULL NULL, + [create_time] [datetime2] DEFAULT NULL NULL, + [update_time] [datetime2] DEFAULT NULL NULL, + [added_by_id] [bigint] DEFAULT NULL NULL, + [upd_by_id] [bigint] DEFAULT NULL NULL, + [policy_id] [bigint] NOT NULL, + [user_id] [bigint] NOT NULL, + [user_name] [varchar](4000) DEFAULT NULL NULL, + PRIMARY KEY CLUSTERED + ( + [id] ASC + ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY], + CONSTRAINT [x_policy_ref_user$x_policy_ref_user_UK] UNIQUE NONCLUSTERED +( + [policy_id] ASC, [user_id] ASC +)WITH (PAD_INDEX = OFF,STATISTICS_NORECOMPUTE = OFF,IGNORE_DUP_KEY = OFF,ALLOW_ROW_LOCKS = ON,ALLOW_PAGE_LOCKS = ON) ON [PRIMARY] +) ON [PRIMARY] +GO +SET ANSI_NULLS ON +GO +SET QUOTED_IDENTIFIER ON +GO +SET ANSI_PADDING ON +GO +CREATE TABLE [dbo].[x_policy_ref_group] ( + [id] [bigint] IDENTITY (1, 1) NOT NULL, + [guid] [varchar](1024) DEFAULT NULL NULL, + [create_time] [datetime2] DEFAULT NULL NULL, + [update_time] [datetime2] DEFAULT NULL NULL, + [added_by_id] [bigint] DEFAULT NULL NULL, + [upd_by_id] [bigint] DEFAULT NULL NULL, + [policy_id] [bigint] NOT NULL, + [group_id] [bigint] NOT NULL, + [group_name] [varchar](4000) DEFAULT NULL NULL, + 
PRIMARY KEY CLUSTERED + ( + [id] ASC + ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY], + CONSTRAINT [x_policy_ref_group$x_policy_ref_group_UK] UNIQUE NONCLUSTERED +( + [policy_id] ASC, [group_id] ASC +)WITH (PAD_INDEX = OFF,STATISTICS_NORECOMPUTE = OFF,IGNORE_DUP_KEY = OFF,ALLOW_ROW_LOCKS = ON,ALLOW_PAGE_LOCKS = ON) ON [PRIMARY] +) ON [PRIMARY] +GO +ALTER TABLE [dbo].[x_policy_ref_resource] WITH CHECK ADD CONSTRAINT [x_policy_ref_resource_FK_policy_id] FOREIGN KEY ([policy_id]) +REFERENCES [dbo].[x_policy] ([id]) +ALTER TABLE [dbo].[x_policy_ref_resource] CHECK CONSTRAINT [x_policy_ref_resource_FK_policy_id] +ALTER TABLE [dbo].[x_policy_ref_resource] WITH CHECK ADD CONSTRAINT [x_policy_ref_resource_FK_resource_def_id] FOREIGN KEY ([resource_def_id]) +REFERENCES [dbo].[x_resource_def] ([id]) +ALTER TABLE [dbo].[x_policy_ref_resource] CHECK CONSTRAINT [x_policy_ref_resource_FK_resource_def_id] +ALTER TABLE [dbo].[x_policy_ref_resource] WITH CHECK ADD CONSTRAINT [x_policy_ref_resource_FK_added_by] FOREIGN KEY ([added_by_id]) +REFERENCES [dbo].[x_portal_user] ([id]) +ALTER TABLE [dbo].[x_policy_ref_resource] CHECK CONSTRAINT [x_policy_ref_resource_FK_added_by] +ALTER TABLE [dbo].[x_policy_ref_resource] WITH CHECK ADD CONSTRAINT [x_policy_ref_resource_FK_upd_by] FOREIGN KEY ([upd_by_id]) +REFERENCES [dbo].[x_portal_user] ([id]) +ALTER TABLE [dbo].[x_policy_ref_access_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_access_type_FK_policy_id] FOREIGN KEY ([policy_id]) +REFERENCES [dbo].[x_policy] ([id]) +ALTER TABLE [dbo].[x_policy_ref_access_type] CHECK CONSTRAINT [x_policy_ref_access_type_FK_policy_id] +ALTER TABLE [dbo].[x_policy_ref_access_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_access_type_FK_access_def_id] FOREIGN KEY ([access_def_id]) +REFERENCES [dbo].[x_access_type_def] ([id]) +ALTER TABLE [dbo].[x_policy_ref_access_type] CHECK CONSTRAINT 
[x_policy_ref_access_type_FK_access_def_id] +ALTER TABLE [dbo].[x_policy_ref_access_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_access_type_FK_added_by] FOREIGN KEY ([added_by_id]) +REFERENCES [dbo].[x_portal_user] ([id]) +ALTER TABLE [dbo].[x_policy_ref_access_type] CHECK CONSTRAINT [x_policy_ref_access_type_FK_added_by] +ALTER TABLE [dbo].[x_policy_ref_access_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_access_type_FK_upd_by] FOREIGN KEY ([upd_by_id]) +REFERENCES [dbo].[x_portal_user] ([id]) +ALTER TABLE [dbo].[x_policy_ref_condition] WITH CHECK ADD CONSTRAINT [x_policy_ref_condition_FK_policy_id] FOREIGN KEY ([policy_id]) +REFERENCES [dbo].[x_policy] ([id]) +ALTER TABLE [dbo].[x_policy_ref_condition] CHECK CONSTRAINT [x_policy_ref_condition_FK_policy_id] +ALTER TABLE [dbo].[x_policy_ref_condition] WITH CHECK ADD CONSTRAINT [x_policy_ref_condition_FK_condition_def_id] FOREIGN KEY ([condition_def_id]) +REFERENCES [dbo].[x_policy_condition_def] ([id]) +ALTER TABLE [dbo].[x_policy_ref_condition] CHECK CONSTRAINT [x_policy_ref_condition_FK_condition_def_id] +ALTER TABLE [dbo].[x_policy_ref_condition] WITH CHECK ADD CONSTRAINT [x_policy_ref_condition_FK_added_by] FOREIGN KEY ([added_by_id]) +REFERENCES [dbo].[x_portal_user] ([id]) +ALTER TABLE [dbo].[x_policy_ref_condition] CHECK CONSTRAINT [x_policy_ref_condition_FK_added_by] +ALTER TABLE [dbo].[x_policy_ref_condition] WITH CHECK ADD CONSTRAINT [x_policy_ref_condition_FK_upd_by] FOREIGN KEY ([upd_by_id]) +REFERENCES [dbo].[x_portal_user] ([id]) +ALTER TABLE [dbo].[x_policy_ref_datamask_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_datamask_type_FK_policy_id] FOREIGN KEY ([policy_id]) +REFERENCES [dbo].[x_policy] ([id]) +ALTER TABLE [dbo].[x_policy_ref_datamask_type] CHECK CONSTRAINT [x_policy_ref_datamask_type_FK_policy_id] +ALTER TABLE [dbo].[x_policy_ref_datamask_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_datamask_type_FK_datamask_def_id] FOREIGN KEY ([datamask_def_id]) +REFERENCES [dbo].[x_datamask_type_def] 
([id]) +ALTER TABLE [dbo].[x_policy_ref_datamask_type] CHECK CONSTRAINT [x_policy_ref_datamask_type_FK_datamask_def_id] +ALTER TABLE [dbo].[x_policy_ref_datamask_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_datamask_type_FK_added_by] FOREIGN KEY ([added_by_id]) +REFERENCES [dbo].[x_portal_user] ([id]) +ALTER TABLE [dbo].[x_policy_ref_datamask_type] CHECK CONSTRAINT [x_policy_ref_datamask_type_FK_added_by] +ALTER TABLE [dbo].[x_policy_ref_datamask_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_datamask_type_FK_upd_by] FOREIGN KEY ([upd_by_id]) +REFERENCES [dbo].[x_portal_user] ([id]) + + +ALTER TABLE [dbo].[x_policy_ref_user] WITH CHECK ADD CONSTRAINT [x_policy_ref_user_FK_policy_id] FOREIGN KEY ([policy_id]) +REFERENCES [dbo].[x_policy] ([id]) +ALTER TABLE [dbo].[x_policy_ref_user] CHECK CONSTRAINT [x_policy_ref_user_FK_policy_id] + +ALTER TABLE [dbo].[x_policy_ref_user] WITH CHECK ADD CONSTRAINT [x_policy_ref_user_FK_user_id] FOREIGN KEY ([user_id]) +REFERENCES [dbo].[x_user] ([id]) +ALTER TABLE [dbo].[x_policy_ref_user] CHECK CONSTRAINT [x_policy_ref_user_FK_user_id] + +ALTER TABLE [dbo].[x_policy_ref_user] WITH CHECK ADD CONSTRAINT [x_policy_ref_user_FK_added_by] FOREIGN KEY ([added_by_id]) +REFERENCES [dbo].[x_portal_user] ([id]) +ALTER TABLE [dbo].[x_policy_ref_user] CHECK CONSTRAINT [x_policy_ref_user_FK_added_by] + +ALTER TABLE [dbo].[x_policy_ref_user] WITH CHECK ADD CONSTRAINT [x_policy_ref_user_FK_upd_by] FOREIGN KEY ([upd_by_id]) +REFERENCES [dbo].[x_portal_user] ([id]) +ALTER TABLE [dbo].[x_policy_ref_user] CHECK CONSTRAINT [x_policy_ref_user_FK_upd_by] + +ALTER TABLE [dbo].[x_policy_ref_group] WITH CHECK ADD CONSTRAINT [x_policy_ref_group_FK_policy_id] FOREIGN KEY ([policy_id]) +REFERENCES [dbo].[x_policy] ([id]) +ALTER TABLE [dbo].[x_policy_ref_group] CHECK CONSTRAINT [x_policy_ref_group_FK_policy_id] +ALTER TABLE [dbo].[x_policy_ref_group] WITH CHECK ADD CONSTRAINT [x_policy_ref_group_FK_group_id] FOREIGN KEY ([group_id]) +REFERENCES [dbo].[x_group] 
([id]) +ALTER TABLE [dbo].[x_policy_ref_group] CHECK CONSTRAINT [x_policy_ref_group_FK_group_id] +ALTER TABLE [dbo].[x_policy_ref_group] WITH CHECK ADD CONSTRAINT [x_policy_ref_group_FK_added_by] FOREIGN KEY ([added_by_id]) +REFERENCES [dbo].[x_portal_user] ([id]) +ALTER TABLE [dbo].[x_policy_ref_group] CHECK CONSTRAINT [x_policy_ref_group_FK_added_by] +ALTER TABLE [dbo].[x_policy_ref_group] WITH CHECK ADD CONSTRAINT [x_policy_ref_group_FK_upd_by] FOREIGN KEY ([upd_by_id]) +REFERENCES [dbo].[x_portal_user] ([id]) +GO +IF NOT EXISTS (SELECT + * + FROM INFORMATION_SCHEMA.columns + WHERE table_name = 'x_policy' + AND column_name = 'policy_text') +BEGIN + ALTER TABLE [dbo].[x_policy] ADD [policy_text] [nvarchar](max) DEFAULT NULL NULL; +END +GO + +SET ANSI_NULLS ON +GO +SET QUOTED_IDENTIFIER ON +GO +SET ANSI_PADDING ON +GO +IF EXISTS ( + SELECT type_desc, type + FROM sys.procedures WITH(NOLOCK) + WHERE NAME = 'removeConstraints' + AND type = 'P' + ) +BEGIN + PRINT 'Proc exist with name dbo.removeConstraints' + DROP PROCEDURE dbo.removeConstraints + PRINT 'Proc dropped dbo.removeConstraints' +END +GO +CREATE PROCEDURE dbo.removeConstraints + -- Add the parameters for the stored procedure here + @tablename nvarchar(100) +AS +BEGIN + + DECLARE @stmt VARCHAR(300); + + -- Cursor to generate ALTER TABLE DROP CONSTRAINT statements + DECLARE cur CURSOR FOR + SELECT 'ALTER TABLE ' + OBJECT_SCHEMA_NAME(parent_object_id) + '.' 
+ OBJECT_NAME(parent_object_id) + + ' DROP CONSTRAINT ' + name + FROM sys.foreign_keys + WHERE OBJECT_SCHEMA_NAME(referenced_object_id) = 'dbo' AND + OBJECT_NAME(referenced_object_id) = @tablename; + + OPEN cur; + FETCH cur INTO @stmt; + + -- Drop each found foreign key constraint + WHILE @@FETCH_STATUS = 0 + BEGIN + EXEC (@stmt); + FETCH cur INTO @stmt; + END + + CLOSE cur; + DEALLOCATE cur; + +END +GO + +EXEC dbo.removeConstraints 'x_policy_item' +GO + +EXEC dbo.removeConstraints 'x_policy_item_access' +GO + +EXEC dbo.removeConstraints 'x_policy_item_condition' +GO + +EXEC dbo.removeConstraints 'x_policy_item_datamask' +GO + +EXEC dbo.removeConstraints 'x_policy_item_group_perm' +GO + +EXEC dbo.removeConstraints 'x_policy_item_user_perm' +GO + +EXEC dbo.removeConstraints 'x_policy_item_rowfilter' +GO + +EXEC dbo.removeConstraints 'x_policy_resource' +GO + +EXEC dbo.removeConstraints 'x_policy_resource_map' +GO + +EXIT
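Review bot: `dbo.removeConstraints` builds each `ALTER TABLE ... DROP CONSTRAINT` statement by plain concatenation into `@stmt VARCHAR(300)` and runs it with `EXEC (@stmt)`, so an identifier that needs quoting breaks the statement, and a long schema, table and constraint name combination can be truncated before it is executed. Wrapping each part in `QUOTENAME(...)` and declaring `@stmt NVARCHAR(MAX)` removes both problems. The procedure is also left in the database after the final `EXEC` calls; because it drops every foreign key that references whichever dbo table name it is given, a closing `DROP PROCEDURE dbo.removeConstraints` would avoid leaving that behind as a standing capability. The same procedure text is repeated in 036-denormalize-tag-tables.sql and the same points apply there.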
http://git-wip-us.apache.org/repos/asf/ranger/blob/c84b98fb/security-admin/db/sqlserver/patches/036-denormalize-tag-tables.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/sqlserver/patches/036-denormalize-tag-tables.sql b/security-admin/db/sqlserver/patches/036-denormalize-tag-tables.sql
new file mode 100644
index 0000000..9bfae30
--- /dev/null
+++ b/security-admin/db/sqlserver/patches/036-denormalize-tag-tables.sql
@@ -0,0 +1,97 @@ +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. + +GO +IF NOT EXISTS(select * from INFORMATION_SCHEMA.columns where table_name = 'x_tag_def' and column_name = 'tag_attrs_def_text') +BEGIN + ALTER TABLE [dbo].[x_tag_def] ADD [tag_attrs_def_text] [nvarchar](max) DEFAULT NULL NULL; +END +IF NOT EXISTS(select * from INFORMATION_SCHEMA.columns where table_name = 'x_tag' and column_name = 'tag_attrs_text') +BEGIN + ALTER TABLE [dbo].[x_tag] ADD [tag_attrs_text] [nvarchar](max) DEFAULT NULL NULL; +END +IF NOT EXISTS(select * from INFORMATION_SCHEMA.columns where table_name = 'x_service_resource' and column_name = 'service_resource_elements_text') +BEGIN + ALTER TABLE [dbo].[x_service_resource] ADD [service_resource_elements_text] [nvarchar](max) DEFAULT NULL NULL; +END +IF NOT EXISTS(select * from INFORMATION_SCHEMA.columns where table_name = 'x_service_resource' and column_name = 'tags_text') +BEGIN + ALTER TABLE [dbo].[x_service_resource] ADD [tags_text] [nvarchar](max) DEFAULT NULL NULL; +END +GO + +SET ANSI_NULLS ON +GO +SET QUOTED_IDENTIFIER ON +GO +SET ANSI_PADDING ON +GO +IF EXISTS ( + SELECT type_desc, type + FROM sys.procedures WITH(NOLOCK) + WHERE NAME = 'removeConstraints' + AND type = 'P' + ) +BEGIN + 
PRINT 'Proc exist with name dbo.removeConstraints' + DROP PROCEDURE dbo.removeConstraints + PRINT 'Proc dropped dbo.removeConstraints' +END +GO +CREATE PROCEDURE dbo.removeConstraints + -- Add the parameters for the stored procedure here + @tablename nvarchar(100) +AS +BEGIN + + DECLARE @stmt VARCHAR(300); + + -- Cursor to generate ALTER TABLE DROP CONSTRAINT statements + DECLARE cur CURSOR FOR + SELECT 'ALTER TABLE ' + OBJECT_SCHEMA_NAME(parent_object_id) + '.' + OBJECT_NAME(parent_object_id) + + ' DROP CONSTRAINT ' + name + FROM sys.foreign_keys + WHERE OBJECT_SCHEMA_NAME(referenced_object_id) = 'dbo' AND + OBJECT_NAME(referenced_object_id) = @tablename; + + OPEN cur; + FETCH cur INTO @stmt; + + -- Drop each found foreign key constraint + WHILE @@FETCH_STATUS = 0 + BEGIN + EXEC (@stmt); + FETCH cur INTO @stmt; + END + + CLOSE cur; + DEALLOCATE cur; + +END +GO + +EXEC dbo.removeConstraints 'x_tag_attr_def' +GO + +EXEC dbo.removeConstraints 'x_tag_attr' +GO + +EXEC dbo.removeConstraints 'x_service_resource_element' +GO + +EXEC dbo.removeConstraints 'x_service_resource_element_val' +GO + +EXIT http://git-wip-us.apache.org/repos/asf/ranger/blob/c84b98fb/security-admin/scripts/db_setup.py ---------------------------------------------------------------------- diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py index d4f37ed..83463cf 100644 --- a/security-admin/scripts/db_setup.py +++ b/security-admin/scripts/db_setup.py @@ -35,8 +35,9 @@ os_name = os_name.upper() ranger_version='' jisql_debug=True retryPatchAfterSeconds=120 - +java_patch_regex="^Patch.*?J\d{5}.class$" is_unix = os_name == "LINUX" or os_name == "DARWIN" +max_memory='1g' if is_unix: RANGER_ADMIN_HOME = os.getenv("RANGER_ADMIN_HOME") 
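Review bot: The four `IF NOT EXISTS` guards query `INFORMATION_SCHEMA.columns` by `table_name` and `column_name` only, while the `ALTER TABLE` they protect targets `[dbo]`; a same-named table in another schema that already has the column would make the guard skip the add and leave the dbo table without it. Adding `and table_schema = 'dbo'` to each guard ties the check to the table actually being altered. Writing the view name as `INFORMATION_SCHEMA.COLUMNS` is presumably also needed on a database with a case-sensitive collation, which is worth confirming against the supported configurations. The `policy_text` guard in 035-update-schema-for-x-policy.sql has the same shape.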
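Review bot: `java_patch_regex` is written as an ordinary string, so `\d` relies on Python passing an unrecognised escape through unchanged, and the `.` before `class` is unescaped and matches any character. This pattern decides which files in the patch directory are picked up and run as Java patches, so it is worth making it exact: `java_patch_regex=r"^Patch.*?J\d{5}\.class$"`. A short comment on `max_memory`, such as `# maximum heap (-Xmx) passed to the Java patch JVM`, would also help, since the name alone does not say which process it limits.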
@@ -183,14 +184,14 @@ class BaseDB(object): class MysqlConf(BaseDB): # Constructor - def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type): + def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type): self.host = host self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR self.JAVA_BIN = JAVA_BIN self.db_ssl_enabled=db_ssl_enabled.lower() self.db_ssl_required=db_ssl_required.lower() self.db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.lower() - self.db_ssl_auth_type=db_ssl_auth_type.lower() + self.db_ssl_auth_type=db_ssl_auth_type.lower() self.javax_net_ssl_keyStore=javax_net_ssl_keyStore self.javax_net_ssl_keyStorePassword=javax_net_ssl_keyStorePassword self.javax_net_ssl_trustStore=javax_net_ssl_trustStore 
@@ -203,10 +204,10 @@ class MysqlConf(BaseDB): if self.db_ssl_enabled == 'true': db_ssl_param="?useSSL=%s&requireSSL=%s&verifyServerCertificate=%s" %(self.db_ssl_enabled,self.db_ssl_required,self.db_ssl_verifyServerCertificate) if self.db_ssl_verifyServerCertificate == 'true': - if self.db_ssl_auth_type == '1-way': - db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword) - else: - db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword) + if self.db_ssl_auth_type == '1-way': + db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword) + else: + db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword) self.JAVA_BIN = self.JAVA_BIN.strip("'") if is_unix: jisql_cmd = "%s %s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s%s -u '%s' -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,db_ssl_cert_param,self.SQL_CONNECTOR_JAR,path,self.host,db_name,db_ssl_param,user,password) @@ -498,7 +499,7 @@ class MysqlConf(BaseDB): files = os.listdir(javaFiles) if files: for filename in files: - f = re.match("^Patch.*?.class$",filename) + f = re.match(java_patch_regex,filename) if f: className = re.match("(Patch.*?)_.*.class",filename) className = className.group(1) 
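Review bot: In the `@@ -498,7 +499,7 @@` hunk the filter now uses `java_patch_regex`, which does not require an underscore in the file name, but the next line still extracts the class name with `re.match("(Patch.*?)_.*.class",filename)` and calls `.group(1)` on the result unguarded. A file that passes the new filter but has no `_` would make the second match return `None` and raise `AttributeError`, aborting the patch run. Either take the class name from a capture group in `java_patch_regex` itself, or guard the second match with `if className is None: continue` before `className.group(1)`. The loop body continues outside the hunk, and the same pair of lines appears in the OracleConf, PostgresConf, SqlServerConf and SqlAnywhereConf hunks.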
@@ -555,7 +556,7 @@ class MysqlConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className) + get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,max_memory,ranger_log,path,className) if is_unix: ret = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": @@ -1188,7 +1189,7 @@ class OracleConf(BaseDB): files = os.listdir(javaFiles) if files: for filename in files: - f = re.match("^Patch.*?.class$",filename) + f = re.match(java_patch_regex,filename) if f: className = re.match("(Patch.*?)_.*.class",filename) className = className.group(1) 
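Review bot: The new JVM options in the `@@ -555,7 +556,7 @@` hunk take the maximum heap from `max_memory` (`-Xmx%s`) but hard-code the initial heap as `-Xms1g`. If `max_memory` is ever set below 1g, the initial heap exceeds the maximum and the JVM will not start, so no Java patch runs. Dropping `-Xms1g` from the format string, or deriving it from the same setting, keeps the two consistent; a comment such as `# heap and metaspace limits for the Java patch JVM` would record why the flags are there. The same option string is repeated in the other `get_java_cmd` hunks for OracleConf, PostgresConf and SqlServerConf, including the `cliutil` variants.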
@@ -1270,7 +1271,7 @@ class OracleConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Djava.security.egd=file:///dev/urandom -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className) + get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Djava.security.egd=file:///dev/urandom -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,max_memory,ranger_log,path,className) if is_unix: ret = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": 
@@ -1359,7 +1360,7 @@ class OracleConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword) + get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,max_memory,ranger_log,path,className,userName,oldPassword,newPassword) if is_unix: status = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": @@ -1883,7 +1884,7 @@ class PostgresConf(BaseDB): files = os.listdir(javaFiles) if files: for filename in files: - f = re.match("^Patch.*?.class$",filename) + f = re.match(java_patch_regex,filename) if f: className = re.match("(Patch.*?)_.*.class",filename) className = className.group(1) 
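Review bot: The rewritten `get_java_cmd` for the `cliutil` class in the `@@ -1359,7 +1360,7 @@` hunk still interpolates `userName`, `oldPassword` and `newPassword` into one command string that is then passed through `shlex.split`. A password containing whitespace or quote characters is re-parsed into different arguments, and both passwords end up in the child's argument list, where other local users can typically read them from the process table. Building the argument list directly and ending it with `userName, oldPassword, newPassword, "-default"` fixes the parsing half; moving the passwords to stdin or an environment variable would need support in the Java class, which is not visible here. The same line appears in the PostgresConf and SqlServerConf hunks, and the method continues outside the hunk.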
@@ -1940,7 +1941,7 @@ class PostgresConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className) + get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,max_memory,ranger_log,path,className) if is_unix: ret = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": 
@@ -2029,7 +2030,7 @@ class PostgresConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword) + get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,max_memory,ranger_log,path,className,userName,oldPassword,newPassword) if is_unix: status = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": @@ -2515,7 +2516,7 @@ class SqlServerConf(BaseDB): files = os.listdir(javaFiles) if files: for filename in files: - f = re.match("^Patch.*?.class$",filename) + f = re.match(java_patch_regex,filename) if f: className = re.match("(Patch.*?)_.*.class",filename) className = className.group(1) 
@@ -2572,7 +2573,7 @@ class SqlServerConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className) + get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,max_memory,ranger_log,path,className) if is_unix: ret = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": 
@@ -2661,7 +2662,7 @@ class SqlServerConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword) + get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,max_memory,ranger_log,path,className,userName,oldPassword,newPassword) if is_unix: status = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": @@ -3139,7 +3140,7 @@ class SqlAnywhereConf(BaseDB): files = os.listdir(javaFiles) if files: for filename in files: - f = re.match("^Patch.*?.class$",filename) + f = re.match(java_patch_regex,filename) if f: className = re.match("(Patch.*?)_.*.class",filename) className = className.group(1) 
@@ -3196,7 +3197,7 @@ class SqlAnywhereConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className) + get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,max_memory,ranger_log,path,className) if is_unix: ret = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": 
@@ -3306,7 +3307,7 @@ class SqlAnywhereConf(BaseDB): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword) + get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,max_memory,ranger_log,path,className,userName,oldPassword,newPassword) if is_unix: status = subprocess.call(shlex.split(get_java_cmd)) elif os_name == "WINDOWS": @@ -3608,7 +3609,7 @@ def main(argv): db_ssl_enabled='false' db_ssl_required='false' db_ssl_verifyServerCertificate='false' - db_ssl_auth_type='2-way' + db_ssl_auth_type='2-way' javax_net_ssl_keyStore='' javax_net_ssl_keyStorePassword='' javax_net_ssl_trustStore='' 
@@ -3622,8 +3623,8 @@ def main(argv): db_ssl_required=globalDict['db_ssl_required'].lower() if 'db_ssl_verifyServerCertificate' in globalDict: db_ssl_verifyServerCertificate=globalDict['db_ssl_verifyServerCertificate'].lower() - if 'db_ssl_auth_type' in globalDict: - db_ssl_auth_type=globalDict['db_ssl_auth_type'].lower() + if 'db_ssl_auth_type' in globalDict: + db_ssl_auth_type=globalDict['db_ssl_auth_type'].lower() if db_ssl_verifyServerCertificate == 'true': if 'javax_net_ssl_trustStore' in globalDict: javax_net_ssl_trustStore=globalDict['javax_net_ssl_trustStore'] 
@@ -3635,20 +3636,20 @@ def main(argv): if javax_net_ssl_trustStorePassword is None or javax_net_ssl_trustStorePassword =="": log("[E] Invalid ssl truststore password!","error") sys.exit(1) - if db_ssl_auth_type == '2-way': - if 'javax_net_ssl_keyStore' in globalDict: - javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore'] - if 'javax_net_ssl_keyStorePassword' in globalDict: - javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword'] - if not os.path.exists(javax_net_ssl_keyStore): - log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error") - sys.exit(1) - if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="": - log("[E] Invalid ssl keystore password!","error") - sys.exit(1) + if db_ssl_auth_type == '2-way': + if 'javax_net_ssl_keyStore' in globalDict: + javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore'] + if 'javax_net_ssl_keyStorePassword' in globalDict: + javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword'] + if not os.path.exists(javax_net_ssl_keyStore): + log("[E] Invalid file Name! 
Unable to find keystore file:"+javax_net_ssl_keyStore,"error") + sys.exit(1) + if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="": + log("[E] Invalid ssl keystore password!","error") + sys.exit(1) MYSQL_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR'] - xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type) + xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type) xa_db_version_file = os.path.join(RANGER_ADMIN_HOME , mysql_dbversion_catalog) xa_db_core_file = os.path.join(RANGER_ADMIN_HOME , mysql_core_file) xa_patch_file = os.path.join(RANGER_ADMIN_HOME ,mysql_patches) @@ -3708,7 +3709,7 @@ def main(argv): if AUDIT_DB_FLAVOR == "MYSQL": MYSQL_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR'] - audit_sqlObj = MysqlConf(audit_db_host,MYSQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type) + audit_sqlObj = MysqlConf(audit_db_host,MYSQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type) audit_db_file = os.path.join(RANGER_ADMIN_HOME ,mysql_audit_file) elif AUDIT_DB_FLAVOR == "ORACLE": http://git-wip-us.apache.org/repos/asf/ranger/blob/c84b98fb/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java ---------------------------------------------------------------------- 
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java new file mode 100644 index 0000000..25b48bb --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
@@ -0,0 +1,286 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.ranger.biz; + +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.lang.StringUtils; +import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.db.XXPolicyRefAccessTypeDao; +import org.apache.ranger.db.XXPolicyRefConditionDao; +import org.apache.ranger.db.XXPolicyRefDataMaskTypeDao; +import org.apache.ranger.db.XXPolicyRefGroupDao; +import org.apache.ranger.db.XXPolicyRefResourceDao; +import org.apache.ranger.db.XXPolicyRefUserDao; +import org.apache.ranger.entity.XXAccessTypeDef; +import org.apache.ranger.entity.XXDataMaskTypeDef; +import org.apache.ranger.entity.XXGroup; +import org.apache.ranger.entity.XXPolicy; +import org.apache.ranger.entity.XXPolicyConditionDef; +import org.apache.ranger.entity.XXPolicyRefAccessType; +import org.apache.ranger.entity.XXPolicyRefCondition; +import org.apache.ranger.entity.XXPolicyRefDataMaskType; +import org.apache.ranger.entity.XXPolicyRefGroup; +import org.apache.ranger.entity.XXPolicyRefResource; +import 
org.apache.ranger.entity.XXPolicyRefUser; +import org.apache.ranger.entity.XXResourceDef; +import org.apache.ranger.entity.XXServiceDef; +import org.apache.ranger.entity.XXUser; +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo; +import org.apache.ranger.service.RangerAuditFields; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +@Component +public class PolicyRefUpdater { + + @Autowired + RangerDaoManager daoMgr; + + @Autowired + RangerAuditFields<?> rangerAuditFields; + + public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef) throws Exception { + if(policy == null) { + return; + } + + cleanupRefTables(policy); + + final Set<String> resourceNames = policy.getResources().keySet(); + final Set<String> groupNames = new HashSet<>(); + final Set<String> userNames = new HashSet<>(); + final Set<String> accessTypes = new HashSet<>(); + final Set<String> conditionTypes = new HashSet<>(); + final Set<String> dataMaskTypes = new HashSet<>(); + + for (List<? 
extends RangerPolicyItem> policyItems : getAllPolicyItems(policy)) { + if (CollectionUtils.isEmpty(policyItems)) { + continue; + } + + for (RangerPolicyItem policyItem : policyItems) { + groupNames.addAll(policyItem.getGroups()); + userNames.addAll(policyItem.getUsers()); + + if (CollectionUtils.isNotEmpty(policyItem.getAccesses())) { + for (RangerPolicyItemAccess access : policyItem.getAccesses()) { + accessTypes.add(access.getType()); + } + } + + if (CollectionUtils.isNotEmpty(policyItem.getConditions())) { + for (RangerPolicyItemCondition condition : policyItem.getConditions()) { + conditionTypes.add(condition.getType()); + } + } + + if (policyItem instanceof RangerDataMaskPolicyItem) { + RangerPolicyItemDataMaskInfo dataMaskInfo = ((RangerDataMaskPolicyItem) policyItem).getDataMaskInfo(); + + dataMaskTypes.add(dataMaskInfo.getDataMaskType()); + } + } + } + + for (String resource : resourceNames) { + XXResourceDef xResDef = daoMgr.getXXResourceDef().findByNameAndPolicyId(resource, policy.getId()); + + if (xResDef == null) { + throw new Exception(resource + ": is not a valid resource-type. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'"); + } + + XXPolicyRefResource xPolRes = rangerAuditFields.populateAuditFields(new XXPolicyRefResource(), xPolicy); + + xPolRes.setPolicyId(policy.getId()); + xPolRes.setResourceDefId(xResDef.getId()); + xPolRes.setResourceName(resource); + + daoMgr.getXXPolicyRefResource().create(xPolRes); + } + + for (String group : groupNames) { + if (StringUtils.isBlank(group)) { + continue; + } + + XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(group); + + if (xGroup == null) { + throw new Exception(group + ": group does not exist. 
policy='"+ policy.getName() + "' service='"+ policy.getService() + "' group='" + group + "'"); + } + + XXPolicyRefGroup xPolGroup = rangerAuditFields.populateAuditFields(new XXPolicyRefGroup(), xPolicy); + + xPolGroup.setPolicyId(policy.getId()); + xPolGroup.setGroupId(xGroup.getId()); + xPolGroup.setGroupName(group); + + daoMgr.getXXPolicyRefGroup().create(xPolGroup); + } + + for (String user : userNames) { + if (StringUtils.isBlank(user)) { + continue; + } + + XXUser xUser = daoMgr.getXXUser().findByUserName(user); + + if (xUser == null) { + throw new Exception(user + ": user does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "' user='" + user +"'"); + } + + XXPolicyRefUser xPolUser = rangerAuditFields.populateAuditFields(new XXPolicyRefUser(), xPolicy); + + xPolUser.setPolicyId(policy.getId()); + xPolUser.setUserId(xUser.getId()); + xPolUser.setUserName(user); + + daoMgr.getXXPolicyRefUser().create(xPolUser); + } + + for (String accessType : accessTypes) { + XXAccessTypeDef xAccTypeDef = daoMgr.getXXAccessTypeDef().findByNameAndServiceId(accessType, xPolicy.getService()); + + if (xAccTypeDef == null) { + throw new Exception(accessType + ": is not a valid access-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'"); + } + + XXPolicyRefAccessType xPolAccess = rangerAuditFields.populateAuditFields(new XXPolicyRefAccessType(), xPolicy); + + xPolAccess.setPolicyId(policy.getId()); + xPolAccess.setAccessDefId(xAccTypeDef.getId()); + xPolAccess.setAccessTypeName(accessType); + + daoMgr.getXXPolicyRefAccessType().create(xPolAccess); + } + + for (String condition : conditionTypes) { + XXPolicyConditionDef xPolCondDef = daoMgr.getXXPolicyConditionDef().findByServiceDefIdAndName(xServiceDef.getId(), condition); + + if (xPolCondDef == null) { + throw new Exception(condition + ": is not a valid condition-type. 
policy='"+ xPolicy.getName() + "' service='"+ xPolicy.getService() + "'"); + } + + XXPolicyRefCondition xPolCond = rangerAuditFields.populateAuditFields(new XXPolicyRefCondition(), xPolicy); + + xPolCond.setPolicyId(policy.getId()); + xPolCond.setConditionDefId(xPolCondDef.getId()); + xPolCond.setConditionName(condition); + + daoMgr.getXXPolicyRefCondition().create(xPolCond); + } + + for (String dataMaskType : dataMaskTypes ) { + XXDataMaskTypeDef dataMaskDef = daoMgr.getXXDataMaskTypeDef().findByNameAndServiceId(dataMaskType, xPolicy.getService()); + + if (dataMaskDef == null) { + throw new Exception(dataMaskType + ": is not a valid datamask-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'"); + } + + XXPolicyRefDataMaskType xxDataMaskInfo = new XXPolicyRefDataMaskType(); + + xxDataMaskInfo.setPolicyId(policy.getId()); + xxDataMaskInfo.setDataMaskDefId(dataMaskDef.getId()); + xxDataMaskInfo.setDataMaskTypeName(dataMaskType); + + daoMgr.getXXPolicyRefDataMaskType().create(xxDataMaskInfo); + } + } + + public Boolean cleanupRefTables(RangerPolicy policy) { + final Long policyId = policy == null ? 
null : policy.getId(); + + if (policyId == null) { + return false; + } + + XXPolicyRefResourceDao xPolResDao = daoMgr.getXXPolicyRefResource(); + XXPolicyRefGroupDao xPolGroupDao = daoMgr.getXXPolicyRefGroup(); + XXPolicyRefUserDao xPolUserDao = daoMgr.getXXPolicyRefUser(); + XXPolicyRefAccessTypeDao xPolAccessDao = daoMgr.getXXPolicyRefAccessType(); + XXPolicyRefConditionDao xPolCondDao = daoMgr.getXXPolicyRefCondition(); + XXPolicyRefDataMaskTypeDao xPolDataMaskDao = daoMgr.getXXPolicyRefDataMaskType(); + + for (XXPolicyRefResource resource : xPolResDao.findByPolicyId(policyId)) { + xPolResDao.remove(resource); + } + + for(XXPolicyRefGroup group : xPolGroupDao.findByPolicyId(policyId)) { + xPolGroupDao.remove(group); + } + + for(XXPolicyRefUser user : xPolUserDao.findByPolicyId(policyId)) { + xPolUserDao.remove(user); + } + + for(XXPolicyRefAccessType access : xPolAccessDao.findByPolicyId(policyId)) { + xPolAccessDao.remove(access); + } + + for(XXPolicyRefCondition condVal : xPolCondDao.findByPolicyId(policyId)) { + xPolCondDao.remove(condVal); + } + + for(XXPolicyRefDataMaskType dataMask : xPolDataMaskDao.findByPolicyId(policyId)) { + xPolDataMaskDao.remove(dataMask); + } + + return true; + } + + static List<List<? extends RangerPolicyItem>> getAllPolicyItems(RangerPolicy policy) { + List<List<? 
extends RangerPolicyItem>> ret = new ArrayList<>(); + + if (CollectionUtils.isNotEmpty(policy.getPolicyItems())) { + ret.add(policy.getPolicyItems()); + } + + if (CollectionUtils.isNotEmpty(policy.getDenyPolicyItems())) { + ret.add(policy.getDenyPolicyItems()); + } + + if (CollectionUtils.isNotEmpty(policy.getAllowExceptions())) { + ret.add(policy.getAllowExceptions()); + } + + if (CollectionUtils.isNotEmpty(policy.getDenyExceptions())) { + ret.add(policy.getDenyExceptions()); + } + + if (CollectionUtils.isNotEmpty(policy.getDataMaskPolicyItems())) { + ret.add(policy.getDataMaskPolicyItems()); + } + + if (CollectionUtils.isNotEmpty(policy.getRowFilterPolicyItems())) { + ret.add(policy.getRowFilterPolicyItems()); + } + + return ret; + } +} http://git-wip-us.apache.org/repos/asf/ranger/blob/c84b98fb/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java index 354ab1c..b0734e4 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java 
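Review bot: The data-mask loop in `createNewPolMappingForRefTable` builds its row with a bare `new XXPolicyRefDataMaskType()`, while the resource, group, user, access-type and condition loops all pass the new entity through `rangerAuditFields.populateAuditFields(..., xPolicy)`, so data-mask reference rows are presumably stored without whatever audit columns that call sets. Assuming the entity shares the base type of the other five, the line should read `XXPolicyRefDataMaskType xxDataMaskInfo = rangerAuditFields.populateAuditFields(new XXPolicyRefDataMaskType(), xPolicy);`. Earlier in the same method, `dataMaskInfo.getDataMaskType()` is called without a null check on `getDataMaskInfo()`, and `policy.getResources().keySet()` is called without one on `getResources()`. Because `cleanupRefTables(policy)` runs first and every failed lookup throws, a rejected name leaves the reference tables partly rebuilt unless the caller wraps the call in a transaction, which is not visible here; a short Javadoc on the method stating that requirement would help.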
@@ -26,28 +26,28 @@ import java.util.ListIterator; import java.util.Map; import org.apache.commons.collections.CollectionUtils; -import org.apache.commons.lang.StringUtils; +import org.apache.commons.collections.MapUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.ranger.authorization.utils.JsonUtils; import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.db.RangerDaoManager; -import org.apache.ranger.entity.*; +import org.apache.ranger.entity.XXPolicy; +import org.apache.ranger.entity.XXPortalUser; +import org.apache.ranger.entity.XXService; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; -import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem; -import org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator; import org.apache.ranger.plugin.util.RangerPerfTracer; import org.springframework.transaction.PlatformTransactionManager; import org.springframework.transaction.TransactionStatus; import org.springframework.transaction.support.TransactionCallback; import org.springframework.transaction.support.TransactionTemplate; + public class RangerPolicyRetriever { static final Log LOG = LogFactory.getLog(RangerPolicyRetriever.class); static final Log PERF_LOG = RangerPerfTracer.getPerfLogger("db.RangerPolicyRetriever"); 
@@ -299,33 +299,13 @@ public class RangerPolicyRetriever { } class LookupCache { - final Map<Long, String> userNames = new HashMap<Long, String>(); - final Map<Long, String> userScreenNames = new HashMap<Long, String>(); - final Map<Long, String> groupNames = new HashMap<Long, String>(); - final Map<Long, String> accessTypes = new HashMap<Long, String>(); - final Map<Long, String> conditions = new HashMap<Long, String>(); - final Map<Long, String> resourceDefs = new HashMap<Long, String>(); - final Map<Long, String> dataMasks = new HashMap<Long, String>(); - - String getUserName(Long userId) { - String ret = null; - - if(userId != null) { - ret = userNames.get(userId); - - if(ret == null) { - XXUser user = daoMgr.getXXUser().getById(userId); - - if(user != null) { - ret = user.getName(); // Name is `loginId` - - userNames.put(userId, ret); - } - } - } - - return ret; - } + final Map<Long, String> userScreenNames = new HashMap<Long, String>(); + final Map<Long, Map<String, String>> groupMappingsPerPolicy = new HashMap<>(); + final Map<Long, Map<String, String>> userMappingsPerPolicy = new HashMap<>(); + final Map<Long, Map<String, String>> accessMappingsPerPolicy = new HashMap<>(); + final Map<Long, Map<String, String>> resourceMappingsPerPolicy = new HashMap<>(); + final Map<Long, Map<String, String>> dataMaskMappingsPerPolicy = new HashMap<>(); + final Map<Long, Map<String, String>> conditionMappingsPerPolicy = new HashMap<>(); String getUserScreenName(Long userId) { String ret = null; 
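Review bot: The six new `*MappingsPerPolicy` fields are undocumented, and the nested `Map<Long, Map<String, String>>` type does not say what the keys are. From `setNameMapping` in the following hunk, the outer key is `policyId` and the inner map goes from `oldName` to `currentName`. A one-line comment above the block would record that: `// policyId -> (old name -> current name), reloaded by the set*NameMapping methods`. The remaining `userScreenNames` field still spells out `new HashMap<Long, String>()` while the new fields use the diamond form; using `<>` throughout keeps the block uniform. `LookupCache` starts before and ends after this hunk.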
@@ -361,257 +341,135 @@ public class RangerPolicyRetriever { return ret; } - String getGroupName(Long groupId) { - String ret = null; - - if(groupId != null) { - ret = groupNames.get(groupId); + void setNameMapping(Map<Long, Map<String, String>> nameMappingContainer, List<PolicyTextNameMap> nameMappings) { + nameMappingContainer.clear(); - if(ret == null) { - XXGroup group = daoMgr.getXXGroup().getById(groupId); + for (PolicyTextNameMap nameMapping : nameMappings) { + Map<String, String> policyNameMap = nameMappingContainer.get(nameMapping.policyId); - if(group != null) { - ret = group.getName(); + if (policyNameMap == null) { + policyNameMap = new HashMap<>(); - groupNames.put(groupId, ret); - } + nameMappingContainer.put(nameMapping.policyId, policyNameMap); } - } - - return ret; - } - String getAccessType(Long accessTypeId) { - String ret = null; - - if(accessTypeId != null) { - ret = accessTypes.get(accessTypeId); - - if(ret == null) { - XXAccessTypeDef xAccessType = daoMgr.getXXAccessTypeDef().getById(accessTypeId); - - if(xAccessType != null) { - ret = xAccessType.getName(); - - accessTypes.put(accessTypeId, ret); - } - } + policyNameMap.put(nameMapping.oldName, nameMapping.currentName); } - - return ret; } - String getConditionType(Long conditionDefId) { - String ret = null; - - if(conditionDefId != null) { - ret = conditions.get(conditionDefId); + String getMappedName(Map<Long, Map<String, String>> nameMappingContainer, Long policyId, String nameToMap) { + Map<String, String> policyNameMap = nameMappingContainer.get(policyId); - if(ret == null) { - XXPolicyConditionDef xPolicyConditionDef = daoMgr.getXXPolicyConditionDef().getById(conditionDefId); - - if(xPolicyConditionDef != null) { - ret = xPolicyConditionDef.getName(); - - conditions.put(conditionDefId, ret); - } - } - } - - return ret; + return policyNameMap != null ? 
policyNameMap.get(nameToMap) : null; } - String getResourceName(Long resourceDefId) { - String ret = null; - - if(resourceDefId != null) { - ret = resourceDefs.get(resourceDefId); - - if(ret == null) { - XXResourceDef xResourceDef = daoMgr.getXXResourceDef().getById(resourceDefId); - - if(xResourceDef != null) { - ret = xResourceDef.getName(); + void setGroupNameMapping(List<PolicyTextNameMap> groupNameMapping) { + setNameMapping(groupMappingsPerPolicy, groupNameMapping); + } - resourceDefs.put(resourceDefId, ret); - } - } - } + void setUserNameMapping(List<PolicyTextNameMap> userNameMapping) { + setNameMapping(userMappingsPerPolicy, userNameMapping); + } - return ret; + void setAccessNameMapping(List<PolicyTextNameMap> accessNameMapping) { + setNameMapping(accessMappingsPerPolicy, accessNameMapping); } - String getDataMaskName(Long dataMaskDefId) { - String ret = null; + public void setResourceNameMapping(List<PolicyTextNameMap> resourceNameMapping) { + setNameMapping(resourceMappingsPerPolicy, resourceNameMapping); + } - if(dataMaskDefId != null) { - ret = dataMasks.get(dataMaskDefId); + public void setDataMaskNameMapping(List<PolicyTextNameMap> dataMaskMapping) { + setNameMapping(dataMaskMappingsPerPolicy, dataMaskMapping); + } - if(ret == null) { - XXDataMaskTypeDef xDataMaskDef = daoMgr.getXXDataMaskTypeDef().getById(dataMaskDefId); + public void setConditionNameMapping(List<PolicyTextNameMap> conditionNameMapping) { + setNameMapping(conditionMappingsPerPolicy, conditionNameMapping); + } - if(xDataMaskDef != null) { - ret = xDataMaskDef.getName(); + } - dataMasks.put(dataMaskDefId, ret); - } - } - } + public static class PolicyTextNameMap { + final Long policyId; + final String oldName; + final String currentName; - return ret; + public PolicyTextNameMap(Long policyId, String oldName, String currentName) { + this.policyId = policyId; + this.oldName = oldName; + this.currentName = currentName; } } - static List<XXPolicy> asList(XXPolicy policy) { - 
List<XXPolicy> ret = new ArrayList<XXPolicy>(); + static List<XXPolicy> asList(XXPolicy policy) { + List<XXPolicy> ret = new ArrayList<>(); - if(policy != null) { - ret.add(policy); - } + if (policy != null) { + ret.add(policy); + } - return ret; - } + return ret; + } class RetrieverContext { - final XXService service; - final ListIterator<XXPolicy> iterPolicy; - final ListIterator<XXPolicyResource> iterResources; - final ListIterator<XXPolicyResourceMap> iterResourceMaps; - final ListIterator<XXPolicyItem> iterPolicyItems; - final ListIterator<XXPolicyItemUserPerm> iterUserPerms; - final ListIterator<XXPolicyItemGroupPerm> iterGroupPerms; - final ListIterator<XXPolicyItemAccess> iterAccesses; - final ListIterator<XXPolicyItemCondition> iterConditions; - final ListIterator<XXPolicyItemDataMaskInfo> iterDataMaskInfos; - final ListIterator<XXPolicyItemRowFilterInfo> iterRowFilterInfos; + final XXService service; + final ListIterator<XXPolicy> iterPolicy; RetrieverContext(XXService xService) { - Long serviceId = xService == null ? 
null : xService.getId(); - - List<XXPolicy> xPolicies = daoMgr.getXXPolicy().findByServiceId(serviceId); - List<XXPolicyResource> xResources = daoMgr.getXXPolicyResource().findByServiceId(serviceId); - List<XXPolicyResourceMap> xResourceMaps = daoMgr.getXXPolicyResourceMap().findByServiceId(serviceId); - List<XXPolicyItem> xPolicyItems = daoMgr.getXXPolicyItem().findByServiceId(serviceId); - List<XXPolicyItemUserPerm> xUserPerms = daoMgr.getXXPolicyItemUserPerm().findByServiceId(serviceId); - List<XXPolicyItemGroupPerm> xGroupPerms = daoMgr.getXXPolicyItemGroupPerm().findByServiceId(serviceId); - List<XXPolicyItemAccess> xAccesses = daoMgr.getXXPolicyItemAccess().findByServiceId(serviceId); - List<XXPolicyItemCondition> xConditions = daoMgr.getXXPolicyItemCondition().findByServiceId(serviceId); - List<XXPolicyItemDataMaskInfo> xDataMaskInfos = daoMgr.getXXPolicyItemDataMaskInfo().findByServiceId(serviceId); - List<XXPolicyItemRowFilterInfo> xRowFilterInfos = daoMgr.getXXPolicyItemRowFilterInfo().findByServiceId(serviceId); - - this.service = xService; - this.iterPolicy = xPolicies.listIterator(); - this.iterResources = xResources.listIterator(); - this.iterResourceMaps = xResourceMaps.listIterator(); - this.iterPolicyItems = xPolicyItems.listIterator(); - this.iterUserPerms = xUserPerms.listIterator(); - this.iterGroupPerms = xGroupPerms.listIterator(); - this.iterAccesses = xAccesses.listIterator(); - this.iterConditions = xConditions.listIterator(); - this.iterDataMaskInfos = xDataMaskInfos.listIterator(); - this.iterRowFilterInfos = xRowFilterInfos.listIterator(); - } - - RetrieverContext(XXPolicy xPolicy) { - this(xPolicy, getXXService(xPolicy.getService())); + if (xService != null) { + Long serviceId = xService.getId(); + + lookupCache.setGroupNameMapping(daoMgr.getXXPolicyRefGroup().findUpdatedGroupNamesByService(serviceId)); + lookupCache.setUserNameMapping(daoMgr.getXXPolicyRefUser().findUpdatedUserNamesByService(serviceId)); + 
lookupCache.setAccessNameMapping(daoMgr.getXXPolicyRefAccessType().findUpdatedAccessNamesByService(serviceId)); + lookupCache.setResourceNameMapping(daoMgr.getXXPolicyRefResource().findUpdatedResourceNamesByService(serviceId)); + lookupCache.setDataMaskNameMapping(daoMgr.getXXPolicyRefDataMaskType().findUpdatedDataMaskNamesByService(serviceId)); + lookupCache.setConditionNameMapping(daoMgr.getXXPolicyRefCondition().findUpdatedConditionNamesByService(serviceId)); + + this.service = xService; + this.iterPolicy = daoMgr.getXXPolicy().findByServiceId(serviceId).listIterator(); + } else { + this.service = null; + this.iterPolicy = null; + } } RetrieverContext(XXPolicy xPolicy, XXService xService) { - Long policyId = xPolicy == null ? null : xPolicy.getId(); - - List<XXPolicy> xPolicies = asList(xPolicy); - List<XXPolicyResource> xResources = daoMgr.getXXPolicyResource().findByPolicyId(policyId); - List<XXPolicyResourceMap> xResourceMaps = daoMgr.getXXPolicyResourceMap().findByPolicyId(policyId); - List<XXPolicyItem> xPolicyItems = daoMgr.getXXPolicyItem().findByPolicyId(policyId); - List<XXPolicyItemUserPerm> xUserPerms = daoMgr.getXXPolicyItemUserPerm().findByPolicyId(policyId); - List<XXPolicyItemGroupPerm> xGroupPerms = daoMgr.getXXPolicyItemGroupPerm().findByPolicyId(policyId); - List<XXPolicyItemAccess> xAccesses = daoMgr.getXXPolicyItemAccess().findByPolicyId(policyId); - List<XXPolicyItemCondition> xConditions = daoMgr.getXXPolicyItemCondition().findByPolicyId(policyId); - List<XXPolicyItemDataMaskInfo> xDataMaskInfos = daoMgr.getXXPolicyItemDataMaskInfo().findByPolicyId(policyId); - List<XXPolicyItemRowFilterInfo> xRowFilterInfos = daoMgr.getXXPolicyItemRowFilterInfo().findByPolicyId(policyId); - - this.service = xService; - this.iterPolicy = xPolicies.listIterator(); - this.iterResources = xResources.listIterator(); - this.iterResourceMaps = xResourceMaps.listIterator(); - this.iterPolicyItems = xPolicyItems.listIterator(); - this.iterUserPerms = 
xUserPerms.listIterator(); - this.iterGroupPerms = xGroupPerms.listIterator(); - this.iterAccesses = xAccesses.listIterator(); - this.iterConditions = xConditions.listIterator(); - this.iterDataMaskInfos = xDataMaskInfos.listIterator(); - this.iterRowFilterInfos = xRowFilterInfos.listIterator(); + Long policyId = xPolicy.getId(); + + lookupCache.setGroupNameMapping(daoMgr.getXXPolicyRefGroup().findUpdatedGroupNamesByPolicy(policyId)); + lookupCache.setUserNameMapping(daoMgr.getXXPolicyRefUser().findUpdatedUserNamesByPolicy(policyId)); + lookupCache.setAccessNameMapping(daoMgr.getXXPolicyRefAccessType().findUpdatedAccessNamesByPolicy(policyId)); + lookupCache.setResourceNameMapping(daoMgr.getXXPolicyRefResource().findUpdatedResourceNamesByPolicy(policyId)); + lookupCache.setDataMaskNameMapping(daoMgr.getXXPolicyRefDataMaskType().findUpdatedDataMaskNamesByPolicy(policyId)); + lookupCache.setConditionNameMapping(daoMgr.getXXPolicyRefCondition().findUpdatedConditionNamesByPolicy(policyId)); + + this.service = xService; + this.iterPolicy = asList(xPolicy).listIterator(); } RangerPolicy getNextPolicy() { RangerPolicy ret = null; - if(iterPolicy.hasNext()) { + if (service != null && iterPolicy != null && iterPolicy.hasNext()) { XXPolicy xPolicy = iterPolicy.next(); - if(xPolicy != null) { - ret = new RangerPolicy(); - - ret.setId(xPolicy.getId()); - ret.setGuid(xPolicy.getGuid()); - ret.setIsEnabled(xPolicy.getIsEnabled()); - ret.setCreatedBy(lookupCache.getUserScreenName(xPolicy.getAddedByUserId())); - ret.setUpdatedBy(lookupCache.getUserScreenName(xPolicy.getUpdatedByUserId())); - ret.setCreateTime(xPolicy.getCreateTime()); - ret.setUpdateTime(xPolicy.getUpdateTime()); - ret.setVersion(xPolicy.getVersion()); - ret.setService(service == null ? null : service.getName()); - ret.setName(StringUtils.trim(xPolicy.getName())); - ret.setPolicyType(xPolicy.getPolicyType() == null ? 
RangerPolicy.POLICY_TYPE_ACCESS : xPolicy.getPolicyType()); - ret.setDescription(xPolicy.getDescription()); - ret.setResourceSignature(xPolicy.getResourceSignature()); - ret.setIsAuditEnabled(xPolicy.getIsAuditEnabled()); - - getResource(ret); - getPolicyItems(ret); - } - } - - return ret; - } - - List<RangerPolicy> getAllPolicies() { - List<RangerPolicy> ret = new ArrayList<RangerPolicy>(); - - while(iterPolicy.hasNext()) { - RangerPolicy policy = getNextPolicy(); - - if(policy != null) { - ret.add(policy); - } - } - - if(! hasProcessedAll()) { - LOG.warn("getAllPolicies(): perhaps one or more policies got updated during retrieval. Falling back to secondary method"); - - ret = getAllPoliciesBySecondary(); - } - - return ret; - } - - List<RangerPolicy> getAllPoliciesBySecondary() { - List<RangerPolicy> ret = null; - - if(service != null) { - List<XXPolicy> xPolicies = daoMgr.getXXPolicy().findByServiceId(service.getId()); - - if(CollectionUtils.isNotEmpty(xPolicies)) { - ret = new ArrayList<RangerPolicy>(xPolicies.size()); - - for(XXPolicy xPolicy : xPolicies) { - RetrieverContext ctx = new RetrieverContext(xPolicy, service); - - RangerPolicy policy = ctx.getNextPolicy(); - - if(policy != null) { - ret.add(policy); - } + if (xPolicy != null) { + String policyText = xPolicy.getPolicyText(); + + ret = JsonUtils.jsonToObject(policyText, RangerPolicy.class); + + if (ret != null) { + ret.setId(xPolicy.getId()); + ret.setGuid(xPolicy.getGuid()); + ret.setCreatedBy(lookupCache.getUserScreenName(xPolicy.getAddedByUserId())); + ret.setUpdatedBy(lookupCache.getUserScreenName(xPolicy.getUpdatedByUserId())); + ret.setCreateTime(xPolicy.getCreateTime()); + ret.setUpdateTime(xPolicy.getUpdateTime()); + ret.setVersion(xPolicy.getVersion()); + ret.setPolicyType(xPolicy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : xPolicy.getPolicyType()); + ret.setService(service.getName()); + updatePolicyReferenceFields(ret); } } } 
@@ -619,206 +477,121 @@ public class RangerPolicyRetriever { return ret; } - private boolean hasProcessedAll() { - boolean moreToProcess = iterPolicy.hasNext() - || iterResources.hasNext() - || iterResourceMaps.hasNext() - || iterPolicyItems.hasNext() - || iterUserPerms.hasNext() - || iterGroupPerms.hasNext() - || iterAccesses.hasNext() - || iterConditions.hasNext() - || iterDataMaskInfos.hasNext() - || iterRowFilterInfos.hasNext(); - - return !moreToProcess; - } + void updatePolicyReferenceFields(final RangerPolicy policy) { + final Long policyId = policy.getId(); - private void getResource(RangerPolicy policy) { - while(iterResources.hasNext()) { - XXPolicyResource xResource = iterResources.next(); + Map<String, String> policyResourceNameMap = lookupCache.resourceMappingsPerPolicy.get(policyId); - if(xResource.getPolicyid().equals(policy.getId())) { - RangerPolicyResource resource = new RangerPolicyResource(); + if (MapUtils.isNotEmpty(policyResourceNameMap) && CollectionUtils.containsAny(policyResourceNameMap.keySet(), policy.getResources().keySet())) { + Map<String, RangerPolicyResource> updatedResources = new HashMap<>(); - resource.setIsExcludes(xResource.getIsexcludes()); - resource.setIsRecursive(xResource.getIsrecursive()); + for (Map.Entry<String, RangerPolicyResource> entry : policy.getResources().entrySet()) { + String resourceName = entry.getKey(); + RangerPolicyResource policyResource = entry.getValue(); + String updatedName = policyResourceNameMap.get(resourceName); - while(iterResourceMaps.hasNext()) { - XXPolicyResourceMap xResourceMap = iterResourceMaps.next(); - - if(xResourceMap.getResourceid().equals(xResource.getId())) { - resource.getValues().add(xResourceMap.getValue()); - } else { - if(iterResourceMaps.hasPrevious()) { - iterResourceMaps.previous(); - } - break; - } + if (updatedName == null) { + updatedName = resourceName; } - policy.getResources().put(lookupCache.getResourceName(xResource.getResdefid()), resource); - } else 
if(xResource.getPolicyid().compareTo(policy.getId()) > 0) { - if(iterResources.hasPrevious()) { - iterResources.previous(); - } - break; + updatedResources.put(updatedName, policyResource); } + + policy.setResources(updatedResources); } - } - private void getPolicyItems(RangerPolicy policy) { - while(iterPolicyItems.hasNext()) { - XXPolicyItem xPolicyItem = iterPolicyItems.next(); + for (List<? extends RangerPolicyItem> policyItems : PolicyRefUpdater.getAllPolicyItems(policy)) { + if (CollectionUtils.isEmpty(policyItems)) { + continue; + } - if(xPolicyItem.getPolicyid().equals(policy.getId())) { - final RangerPolicyItem policyItem; - final RangerDataMaskPolicyItem dataMaskPolicyItem; - final RangerRowFilterPolicyItem rowFilterPolicyItem; + for (RangerPolicyItem policyItem : policyItems) { + if (lookupCache.groupMappingsPerPolicy.containsKey(policyId)) { + List<String> updatedGroups = getUpdatedNames(lookupCache.groupMappingsPerPolicy, policyId, policyItem.getGroups()); - if(xPolicyItem.getItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK) { - dataMaskPolicyItem = new RangerDataMaskPolicyItem(); - rowFilterPolicyItem = null; - policyItem = dataMaskPolicyItem; - } else if(xPolicyItem.getItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER) { - dataMaskPolicyItem = null; - rowFilterPolicyItem = new RangerRowFilterPolicyItem(); - policyItem = rowFilterPolicyItem; - } else { - dataMaskPolicyItem = null; - rowFilterPolicyItem = null; - policyItem = new RangerPolicyItem(); + if (updatedGroups != null) { + policyItem.setGroups(updatedGroups); + } } + if (lookupCache.userMappingsPerPolicy.containsKey(policyId)) { + List<String> updatedUsers = getUpdatedNames(lookupCache.userMappingsPerPolicy, policyId, policyItem.getUsers()); - while(iterAccesses.hasNext()) { - XXPolicyItemAccess xAccess = iterAccesses.next(); - - if(xAccess.getPolicyitemid().equals(xPolicyItem.getId())) { - policyItem.getAccesses().add(new 
RangerPolicyItemAccess(lookupCache.getAccessType(xAccess.getType()), xAccess.getIsallowed())); - } else { - if(iterAccesses.hasPrevious()) { - iterAccesses.previous(); - } - break; + if (updatedUsers != null) { + policyItem.setUsers(updatedUsers); } } - while(iterUserPerms.hasNext()) { - XXPolicyItemUserPerm xUserPerm = iterUserPerms.next(); + if (lookupCache.accessMappingsPerPolicy.containsKey(policyId)) { + for (RangerPolicyItemAccess itemAccess : policyItem.getAccesses()) { + String updatedName = lookupCache.getMappedName(lookupCache.accessMappingsPerPolicy, policyId, itemAccess.getType()); - if(xUserPerm.getPolicyitemid().equals(xPolicyItem.getId())) { - String userName = lookupCache.getUserName(xUserPerm.getUserid()); - if (userName != null) { - policyItem.getUsers().add(userName); + if (updatedName != null) { + itemAccess.setType(updatedName); } - } else { - if(iterUserPerms.hasPrevious()) { - iterUserPerms.previous(); - } - break; } } - while(iterGroupPerms.hasNext()) { - XXPolicyItemGroupPerm xGroupPerm = iterGroupPerms.next(); + if (lookupCache.conditionMappingsPerPolicy.containsKey(policyId)) { + for (RangerPolicyItemCondition condition : policyItem.getConditions()) { + String updatedName = lookupCache.getMappedName(lookupCache.conditionMappingsPerPolicy, policyId, condition.getType()); - if(xGroupPerm.getPolicyitemid().equals(xPolicyItem.getId())) { - String groupName = lookupCache.getGroupName(xGroupPerm.getGroupid()); - if (groupName != null) { - policyItem.getGroups().add(groupName); - } - } else { - if(iterGroupPerms.hasPrevious()) { - iterGroupPerms.previous(); + if (updatedName != null) { + condition.setType(updatedName); } - break; } } - RangerPolicyItemCondition condition = null; - Long prevConditionType = null; - while(iterConditions.hasNext()) { - XXPolicyItemCondition xCondition = iterConditions.next(); + if (policyItem instanceof RangerDataMaskPolicyItem && lookupCache.dataMaskMappingsPerPolicy.containsKey(policyId)) { + 
RangerDataMaskPolicyItem dataMaskItem = (RangerDataMaskPolicyItem) policyItem; + String updatedName = lookupCache.getMappedName(lookupCache.dataMaskMappingsPerPolicy, policyId, dataMaskItem.getDataMaskInfo().getDataMaskType()); - if(xCondition.getPolicyitemid().equals(xPolicyItem.getId())) { - if(! xCondition.getType().equals(prevConditionType)) { - condition = new RangerPolicyItemCondition(); - condition.setType(lookupCache.getConditionType(xCondition.getType())); - condition.getValues().add(xCondition.getValue()); - - policyItem.getConditions().add(condition); - - prevConditionType = xCondition.getType(); - } else { - condition.getValues().add(xCondition.getValue()); - } - } else { - if(iterConditions.hasPrevious()) { - iterConditions.previous(); - } - break; + if (updatedName != null) { + dataMaskItem.getDataMaskInfo().setDataMaskType(updatedName); } } + } + } + } - policyItem.setDelegateAdmin(xPolicyItem.getDelegateAdmin()); + List<String> getUpdatedNames(final Map<Long, Map<String, String>> nameMappingContainer, final Long policyId, final List<String> namesToMap) { + List<String> ret = null; + Map<String, String> policyNameMap = nameMappingContainer.get(policyId); - if(dataMaskPolicyItem != null) { - while (iterDataMaskInfos.hasNext()) { - XXPolicyItemDataMaskInfo xDataMaskInfo = iterDataMaskInfos.next(); + if (MapUtils.isNotEmpty(policyNameMap) && CollectionUtils.containsAny(policyNameMap.keySet(), namesToMap)) { + ret = new ArrayList<>(); - if (xDataMaskInfo.getPolicyItemId().equals(xPolicyItem.getId())) { - dataMaskPolicyItem.setDataMaskInfo(new RangerPolicyItemDataMaskInfo(lookupCache.getDataMaskName(xDataMaskInfo.getType()), xDataMaskInfo.getConditionExpr(), xDataMaskInfo.getValueExpr())); - } else { - if (iterDataMaskInfos.hasPrevious()) { - iterDataMaskInfos.previous(); - } - break; - } - } + for (String nameToMap : namesToMap) { + String mappedName = policyNameMap.get(nameToMap); + + if (mappedName != null) { + ret.add(mappedName); + } else { + 
ret.add(nameToMap); } + } - if(rowFilterPolicyItem != null) { - while (iterRowFilterInfos.hasNext()) { - XXPolicyItemRowFilterInfo xRowFilterInfo = iterRowFilterInfos.next(); + } - if (xRowFilterInfo.getPolicyItemId().equals(xPolicyItem.getId())) { - rowFilterPolicyItem.setRowFilterInfo(new RangerPolicyItemRowFilterInfo(xRowFilterInfo.getFilterExpr())); - } else { - if (iterRowFilterInfos.hasPrevious()) { - iterRowFilterInfos.previous(); - } - break; - } - } - } + return ret; + } + List<RangerPolicy> getAllPolicies() { + List<RangerPolicy> ret = new ArrayList<>(); - int itemType = xPolicyItem.getItemType() == null ? RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW : xPolicyItem.getItemType(); - - if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW) { - policy.getPolicyItems().add(policyItem); - } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) { - policy.getDenyPolicyItems().add(policyItem); - } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS) { - policy.getAllowExceptions().add(policyItem); - } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS) { - policy.getDenyExceptions().add(policyItem); - } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK) { - policy.getDataMaskPolicyItems().add(dataMaskPolicyItem); - } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER) { - policy.getRowFilterPolicyItems().add(rowFilterPolicyItem); - } else { // unknown itemType - LOG.warn("RangerPolicyRetriever.getPolicy(policyId=" + policy.getId() + "): ignoring unknown policyItemType " + itemType); - } - } else if(xPolicyItem.getPolicyid().compareTo(policy.getId()) > 0) { - if(iterPolicyItems.hasPrevious()) { - iterPolicyItems.previous(); + if (iterPolicy != null) { + while (iterPolicy.hasNext()) { + RangerPolicy policy = getNextPolicy(); + + if (policy != null) { + ret.add(policy); } - break; } } + + return ret; } } + }
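Review bot: The loop in the new `getAllPolicies()` at the end of this hunk guards only on `iterPolicy != null`, while `getNextPolicy()` (previous hunk) advances the iterator only when `service != null` as well, so a context built by `RetrieverContext(xPolicy, xService)` with a null `xService` would spin on `iterPolicy.hasNext()` without ever consuming an element. Whether any caller reaches that combination is not visible here, but matching the guards removes the hang: `if (service != null && iterPolicy != null) {`. The same loop also discards a null policy silently now that the `hasProcessedAll()` warning and the secondary retrieval are gone, and `getNextPolicy()` returns null whenever `JsonUtils.jsonToObject` does, so a row with missing or unreadable policy text would presumably drop out of the returned list with no trace. For an authorization store that omission can leave access broader than configured (a deny or masking policy vanishing), so I would add `else { LOG.warn("getAllPolicies(): skipping a policy that could not be read"); }` here, or log the policy id inside `getNextPolicy()` where `xPolicy` is in scope.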