Repository: ranger Updated Branches: refs/heads/ranger-0.7 21b880271 -> 9e7760c6f
RANGER-2066: Hbase column family access is authorized by a tagged column in the column family Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/9e7760c6 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/9e7760c6 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/9e7760c6 Branch: refs/heads/ranger-0.7 Commit: 9e7760c6fedf8e39dcfe37fce54084578f2a8864 Parents: 21b8802 Author: Abhay Kulkarni <akulka...@hortonworks.com> Authored: Thu Apr 12 22:04:20 2018 -0700 Committer: Abhay Kulkarni <akulka...@hortonworks.com> Committed: Thu Apr 12 22:04:20 2018 -0700 ---------------------------------------------------------------------- .../contextenricher/RangerTagEnricher.java | 3 +- .../policyengine/RangerTagAccessRequest.java | 1 + .../RangerDefaultPolicyEvaluator.java | 43 +++++++++++--------- .../test_policyengine_tag_hdfs.json | 4 +- .../test_policyengine_tag_hive.json | 21 ++++++++-- 5 files changed, 46 insertions(+), 26 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/9e7760c6/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index 4a3a950..858a7a4 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 
@@ -324,10 +324,11 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 if (request.isAccessTypeAny()) {
 isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
 } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
- isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT;
+ isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
 } else {
 isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR;
 }
+
 if (isMatched) {
 if (ret == null) {
 ret = new HashSet<RangerTagForEval>();
http://git-wip-us.apache.org/repos/asf/ranger/blob/9e7760c6/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
index dbdcacd..cf590f9 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
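Review bot: With `isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE` in the SELF_OR_DESCENDANTS branch, the enricher now also attaches tags whose tagged resource is an ANCESTOR of the requested one, which the replaced SELF-or-DESCENDANT test excluded, and nothing in the hunk records that this widening is deliberate or that the evaluator is now the only place that keeps a non-exact tag match from deciding access. A comment above the branch would fix that: `// SELF_OR_DESCENDANTS: collect every tag touching this resource (self, ancestor or descendant); the policy evaluator uses the tag's matchType to decide whether a non-exact match may allow or deny.` The `isAccessTypeAny()` branch now computes the same value, so the two conditions could be joined with `||` to make the equivalence visible. The enclosing method starts before and continues after this hunk.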
@@ -52,6 +52,7 @@ public class RangerTagAccessRequest extends RangerAccessRequestImpl {
 super.setRemoteIPAddress(request.getRemoteIPAddress());
 super.setForwardedAddresses(request.getForwardedAddresses());
 super.setSessionId(request.getSessionId());
+ super.setResourceMatchingScope(request.getResourceMatchingScope());
 }
 public RangerPolicyResourceMatcher.MatchType getMatchType() {
 return matchType;
http://git-wip-us.apache.org/repos/asf/ranger/blob/9e7760c6/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 71c076d..b1d6337 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
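Review bot: The added `super.setResourceMatchingScope(...)` is a silent correctness dependency: the evaluator in this same commit branches on `request.getResourceMatchingScope()`, so before this line a wrapped tag request always fell into the default SELF-or-ANCESTOR branch whatever the original request asked for, and nothing here says so. A one-line comment would protect it from being dropped in a later field-by-field edit: `// the policy evaluator branches on the original request's matching scope; it must survive wrapping for tag-policy evaluation`. A copy constructor that enumerates fields by hand will miss the next field the evaluator starts reading, so a small test that wraps a SELF_OR_DESCENDANTS request and asserts the wrapped scope is cheap insurance. The constructor starts before this hunk.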
@@ -169,21 +169,25 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if (request != null && result != null) { if (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined()) { - RangerPolicyResourceMatcher.MatchType matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE; + RangerPolicyResourceMatcher.MatchType matchType; + + if (RangerTagAccessRequest.class.isInstance(request)) { + matchType = ((RangerTagAccessRequest) request).getMatchType(); + } else { + matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE; + } final boolean isMatched; + if (request.isAccessTypeAny()) { isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE; } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) { - isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT; + isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE; } else { isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR; } if (isMatched) { - if (RangerTagAccessRequest.class.isInstance(request)) { - matchType = ((RangerTagAccessRequest) request).getMatchType(); - } if (!result.getIsAuditedDetermined()) { if (isAuditEnabled()) { result.setIsAudited(true); 
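Review bot: `matchType != RangerPolicyResourceMatcher.MatchType.NONE` is also true when `((RangerTagAccessRequest) request).getMatchType()` returns null, so a tag whose match type was never set or did not deserialize (the old fixtures encoded it as the number `1` rather than an enum name) is treated as matched in the first two branches while the default branch treats it as unmatched; normalizing right after the cast, `if (matchType == null) { matchType = RangerPolicyResourceMatcher.MatchType.NONE; }`, makes an unknown match type fail closed in every branch. `RangerTagAccessRequest.class.isInstance(request)` followed by a cast is just the reflective spelling of `instanceof` and reads worse. The reader should also be told that for a tag request the policy's own `resourceMatcher` is bypassed and `matchType` describes how the tagged resource relates to the requested one, e.g. `// tag policies match the tag itself; what matters is how the tagged resource relates to the requested resource, as recorded by the enricher`. The method continues outside this hunk, where `isMatched` is consumed.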
@@ -410,17 +414,15 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + request + ", " + result + ")"); } - RangerPolicyResourceMatcher.MatchType matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE; - - final boolean isMatched; - if (request.isAccessTypeAny()) { - isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE; - } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) { - isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT; - } else { - isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR; + RangerPolicyResourceMatcher.MatchType matchType; + if (RangerTagAccessRequest.class.isInstance(request)) { + matchType = ((RangerTagAccessRequest) request).getMatchType(); + } else { + matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE; } + final boolean isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE; + if (isMatched) { if (CollectionUtils.isNotEmpty(allowEvaluators)) { @@ -470,7 +472,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } } - protected void evaluatePolicyItems(RangerAccessRequest request, RangerAccessResult result, boolean isResourceMatch) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")"); 
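Review bot: `getResourceAccessInfo` now uses `isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE` for every request, whereas `evaluate` in the previous hunk still rejects DESCENDANT matches outside SELF_OR_DESCENDANTS scope and ANCESTOR matches inside it, so the two methods will disagree on which policies apply to the same request. If the looser rule is intended because access-info is informational, say so where the rule is chosen: `// access-info is informational: report every policy that touches the resource (self, ancestor or descendant), unlike evaluate() which gates on the request's matching scope`. If it is not intended, the `isMatched` computation from `evaluate` should be factored into a helper and called from both places so they cannot drift again. The `@@ -470` hunk only removes a blank line.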
@@ -486,16 +487,18 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator RangerPolicy policy = getPolicy(); if(matchedPolicyItem.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) { - if(isResourceMatch) { + if(isResourceMatch || !request.isAccessTypeAny()) { result.setIsAllowed(false); result.setPolicyId(policy.getId()); result.setReason(matchedPolicyItem.getComments()); } } else { - if(! result.getIsAllowed()) { // if access is not yet allowed by another policy - result.setIsAllowed(true); - result.setPolicyId(policy.getId()); - result.setReason(matchedPolicyItem.getComments()); + if(isResourceMatch || request.isAccessTypeAny()) { + if(! result.getIsAllowed()) { // if access is not yet allowed by another policy + result.setIsAllowed(true); + result.setPolicyId(policy.getId()); + result.setReason(matchedPolicyItem.getComments()); + } } } } http://git-wip-us.apache.org/repos/asf/ranger/blob/9e7760c6/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json index b4941cd..eb2251c 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json @@ -215,7 +215,7 @@ "userGroups": [ ], "requestData": "read /resource", "context": { - "TAGS": "[{\"type\":\"PII\", \"matchType\":1}]" + "TAGS": "[{\"type\":\"PII\", \"matchType\": \"SELF\"}]" } }, "result": { "isAudited": true, "isAllowed": false, "policyId": 101 } 
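Review bot: The mirrored guards `isResourceMatch || !request.isAccessTypeAny()` on the DENY branch and `isResourceMatch || request.isAccessTypeAny()` on the ALLOW branch are the whole fix and look like a typo on first reading, yet carry no comment. Presumably `isResourceMatch` (computed by the caller, outside this hunk) is false for a tag that matched only as ancestor or descendant; the rule then is that such a match may still deny a concrete access type but may never grant one, and for an "any access" probe it may grant but never deny. Proposed comment above the DENY `if`: `// non-exact (ancestor/descendant) match: a deny still applies to a concrete access type, but only an exact match may deny an "any access" probe; the allow branch below is the mirror image, so a tagged column can never grant access to its whole column family.` Deny-before-allow ordering and the first-allow-wins `!result.getIsAllowed()` check are unchanged. `evaluatePolicyItems` begins before this hunk and its closing braces continue after it.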
@@ -371,7 +371,7 @@ "userGroups": [ ], "requestData": "read /resource", "context": { - "TAGS": "[{\"type\":\"Unaudited-TAG\", \"matchType\":1}]" + "TAGS": "[{\"type\":\"Unaudited-TAG\", \"matchType\": \"SELF\"}]" } }, "result": { "isAudited": true, "isAllowed": false, "policyId": 1 } http://git-wip-us.apache.org/repos/asf/ranger/blob/9e7760c6/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json index 11f31e3..d66f6e8 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json @@ -31,7 +31,10 @@ "lock" ] } - ] + ], + "options": { + "enableDenyAndExceptionsInPolicies":"true" + } }, "policies":[ @@ -39,7 +42,10 @@ "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}}, "policyItems":[ {"accesses":[{"type":"all","isAllowed":true}],"users":["hive", "user1", "user2"],"groups":["public"],"delegateAdmin":false} - ] + ], + "allowExceptions":[ + {"accesses":[{"type":"all","isAllowed":true}],"users":["testuser"],"groups":[],"delegateAdmin":false} + ] }, {"id":102,"name":"db=*, udf=*: audit-all-access","isEnabled":true,"isAuditEnabled":true, "resources":{"database":{"values":["*"]},"udf":{"values":["*"]}}, 
@@ -219,12 +225,21 @@ }, "tests":[ + {"name":"DENY 'select ssn from employee.personal;' for testuser using EXPIRES_ON tag with DESCENDANT match", + "request":{ + "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}}, + "accessType":"select","user":"testuser","userGroups":[],"requestData":"select ssn from employee.personal;' for testuser", + + "context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", \"attributes\":{\"expiry_date\":\"2026-06-15T15:05:15.000Z\"}, \"matchType\":\"DESCENDANT\"}]"} + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + }, {"name":"ALLOW 'select ssn from employee.personal;' for user1 using EXPIRES_ON tag", "request":{ "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}}, "accessType":"select","user":"user1","userGroups":[],"requestData":"select ssn from employee.personal;' for user1", - "context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", \"attributes\":{\"expiry_date\":\"2026-06-15T15:05:15.000Z\"}, \"matchType\":1}]"} + "context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", \"attributes\":{\"expiry_date\":\"2026-06-15T15:05:15.000Z\"}, \"matchType\":\"SELF\"}]"} }, "result":{"isAudited":true,"isAllowed":true,"policyId":101} },
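Review bot: The new DENY case exercises only one quadrant of the rule added to evaluatePolicyItems: a DESCENDANT-matched tag allow must not grant a specific access type. The remaining quadrants are untested here: a DESCENDANT-matched tag deny still denying a specific access type, and an any-access probe being granted by a descendant allow but not denied by a descendant deny; each is one more test entry with the same resource and `\"matchType\":\"DESCENDANT\"` on the tag, plus a deny policy item or the engine's any-access accessType. The expected `"policyId":-1` also shows the new case passes only because testuser is carved out of policy 101 by the `allowExceptions` added in the previous hunk, so the denial is the default rather than a policy decision; a case where a tag policy deny fires with its own policyId would pin the DENY branch directly. Both EXPIRES_ON cases depend on `expiry_date` 2026-06-15 and, if that attribute is compared against the wall clock, will change outcome after that date.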