Posted to commits@ranger.apache.org by ma...@apache.org on 2015/11/05 23:13:17 UTC
[1/7] incubator-ranger git commit: RANGER-274: unit test fix in
cleanup
Repository: incubator-ranger
Updated Branches:
refs/heads/tag-policy 6b79130d9 -> e11533079
RANGER-274: unit test fix in cleanup
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
(cherry picked from commit fb56f9c22f319e70819e6405fad255bf82935daa)
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/85008427
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/85008427
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/85008427
Branch: refs/heads/tag-policy
Commit: 85008427ceebff816f6152009ceaee88bb26b7d9
Parents: 6b79130
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Fri Oct 30 16:57:05 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Nov 5 13:57:54 2015 -0800
----------------------------------------------------------------------
.../ranger/plugin/store/TestTagStore.java | 25 +++++---------------
1 file changed, 6 insertions(+), 19 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/85008427/agents-common/src/test/java/org/apache/ranger/plugin/store/TestTagStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/store/TestTagStore.java b/agents-common/src/test/java/org/apache/ranger/plugin/store/TestTagStore.java
index 5b867ad..1bf35c6 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/store/TestTagStore.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/store/TestTagStore.java
@@ -121,29 +121,16 @@ public class TestTagStore {
@AfterClass
public static void tearDownAfterClass() throws Exception {
- Path dirPath = new Path(tmpDir);
- FileSystem fs = dirPath.getFileSystem(config);
+ if (filePath != null) {
+ try {
+ FileSystem fs = filePath.getFileSystem(config);
- try {
- if (fs.exists(dirPath) && fs.isDirectory(dirPath)) {
-
- RemoteIterator<LocatedFileStatus> files = fs.listFiles(dirPath, false);
-
- if (files != null) {
- while (files.hasNext()) {
- LocatedFileStatus fileStatus = files.next();
- Path path = fileStatus.getPath();
- if (fs.isFile(path)) {
- fs.delete(path, true);
- }
- }
- }
+ fs.delete(filePath, true);
+ } catch (Throwable t) {
+ // Ignore
}
- } catch (IOException excp) {
}
- fs.delete(filePath, true);
-
}
@Test
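Review bot: The added `catch (Throwable t) { // Ignore }` in tearDownAfterClass hides every cleanup failure, including `Error`s, and the boolean returned by `fs.delete(filePath, true)` is discarded too, so a store file left behind in the temp directory goes unnoticed and can leak into later test runs. Narrow the handler to what the Hadoop calls declare and record the failure: `} catch (IOException e) {` followed by `System.err.println("TestTagStore cleanup failed for " + filePath + ": " + e);`. The diffstat shows no other change in this file, so the `IOException` import used by the removed code should still be present. The `RemoteIterator` and `LocatedFileStatus` imports are probably unused now and worth removing.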
[6/7] incubator-ranger git commit: Ranger-652: Excluding windows
azure package dependency in Ldap Config check tool
Posted by ma...@apache.org.
Ranger-652: Excluding windows azure package dependency in Ldap Config check tool
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
(cherry picked from commit ec3d1121d8a7b6e6018f1d6c5330ccd902884025)
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/3fdcfc49
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/3fdcfc49
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/3fdcfc49
Branch: refs/heads/tag-policy
Commit: 3fdcfc4929c34269d0ed1a3842dc6da067093c8f
Parents: a61a17f
Author: Sailaja Polavarapu <sp...@hortonworks.com>
Authored: Tue Nov 3 10:01:25 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Nov 5 14:00:22 2015 -0800
----------------------------------------------------------------------
.../ldapconfigchecktool/ldapconfigcheck/pom.xml | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3fdcfc49/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
index 4ac823f..8d7a150 100644
--- a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
@@ -90,17 +90,27 @@
<version>${springframework.security.version}</version>
</dependency>
<dependency>
- <groupId>org.apache.ranger</groupId>
- <artifactId>credentialbuilder</artifactId>
- <version>${project.version}</version>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>credentialbuilder</artifactId>
+ <version>${project.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>com.microsoft.windowsazure</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
-
<dependency>
<groupId>org.apache.ranger</groupId>
<artifactId>ranger-util</artifactId>
<version>${project.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>com.microsoft.windowsazure</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
-
</dependencies>
<build>
<finalName>ldapconfigcheck</finalName>
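Review bot: The wildcard `<artifactId>*</artifactId>` in both new exclusions is officially supported only from Maven 3.2.1; earlier versions warn about the pattern and their behaviour is not guaranteed, so a build on an older Maven may still package the `com.microsoft.windowsazure` artifacts without failing. Either pin the minimum Maven version for this module (for example with the enforcer plugin's `requireMavenVersion` rule) or list the excluded artifactIds explicitly, and confirm the result with `mvn dependency:tree`. The same exclusion block is repeated for `credentialbuilder` and `ranger-util`; if the parent pom manages these dependencies, declaring the exclusion once in `<dependencyManagement>` would keep the two copies from drifting apart.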
[2/7] incubator-ranger git commit: RANGER-713:Knox-plugin failed to
enable after plugin modification for not to add dependent libraries to
component's CLASSPATH
Posted by ma...@apache.org.
RANGER-713: Knox plugin failed to enable after the plugin was modified to not add dependent libraries to the component's CLASSPATH
(cherry picked from commit efd317f90ec0a2ffd750292807ea2116054d8cc2)
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/fa072f66
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/fa072f66
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/fa072f66
Branch: refs/heads/tag-policy
Commit: fa072f665d38b2b268dcfe1098c77ee3c9ac6f51
Parents: 8500842
Author: rmani <rm...@hortonworks.com>
Authored: Sat Oct 31 09:53:00 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Nov 5 13:58:07 2015 -0800
----------------------------------------------------------------------
.../RangerPDPKnoxDeploymentContributor.java | 74 --------------------
...gateway.deploy.ProviderDeploymentContributor | 18 -----
.../authorization/knox/RangerPDPKnoxFilter.java | 7 +-
.../RangerPDPKnoxDeploymentContributor.java | 74 ++++++++++++++++++++
...gateway.deploy.ProviderDeploymentContributor | 18 +++++
5 files changed, 95 insertions(+), 96 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fa072f66/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
deleted file mode 100644
index e927ba6..0000000
--- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
+++ /dev/null
@@ -1,74 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.ranger.authorization.knox.deploy;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.apache.hadoop.gateway.deploy.DeploymentContext;
-import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
-import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
-import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
-import org.apache.hadoop.gateway.topology.Provider;
-import org.apache.hadoop.gateway.topology.Service;
-
-public class RangerPDPKnoxDeploymentContributor extends ProviderDeploymentContributorBase {
-
- private static final String FILTER_CLASSNAME = "org.apache.ranger.authorization.knox.RangerPDPKnoxFilter";
-
- @Override
- public String getRole() {
- return "authorization";
- }
-
- @Override
- public String getName() {
- // This MUST match a corresponding change in the topology file. For upgrade purposes this name remains as is, i.e. XASecure* and not Ranger*.
- return "XASecurePDPKnox";
- }
-
- @Override
- public void initializeContribution(DeploymentContext context) {
- super.initializeContribution(context);
- }
-
- @Override
- public void contributeProvider( DeploymentContext context, Provider provider ) {
- }
-
- @Override
- public void contributeFilter( DeploymentContext context, Provider provider, Service service,
- ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
- if (params == null) {
- params = new ArrayList<FilterParamDescriptor>();
- }
- // add resource role to params so that we can determine the acls to enforce at runtime
- params.add( resource.createFilterParam().name( "resource.role" ).value(resource.role() ) );
-
- // blindly add all the provider params as filter init params
- // this will include any {resource.role}-ACLS parameters to be enforced - such as NAMENODE-ACLS
- Map<String, String> providerParams = provider.getParams();
- for(Entry<String, String> entry : providerParams.entrySet()) {
- params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
- }
-
- resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fa072f66/knox-agent/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/knox-agent/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
deleted file mode 100644
index c0c4576..0000000
--- a/knox-agent/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
+++ /dev/null
@@ -1,18 +0,0 @@
-##########################################################################
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-##########################################################################
-org.apache.ranger.authorization.knox.deploy.RangerPDPKnoxDeploymentContributor
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fa072f66/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
----------------------------------------------------------------------
diff --git a/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java b/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
index af4d947..c039ff2 100644
--- a/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
+++ b/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
@@ -36,10 +36,9 @@ public class RangerPDPKnoxFilter implements Filter {
private static final Log LOG = LogFactory.getLog(RangerPDPKnoxFilter.class);
private static final String RANGER_PLUGIN_TYPE = "knox";
- private static final String[] RANGER_PLUGIN_LIB_DIR = new String[] {"lib/ranger-hdfs-plugin"};
private static final String RANGER_PDP_KNOX_FILTER_IMPL_CLASSNAME = "org.apache.ranger.authorization.knox.RangerPDPKnoxFilter";
-
- private RangerPDPKnoxFilter rangerPDPKnoxFilteImpl = null;
+
+ private Filter rangerPDPKnoxFilteImpl = null;
private static RangerPluginClassLoader rangerPluginClassLoader = null;
public RangerPDPKnoxFilter() {
@@ -67,7 +66,7 @@ public class RangerPDPKnoxFilter implements Filter {
activatePluginClassLoader();
- rangerPDPKnoxFilteImpl = (RangerPDPKnoxFilter) cls.newInstance();
+ rangerPDPKnoxFilteImpl = cls.newInstance();
} catch (Exception e) {
// check what need to be done
LOG.error("Error Enabling RangerKnoxPlugin", e);
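Review bot: When `cls.newInstance()` fails, the `catch (Exception e)` at the end of this hunk only logs and leaves `rangerPDPKnoxFilteImpl` null, and for an authorization filter that state must not result in requests passing unchecked. The enclosing method and the request path (`doFilter`) are outside this hunk, so confirm that a missing delegate causes requests to be rejected, or make initialisation fail closed by rethrowing after the log line: `throw new IllegalStateException("Error Enabling RangerKnoxPlugin", e);`. The existing `// check what need to be done` comment suggests this decision was still open when the code was written.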
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fa072f66/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java b/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
new file mode 100644
index 0000000..e927ba6
--- /dev/null
+++ b/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java
@@ -0,0 +1,74 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ranger.authorization.knox.deploy;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.topology.Provider;
+import org.apache.hadoop.gateway.topology.Service;
+
+public class RangerPDPKnoxDeploymentContributor extends ProviderDeploymentContributorBase {
+
+ private static final String FILTER_CLASSNAME = "org.apache.ranger.authorization.knox.RangerPDPKnoxFilter";
+
+ @Override
+ public String getRole() {
+ return "authorization";
+ }
+
+ @Override
+ public String getName() {
+ // This MUST match a corresponding change in the topology file. For upgrade purposes this name remains as is, i.e. XASecure* and not Ranger*.
+ return "XASecurePDPKnox";
+ }
+
+ @Override
+ public void initializeContribution(DeploymentContext context) {
+ super.initializeContribution(context);
+ }
+
+ @Override
+ public void contributeProvider( DeploymentContext context, Provider provider ) {
+ }
+
+ @Override
+ public void contributeFilter( DeploymentContext context, Provider provider, Service service,
+ ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+ if (params == null) {
+ params = new ArrayList<FilterParamDescriptor>();
+ }
+ // add resource role to params so that we can determine the acls to enforce at runtime
+ params.add( resource.createFilterParam().name( "resource.role" ).value(resource.role() ) );
+
+ // blindly add all the provider params as filter init params
+ // this will include any {resource.role}-ACLS parameters to be enforced - such as NAMENODE-ACLS
+ Map<String, String> providerParams = provider.getParams();
+ for(Entry<String, String> entry : providerParams.entrySet()) {
+ params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
+ }
+
+ resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params( params );
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fa072f66/ranger-knox-plugin-shim/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/ranger-knox-plugin-shim/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/ranger-knox-plugin-shim/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
new file mode 100644
index 0000000..c0c4576
--- /dev/null
+++ b/ranger-knox-plugin-shim/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
@@ -0,0 +1,18 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+org.apache.ranger.authorization.knox.deploy.RangerPDPKnoxDeploymentContributor
[4/7] incubator-ranger git commit: RANGER-712 Create a sub-project to
serve as not only a repository for samples for ranger extensions but also a
template project for someone wanting to write extensions
Posted by ma...@apache.org.
RANGER-712 Create a sub-project to serve as not only a repository for samples for ranger extensions but also a template project for someone wanting to write extensions
(cherry picked from commit 433ab85239f3969c445903f992b982a66d455cf6)
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/8aff4e1b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/8aff4e1b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/8aff4e1b
Branch: refs/heads/tag-policy
Commit: 8aff4e1b355298f7a136ee0675f1ccd214c8250f
Parents: 1a0f7e2
Author: Alok Lal <al...@apache.org>
Authored: Fri Oct 30 16:26:47 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Nov 5 13:58:53 2015 -0800
----------------------------------------------------------------------
.../conditionevaluator/RangerSimpleMatcher.java | 133 ---------------
.../contextenricher/RangerCountryProvider.java | 79 ---------
.../RangerFileBasedGeolocationProvider.java | 35 ----
.../contextenricher/RangerProjectProvider.java | 79 ---------
.../conditionevaluator/RangerSimpleMatcher.java | 133 +++++++++++++++
.../RangerSimpleMatcherTest.java | 146 ----------------
.../RangerFileBasedGeolocationProvider.java | 35 ++++
pom.xml | 1 +
ranger-examples/pom.xml | 45 +++++
.../RangerSampleSimpleMatcher.java | 170 +++++++++++++++++++
.../RangerSampleCountryProvider.java | 105 ++++++++++++
.../RangerSampleProjectProvider.java | 103 +++++++++++
.../RangerSampleSimpleMatcherTest.java | 139 +++++++++++++++
13 files changed, 731 insertions(+), 472 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8aff4e1b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java
deleted file mode 100644
index d9f6158..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.conditionevaluator;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.collections.MapUtils;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
-
-public class RangerSimpleMatcher extends RangerAbstractConditionEvaluator {
-
- private static final Log LOG = LogFactory.getLog(RangerSimpleMatcher.class);
-
- public static final String CONTEXT_NAME = "CONTEXT_NAME";
-
- private boolean _allowAny = false;
- private String _contextName = null;
- private List<String> _values = new ArrayList<String>();
-
- @Override
- public void init() {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerSimpleMatcher.init(" + condition + ")");
- }
-
- super.init();
-
- if (condition == null) {
- LOG.debug("init: null policy condition! Will match always!");
- _allowAny = true;
- } else if (conditionDef == null) {
- LOG.debug("init: null policy condition definition! Will match always!");
- _allowAny = true;
- } else if (CollectionUtils.isEmpty(condition.getValues())) {
- LOG.debug("init: empty conditions collection on policy condition! Will match always!");
- _allowAny = true;
- } else if (MapUtils.isEmpty(conditionDef.getEvaluatorOptions())) {
- LOG.debug("init: Evaluator options were empty. Can't determine what value to use from context. Will match always.");
- _allowAny = true;
- } else if (StringUtils.isEmpty(conditionDef.getEvaluatorOptions().get(CONTEXT_NAME))) {
- LOG.debug("init: CONTEXT_NAME is not specified in evaluator options. Can't determine what value to use from context. Will match always.");
- _allowAny = true;
- } else {
- _contextName = conditionDef.getEvaluatorOptions().get(CONTEXT_NAME);
- for (String value : condition.getValues()) {
- _values.add(value);
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerSimpleMatcher.init(" + condition + "): countries[" + _values + "]");
- }
- }
-
- @Override
- public boolean isMatched(RangerAccessRequest request) {
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerSimpleMatcher.isMatched(" + request + ")");
- }
-
- boolean matched = false;
-
- if (_allowAny) {
- matched = true;
- } else {
- String requestValue = extractValue(request, _contextName);
- if (StringUtils.isNotBlank(requestValue)) {
- for (String policyValue : _values) {
- if (FilenameUtils.wildcardMatch(requestValue, policyValue)) {
- matched = true;
- break;
- }
- }
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerSimpleMatcher.isMatched(" + request+ "): " + matched);
- }
-
- return matched;
- }
-
- String extractValue(final RangerAccessRequest request, String key) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerSimpleMatcher.extractValue(" + request+ ")");
- }
-
- String value = null;
- if (request == null) {
- LOG.debug("isMatched: Unexpected: null request. Returning null!");
- } else if (request.getContext() == null) {
- LOG.debug("isMatched: Context map of request is null. Ok. Returning null!");
- } else if (CollectionUtils.isEmpty(request.getContext().entrySet())) {
- LOG.debug("isMatched: Missing context on request. Ok. Condition isn't applicable. Returning null!");
- } else if (!request.getContext().containsKey(key)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("isMatched: Unexpected: Context did not have data for condition[" + key + "]. Returning null!");
- }
- } else {
- value = (String)request.getContext().get(key);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerSimpleMatcher.extractValue(" + request+ "): " + value);
- }
- return value;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8aff4e1b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerCountryProvider.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerCountryProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerCountryProvider.java
deleted file mode 100644
index 64f5023..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerCountryProvider.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.contextenricher;
-
-import java.util.Map;
-import java.util.Properties;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
-
-
-public class RangerCountryProvider extends RangerAbstractContextEnricher {
- private static final Log LOG = LogFactory.getLog(RangerCountryProvider.class);
-
- private String contextName = "COUNTRY";
- private Properties userCountryMap = null;
-
- @Override
- public void init() {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerCountryProvider.init(" + enricherDef + ")");
- }
-
- super.init();
-
- contextName = getOption("contextName", "COUNTRY");
-
- String dataFile = getOption("dataFile", "/etc/ranger/data/userCountry.txt");
-
- userCountryMap = readProperties(dataFile);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerCountryProvider.init(" + enricherDef + ")");
- }
- }
-
- @Override
- public void enrich(RangerAccessRequest request) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerCountryProvider.enrich(" + request + ")");
- }
-
- if(request != null && userCountryMap != null) {
- Map<String, Object> context = request.getContext();
- String country = userCountryMap.getProperty(request.getUser());
-
- if(context != null && !StringUtils.isEmpty(country)) {
- request.getContext().put(contextName, country);
- } else {
- if(LOG.isDebugEnabled()) {
- LOG.debug("RangerCountryProvider.enrich(): skipping due to unavailable context or country. context=" + context + "; country=" + country);
- }
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerCountryProvider.enrich(" + request + ")");
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8aff4e1b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedGeolocationProvider.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedGeolocationProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedGeolocationProvider.java
deleted file mode 100644
index ea599c7..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedGeolocationProvider.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.contextenricher;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-public class RangerFileBasedGeolocationProvider extends RangerAbstractGeolocationProvider {
-
- private static final Log LOG = LogFactory.getLog(RangerFileBasedGeolocationProvider.class);
-
- public static final String GEOLOCATION_SOURCE_LOADER_FILELOADER = "org.apache.ranger.plugin.store.file.GeolocationFileStore";
-
- @Override
- public String getGeoSourceLoader() {
- return GEOLOCATION_SOURCE_LOADER_FILELOADER;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8aff4e1b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerProjectProvider.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerProjectProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerProjectProvider.java
deleted file mode 100644
index 4df53cb..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerProjectProvider.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.contextenricher;
-
-import java.util.Map;
-import java.util.Properties;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
-
-
-public class RangerProjectProvider extends RangerAbstractContextEnricher {
- private static final Log LOG = LogFactory.getLog(RangerProjectProvider.class);
-
- private String contextName = "PROJECT";
- private Properties userProjectMap = null;
-
- @Override
- public void init() {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerProjectProvider.init(" + enricherDef + ")");
- }
-
- super.init();
-
- contextName = getOption("contextName", "PROJECT");
-
- String dataFile = getOption("dataFile", "/etc/ranger/data/userProject.txt");
-
- userProjectMap = readProperties(dataFile);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerProjectProvider.init(" + enricherDef + ")");
- }
- }
-
- @Override
- public void enrich(RangerAccessRequest request) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerProjectProvider.enrich(" + request + ")");
- }
-
- if(request != null && userProjectMap != null) {
- Map<String, Object> context = request.getContext();
- String project = userProjectMap.getProperty(request.getUser());
-
- if(context != null && !StringUtils.isEmpty(project)) {
- request.getContext().put(contextName, project);
- } else {
- if(LOG.isDebugEnabled()) {
- LOG.debug("RangerProjectProvider.enrich(): skipping due to unavailable context or project. context=" + context + "; project=" + project);
- }
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerProjectProvider.enrich(" + request + ")");
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8aff4e1b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java
new file mode 100644
index 0000000..7ad7252
--- /dev/null
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java
@@ -0,0 +1,133 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.conditionevaluator;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class RangerSimpleMatcher extends RangerAbstractConditionEvaluator {
+
+ private static final Log LOG = LogFactory.getLog(RangerSimpleMatcher.class);
+
+ public static final String CONTEXT_NAME = "CONTEXT_NAME";
+
+ private boolean _allowAny = false;
+ private String _contextName = null;
+ private List<String> _values = new ArrayList<String>();
+
+ @Override
+ public void init() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerSimpleMatcher.init(" + condition + ")");
+ }
+
+ super.init();
+
+ if (condition == null) {
+ LOG.debug("init: null policy condition! Will match always!");
+ _allowAny = true;
+ } else if (conditionDef == null) {
+ LOG.debug("init: null policy condition definition! Will match always!");
+ _allowAny = true;
+ } else if (CollectionUtils.isEmpty(condition.getValues())) {
+ LOG.debug("init: empty conditions collection on policy condition! Will match always!");
+ _allowAny = true;
+ } else if (MapUtils.isEmpty(conditionDef.getEvaluatorOptions())) {
+ LOG.debug("init: Evaluator options were empty. Can't determine what value to use from context. Will match always.");
+ _allowAny = true;
+ } else if (StringUtils.isEmpty(conditionDef.getEvaluatorOptions().get(CONTEXT_NAME))) {
+ LOG.debug("init: CONTEXT_NAME is not specified in evaluator options. Can't determine what value to use from context. Will match always.");
+ _allowAny = true;
+ } else {
+ _contextName = conditionDef.getEvaluatorOptions().get(CONTEXT_NAME);
+ for (String value : condition.getValues()) {
+ _values.add(value);
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerSimpleMatcher.init(" + condition + "): countries[" + _values + "]");
+ }
+ }
+
+ @Override
+ public boolean isMatched(RangerAccessRequest request) {
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerSimpleMatcher.isMatched(" + request + ")");
+ }
+
+ boolean matched = false;
+
+ if (_allowAny) {
+ matched = true;
+ } else {
+ String requestValue = extractValue(request, _contextName);
+ if (StringUtils.isNotBlank(requestValue)) {
+ for (String policyValue : _values) {
+ if (FilenameUtils.wildcardMatch(requestValue, policyValue)) {
+ matched = true;
+ break;
+ }
+ }
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerSimpleMatcher.isMatched(" + request+ "): " + matched);
+ }
+
+ return matched;
+ }
+
+ String extractValue(final RangerAccessRequest request, String key) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerSimpleMatcher.extractValue(" + request+ ")");
+ }
+
+ String value = null;
+ if (request == null) {
+ LOG.debug("isMatched: Unexpected: null request. Returning null!");
+ } else if (request.getContext() == null) {
+ LOG.debug("isMatched: Context map of request is null. Ok. Returning null!");
+ } else if (CollectionUtils.isEmpty(request.getContext().entrySet())) {
+ LOG.debug("isMatched: Missing context on request. Ok. Condition isn't applicable. Returning null!");
+ } else if (!request.getContext().containsKey(key)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("isMatched: Unexpected: Context did not have data for condition[" + key + "]. Returning null!");
+ }
+ } else {
+ value = (String)request.getContext().get(key);
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerSimpleMatcher.extractValue(" + request+ "): " + value);
+ }
+ return value;
+ }
+}
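Review bot: `init()` never resets `_allowAny`, `_contextName` or `_values`, so a second call on the same instance keeps the earlier state: once any fallback branch has set `_allowAny = true` the matcher matches every request from then on, and `_values` keeps accumulating. The removed `test_firewallings` re-initialises one matcher this way, so its final "starts to evaluate for real" assertion would pass on the stale flag alone. Resetting right after `super.init()` with `_allowAny = false; _contextName = null; _values.clear();` fixes this. `RangerSampleSimpleMatcher.init()` later in this commit has the same shape. The closing debug message also still prints `countries[` although the matcher is generic.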
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8aff4e1b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcherTest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcherTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcherTest.java
deleted file mode 100644
index 8d0bc75..0000000
--- a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcherTest.java
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.conditionevaluator;
-
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
-import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
-import org.junit.Test;
-
-public class RangerSimpleMatcherTest {
-
- final Map<String, String> _conditionOptions = new HashMap<String, String>();
-
- {
- _conditionOptions.put(RangerSimpleMatcher.CONTEXT_NAME, RangerSimpleMatcher.CONTEXT_NAME);
- }
-
- @Test
- public void testIsMatched_happyPath() {
- // this documents some unexpected behavior of the ip matcher
- RangerSimpleMatcher ipMatcher = createMatcher(new String[]{"US", "C*"} );
- assertTrue(ipMatcher.isMatched(createRequest("US")));
- assertTrue(ipMatcher.isMatched(createRequest("CA")));
- assertTrue(ipMatcher.isMatched(createRequest("C---")));
- assertFalse(ipMatcher.isMatched(createRequest(" US ")));
- assertFalse(ipMatcher.isMatched(createRequest("Us")));
- assertFalse(ipMatcher.isMatched(createRequest("ca")));
- }
-
- @Test
- public void test_firewallings() {
-
- // create a request for some policyValue, say, country and use it to match against matcher initialized with all sorts of bad data
- RangerAccessRequest request = createRequest("AB");
-
- RangerSimpleMatcher matcher = new RangerSimpleMatcher();
- // Matcher initialized with null policy should behave sensibly! It matches everything!
- matcher.setConditionDef(null);
- matcher.setPolicyItemCondition(null);
- matcher.init();
- assertTrue(matcher.isMatched(request));
-
- RangerPolicyItemCondition policyItemCondition = mock(RangerPolicyItemCondition.class);
- matcher.setConditionDef(null);
- matcher.setPolicyItemCondition(policyItemCondition);
- matcher.init();
- assertTrue(matcher.isMatched(request));
-
- RangerPolicyConditionDef conditionDef = mock(RangerPolicyConditionDef.class);
- matcher.setConditionDef(conditionDef);
- matcher.setPolicyItemCondition(null);
- matcher.init();
- assertTrue(matcher.isMatched(request));
-
- // so should a policy item condition with initialized with null list of values
- when(policyItemCondition.getValues()).thenReturn(null);
- matcher.setConditionDef(conditionDef);
- matcher.setPolicyItemCondition(policyItemCondition);
- matcher.init();
- assertTrue(matcher.isMatched(request));
-
- // not null item condition with empty condition list
- List<String> values = new ArrayList<String>();
- when(policyItemCondition.getValues()).thenReturn(values);
- matcher.setConditionDef(conditionDef);
- matcher.setPolicyItemCondition(policyItemCondition);
- matcher.init();
- assertTrue(matcher.isMatched(request));
-
- // values as sensible items in it, however, the conditionDef has null evaluator option, so that too suppresses any check
- values.add("AB");
- when(policyItemCondition.getValues()).thenReturn(values);
- when(conditionDef.getEvaluatorOptions()).thenReturn(null);
- matcher.setConditionDef(conditionDef);
- matcher.setPolicyItemCondition(policyItemCondition);
- matcher.init();
- assertTrue(matcher.isMatched(request));
-
- // If evaluator option on the condition def is non-null then it starts to evaluate for real
- when(conditionDef.getEvaluatorOptions()).thenReturn(_conditionOptions);
- matcher.setConditionDef(conditionDef);
- matcher.setPolicyItemCondition(policyItemCondition);
- matcher.init();
- assertTrue(matcher.isMatched(request));
- }
-
- RangerSimpleMatcher createMatcher(String[] ipArray) {
- RangerSimpleMatcher matcher = new RangerSimpleMatcher();
-
- if (ipArray == null) {
- matcher.setConditionDef(null);
- matcher.setPolicyItemCondition(null);
- matcher.init();
- } else {
- RangerPolicyItemCondition condition = mock(RangerPolicyItemCondition.class);
- List<String> addresses = Arrays.asList(ipArray);
- when(condition.getValues()).thenReturn(addresses);
-
- RangerPolicyConditionDef conditionDef = mock(RangerPolicyConditionDef.class);
-
- when(conditionDef.getEvaluatorOptions()).thenReturn(_conditionOptions);
- matcher.setConditionDef(conditionDef);
- matcher.setPolicyItemCondition(condition);
- matcher.init();
- }
-
- return matcher;
- }
-
- RangerAccessRequest createRequest(String value) {
- Map<String, Object> context = new HashMap<String, Object>();
- context.put(RangerSimpleMatcher.CONTEXT_NAME, value);
- RangerAccessRequest request = mock(RangerAccessRequest.class);
- when(request.getContext()).thenReturn(context);
- return request;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8aff4e1b/agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedGeolocationProvider.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedGeolocationProvider.java b/agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedGeolocationProvider.java
new file mode 100644
index 0000000..ea599c7
--- /dev/null
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedGeolocationProvider.java
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.contextenricher;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class RangerFileBasedGeolocationProvider extends RangerAbstractGeolocationProvider {
+
+ private static final Log LOG = LogFactory.getLog(RangerFileBasedGeolocationProvider.class);
+
+ public static final String GEOLOCATION_SOURCE_LOADER_FILELOADER = "org.apache.ranger.plugin.store.file.GeolocationFileStore";
+
+ @Override
+ public String getGeoSourceLoader() {
+ return GEOLOCATION_SOURCE_LOADER_FILELOADER;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8aff4e1b/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index b7d0239..0648d67 100644
--- a/pom.xml
+++ b/pom.xml
@@ -104,6 +104,7 @@
<module>ranger-knox-plugin-shim</module>
<module>ranger-yarn-plugin-shim</module>
<module>ranger-storm-plugin-shim</module>
+ <module>ranger-examples</module>
</modules>
<properties>
<javac.source.version>1.7</javac.source.version>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8aff4e1b/ranger-examples/pom.xml
----------------------------------------------------------------------
diff --git a/ranger-examples/pom.xml b/ranger-examples/pom.xml
new file mode 100644
index 0000000..8090170
--- /dev/null
+++ b/ranger-examples/pom.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <parent>
+ <artifactId>ranger</artifactId>
+ <groupId>org.apache.ranger</groupId>
+ <version>0.5.0</version>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+
+ <artifactId>ranger-examples</artifactId>
+
+ <dependencies>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.mockito</groupId>
+ <artifactId>mockito-core</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>security_plugins.ranger-plugins-common</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ </dependencies>
+</project>
\ No newline at end of file
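Review bot: `junit` and `mockito-core` are declared without `<scope>test</scope>`. Unless the parent's dependencyManagement already sets the scope (not visible in this hunk), both libraries land on the compile and runtime classpath of `ranger-examples` and of anything that depends on it. Adding `<scope>test</scope>` to the two entries keeps test libraries out of the shipped artifact. The file also lacks a trailing newline.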
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8aff4e1b/ranger-examples/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcher.java
----------------------------------------------------------------------
diff --git a/ranger-examples/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcher.java b/ranger-examples/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcher.java
new file mode 100644
index 0000000..50ecb69
--- /dev/null
+++ b/ranger-examples/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcher.java
@@ -0,0 +1,170 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.conditionevaluator;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * This is a sample implementation of a condition Evaluator. It works in conjunction with the sample context enricher
+ * <code>RangerSampleProjectProvider</code>. This is how it would be specified in the service definition:
+ {
+ ...
+ ... service definition
+ ...
+ "policyConditions": [
+ {
+ "itemId": 1,
+ "name": "user-in-project",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerSimpleMatcher",
+ "evaluatorOptions": { CONTEXT_NAME=’PROJECT’},
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Project Matcher",
+ "description": "Projects"
+ }
+ }
+ *
+ * Name of this class is specified via the "evaluator" of the policy condition definition. Significant evaluator option
+ * for this evaluator is the CONTEXT_NAME which indicates the name under which it would look for value for the condition.
+ * It is also use to lookup the condition values specified in the policy. This example uses CONTEXT_NAME of PROJECT
+ * which matches the value under which context is enriched by its companion class <code>RangerSampleProjectProvider</code>.
+ *
+ * Note that the same Condition Evaluator can be used to process Context enrichment done by <code>RangerSampleCountryProvider</code>
+ * provided the CONTEXT_NAME evaluator option is set to COUNTRY which is same as the value used by its companion Context
+ * Enricher <code>RangerSampleCountryProvider</code>. Which serves as an example of how a single Condition Evaluator
+ * implementation can be used to model multiple policy conditions.
+ *
+ * For matching context value against policy values it uses <code>FilenameUtils.wildcardMatch()</code> which allows policy authors
+ * flexibility to specify policy conditions using wildcards. Take a look at
+ * {@link org.apache.ranger.plugin.conditionevaluator.RangerSampleSimpleMatcherTest#testIsMatched_happyPath() testIsMatched_happyPath}
+ * test for examples of what sorts of matching is afforded by this use.
+ *
+ */
+public class RangerSampleSimpleMatcher extends RangerAbstractConditionEvaluator {
+
+ private static final Log LOG = LogFactory.getLog(RangerSampleSimpleMatcher.class);
+
+ public static final String CONTEXT_NAME = "CONTEXT_NAME";
+
+ private boolean _allowAny = false;
+ private String _contextName = null;
+ private List<String> _values = new ArrayList<String>();
+
+ @Override
+ public void init() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerSampleSimpleMatcher.init(" + condition + ")");
+ }
+
+ super.init();
+
+ if (condition == null) {
+ LOG.debug("init: null policy condition! Will match always!");
+ _allowAny = true;
+ } else if (conditionDef == null) {
+ LOG.debug("init: null policy condition definition! Will match always!");
+ _allowAny = true;
+ } else if (CollectionUtils.isEmpty(condition.getValues())) {
+ LOG.debug("init: empty conditions collection on policy condition! Will match always!");
+ _allowAny = true;
+ } else if (MapUtils.isEmpty(conditionDef.getEvaluatorOptions())) {
+ LOG.debug("init: Evaluator options were empty. Can't determine what value to use from context. Will match always.");
+ _allowAny = true;
+ } else if (StringUtils.isEmpty(conditionDef.getEvaluatorOptions().get(CONTEXT_NAME))) {
+ LOG.debug("init: CONTEXT_NAME is not specified in evaluator options. Can't determine what value to use from context. Will match always.");
+ _allowAny = true;
+ } else {
+ _contextName = conditionDef.getEvaluatorOptions().get(CONTEXT_NAME);
+ for (String value : condition.getValues()) {
+ _values.add(value);
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerSampleSimpleMatcher.init(" + condition + "): values[" + _values + "]");
+ }
+ }
+
+ @Override
+ public boolean isMatched(RangerAccessRequest request) {
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerSampleSimpleMatcher.isMatched(" + request + ")");
+ }
+
+ boolean matched = false;
+
+ if (_allowAny) {
+ matched = true;
+ } else {
+ String requestValue = extractValue(request, _contextName);
+ if (StringUtils.isNotBlank(requestValue)) {
+ for (String policyValue : _values) {
+ if (FilenameUtils.wildcardMatch(requestValue, policyValue)) {
+ matched = true;
+ break;
+ }
+ }
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerSampleSimpleMatcher.isMatched(" + request+ "): " + matched);
+ }
+
+ return matched;
+ }
+
+ String extractValue(final RangerAccessRequest request, String key) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerSampleSimpleMatcher.extractValue(" + request+ ")");
+ }
+
+ String value = null;
+ if (request == null) {
+ LOG.debug("isMatched: Unexpected: null request. Returning null!");
+ } else if (request.getContext() == null) {
+ LOG.debug("isMatched: Context map of request is null. Ok. Returning null!");
+ } else if (CollectionUtils.isEmpty(request.getContext().entrySet())) {
+ LOG.debug("isMatched: Missing context on request. Ok. Condition isn't applicable. Returning null!");
+ } else if (!request.getContext().containsKey(key)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("isMatched: Unexpected: Context did not have data for condition[" + key + "]. Returning null!");
+ }
+ } else {
+ value = (String)request.getContext().get(key);
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerSampleSimpleMatcher.extractValue(" + request+ "): " + value);
+ }
+ return value;
+ }
+}
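Review bot: The class Javadoc does not say that `init()` falls back to `_allowAny = true` for every misconfiguration (null condition or definition, empty values, missing `CONTEXT_NAME`), so a copied sample silently matches all requests and the only trace is a debug-level log line. I would state it in the Javadoc, e.g. `* If the condition, its definition, its values or the CONTEXT_NAME option is missing, this evaluator matches every request.`, and log those branches with `LOG.warn(...)` so a mistyped option shows up in production logs. Whether a match widens access depends on the policy item the condition is attached to, which is not visible here. The sample JSON in the same Javadoc still names `...conditionevaluator.RangerSimpleMatcher` as the evaluator, presumably meant to be `RangerSampleSimpleMatcher`.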
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8aff4e1b/ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleCountryProvider.java
----------------------------------------------------------------------
diff --git a/ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleCountryProvider.java b/ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleCountryProvider.java
new file mode 100644
index 0000000..198dc5f
--- /dev/null
+++ b/ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleCountryProvider.java
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.contextenricher;
+
+import java.util.Map;
+import java.util.Properties;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+
+/**
+ * This is a sample implementation of a Context Enricher. It works in conjunction with a sample Condition Evaluator
+ * <code>RangerSampleSimpleMatcher</code>. It This is how it would be used in service definition:
+ {
+ ... service def
+ ...
+ "contextEnrichers": [
+ {
+ "itemId": 1, "name": "country-provider",
+ "enricher": "org.apache.ranger.plugin.contextenricher.RangerSampleCountryProvider",
+ "enricherOptions": { "contextName" : "COUNTRY", "dataFile":"/etc/ranger/data/userCountry.txt"}
+ }
+ ...
+ }
+
+ contextName: is used to specify the name under which the enricher would push value into context.
+ For purposes of this example the default value of this parameter, if unspecified is COUNTRY. This default
+ can be seen specified in <code>init()</code>.
+ dataFile: is the file which contains the lookup data that this particular enricher would use to
+ ascertain which value to insert into the context. For purposes of this example the default value of
+ this parameter, if unspecified is /etc/ranger/data/userCountry.txt. This default can be seen specified
+ in <code>init()</code>. Format of lookup data is in the form of standard java properties list.
+
+ @see <a href="http://docs.oracle.com/javase/6/docs/api/java/util/Properties.html#load(java.io.Reader)">Java Properties List</a>
+ *
+ * This Context Enricher is almost identical to another sample enricher <code>RangerSampleProjectProvider</code>.
+ */
+public class RangerSampleCountryProvider extends RangerAbstractContextEnricher {
+ private static final Log LOG = LogFactory.getLog(RangerSampleCountryProvider.class);
+
+ private String contextName = "COUNTRY";
+ private Properties userCountryMap = null;
+
+ @Override
+ public void init() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerSampleCountryProvider.init(" + enricherDef + ")");
+ }
+
+ super.init();
+
+ contextName = getOption("contextName", "COUNTRY");
+
+ String dataFile = getOption("dataFile", "/etc/ranger/data/userCountry.txt");
+
+ userCountryMap = readProperties(dataFile);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerSampleCountryProvider.init(" + enricherDef + ")");
+ }
+ }
+
+ @Override
+ public void enrich(RangerAccessRequest request) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerSampleCountryProvider.enrich(" + request + ")");
+ }
+
+ if(request != null && userCountryMap != null) {
+ Map<String, Object> context = request.getContext();
+ String country = userCountryMap.getProperty(request.getUser());
+
+ if(context != null && !StringUtils.isEmpty(country)) {
+ request.getContext().put(contextName, country);
+ } else {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerSampleCountryProvider.enrich(): skipping due to unavailable context or country. context=" + context + "; country=" + country);
+ }
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerSampleCountryProvider.enrich(" + request + ")");
+ }
+ }
+}
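Review bot: In `enrich()`, `userCountryMap.getProperty(request.getUser())` throws a NullPointerException when the request carries no user, because `Properties` rejects a null key; the surrounding checks cover only `request`, the map and the context. Guarding the lookup keeps the enricher from failing the evaluation: `String user = request.getUser();` followed by `String country = user == null ? null : userCountryMap.getProperty(user);`. The Javadoc describes `RangerSampleProjectProvider` as almost identical, so it is worth checking there too. The Javadoc opening also has a stray word in "It This is how it would be used".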
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8aff4e1b/ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java
----------------------------------------------------------------------
diff --git a/ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java b/ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java
new file mode 100644
index 0000000..d3de690
--- /dev/null
+++ b/ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java
@@ -0,0 +1,103 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.contextenricher;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+
+import java.util.Map;
+import java.util.Properties;
+
+/**
+ * This is a sample implementation of a Context Enricher. It works in conjunction with a sample Condition Evaluator
+ * <code>RangerSampleSimpleMatcher</code>. It This is how it would be used in service definition:
+ {
+ ... service def
+ ...
+ "contextEnrichers": [
+ {
+ "itemId": 1, "name": "project-provider",
+ "enricher": "org.apache.ranger.plugin.contextenricher.RangerSampleProjectProvider",
+ "enricherOptions": { "contextName" : "PROJECT", "dataFile":"/etc/ranger/data/userProject.txt"}
+ }
+ ...
+ }
+
+ contextName: is used to specify the name under which the enricher would push value into context.
+ For purposes of this example the default value of this parameter, if unspecified is PROJECT. This default
+ can be seen specified in <code>init()</code>.
+ dataFile: is the file which contains the lookup data that this particular enricher would use to
+ ascertain which value to insert into the context. For purposes of this example the default value of
+ this parameter, if unspecified is /etc/ranger/data/userProject.txt. This default can be seen specified
+ in <code>init()</code>. Format of lookup data is in the form of standard java properties list.
+
+ @see <a href="http://docs.oracle.com/javase/6/docs/api/java/util/Properties.html#load(java.io.Reader)">Java Properties List</a>
+ */
+public class RangerSampleProjectProvider extends RangerAbstractContextEnricher {
+ private static final Log LOG = LogFactory.getLog(RangerSampleProjectProvider.class);
+
+ private String contextName = "PROJECT";
+ private Properties userProjectMap = null;
+
+ @Override
+ public void init() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerSampleProjectProvider.init(" + enricherDef + ")");
+ }
+
+ super.init();
+
+ contextName = getOption("contextName", "PROJECT");
+
+ String dataFile = getOption("dataFile", "/etc/ranger/data/userProject.txt");
+
+ userProjectMap = readProperties(dataFile);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerSampleProjectProvider.init(" + enricherDef + ")");
+ }
+ }
+
+ @Override
+ public void enrich(RangerAccessRequest request) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerSampleProjectProvider.enrich(" + request + ")");
+ }
+
+ if(request != null && userProjectMap != null) {
+ Map<String, Object> context = request.getContext();
+ String project = userProjectMap.getProperty(request.getUser());
+
+ if(context != null && !StringUtils.isEmpty(project)) {
+ request.getContext().put(contextName, project);
+ } else {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerSampleProjectProvider.enrich(): skipping due to unavailable context or project. context=" + context + "; project=" + project);
+ }
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerSampleProjectProvider.enrich(" + request + ")");
+ }
+ }
+}
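Review bot: In `enrich()`, `userProjectMap.getProperty(request.getUser())` throws a NullPointerException when the request carries no user, because `Properties` rejects a null key; the guards above it cover only `request` and the map. Reading the user first avoids that: `String user = request.getUser();` followed by `String project = user == null ? null : userProjectMap.getProperty(user);`. The same lookup appears in `RangerSampleCountryProvider.enrich()` earlier in this commit. Separately, the class Javadoc has a stray word ("It This is how it would be used"). `init()` also logs nothing when `readProperties(dataFile)` yields no data, so a missing lookup file would presumably leave every request silently unenriched.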
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8aff4e1b/ranger-examples/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcherTest.java
----------------------------------------------------------------------
diff --git a/ranger-examples/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcherTest.java b/ranger-examples/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcherTest.java
new file mode 100644
index 0000000..3e683ba
--- /dev/null
+++ b/ranger-examples/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcherTest.java
@@ -0,0 +1,139 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.conditionevaluator;
+
+
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.junit.Assert;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import java.util.*;
+
+public class RangerSampleSimpleMatcherTest {
+
+ final Map<String, String> _conditionOptions = new HashMap<String, String>();
+
+ {
+ _conditionOptions.put(RangerSampleSimpleMatcher.CONTEXT_NAME, RangerSampleSimpleMatcher.CONTEXT_NAME);
+ }
+
+ @Test
+ public void testIsMatched_happyPath() {
+ // this documents some unexpected behavior of the ip matcher
+ RangerSampleSimpleMatcher ipMatcher = createMatcher(new String[]{"US", "C*"} );
+ Assert.assertTrue(ipMatcher.isMatched(createRequest("US")));
+ Assert.assertTrue(ipMatcher.isMatched(createRequest("CA")));
+ Assert.assertTrue(ipMatcher.isMatched(createRequest("C---")));
+ Assert.assertFalse(ipMatcher.isMatched(createRequest(" US ")));
+ Assert.assertFalse(ipMatcher.isMatched(createRequest("Us")));
+ Assert.assertFalse(ipMatcher.isMatched(createRequest("ca")));
+ }
+
+ @Test
+ public void test_firewallings() {
+
+ // create a request for some policyValue, say, country and use it to match against matcher initialized with all sorts of bad data
+ RangerAccessRequest request = createRequest("AB");
+
+ RangerSampleSimpleMatcher matcher = new RangerSampleSimpleMatcher();
+ // Matcher initialized with null policy should behave sensibly! It matches everything!
+ matcher.setConditionDef(null);
+ matcher.setPolicyItemCondition(null);
+ matcher.init();
+ Assert.assertTrue(matcher.isMatched(request));
+
+ RangerPolicyItemCondition policyItemCondition = Mockito.mock(RangerPolicyItemCondition.class);
+ matcher.setConditionDef(null);
+ matcher.setPolicyItemCondition(policyItemCondition);
+ matcher.init();
+ Assert.assertTrue(matcher.isMatched(request));
+
+ RangerPolicyConditionDef conditionDef = Mockito.mock(RangerPolicyConditionDef.class);
+ matcher.setConditionDef(conditionDef);
+ matcher.setPolicyItemCondition(null);
+ matcher.init();
+ Assert.assertTrue(matcher.isMatched(request));
+
+ // so should a policy item condition with initialized with null list of values
+ Mockito.when(policyItemCondition.getValues()).thenReturn(null);
+ matcher.setConditionDef(conditionDef);
+ matcher.setPolicyItemCondition(policyItemCondition);
+ matcher.init();
+ Assert.assertTrue(matcher.isMatched(request));
+
+ // not null item condition with empty condition list
+ List<String> values = new ArrayList<String>();
+ Mockito.when(policyItemCondition.getValues()).thenReturn(values);
+ matcher.setConditionDef(conditionDef);
+ matcher.setPolicyItemCondition(policyItemCondition);
+ matcher.init();
+ Assert.assertTrue(matcher.isMatched(request));
+
+ // values as sensible items in it, however, the conditionDef has null evaluator option, so that too suppresses any check
+ values.add("AB");
+ Mockito.when(policyItemCondition.getValues()).thenReturn(values);
+ Mockito.when(conditionDef.getEvaluatorOptions()).thenReturn(null);
+ matcher.setConditionDef(conditionDef);
+ matcher.setPolicyItemCondition(policyItemCondition);
+ matcher.init();
+ Assert.assertTrue(matcher.isMatched(request));
+
+ // If evaluator option on the condition def is non-null then it starts to evaluate for real
+ Mockito.when(conditionDef.getEvaluatorOptions()).thenReturn(_conditionOptions);
+ matcher.setConditionDef(conditionDef);
+ matcher.setPolicyItemCondition(policyItemCondition);
+ matcher.init();
+ Assert.assertTrue(matcher.isMatched(request));
+ }
+
+ RangerSampleSimpleMatcher createMatcher(String[] ipArray) {
+ RangerSampleSimpleMatcher matcher = new RangerSampleSimpleMatcher();
+
+ if (ipArray == null) {
+ matcher.setConditionDef(null);
+ matcher.setPolicyItemCondition(null);
+ matcher.init();
+ } else {
+ RangerPolicyItemCondition condition = Mockito.mock(RangerPolicyItemCondition.class);
+ List<String> addresses = Arrays.asList(ipArray);
+ Mockito.when(condition.getValues()).thenReturn(addresses);
+
+ RangerPolicyConditionDef conditionDef = Mockito.mock(RangerPolicyConditionDef.class);
+
+ Mockito.when(conditionDef.getEvaluatorOptions()).thenReturn(_conditionOptions);
+ matcher.setConditionDef(conditionDef);
+ matcher.setPolicyItemCondition(condition);
+ matcher.init();
+ }
+
+ return matcher;
+ }
+
+ RangerAccessRequest createRequest(String value) {
+ Map<String, Object> context = new HashMap<String, Object>();
+ context.put(RangerSampleSimpleMatcher.CONTEXT_NAME, value);
+ RangerAccessRequest request = Mockito.mock(RangerAccessRequest.class);
+ Mockito.when(request.getContext()).thenReturn(context);
+ return request;
+ }
+}
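Review bot: The last case in `test_firewallings` asserts only that "AB" matches a value list containing "AB", so it would pass just the same if the matcher were still on the match-everything path exercised by the earlier cases. Adding `Assert.assertFalse(matcher.isMatched(createRequest("XY")));` after it would show that evaluation really takes place once the evaluator options are set. Every degenerate configuration above it is pinned as a match, which documents that the sample matcher fails open when its definition or options are missing; a comment stating that this is intended for the sample would help readers who copy it into a real condition evaluator. The names `ipMatcher`, `ipArray` and `addresses`, and the comment about "the ip matcher", look carried over from another test and do not describe the country values used here.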
[7/7] incubator-ranger git commit: RANGER-608: fix - denied access
due to lack of traverse access does not generate audit
Posted by ma...@apache.org.
RANGER-608: fix - denied access due to lack of traverse access does not generate audit
Signed-off-by: sneethiraj <sn...@apache.org>
(cherry picked from commit 0158e1a1c7ca7997e3865693f599e5caaa69f505)
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e1153307
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e1153307
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e1153307
Branch: refs/heads/tag-policy
Commit: e1153307922475ae70766d72ca9e189e9150f59e
Parents: 3fdcfc4
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Wed Nov 4 19:25:47 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Nov 5 14:00:42 2015 -0800
----------------------------------------------------------------------
.../hadoop/RangerHdfsAuthorizer.java | 86 ++++++++++++++------
1 file changed, 59 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e1153307/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index f8008cb..47577d6 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -199,9 +199,12 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
}
try {
- if(plugin != null && !ArrayUtils.isEmpty(inodes)) {
- auditHandler = new RangerHdfsAuditHandler(path);
+ boolean isTraverseOnlyCheck = access == null && parentAccess == null && ancestorAccess == null && subAccess == null;
+ INode ancestor = null;
+ INode parent = null;
+ INode inode = null;
+ if(plugin != null && !ArrayUtils.isEmpty(inodes)) {
if(ancestorIndex >= inodes.length) {
ancestorIndex = inodes.length - 1;
}
@@ -210,26 +213,28 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
authzStatus = AuthzStatus.ALLOW;
- INode ancestor = inodes.length > ancestorIndex && ancestorIndex >= 0 ? inodes[ancestorIndex] : null;
- INode parent = inodes.length > 1 ? inodes[inodes.length - 2] : null;
- INode inode = inodes[inodes.length - 1];
+ ancestor = inodes.length > ancestorIndex && ancestorIndex >= 0 ? inodes[ancestorIndex] : null;
+ parent = inodes.length > 1 ? inodes[inodes.length - 2] : null;
+ inode = inodes[inodes.length - 1]; // could be null while creating a new file
- boolean noAccessToCheck = access == null && parentAccess == null && ancestorAccess == null && subAccess == null;
+ auditHandler = new RangerHdfsAuditHandler(path, isTraverseOnlyCheck);
- if(noAccessToCheck) { // check for traverse (EXECUTE) access on the path (if path is a directory) or its parent (if path is a file)
- INode node = null;
- INodeAttributes nodeAttribs = null;
+ if(isTraverseOnlyCheck) {
+ INode nodeToCheck = inode;
+ INodeAttributes nodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null;
- if(inode != null && inode.isDirectory()) {
- node = inode;
- nodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null;
- } else if(parent != null) {
- node = parent;
- nodeAttribs = inodeAttrs.length > 1 ? inodeAttrs[inodeAttrs.length - 2] : null;
+ if(nodeToCheck == null || nodeToCheck.isFile()) {
+ if(parent != null) {
+ nodeToCheck = parent;
+ nodeAttribs = inodeAttrs.length > 1 ? inodeAttrs[inodeAttrs.length - 2] : null;
+ } else if(ancestor != null) {
+ nodeToCheck = ancestor;
+ nodeAttribs = inodeAttrs.length > ancestorIndex ? inodeAttrs[ancestorIndex] : null;
+ }
}
- if(node != null) {
- authzStatus = isAccessAllowed(node, nodeAttribs, FsAction.EXECUTE, user, groups, fsOwner, superGroup, plugin, null);
+ if(nodeToCheck != null) {
+ authzStatus = isAccessAllowed(nodeToCheck, nodeAttribs, FsAction.EXECUTE, user, groups, fsOwner, superGroup, plugin, auditHandler);
}
}
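Review bot: The node selection for the traverse check (`inode`, falling back to `parent`, then `ancestor`) is written out here and again in the `finally` block of the next hunk, so the path that gets audited is correct only while the two copies stay identical. Declaring `INode nodeChecked = null;` next to `ancestor`, `parent` and `inode`, and assigning `nodeChecked = nodeToCheck;` here, would let the audit code report the node that was actually authorized. The enclosing method starts and ends outside this hunk.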
@@ -306,27 +311,52 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
authzStatus = AuthzStatus.ALLOW;
} finally {
if(auditHandler != null) {
- FsAction action = access;
+ INode nodeChecked = inode;
+ FsAction action = access;
+
+ if(isTraverseOnlyCheck) {
+ if(nodeChecked == null || nodeChecked.isFile()) {
+ if(parent != null) {
+ nodeChecked = parent;
+ } else if(ancestor != null) {
+ nodeChecked = ancestor;
+ }
+ }
- if(action == null) {
+ action = FsAction.EXECUTE;
+ } else if(action == null) {
if(parentAccess != null) {
- action = parentAccess;
+ nodeChecked = parent;
+ action = parentAccess;
} else if(ancestorAccess != null) {
- action = ancestorAccess;
+ nodeChecked = ancestor;
+ action = ancestorAccess;
} else if(subAccess != null) {
action = subAccess;
- } else {
- action = FsAction.NONE;
}
}
- auditHandler.logHadoopEvent(path, action, authzStatus == AuthzStatus.ALLOW);
+ String pathChecked = nodeChecked != null ? nodeChecked.getFullPathName() : path;
+
+ auditHandler.logHadoopEvent(pathChecked, action, authzStatus == AuthzStatus.ALLOW);
}
}
}
if(authzStatus != AuthzStatus.ALLOW) {
- throw new RangerAccessControlException("Permission denied: principal{user=" + user + ",groups: " + groups + "}, access=" + access + ", " + path) ;
+ FsAction action = access;
+
+ if(action == null) {
+ if(parentAccess != null) {
+ action = parentAccess;
+ } else if(ancestorAccess != null) {
+ action = ancestorAccess;
+ } else {
+ action = FsAction.EXECUTE;
+ }
+ }
+
+ throw new RangerAccessControlException("Permission denied: user=" + user + ", access=" + action + ", inode=\"" + path + "\"") ;
}
} finally {
if(auditHandler != null) {
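Review bot: The action chosen for the exception message skips `subAccess`: when only `subAccess` is set and the check is denied, the `finally` block above audits `subAccess`, but the thrown `RangerAccessControlException` reports `access=EXECUTE`. Adding `} else if(subAccess != null) { action = subAccess;` before the final `else` would keep the message and the audit record in agreement. The new message also drops the `groups` value that the old one carried, which may matter to anyone troubleshooting denials from logs. The enclosing method starts outside this hunk.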
@@ -451,6 +481,7 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler {
private boolean isAuditEnabled = false;
private AuthzAuditEvent auditEvent = null;
private final String pathToBeValidated;
+ private final boolean auditOnlyIfDenied;
private static final String HadoopModuleName = RangerConfiguration.getInstance().get(RangerHadoopConstants.AUDITLOG_HADOOP_MODULE_ACL_NAME_PROP , RangerHadoopConstants.DEFAULT_HADOOP_MODULE_ACL_NAME) ;
private static final String excludeUserList = RangerConfiguration.getInstance().get(RangerHadoopConstants.AUDITLOG_HDFS_EXCLUDE_LIST_PROP, RangerHadoopConstants.AUDITLOG_EMPTY_STRING) ;
@@ -469,8 +500,9 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler {
}
}
- public RangerHdfsAuditHandler(String pathToBeValidated) {
+ public RangerHdfsAuditHandler(String pathToBeValidated, boolean auditOnlyIfDenied) {
this.pathToBeValidated = pathToBeValidated;
+ this.auditOnlyIfDenied = auditOnlyIfDenied;
}
@Override
@@ -527,7 +559,7 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler {
if(isAuditEnabled && auditEvent != null && !StringUtils.isEmpty(auditEvent.getAccessType())) {
String username = auditEvent.getUser();
- boolean skipLog = (username != null && excludeUsers != null && excludeUsers.contains(username)) ;
+ boolean skipLog = (username != null && excludeUsers != null && excludeUsers.contains(username)) || (auditOnlyIfDenied && auditEvent.getAccessResult() != 0);
if (! skipLog) {
super.logAuthzAudit(auditEvent);
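Review bot: `auditEvent.getAccessResult() != 0` depends on 0 being the "denied" value, which nothing in this hunk or in the constructor hunk states. A comment such as `// traverse-only checks are audited only when denied` next to the expression, and a one-line Javadoc on the `auditOnlyIfDenied` constructor parameter, would make the suppression rule visible to whoever next edits the audit path; a named constant for the result value would be better still if one exists. Splitting the two skip reasons into separately named booleans would also read more clearly than one combined expression. The enclosing method starts outside this hunk.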
[5/7] incubator-ranger git commit: Ranger-715:Fix issues reported by
coverity test in Ranger Plugin ClassLoader
Posted by ma...@apache.org.
Ranger-715:Fix issues reported by coverity test in Ranger Plugin ClassLoader
(cherry picked from commit 3e462d15fe1b141e7ec90ed07cf03af8d418ef62)
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/a61a17fc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/a61a17fc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/a61a17fc
Branch: refs/heads/tag-policy
Commit: a61a17fc034dc2009115424cccc1a9f877e08953
Parents: 8aff4e1
Author: rmani <rm...@hortonworks.com>
Authored: Mon Nov 2 16:33:00 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Nov 5 13:59:10 2015 -0800
----------------------------------------------------------------------
.../classloader/RangerPluginClassLoader.java | 34 +++++++++++++-------
1 file changed, 22 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a61a17fc/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java
----------------------------------------------------------------------
diff --git a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java
index eafcd27..23e16bf 100644
--- a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java
+++ b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java
@@ -22,11 +22,11 @@ package org.apache.ranger.plugin.classloader;
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedExceptionAction;
import java.util.Enumeration;
-//import org.apache.commons.logging.Log;
-//import org.apache.commons.logging.LogFactory;
-
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -35,24 +35,34 @@ public class RangerPluginClassLoader extends URLClassLoader {
private static volatile RangerPluginClassLoader me = null;
private static MyClassLoader componentClassLoader = null;
- //private static ThreadLocal<MyClassLoader> componentClassLoader = new ThreadLocal<MyClassLoader>();
public RangerPluginClassLoader(String pluginType, Class<?> pluginClass ) throws Exception {
super(RangerPluginClassLoaderUtil.getInstance().getPluginFilesForServiceTypeAndPluginclass(pluginType, pluginClass), null);
- //componentClassLoader.set(new MyClassLoader(Thread.currentThread().getContextClassLoader()));
- componentClassLoader = new MyClassLoader(Thread.currentThread().getContextClassLoader());
+ componentClassLoader = AccessController.doPrivileged(
+ new PrivilegedAction<MyClassLoader>() {
+ public MyClassLoader run() {
+ return new MyClassLoader(Thread.currentThread().getContextClassLoader());
+ }
+ }
+ );
}
- public static RangerPluginClassLoader getInstance(String pluginType, Class<?> pluginClass ) throws Exception {
+ public static RangerPluginClassLoader getInstance(final String pluginType, final Class<?> pluginClass ) throws Exception {
RangerPluginClassLoader ret = me;
if ( ret == null) {
synchronized(RangerPluginClassLoader.class) {
ret = me;
if ( ret == null){
- me = ret = new RangerPluginClassLoader(pluginType,pluginClass);
- }
- }
- }
+ me = ret = AccessController.doPrivileged(
+ new PrivilegedExceptionAction<RangerPluginClassLoader>(){
+ public RangerPluginClassLoader run() throws Exception {
+ return new RangerPluginClassLoader(pluginType,pluginClass);
+ }
+ }
+ );
+ }
+ }
+ }
return ret;
}
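Review bot: In `getInstance`, `AccessController.doPrivileged` with a `PrivilegedExceptionAction` wraps any checked exception from the constructor in `PrivilegedActionException`, so callers that previously saw the original exception type now receive the wrapper. Unwrapping keeps the old contract: surround the call with `try { ... } catch (PrivilegedActionException e) { throw e.getException(); }` and import `java.security.PrivilegedActionException`. The privileged block also runs with the caller-supplied `pluginType` and `pluginClass`; if those influence which files `RangerPluginClassLoaderUtil` places on the class path, which is not visible here, they should be validated before entering the privileged section. The constructor still writes the static `componentClassLoader` during instance construction, which deserves a comment saying it relies on the singleton in `getInstance`.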
@@ -263,7 +273,7 @@ public class RangerPluginClassLoader extends URLClassLoader {
}
}
- class MergeEnumeration implements Enumeration<URL> {
+ static class MergeEnumeration implements Enumeration<URL> {
Enumeration<URL> e1 = null;
Enumeration<URL> e2 = null;
[3/7] incubator-ranger git commit: RANGER-274 : unit test fix in
cleanup in tagFileStore
Posted by ma...@apache.org.
RANGER-274 : unit test fix in cleanup in tagFileStore
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
(cherry picked from commit 1b3e6c6dfd3b5aa844aed84f9ba50aa1a15a2a00)
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/1a0f7e2e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/1a0f7e2e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/1a0f7e2e
Branch: refs/heads/tag-policy
Commit: 1a0f7e2eb7fc8d7745cd5b5d53ba7e68b8f9d547
Parents: fa072f6
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Sat Oct 31 11:30:26 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Nov 5 13:58:32 2015 -0800
----------------------------------------------------------------------
.../ranger/plugin/store/TestTagStore.java | 51 +++++++++++---------
1 file changed, 27 insertions(+), 24 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1a0f7e2e/agents-common/src/test/java/org/apache/ranger/plugin/store/TestTagStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/store/TestTagStore.java b/agents-common/src/test/java/org/apache/ranger/plugin/store/TestTagStore.java
index 1bf35c6..aaace89 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/store/TestTagStore.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/store/TestTagStore.java
@@ -21,17 +21,13 @@ package org.apache.ranger.plugin.store;
import static org.junit.Assert.*;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.OutputStreamWriter;
+import java.io.*;
import java.util.*;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import org.apache.commons.collections.CollectionUtils;
import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.*;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.plugin.model.*;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
@@ -51,21 +47,15 @@ public class TestTagStore {
static RangerService service = null;
static SearchFilter filter = null;
- static String tmpDir = null;
- static Path filePath = null;
-
- static Configuration config = new Configuration();
-
static final String serviceDefJsonFile = "/admin/service-defs/test-hive-servicedef.json";
static final String serviceName = "tag-unit-test-TestTagStore";
+ static File tagStoreDir = null;
static Gson gsonBuilder = null;
@BeforeClass
public static void setupTest() throws Exception {
- tmpDir = "file://" + System.getProperty("java.io.tmpdir");
-
String textTemplate = "<configuration>\n" +
" <property>\n" +
" <name>ranger.tag.store.file.dir</name>\n" +
@@ -77,20 +67,28 @@ public class TestTagStore {
" </property>\n" +
"</configuration>\n";
- String text = String.format(textTemplate, tmpDir, tmpDir);
+ File file = File.createTempFile("ranger-admin-test-site", ".xml") ;
+ file.deleteOnExit();
+
+ tagStoreDir = File.createTempFile("tagStore", "dir") ;
+
+ if (tagStoreDir.exists()) {
+ tagStoreDir.delete() ;
+ }
+
+ tagStoreDir.mkdirs() ;
- String fileName = tmpDir + "/ranger-admin-test-site.xml";
- filePath = new Path(fileName);
- FileSystem fs = filePath.getFileSystem(config);
+ String tagStoreDirName = tagStoreDir.getAbsolutePath() ;
- FSDataOutputStream outStream = fs.create(filePath, true);
+ String text = String.format(textTemplate, tagStoreDirName, tagStoreDirName);
+ FileOutputStream outStream = new FileOutputStream(file);
OutputStreamWriter writer = new OutputStreamWriter(outStream);
writer.write(text);
writer.close();
RangerConfiguration config = RangerConfiguration.getInstance();
- config.addResource(filePath);
+ config.addResource(new org.apache.hadoop.fs.Path(file.toURI()));
ServiceStore svcStore = new ServiceFileStore();
svcStore.init();
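Review bot: `File.createTempFile("tagStore", "dir")` followed by `delete()` and `mkdirs()` leaves a window in which the name is free for another local process to claim, and the return values of both calls are ignored, so the test can end up using a directory it did not create. If the build targets Java 7 or later, `tagStoreDir = Files.createTempDirectory("tagStore").toFile();` (with `java.nio.file.Files` imported) creates the directory in one step, with owner-only permissions on POSIX systems. The `OutputStreamWriter` is also built without a charset and is not closed if `write` throws; an explicit charset and a `finally` close would tidy that. `setupTest` starts and ends outside this hunk.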
@@ -120,17 +118,22 @@ public class TestTagStore {
@AfterClass
public static void tearDownAfterClass() throws Exception {
-
- if (filePath != null) {
+ if (tagStoreDir != null) {
try {
- FileSystem fs = filePath.getFileSystem(config);
-
- fs.delete(filePath, true);
+ File[] filesInTagStoreDir = tagStoreDir.listFiles();
+ if (filesInTagStoreDir != null) {
+ for (File file : filesInTagStoreDir) {
+ if (file.isFile()) {
+ file.delete();
+ }
+ }
+ }
+ tagStoreDir.delete();
+ tagStoreDir = null;
} catch (Throwable t) {
// Ignore
}
}
-
}
@Test