Posted to commits@ranger.apache.org by ma...@apache.org on 2016/03/08 02:31:40 UTC
[2/2] incubator-ranger git commit: RANGER-699: updates per review
comments and fixes
RANGER-699: updates per review comments and fixes
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/dddc4d42
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/dddc4d42
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/dddc4d42
Branch: refs/heads/master
Commit: dddc4d42011adf28062853317908259e894964da
Parents: 5423ee4
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Fri Mar 4 02:22:48 2016 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Mar 7 17:26:30 2016 -0800
----------------------------------------------------------------------
.../plugin/policyengine/RangerPolicyEngine.java | 4 +-
.../policyengine/RangerPolicyEngineImpl.java | 41 +++++-
.../RangerDefaultPolicyEvaluator.java | 27 +++-
.../policyevaluator/RangerPolicyEvaluator.java | 4 +-
.../RangerDefaultPolicyResourceMatcher.java | 20 +--
.../RangerPolicyResourceMatcher.java | 4 +-
.../RangerAbstractResourceMatcher.java | 6 +-
.../resourcematcher/RangerResourceMatcher.java | 2 +-
.../org/apache/ranger/rest/ServiceREST.java | 132 +++++++++++--------
.../org/apache/ranger/rest/ServiceRESTUtil.java | 106 +++++----------
10 files changed, 189 insertions(+), 157 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 29080b7..02ad9e9 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -54,7 +54,9 @@ public interface RangerPolicyEngine {
boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType);
- RangerPolicy getExactMatchPolicy(RangerAccessResource resource);
+ List<RangerPolicy> getExactMatchPolicies(RangerAccessResource resource);
+
+ List<RangerPolicy> getExactMatchPolicies(Map<String, RangerPolicyResource> resources);
List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String accessType);
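Review bot: The two new `getExactMatchPolicies` declarations carry no Javadoc, so an implementer cannot tell from the interface what "exact match" means here or what is returned when nothing matches; the implementation in this commit hands back null rather than an empty list in that case, which every caller then has to guard. I would add to each overload something like `/** Returns the policies whose resource definition completely matches the given resource (see RangerPolicyEvaluator.isCompleteMatch); null when none match. */`, with the two overloads cross-referencing each other. The enclosing interface continues outside the hunk.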
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 1dd1e7b..92481f6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -338,23 +338,50 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
@Override
- public RangerPolicy getExactMatchPolicy(RangerAccessResource resource) {
+ public List<RangerPolicy> getExactMatchPolicies(RangerAccessResource resource) {
if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + ")");
+ LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicies(" + resource + ")");
}
- RangerPolicy ret = null;
+ List<RangerPolicy> ret = null;
for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
- if (evaluator.isSingleAndExactMatch(resource)) {
- ret = evaluator.getPolicy();
+ if (evaluator.isCompleteMatch(resource)) {
+ if(ret == null) {
+ ret = new ArrayList<RangerPolicy>();
+ }
- break;
+ ret.add(evaluator.getPolicy());
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicies(" + resource + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ @Override
+ public List<RangerPolicy> getExactMatchPolicies(Map<String, RangerPolicyResource> resources) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicies(" + resources + ")");
+ }
+
+ List<RangerPolicy> ret = null;
+
+ for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
+ if (evaluator.isCompleteMatch(resources)) {
+ if(ret == null) {
+ ret = new ArrayList<RangerPolicy>();
+ }
+
+ ret.add(evaluator.getPolicy());
}
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + "): " + ret);
+ LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicies(" + resources + "): " + ret);
}
return ret;
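Review bot: Both `getExactMatchPolicies` overloads return `null` when no evaluator matches, because `ret` is only allocated on the first match, which pushes a null check onto every caller; returning an empty list is the usual Java convention and costs nothing on this path. Concretely, `List<RangerPolicy> ret = new ArrayList<RangerPolicy>();` at the top and an unguarded `ret.add(evaluator.getPolicy());` would do it, and the exit trace would then read `[]` instead of `null`. The two methods are otherwise line-for-line duplicates apart from the `isCompleteMatch` overload they call, so whichever behaviour is kept should be stated once on the interface. The second method's closing brace is outside the hunk.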
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 6171015..9394341 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -283,19 +283,38 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
@Override
- public boolean isSingleAndExactMatch(RangerAccessResource resource) {
+ public boolean isCompleteMatch(RangerAccessResource resource) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultPolicyEvaluator.isSingleAndExactMatch(" + resource + ")");
+ LOG.debug("==> RangerDefaultPolicyEvaluator.isCompleteMatch(" + resource + ")");
}
boolean ret = false;
if(resourceMatcher != null) {
- ret = resourceMatcher.isSingleAndExactMatch(resource);
+ ret = resourceMatcher.isCompleteMatch(resource);
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultPolicyEvaluator.isSingleAndExactMatch(" + resource + "): " + ret);
+ LOG.debug("<== RangerDefaultPolicyEvaluator.isCompleteMatch(" + resource + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ @Override
+ public boolean isCompleteMatch(Map<String, RangerPolicyResource> resources) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerDefaultPolicyEvaluator.isCompleteMatch(" + resources + ")");
+ }
+
+ boolean ret = false;
+
+ if(resourceMatcher != null) {
+ ret = resourceMatcher.isCompleteMatch(resources);
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerDefaultPolicyEvaluator.isCompleteMatch(" + resources + "): " + ret);
}
return ret;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 9cb90f4..3f76755 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -56,7 +56,9 @@ public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator>
boolean isMatch(RangerAccessResource resource);
- boolean isSingleAndExactMatch(RangerAccessResource resource);
+ boolean isCompleteMatch(RangerAccessResource resource);
+
+ boolean isCompleteMatch(Map<String, RangerPolicyResource> resources);
boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
index 7c547f6..4742850 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
@@ -267,9 +267,9 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
}
@Override
- public boolean isSingleAndExactMatch(RangerAccessResource resource) {
+ public boolean isCompleteMatch(RangerAccessResource resource) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultPolicyResourceMatcher.isSingleAndExactMatch(" + resource + ")");
+ LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + ")");
}
boolean ret = false;
@@ -291,9 +291,9 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
RangerResourceMatcher matcher = matchers == null ? null : matchers.get(resourceName);
if(StringUtils.isEmpty(resourceValue)) {
- ret = matcher == null || matcher.isSingleAndExactMatch(resourceValue);
+ ret = matcher == null || matcher.isCompleteMatch(resourceValue);
} else {
- ret = matcher != null && matcher.isSingleAndExactMatch(resourceValue);
+ ret = matcher != null && matcher.isCompleteMatch(resourceValue);
}
if(! ret) {
@@ -302,13 +302,13 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
}
} else {
if(LOG.isDebugEnabled()) {
- LOG.debug("isSingleAndExactMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
+ LOG.debug("isCompleteMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
}
}
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultPolicyResourceMatcher.isSingleAndExactMatch(" + resource + "): " + ret);
+ LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + "): " + ret);
}
return ret;
@@ -500,9 +500,9 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
}
@Override
- public boolean isExactMatch(Map<String, RangerPolicyResource> resources) {
+ public boolean isCompleteMatch(Map<String, RangerPolicyResource> resources) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultPolicyResourceMatcher.isExactMatch(" + resources + ")");
+ LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ")");
}
boolean ret = false;
@@ -535,13 +535,13 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
}
} else {
if(LOG.isDebugEnabled()) {
- LOG.debug("isExactMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
+ LOG.debug("isCompleteMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
}
}
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultPolicyResourceMatcher.isExactMatch(" + resources + "): " + ret);
+ LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + "): " + ret);
}
return ret;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
index bf46748..f743d55 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
@@ -36,13 +36,13 @@ public interface RangerPolicyResourceMatcher {
boolean isMatch(Map<String, RangerPolicyResource> resources);
- boolean isSingleAndExactMatch(RangerAccessResource resource);
+ boolean isCompleteMatch(RangerAccessResource resource);
boolean isHeadMatch(RangerAccessResource resource);
boolean isExactHeadMatch(RangerAccessResource resource);
- boolean isExactMatch(Map<String, RangerPolicyResource> resources);
+ boolean isCompleteMatch(Map<String, RangerPolicyResource> resources);
StringBuilder toString(StringBuilder sb);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
index b97659f..5063eea 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -101,9 +101,9 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
}
@Override
- public boolean isSingleAndExactMatch(String resource) {
+ public boolean isCompleteMatch(String resource) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerAbstractResourceMatcher.isSingleAndExactMatch(" + resource + ")");
+ LOG.debug("==> RangerAbstractResourceMatcher.isCompleteMatch(" + resource + ")");
}
boolean ret = false;
@@ -125,7 +125,7 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerAbstractResourceMatcher.isSingleAndExactMatch(" + resource + "): " + ret);
+ LOG.debug("<== RangerAbstractResourceMatcher.isCompleteMatch(" + resource + "): " + ret);
}
return ret;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
index 609d59d..e4d3ce5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
@@ -31,5 +31,5 @@ public interface RangerResourceMatcher {
boolean isMatch(String resource);
- boolean isSingleAndExactMatch(String resource);
+ boolean isCompleteMatch(String resource);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 5e5d626..e1aef0b 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -66,18 +66,13 @@ import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
-import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.validation.RangerPolicyValidator;
import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
import org.apache.ranger.plugin.model.validation.RangerServiceValidator;
import org.apache.ranger.plugin.model.validation.RangerValidator.Action;
-import org.apache.ranger.plugin.policyengine.RangerAccessResource;
-import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngineCache;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyengine.*;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.plugin.store.PList;
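Review bot: The wildcard `import org.apache.ranger.plugin.policyengine.*;` replaces five explicit imports and hides which engine classes this REST class actually depends on; the convention in Java code (and in most checkstyle configurations) is one explicit import per class. I would list them explicitly — the five that were removed plus `RangerPolicyEngineImpl`, which the new `getPolicyEngine` method below now instantiates — so that a later addition to that package cannot collide with a same-named class imported from elsewhere in this file.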
@@ -839,15 +834,14 @@ public class ServiceREST {
String userName = grantRequest.getGrantor();
Set<String> userGroups = userMgr.getGroupsForUser(userName);
RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource());
- RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
-
- boolean isAdmin = hasAdminAccess(policyEngine, userName, userGroups, resource);
+
+ boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
if(!isAdmin) {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
}
- RangerPolicy policy = getExactMatchPolicyForResource(policyEngine, resource);
+ RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource);
if(policy != null) {
boolean policyUpdated = false;
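Review bot: The admin check and the policy lookup now run against two different engines: `hasAdminAccess` goes through the cached `getDelegatedAdminPolicyEngine`, while `getExactMatchPolicyForResource` goes through the new `getPolicyEngine`, which rebuilds an engine from the store on every call (see the new method later in this file). If the cached engine lags the store, a grantor can pass the delegated-admin check against one policy set and then modify a policy loaded from another; either use one engine for both steps or record the accepted window in a comment such as `// admin check uses the cached delegated-admin engine; the exact-match lookup reads the store directly`. The per-request rebuild is also the most expensive part of this path and now sits inside the perf tracer, so the timings will change. grantAccess continues outside the hunk.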
@@ -932,18 +926,17 @@ public class ServiceREST {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName=" + serviceName + ")");
}
- String userName = revokeRequest.getGrantor();
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
- RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource());
- RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
+ String userName = revokeRequest.getGrantor();
+ Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource());
- boolean isAdmin = hasAdminAccess(policyEngine, userName, userGroups, resource);
+ boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
if(!isAdmin) {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
}
- RangerPolicy policy = getExactMatchPolicyForResource(policyEngine, resource);
+ RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource);
if(policy != null) {
boolean policyUpdated = false;
@@ -1048,42 +1041,24 @@ public class ServiceREST {
RangerPolicy ret = null;
if (policy != null && StringUtils.isNotBlank(policy.getService())) {
-
try {
- RangerPolicyResourceSignature resourceSignature = new RangerPolicyResourceSignature(policy);
-
- List<RangerPolicy> existingPolicies = svcStore.getPoliciesByResourceSignature(policy.getService(), resourceSignature.getSignature(), true);
+ // Check if applied policy contains any conditions
+ if (ServiceRESTUtil.containsRangerCondition(policy)) {
+ LOG.error("Applied policy contains condition(s); not supported:" + policy);
+ throw new Exception("Applied policy contains condition(s); not supported:" + policy);
+ }
- if (CollectionUtils.isEmpty(existingPolicies)) {
+ RangerPolicy existingPolicy = getExactMatchPolicyForResource(policy.getService(), policy.getResources());
+ if (existingPolicy == null) {
ret = createPolicy(policy);
-
- } else if (existingPolicies.size() == 1) {
-
- // Check if applied policy contains any conditions
- if (ServiceRESTUtil.containsRangerCondition(policy)) {
- LOG.error("Applied policy contains condition(s); not supported:" + policy);
- throw new Exception("Applied policy contains condition(s); not supported:" + policy);
- }
- RangerPolicy existingPolicy = existingPolicies.get(0);
-
- // If existing policy-items contains conditions, then we add/remove specified accesses to
- // existing policy-items as specified in applied policy, ignoring those conditions.
- // New policy-items will have no conditions.
-
- boolean applyResult = ServiceRESTUtil.processApplyPolicy(existingPolicy, policy);
-
- if (applyResult) {
- ret = updatePolicy(existingPolicy);
- } else {
- LOG.error("applyPolicy processing failed");
- throw new Exception("applyPolicy processing failed");
- }
-
} else {
- // there should be only one policy for the given resources
- throw new Exception("Invalid state: multiple policies exists for resource " + policy.getResources());
+ ServiceRESTUtil.processApplyPolicy(existingPolicy, policy);
+
+ ret = updatePolicy(existingPolicy);
}
+ } catch(WebApplicationException excp) {
+ throw excp;
} catch (Exception exception) {
LOG.error("Failed to apply policy:", exception);
throw restErrorUtil.createRESTException(exception.getMessage());
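Review bot: The unsupported-conditions case is raised as a raw `new Exception(...)`, which the generic catch turns into a REST error with no explicit status, even though the new `catch(WebApplicationException)` pass-through makes it easy to return the right one directly: `throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Applied policy contains condition(s); not supported", true);` (that `(int, String, boolean)` form is already used in this file). The former "multiple policies exist" error is gone because `getExactMatchPolicyForResource` now picks the first complete match, so when several exist the applied items land on one of them with no signal to the caller; at least a log line would help operators. The message also embeds the whole policy object in the response — keep that in the log and send a shorter message to the client. applyPolicy's declaration is outside the hunk.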
@@ -1544,16 +1519,18 @@ public class ServiceREST {
}
}
- private RangerPolicy getExactMatchPolicyForResource(RangerPolicyEngine policyEngine, RangerAccessResource resource) throws Exception {
+ private RangerPolicy getExactMatchPolicyForResource(String serviceName, RangerAccessResource resource) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resource + ")");
}
- RangerPolicy ret = policyEngine != null ? policyEngine.getExactMatchPolicy(resource) : null;
+ RangerPolicy ret = null;
+ RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
+ List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(resource) : null;
- if(ret != null) {
+ if(CollectionUtils.isNotEmpty(policies)) {
// at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store
- ret = svcStore.getPolicy(ret.getId());
+ ret = svcStore.getPolicy(policies.get(0).getId());
}
if(LOG.isDebugEnabled()) {
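Review bot: `policies.get(0)` silently picks one policy when several evaluators report a complete match, and the grant/revoke callers then update only that one, so a revoke can report success while an identical second policy still grants the access. At minimum log it: `if (policies.size() > 1) { LOG.warn("multiple exact-match policies for " + resource + "; using policy id=" + policies.get(0).getId()); }`, and consider whether revoke should walk all of them. The comment "at this point, ret is a policy in policy-engine" is now stale, since `ret` is still null there; reword to `// the matched policy belongs to the engine; callers may mutate it, so load a fresh copy from the store`. The method's trailing debug log and closing brace are outside the hunk.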
@@ -1563,6 +1540,27 @@ public class ServiceREST {
return ret;
}
+ private RangerPolicy getExactMatchPolicyForResource(String serviceName, Map<String, RangerPolicyResource> resources) throws Exception {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resources + ")");
+ }
+
+ RangerPolicy ret = null;
+ RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
+ List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(resources) : null;
+
+ if(CollectionUtils.isNotEmpty(policies)) {
+ // at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store
+ ret = svcStore.getPolicy(policies.get(0).getId());
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceREST.getExactMatchPolicyForResource(" + resources + "): " + ret);
+ }
+
+ return ret;
+ }
+
@GET
@Path("/policies/eventTime")
@Produces({ "application/json", "application/xml" })
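Review bot: This `Map<String, RangerPolicyResource>` overload duplicates the `RangerAccessResource` variant above line for line apart from the `getExactMatchPolicies` argument, including the now-stale comment claiming `ret` is already a policy at that point. Pull the shared tail into one private helper, e.g. `private RangerPolicy firstPolicyFromStore(List<RangerPolicy> policies) throws Exception { return CollectionUtils.isEmpty(policies) ? null : svcStore.getPolicy(policies.get(0).getId()); }`, and have both overloads call it after fetching `policies`. That keeps the "first of several matches" decision in one place should it later need to change.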
@@ -1683,7 +1681,7 @@ public class ServiceREST {
continue;
}
- RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
+ RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
if (policyEngine != null) {
if(userGroups == null) {
@@ -1714,12 +1712,12 @@ public class ServiceREST {
if(!isAdmin && !isKeyAdmin) {
boolean isAllowed = false;
- RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
+ RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
if (policyEngine != null) {
Set<String> userGroups = userMgr.getGroupsForUser(userName);
- isAllowed = hasAdminAccess(policyEngine, userName, userGroups, resources);
+ isAllowed = hasAdminAccess(serviceName, userName, userGroups, resources);
}
if (!isAllowed) {
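Review bot: `policyEngine` is now fetched here only to guard the call, but `hasAdminAccess(serviceName, …)` fetches the same delegated-admin engine again and already returns false when it is null, so the outer lookup and `if` are redundant. The block can become `Set<String> userGroups = userMgr.getGroupsForUser(userName); isAllowed = hasAdminAccess(serviceName, userName, userGroups, resources);`. Either way the result is fail-closed, which is the right default for an admin check; the enclosing method starts and ends outside the hunk.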
@@ -1747,9 +1745,11 @@ public class ServiceREST {
}
}
- private boolean hasAdminAccess(RangerPolicyEngine policyEngine, String userName, Set<String> userGroups, Map<String, RangerPolicyResource> resources) {
+ private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups, Map<String, RangerPolicyResource> resources) {
boolean isAllowed = false;
+ RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
+
if(policyEngine != null) {
isAllowed = policyEngine.isAccessAllowed(resources, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
}
@@ -1757,9 +1757,11 @@ public class ServiceREST {
return isAllowed;
}
- private boolean hasAdminAccess(RangerPolicyEngine policyEngine, String userName, Set<String> userGroups, RangerAccessResource resource) {
+ private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups, RangerAccessResource resource) {
boolean isAllowed = false;
+ RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
+
if(policyEngine != null) {
isAllowed = policyEngine.isAccessAllowed(resource, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
}
@@ -1767,7 +1769,7 @@ public class ServiceREST {
return isAllowed;
}
- private RangerPolicyEngine getPolicyEngine(String serviceName) {
+ private RangerPolicyEngine getDelegatedAdminPolicyEngine(String serviceName) {
if(RangerPolicyEngineCache.getInstance().getPolicyEngineOptions() == null) {
RangerPolicyEngineOptions options = new RangerPolicyEngineOptions();
@@ -1787,6 +1789,24 @@ public class ServiceREST {
return ret;
}
+ private RangerPolicyEngine getPolicyEngine(String serviceName) throws Exception {
+ RangerPolicyEngineOptions options = new RangerPolicyEngineOptions();
+
+ String propertyPrefix = "ranger.admin";
+
+ options.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
+ options.cacheAuditResults = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", false);
+ options.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true);
+ options.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
+ options.evaluateDelegateAdminOnly = false;
+
+ ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, -1L);
+
+ RangerPolicyEngine ret = new RangerPolicyEngineImpl("ranger-admin", policies, options);
+
+ return ret;
+ }
+
@GET
@Path("/checksso")
@Produces(MediaType.TEXT_PLAIN)
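Review bot: `getPolicyEngine` builds a brand-new `RangerPolicyEngineImpl` from `svcStore.getServicePoliciesIfUpdated(serviceName, -1L)` on every call, so each grant, revoke and apply request reloads every policy of the service and recompiles all evaluators; unlike `getDelegatedAdminPolicyEngine` there is no cache, and nothing here guards against `policies` being null for an unknown service name (how the constructor treats null is not visible in this diff). If the fresh read is intentional — so the exact-match lookup never works on a stale engine — say so in a comment, e.g. `// deliberately uncached: exact-match lookups must see the latest stored policies`, and add a null check that raises a clear error for an unknown service rather than letting the engine constructor fail. The `"ranger.admin"` prefix and the three option keys are also good candidates for constants shared with the delegated-admin engine so the two stay configured alike.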
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
index 7518363..dcae9b4 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
@@ -27,7 +27,6 @@ import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import java.util.ArrayList;
-import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@@ -74,7 +73,9 @@ public class ServiceRESTUtil {
appliedPolicy.getPolicyItems().add(policyItem);
- policyUpdated = processApplyPolicy(policy, appliedPolicy) || policyUpdated;
+ processApplyPolicy(policy, appliedPolicy);
+
+ policyUpdated = true;
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceRESTUtil.processGrantRequest() : " + policyUpdated);
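Review bot: `policyUpdated = true` is now set unconditionally after `processApplyPolicy`, so a grant that adds nothing new (the grantee already holds every requested access) is still reported as a change, and the caller presumably persists and version-bumps the policy anyway. If that is acceptable, say so next to the flag (`// always true: processApplyPolicy no longer reports whether anything changed`); otherwise have `processApplyPolicy` return whether any item type actually changed and keep `policyUpdated = processApplyPolicy(policy, appliedPolicy) || policyUpdated;`. processGrantRequest starts and ends outside the hunk.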
@@ -114,7 +115,9 @@ public class ServiceRESTUtil {
appliedPolicy.getDenyPolicyItems().add(policyItem);
- policyUpdated = processApplyPolicy(policy, appliedPolicy);
+ processApplyPolicy(policy, appliedPolicy);
+
+ policyUpdated = true;
}
if (LOG.isDebugEnabled()) {
@@ -124,32 +127,26 @@ public class ServiceRESTUtil {
return policyUpdated;
}
- static public boolean processApplyPolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) {
+ static public void processApplyPolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceRESTUtil.processApplyPolicy()");
}
- boolean ret = false;
-
- ret = processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW);
- ret = ret && processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY);
- ret = ret && processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
- ret = ret && processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS);
+ processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW);
+ processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY);
+ processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
+ processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS);
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceRESTUtil.processApplyPolicy()");
}
-
- return ret;
}
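Review bot: `processApplyPolicy` is public static and mutates `existingPolicy` in place, yet carries no Javadoc saying so, and with the boolean dropped callers can no longer learn whether anything changed. I would add `/** Merges the allow, deny, allow-exception and deny-exception items of appliedPolicy into existingPolicy in place; all four item types are processed regardless of earlier results. */` above the method. Note the old `ret && ...` chain skipped the later item types whenever an earlier one returned false, so the unconditional calls are a behavioural change worth mentioning in the commit message.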
- static public boolean processApplyPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) {
+ static private void processApplyPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceRESTUtil.processApplyPolicyForItemType()");
}
- boolean ret = false;
-
List<RangerPolicy.RangerPolicyItem> appliedPolicyItems = null;
switch (policyItemType) {
@@ -166,8 +163,7 @@ public class ServiceRESTUtil {
appliedPolicyItems = appliedPolicy.getDenyExceptions();
break;
default:
- LOG.warn("Should not have come here..");
- return false;
+ LOG.warn("processApplyPolicyForItemType(): invalid policyItemType=" + policyItemType);
}
if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
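Review bot: The `default` branch now only logs a warning and falls through with `appliedPolicyItems` still null, so an unexpected `policyItemType` is silently treated as "nothing to apply". Given the switch enumerates four named cases, `POLICYITEM_TYPE` looks like an enum with exactly those values, which makes this branch a programming error rather than a runtime condition; `throw new IllegalArgumentException("processApplyPolicyForItemType(): invalid policyItemType=" + policyItemType);` would surface it instead of hiding it in the log. processApplyPolicyForItemType begins outside the hunk.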
@@ -190,14 +186,12 @@ public class ServiceRESTUtil {
// Add modified/new policyItems back to existing policy
mergeProcessedPolicyItems(existingPolicy, userPolicyItems, groupPolicyItems);
- ret = compactPolicy(existingPolicy);
+ compactPolicy(existingPolicy);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceRESTUtil.processApplyPolicyForItemType()");
}
-
- return ret;
}
static private void extractUsersAndGroups(List<RangerPolicy.RangerPolicyItem> policyItems, Set<String> users, Set<String> groups) {
@@ -281,16 +275,15 @@ public class ServiceRESTUtil {
}
}
- static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForUser(List<RangerPolicy.RangerPolicyItem> userPolicyItems, String user) {
+ static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForUser(List<RangerPolicy.RangerPolicyItem> policyItems, String user) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForUser()");
}
RangerPolicy.RangerPolicyItem ret = null;
- if (CollectionUtils.isNotEmpty(userPolicyItems)) {
-
- for (RangerPolicy.RangerPolicyItem policyItem : userPolicyItems) {
+ if (CollectionUtils.isNotEmpty(policyItems)) {
+ for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
List<String> users = policyItem.getUsers();
if (users.contains(user)) {
if (ret == null) {
@@ -302,7 +295,7 @@ public class ServiceRESTUtil {
}
addAccesses(ret, policyItem.getAccesses());
- // Remove this user/group from existingPolicyItem
+ // Remove this user from existingPolicyItem
users.remove(user);
}
}
@@ -315,16 +308,15 @@ public class ServiceRESTUtil {
return ret;
}
- static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForGroup(List<RangerPolicy.RangerPolicyItem> groupPolicyItems, String group) {
+ static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForGroup(List<RangerPolicy.RangerPolicyItem> policyItems, String group) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()");
}
RangerPolicy.RangerPolicyItem ret = null;
- if (CollectionUtils.isNotEmpty(groupPolicyItems)) {
-
- for (RangerPolicy.RangerPolicyItem policyItem : groupPolicyItems) {
+ if (CollectionUtils.isNotEmpty(policyItems)) {
+ for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
List<String> groups = policyItem.getGroups();
if (groups.contains(group)) {
if (ret == null) {
@@ -336,7 +328,7 @@ public class ServiceRESTUtil {
}
addAccesses(ret, policyItem.getAccesses());
- // Remove this user/group from existingPolicyItem
+ // Remove this group from existingPolicyItem
groups.remove(group);
}
}
@@ -541,14 +533,14 @@ public class ServiceRESTUtil {
for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
String accessType = access.getType();
- int numOfItems = policyItem.getAccesses().size();
+ int numOfAccesses = policyItem.getAccesses().size();
- for (int i = 0; i < numOfItems; i++) {
+ for (int i = 0; i < numOfAccesses; i++) {
RangerPolicy.RangerPolicyItemAccess itemAccess = policyItem.getAccesses().get(i);
if (StringUtils.equals(itemAccess.getType(), accessType)) {
policyItem.getAccesses().remove(i);
- numOfItems--;
+ numOfAccesses--;
i--;
ret = true;
@@ -562,42 +554,11 @@ public class ServiceRESTUtil {
return ret;
}
- static private boolean compactPolicy(RangerPolicy policy) {
- boolean ret = true; // Always true for now
-
- List<?>[] policyItemsList = new List<?>[] { policy.getPolicyItems(),
- policy.getDenyPolicyItems(),
- policy.getAllowExceptions(),
- policy.getDenyExceptions()
- };
-
- for(List<?> policyItemsObj : policyItemsList) {
- @SuppressWarnings("unchecked")
- List<RangerPolicy.RangerPolicyItem> policyItems = (List<RangerPolicy.RangerPolicyItem>)policyItemsObj;
-
- int numOfItems = policyItems.size();
-
- for(int i = 0; i < numOfItems; i++) {
- RangerPolicy.RangerPolicyItem policyItem = policyItems.get(i);
-
- // remove the policy item if 1) there are no users and groups OR 2) if there are no accessTypes and not a delegate-admin
- if((CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) ||
- (CollectionUtils.isEmpty(policyItem.getAccesses()) && !policyItem.getDelegateAdmin())) {
- policyItems.remove(i);
- numOfItems--;
- i--;
-
- ret = true;
- }
- }
- }
-
+ static private void compactPolicy(RangerPolicy policy) {
policy.setPolicyItems(mergePolicyItems(policy.getPolicyItems()));
policy.setDenyPolicyItems(mergePolicyItems(policy.getDenyPolicyItems()));
policy.setAllowExceptions(mergePolicyItems(policy.getAllowExceptions()));
policy.setDenyExceptions(mergePolicyItems(policy.getDenyExceptions()));
-
- return ret;
}
static private List<RangerPolicy.RangerPolicyItem> mergePolicyItems(List<RangerPolicy.RangerPolicyItem> policyItems) {
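Review bot: The rewritten compactPolicy() now relies entirely on mergePolicyItems() to drop subject-less and access-less items, and it unconditionally passes each of the four item lists through without the null/empty check the removed loop implied; whether mergePolicyItems() tolerates a null list is not visible in this hunk, so confirm that a policy with, say, no denyExceptions cannot reach it as null. Since the pruning that keeps an empty-subject or empty-access item out of a persisted policy is now an implicit side effect of a method named "merge", a Javadoc on compactPolicy() should state that contract, e.g. `/** Removes policy items that have no users/groups, or no accesses and no delegate-admin, and merges items that grant identical accesses into one; mutates the given policy in place. */`.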
@@ -607,6 +568,11 @@ public class ServiceRESTUtil {
Map<String, RangerPolicy.RangerPolicyItem> matchedPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem>();
for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
+ if((CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) ||
+ (CollectionUtils.isEmpty(policyItem.getAccesses()) && !policyItem.getDelegateAdmin())) {
+ continue;
+ }
+
if (policyItem.getConditions().size() > 1) {
ret.add(policyItem);
continue;
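Review bot: The skip predicate added at the top of the loop is the same expression the old compactPolicy() loop used; extracting it into a named helper such as `private static boolean isEmptyPolicyItem(RangerPolicy.RangerPolicyItem item)` would make the intent readable and keep the two call sites from drifting apart, and a short comment like `// drop items that grant nothing or apply to nobody` belongs above it either way. Note also that `!policyItem.getDelegateAdmin()` will NPE if that getter can return a null Boolean for items deserialised from a REST request; whether it can is not visible here. Separately, the `getConditions().size() > 1` guard on the next line only diverts items with two or more conditions, so items with exactly one condition proceed to a merge that appears keyed on accesses and delegate-admin alone; if the condition is not folded into that key further down (the key construction continues outside this hunk), merging users across items with different single conditions would widen the condition under which they are granted access, which is worth confirming.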
@@ -620,19 +586,15 @@ public class ServiceRESTUtil {
accesses.add("delegateAdmin");
}
- StringBuilder allAccessesString = new StringBuilder();
-
- for (String access = accesses.first(); access != null; access = accesses.higher(access)) {
- allAccessesString.append(access);
- }
+ String allAccessesString = accesses.toString();
- RangerPolicy.RangerPolicyItem matchingPolicyItem = matchedPolicyItems.get(allAccessesString.toString());
+ RangerPolicy.RangerPolicyItem matchingPolicyItem = matchedPolicyItems.get(allAccessesString);
if (matchingPolicyItem != null) {
addDistinctItems(policyItem.getUsers(), matchingPolicyItem.getUsers());
addDistinctItems(policyItem.getGroups(), matchingPolicyItem.getGroups());
} else {
- matchedPolicyItems.put(allAccessesString.toString(), policyItem);
+ matchedPolicyItems.put(allAccessesString, policyItem);
}
}