Posted to commits@ranger.apache.org by ma...@apache.org on 2015/01/07 20:32:23 UTC
[24/27] incubator-ranger git commit: - RangerAccessResult updated to
support Allowed/Denied/PartiallyDenied result
- RangerAccessResult updated to support Allowed/Denied/PartiallyDenied
result
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/3c52e0ed
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/3c52e0ed
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/3c52e0ed
Branch: refs/heads/stack
Commit: 3c52e0ed8a29fcdbb9d7c8e145a0a42580e20a29
Parents: 59417d3
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Thu Jan 1 23:58:22 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Wed Jan 7 11:18:37 2015 -0800
----------------------------------------------------------------------
.../plugin/policyengine/RangerAccessResult.java | 60 +++++--
.../plugin/policyengine/RangerPolicyEngine.java | 7 +-
.../policyengine/RangerPolicyEngineImpl.java | 176 ++++++++++++-------
.../RangerDefaultPolicyEvaluator.java | 3 +-
4 files changed, 159 insertions(+), 87 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3c52e0ed/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index 0735bd2..3c04139 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -21,24 +21,27 @@ package org.apache.ranger.plugin.policyengine;
public class RangerAccessResult {
- private RangerAccessRequest request;
- private boolean isAllowed;
- private boolean isAudited;
- private long policyId;
- private String reason;
+ public enum Result { ALLOWED, DENIED, PARTIALLY_DENIED };
+
+ private RangerAccessRequest request = null;
+ private Result result = null;
+ private RangerResource deniedResource = null;
+ private boolean isAudited = false;
+ private long policyId = -1;
+ private String reason = null;
public RangerAccessResult(RangerAccessRequest request) {
- this(request, false, false, -1, null);
+ this(request, Result.DENIED, false, -1, null);
}
- public RangerAccessResult(RangerAccessRequest request, boolean isAllowed, boolean isAudited) {
- this(request, isAllowed, isAudited, -1, null);
+ public RangerAccessResult(RangerAccessRequest request, Result result, boolean isAudited) {
+ this(request, result, isAudited, -1, null);
}
- public RangerAccessResult(RangerAccessRequest request, boolean isAllowed, boolean isAudited, long policyId, String reason) {
+ public RangerAccessResult(RangerAccessRequest request, Result result, boolean isAudited, long policyId, String reason) {
this.request = request;
- this.isAllowed = isAllowed;
+ this.result = result;
this.isAudited = isAudited;
this.policyId = policyId;
this.reason = reason;
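Review bot: The five-argument constructor stores `result` without a null check, so `new RangerAccessResult(request, null, ...)` leaves `getResult()` returning null, and a caller that switches on it or compares against `Result.ALLOWED` then behaves inconsistently with the default-deny intent the one-argument constructor expresses; for an access decision the safe mapping is to deny, `this.result = result == null ? Result.DENIED : result;`. The same applies to `setResult` in the next hunk. The trailing `;` after the enum body on the first added line is redundant. `PARTIALLY_DENIED` is introduced but nothing in this commit produces it, so a one-line comment on the constant saying when an evaluator is expected to return it (presumably a multi-resource request where only some resources were denied, given the new `deniedResource` field) would help readers.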
@@ -52,17 +55,31 @@ public class RangerAccessResult {
}
/**
- * @return the isAllowed
+ * @return the result
+ */
+ public Result getResult() {
+ return result;
+ }
+
+ /**
+ * @param result the result to set
*/
- public boolean isAllowed() {
- return isAllowed;
+ public void setResult(Result result) {
+ this.result = result;
}
/**
- * @param isAllowed the isAllowed to set
+ * @return the deniedResource
*/
- public void setAllowed(boolean isAllowed) {
- this.isAllowed = isAllowed;
+ public RangerResource getDeniedResource() {
+ return deniedResource;
+ }
+
+ /**
+ * @param deniedResource the deniedResource to set
+ */
+ public void setDeniedResource(RangerResource deniedResource) {
+ this.deniedResource = deniedResource;
}
/**
@@ -107,6 +124,14 @@ public class RangerAccessResult {
this.reason = reason;
}
+ public void addDeniedResource(String resourceType, String resourceValue) {
+ if(deniedResource == null) {
+ deniedResource = new RangerResourceImpl();
+ }
+
+ ((RangerResourceImpl)deniedResource).addElement(resourceType, resourceValue);
+ }
+
@Override
public String toString( ) {
StringBuilder sb = new StringBuilder();
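Review bot: `addDeniedResource` downcasts `deniedResource` to `RangerResourceImpl`, but `setDeniedResource` in the previous hunk accepts any `RangerResource`, so a value set through the public setter that is not a `RangerResourceImpl` makes the next `addDeniedResource` call throw ClassCastException. Either declare the field and the setter parameter as `RangerResourceImpl`, or guard the cast with `if(!(deniedResource instanceof RangerResourceImpl)) { throw new IllegalStateException("deniedResource is not a RangerResourceImpl"); }` before the `addElement` call. A short Javadoc on the method stating that it appends one (type, value) element to the denied resource, creating it on first use, would also help, since the other members of this class are documented.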
@@ -120,7 +145,8 @@ public class RangerAccessResult {
sb.append("RangerAccessResult={");
sb.append("request={").append(request).append("} ");
- sb.append("isAllowed={").append(isAllowed).append("} ");
+ sb.append("result={").append(result).append("} ");
+ sb.append("deniedResource={").append(deniedResource).append("} ");
sb.append("isAudited={").append(isAudited).append("} ");
sb.append("policyId={").append(policyId).append("} ");
sb.append("reason={").append(reason).append("} ");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3c52e0ed/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index cf2a5f3..271e190 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -21,10 +21,15 @@ package org.apache.ranger.plugin.policyengine;
import java.util.List;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+
public interface RangerPolicyEngine {
+ void setPolicies(RangerServiceDef serviceDef, List<RangerPolicy> policies);
+
RangerAccessResult isAccessAllowed(RangerAccessRequest request);
- void isAccessAllowed(List<RangerAccessRequest> requests, List<RangerAccessResult> results);
+ List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests);
void auditAccess(RangerAccessResult result);
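Review bot: The two new interface methods, `setPolicies` and the list form of `isAccessAllowed`, carry no Javadoc, while the contract they introduce matters to every plugin: whether `setPolicies` replaces or merges the current policy set, and whether the returned list is positionally aligned with `requests`. From `RangerPolicyEngineImpl` in this commit, `setPolicies` replaces the whole evaluator list and leaves it untouched (logging an error) when either argument is null, and the list form returns one result per request in order and an empty list for a null argument; I would state both on the interface, e.g. `/** Replaces the engine's policy set; null arguments leave the current policies unchanged. */` on `setPolicies` and `/** @return one result per request, in request order; empty when requests is null */` on `isAccessAllowed(List)`. Whether the null-argument behaviour is part of the contract or an implementation accident is worth confirming with the author before documenting it.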
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3c52e0ed/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index b2324c5..33b2ec7 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -20,130 +20,118 @@
package org.apache.ranger.plugin.policyengine;
import java.util.ArrayList;
-import java.util.Collections;
import java.util.List;
-import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.manager.ServiceDefManager;
import org.apache.ranger.plugin.manager.ServiceManager;
import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult.Result;
+import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
public class RangerPolicyEngineImpl implements RangerPolicyEngine {
private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class);
- private String svcName = null;
private List<RangerPolicyEvaluator> policyEvaluators = null;
public RangerPolicyEngineImpl() {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngine()");
+ LOG.debug("==> RangerPolicyEngineImpl()");
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngine()");
+ LOG.debug("<== RangerPolicyEngineImpl()");
}
}
- public void init(String serviceName) throws Exception {
+ @Override
+ public void setPolicies(RangerServiceDef serviceDef, List<RangerPolicy> policies) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngine.init(" + serviceName + ")");
+ LOG.debug("==> RangerPolicyEngineImpl.setPolicies(" + serviceDef + ", " + policies + ")");
}
- svcName = serviceName;
- policyEvaluators = new ArrayList<RangerPolicyEvaluator>();
-
- ServiceManager svcMgr = new ServiceManager();
- RangerService service = svcMgr.getByName(svcName);
-
- if(service == null) {
- LOG.error(svcName + ": service not found");
- } else {
- ServiceDefManager sdMgr = new ServiceDefManager();
-
- RangerServiceDef serviceDef = sdMgr.getByName(service.getType());
-
- if(serviceDef == null) {
- String msg = service.getType() + ": service-def not found";
-
- LOG.error(msg);
-
- throw new Exception(msg);
- }
+ if(serviceDef != null && policies != null) {
+ List<RangerPolicyEvaluator> evaluators = new ArrayList<RangerPolicyEvaluator>();
- List<RangerPolicy> policies = svcMgr.getPolicies(service.getId());
-
- if(policies != null) {
- for(RangerPolicy policy : policies) {
- RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef);
+ for(RangerPolicy policy : policies) {
+ RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef);
- if(evaluator != null) {
- policyEvaluators.add(evaluator);
- }
+ if(evaluator != null) {
+ evaluators.add(evaluator);
}
}
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("found " + (policyEvaluators == null ? 0 : policyEvaluators.size()) + " policies in service '" + svcName + "'");
- }
+
+ this.policyEvaluators = evaluators;
+ } else {
+ LOG.error("RangerPolicyEngineImpl.setPolicies(): invalid arguments - null serviceDef/policies");
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngine.init(" + serviceName + ")");
+ LOG.debug("<== RangerPolicyEngineImpl.setPolicies(" + serviceDef + ", " + policies + ")");
}
}
- private RangerPolicyEvaluator getPolicyEvaluator(RangerPolicy policy, RangerServiceDef serviceDef) {
- RangerPolicyEvaluator ret = null;
-
- // TODO: instantiate policy-matcher
-
- return ret;
- }
-
@Override
public RangerAccessResult isAccessAllowed(RangerAccessRequest request) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + request + ")");
+ }
+
RangerAccessResult ret = null;
- for(RangerPolicyEvaluator evaluator : policyEvaluators) {
- ret = evaluator.evaluate(request);
-
- if(ret != null) {
- break;
+ List<RangerPolicyEvaluator> evaluators = policyEvaluators;
+
+ if(request != null && evaluators != null) {
+ for(RangerPolicyEvaluator evaluator : evaluators) {
+ ret = evaluator.evaluate(request);
+
+ if(ret != null) {
+ break;
+ }
}
}
if(ret == null) {
ret = new RangerAccessResult(request);
- ret.setAllowed(Boolean.FALSE);
+ ret.setResult(Result.DENIED);
ret.setAudited(Boolean.FALSE);
}
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + request + "): " + ret);
+ }
+
return ret;
}
@Override
- public void isAccessAllowed(List<RangerAccessRequest> requests, List<RangerAccessResult> results) {
- if(requests != null && results != null) {
- results.clear();
-
- for(int i = 0; i < requests.size(); i++) {
- RangerAccessRequest request = requests.get(i);
- RangerAccessResult result = isAccessAllowed(request);
-
- results.add(result);
+ public List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + requests + ")");
+ }
+
+ List<RangerAccessResult> ret = new ArrayList<RangerAccessResult>();
+
+ if(requests != null) {
+ for(RangerAccessRequest request : requests) {
+ RangerAccessResult result = isAccessAllowed(request);
+
+ ret.add(result);
}
}
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + requests + "): " + ret);
+ }
+
+ return ret;
}
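Review bot: `isAccessAllowed` snapshots `policyEvaluators` into a local before iterating, which only pays off if `setPolicies` can replace the list concurrently, yet the field (context line `private List<RangerPolicyEvaluator> policyEvaluators = null;`) is not `volatile`, so a thread calling `isAccessAllowed` may keep seeing a stale evaluator list after a policy refresh, i.e. decisions made against policies that have already been replaced. If concurrent refresh is intended, as the snapshot suggests, `private volatile List<RangerPolicyEvaluator> policyEvaluators = null;` gives the publication guarantee; if it is not, a comment saying the engine is confined to one thread would stop the next reader from assuming otherwise. Separately, the error branch of `setPolicies` keeps the previous evaluators when an argument is null while an empty list yields a deny-everything engine; both are defensible fail-safe choices, but the difference is surprising enough to deserve a comment on the `else` branch.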
@Override
@@ -158,6 +146,60 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
+ public void init(String svcName) throws Exception {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyEngineImpl.init(" + svcName + ")");
+ }
+
+ ServiceManager svcMgr = new ServiceManager();
+ ServiceDefManager sdMgr = new ServiceDefManager();
+
+ RangerServiceDef serviceDef = null;
+ List<RangerPolicy> policies = null;
+
+ RangerService service = svcMgr.getByName(svcName);
+
+ if(service == null) {
+ String msg = svcName + ": service not found";
+
+ LOG.error(msg);
+
+ throw new Exception(msg);
+ } else {
+ serviceDef = sdMgr.getByName(service.getType());
+
+ if(serviceDef == null) {
+ String msg = service.getType() + ": service-def not found";
+
+ LOG.error(msg);
+
+ throw new Exception(msg);
+ }
+
+ policies = svcMgr.getPolicies(service.getId());
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyEngineImpl.init(): found " + (policyEvaluators == null ? 0 : policyEvaluators.size()) + " policies in service '" + svcName + "'");
+ }
+ }
+
+ setPolicies(serviceDef, policies);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.init(" + svcName + ")");
+ }
+ }
+
+ private RangerPolicyEvaluator getPolicyEvaluator(RangerPolicy policy, RangerServiceDef serviceDef) {
+ RangerPolicyEvaluator ret = null;
+
+ ret = new RangerDefaultPolicyEvaluator(); // TODO: configurable evaluator class?
+
+ ret.init(policy, serviceDef);
+
+ return ret;
+ }
+
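Review bot: The debug line in `init` reports `policyEvaluators.size()` before `setPolicies(serviceDef, policies)` has run, so it prints the evaluator count from the previous load (or 0 on first use) rather than the number of policies just fetched; it should count what was actually retrieved: `LOG.debug("RangerPolicyEngineImpl.init(): found " + (policies == null ? 0 : policies.size()) + " policies in service '" + svcName + "'");`. Both failure paths throw a bare `Exception`, which forces every caller into `catch (Exception)`; an `IllegalStateException` or a dedicated type would let callers distinguish a missing service from other failures, though this matches the style of the code being moved. `getPolicyEvaluator` now always returns non-null, so the `if(evaluator != null)` guard in `setPolicies` is purely defensive, and if `RangerPolicyEvaluator.init` can throw (not visible here) that propagates out of `setPolicies`, whose interface signature declares nothing; a Javadoc on `getPolicyEvaluator` noting this would document the contract.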
@Override
public String toString( ) {
StringBuilder sb = new StringBuilder();
@@ -170,8 +212,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
public StringBuilder toString(StringBuilder sb) {
sb.append("RangerPolicyEngineImpl={");
- sb.append("svcName={").append(svcName).append("} ");
-
sb.append("policyEvaluators={");
if(policyEvaluators != null) {
for(RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3c52e0ed/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 2e7d691..28cca2e 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -35,6 +35,7 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult.Result;
import org.apache.ranger.plugin.policyengine.RangerResource;
import org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
@@ -95,7 +96,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
ret = new RangerAccessResult(request);
ret.setPolicyId(policy.getId());
- ret.setAllowed(access.getIsAllowed());
+ ret.setResult(access.getIsAllowed() ? Result.ALLOWED : Result.DENIED);
ret.setAudited(access.getIsAudited());
break;
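Review bot: The new line maps `access.getIsAllowed()` through a ternary, which unboxes the value if `getIsAllowed()` returns a `Boolean` (the bean-style `getIs` name suggests it does; the model class is not visible here), so a policy item with the flag unset would throw NullPointerException in the middle of evaluation instead of yielding a decision. A null-safe, fail-closed form is `ret.setResult(Boolean.TRUE.equals(access.getIsAllowed()) ? Result.ALLOWED : Result.DENIED);`, and the context line `ret.setAudited(access.getIsAudited())` has the same exposure if that getter is boxed too. This mapping never yields `Result.PARTIALLY_DENIED`, so the new enum value is unused by the default evaluator; a comment here stating that the default evaluator only produces binary results would keep that from reading as an oversight. The enclosing method starts and ends outside the hunk.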