Posted to commits@ranger.apache.org by ab...@apache.org on 2021/04/02 18:38:13 UTC

[ranger] branch master updated: RANGER-3147: enhance resource-trie to enable finding evaluators for a given resource and its children - Part 3

This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new b48d220  RANGER-3147: enhance resource-trie to enable finding evaluators for a given resource and its children - Part 3
b48d220 is described below

commit b48d2202373604c1363cf79cdc512fed1d50e5d4
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Fri Apr 2 10:53:03 2021 -0700

    RANGER-3147: enhance resource-trie to enable finding evaluators for a given resource and its children - Part 3
---
 .../plugin/policyengine/RangerResourceTrie.java    |  2 +
 .../resourcematcher/RangerPathResourceMatcher.java | 28 ++++++-
 .../policyengine/test_policyengine_aws.json        | 94 ++++++++++++++++++++++
 3 files changed, 120 insertions(+), 4 deletions(-)

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
index 2db1db0..7c37e05 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
@@ -1149,6 +1149,8 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
         }
 
         void collectChildEvaluators(Character sep, int startIdx, Set<U> childEvaluators) {
+            setupIfNeeded(getParent());
+
             final int sepPos = startIdx < str.length() ? str.indexOf(sep, startIdx) : -1;
 
             if (sepPos == -1) { // ex: startIdx=5, path(str)=/tmp/test, path(a child) could be: /tmp/test.txt, /tmp/test/, /tmp/test/a, /tmp/test/a/b
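Review bot: The new `setupIfNeeded(getParent())` at the top of `collectChildEvaluators` carries no comment saying why the parent, rather than this node, has to be set up before `str` is read on the following line, so a reader cannot tell whether this is lazy initialisation of state inherited from the parent or a guard against a partially built trie. If it is the former, a one-liner such as `// parent must be set up first: this node's str/evaluators are derived from it lazily` (adjusted to what setupIfNeeded actually does) would make the ordering constraint explicit. If `getParent()` can return null for the root node, it is worth confirming that setupIfNeeded tolerates a null argument. The body of collectChildEvaluators continues beyond this hunk.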
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index c60e7bc..43297d6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -283,6 +283,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
 		}
 		@Override
 		boolean isMatch(String resourceValue, Map<String, Object> evalContext) {
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("==> StringResourceMatcher.isMatch(resourceValue=" + resourceValue + ", evalContext=" + evalContext + ")");
+			}
 			String expandedValue = getExpandedValue(evalContext);
 			boolean ret = function.apply(resourceValue, expandedValue);
 			if (!ret) {
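Review bot: The entry trace added to `StringResourceMatcher.isMatch` logs the whole `evalContext` map through its toString(), and the same pattern is repeated in the WildcardResourceMatcher, RecursiveWildcardResourceMatcher and RecursivePathResourceMatcher entry hunks. The map's contents are not visible here; if it carries request attributes beyond the values the matcher expands, every debug-level log line will capture them verbatim, which is easy to forget once debug logging is enabled in production to troubleshoot a policy. Logging only the keys, `LOG.debug("==> StringResourceMatcher.isMatch(resourceValue=" + resourceValue + ", evalContext.keys=" + (evalContext == null ? null : evalContext.keySet()) + ")");`, keeps the trace useful without copying values, and the exit trace already prints the expanded value. The six near-identical guard-plus-concatenation blocks could also be collapsed into one helper on the enclosing matcher taking the class name as an argument. The body of isMatch continues beyond this hunk.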
@@ -298,6 +301,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
 					}
 				}
 			}
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("<== StringResourceMatcher.isMatch(resourceValue=" + resourceValue + ", expandedValue=" + expandedValue + ") : result:[" + ret + "]");
+			}
 			return ret;
 		}
 
@@ -314,6 +320,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
 		}
 		@Override
 		boolean isMatch(String resourceValue, Map<String, Object> evalContext) {
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("==> WildcardResourceMatcher.isMatch(resourceValue=" + resourceValue + ", evalContext=" + evalContext + ")");
+			}
 			String expandedValue = getExpandedValue(evalContext);
 			boolean ret = function.apply(resourceValue, expandedValue, ioCase);
 			if (!ret) {
@@ -329,6 +338,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
 					}
 				}
 			}
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("<== WildcardResourceMatcher.isMatch(resourceValue=" + resourceValue + ", expandedValue=" + expandedValue + ") : result:[" + ret + "]");
+			}
 			return ret;
 		}
 	}
@@ -344,6 +356,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
 		}
 		@Override
 		boolean isMatch(String resourceValue, Map<String, Object> evalContext) {
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("==> RecursiveWildcardResourceMatcher.isMatch(resourceValue=" + resourceValue + ", evalContext=" + evalContext + ")");
+			}
 			String expandedValue = getExpandedValue(evalContext);
 			boolean ret = function.apply(resourceValue, expandedValue, pathSeparatorChar, ioCase);
 			if (!ret) {
@@ -359,6 +374,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
 					}
 				}
 			}
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("<== RecursiveWildcardResourceMatcher.isMatch(resourceValue=" + resourceValue + ", expandedValue=" + expandedValue + ") : result:[" + ret + "]");
+			}
 			return ret;
 		}
 	}
@@ -386,6 +404,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
 
 		@Override
 		boolean isMatch(String resourceValue, Map<String, Object> evalContext) {
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("==> RecursivePathResourceMatcher.isMatch(resourceValue=" + resourceValue + ", evalContext=" + evalContext + ")");
+			}
 			final String noSeparator;
 			if (getNeedsDynamicEval()) {
 				String expandedPolicyValue = getExpandedValue(evalContext);
@@ -414,14 +435,13 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
 								resourceValue = resourceValue.substring(0, resourceValue.length() - 1);
 							}
 							ret = primaryFunction.apply(resourceValue, shorterExpandedValue);
-							if (!ret) {
-								final String shortedExpandedValueWithSeparator = getNeedsDynamicEval() ? shorterExpandedValue + pathSeparatorChar : shorterExpandedValue;
-								ret = fallbackFunction.apply(resourceValue, shortedExpandedValueWithSeparator);
-							}
 						}
 					}
 				}
 			}
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("<== RecursivePathResourceMatcher.isMatch(resourceValue=" + resourceValue + ", expandedValueWithoutTrailingSeparatorChar=" + noSeparator + ") : result:[" + ret + "]");
+			}
 
 			return ret;
 		}
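Review bot: The exit trace at the end of `RecursivePathResourceMatcher.isMatch` prints `resourceValue`, but the parameter is reassigned a few lines earlier (`resourceValue = resourceValue.substring(0, resourceValue.length() - 1)`), so the entry and exit lines of the same call can show different values and make a trace harder to read. Capturing the argument once before it is modified, e.g. `final String requestedValue = resourceValue;` near the top of the method and logging `requestedValue` in the exit message, keeps the two traces consistent. With the fallbackFunction branch removed from this path, it is worth checking outside the hunk whether `fallbackFunction` still has any reader in this class; if not, the field and its initialisation are now dead. The method's opening and the declaration of `noSeparator` are in the preceding hunk.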
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_aws.json b/agents-common/src/test/resources/policyengine/test_policyengine_aws.json
index 3e77506..118bef5 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_aws.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_aws.json
@@ -71,10 +71,104 @@
       "policyItems":[
         {"accesses":[{"type":"read","isAllowed":true}, {"type":"write","isAllowed":true}, {"type":"execute","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
       ]
+    },
+
+    {"id":100,"name":"allow-read-to-/tmp/{USER}}", "isEnabled":true,"isAuditEnabled":true,
+      "resources":{"path":{"values":["/tmp/{USER}"],"isRecursive":true}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true}],"users":["{USER}"],"groups":[],"delegateAdmin":false}
+      ]
+    },
+    {"id":200,"name":"allow-all-to-/tmp/{USER}/subdir}","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"path":{"values":["/tmp/{USER}/subdir"],"isRecursive":true}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true}, {"type":"write","isAllowed":true}, {"type":"execute","isAllowed":true}],"users":["{USER}"],"groups":[],"delegateAdmin":false}
+      ]
+    },
+    {"id":300,"name":"allow-read-to-/user/dir}","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"path":{"values":["/user/dir"],"isRecursive":true}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true}],"users":["scott"],"groups":[],"delegateAdmin":false}
+      ]
+    },
+    {"id":400,"name":"allow-all-to-/user/dir/subdir}","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"path":{"values":["/user/dir/subdir"],"isRecursive":true}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true}, {"type":"write","isAllowed":true}, {"type":"execute","isAllowed":true}],"users":["scott"],"groups":[],"delegateAdmin":false}
+      ]
+    },
+    {"id":500,"name":"allow-read-to-/user/{USER}/a*}", "isEnabled":true,"isAuditEnabled":true,
+      "resources":{"path":{"values":["/user/{USER}/*"],"isRecursive":true}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true}],"users":["{USER}"],"groups":[],"delegateAdmin":false}
+      ]
     }
   ],
 
   "tests":[
+    {"name":"ALLOW 'write /tmp/scott' for u=scott for scope SELF_OR_CHILD",
+      "request":{
+        "resource":{"elements":{"path":"/tmp/scott"}}, "resourceMatchingScope": "SELF_OR_CHILD",
+        "accessType":"write","user":"scott","userGroups":[],"requestData":"write /tmp/scott"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId": 200}
+    },
+    {"name":"DENY 'ANY /tmp/scott' for u=joe for scope SELF_OR_CHILD",
+      "request":{
+        "resource":{"elements":{"path":"/tmp/scott"}}, "resourceMatchingScope": "SELF_OR_CHILD",
+        "accessType":"","user":"joe","userGroups":[],"requestData":"ANY /tmp/scott"
+      },
+      "result":{"isAudited":false,"isAllowed":false,"policyId": -1}
+    },
+    {"name":"ALLOW 'ANY /tmp/scott' for u=scott for scope SELF",
+      "request":{
+        "resource":{"elements":{"path":"/tmp/scott"}},
+        "accessType":"","user":"scott","userGroups":[],"requestData":"ANY /tmp/scott"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId": 100}
+    },
+    {"name":"DENY 'ANY /tmp/scott' for u=joe for scope SELF",
+      "request":{
+        "resource":{"elements":{"path":"/tmp/scott"}},
+        "accessType":"","user":"joe","userGroups":[],"requestData":"ANY /tmp/scott"
+      },
+      "result":{"isAudited":false,"isAllowed":false,"policyId": -1}
+    },
+    {"name":"ALLOW 'write /user/dir' for u=scott for scope SELF_OR_CHILD",
+      "request":{
+        "resource":{"elements":{"path":"/user/dir"}}, "resourceMatchingScope": "SELF_OR_CHILD",
+        "accessType":"write","user":"scott","userGroups":[],"requestData":"write /user/dir"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId": 400}
+    },
+    {"name":"ALLOW 'ANY /user/dir' for u=scott for scope SELF",
+      "request":{
+        "resource":{"elements":{"path":"/user/dir"}},
+        "accessType":"","user":"scott","userGroups":[],"requestData":"ANY /user/dir"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId": 300}
+    },
+    {"name":"DENY 'ANY /user/dir' for u=joe for scope SELF_OR_CHILD",
+      "request":{
+        "resource":{"elements":{"path":"/user/dir"}}, "resourceMatchingScope": "SELF_OR_CHILD",
+        "accessType":"","user":"joe","userGroups":[],"requestData":"ANY /user/dir"
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId": -1}
+    },
+    {"name":"ALLOW 'read /user/scott' for u=scott for scope SELF_OR_CHILD",
+      "request":{
+        "resource":{"elements":{"path":"/user/scott"}}, "resourceMatchingScope": "SELF_OR_CHILD",
+        "accessType":"read","user":"scott","userGroups":[],"requestData":"read /tmp/scott"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId": 500}
+    },
+    {"name":"DENY 'read /user/scott' for u=scott for scope SELF",
+      "request":{
+        "resource":{"elements":{"path":"/user/scott"}},
+        "accessType":"read","user":"scott","userGroups":[],"requestData":"read /tmp/scott"
+      },
+      "result":{"isAudited":false,"isAllowed":false,"policyId": -1}
+    },
     {"name":"ALLOW 'ANY /' for u=user1",
       "request":{
         "resource":{"elements":{"path":"/"}}, "resourceMatchingScope": "SELF_OR_CHILD",