Posted to commits@ranger.apache.org by ab...@apache.org on 2021/04/02 18:38:13 UTC
[ranger] branch master updated: RANGER-3147: enhance resource-trie
to enable finding evaluators for a given resource and its children - Part 3
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new b48d220 RANGER-3147: enhance resource-trie to enable finding evaluators for a given resource and its children - Part 3
b48d220 is described below
commit b48d2202373604c1363cf79cdc512fed1d50e5d4
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Fri Apr 2 10:53:03 2021 -0700
RANGER-3147: enhance resource-trie to enable finding evaluators for a given resource and its children - Part 3
---
.../plugin/policyengine/RangerResourceTrie.java | 2 +
.../resourcematcher/RangerPathResourceMatcher.java | 28 ++++++-
.../policyengine/test_policyengine_aws.json | 94 ++++++++++++++++++++++
3 files changed, 120 insertions(+), 4 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
index 2db1db0..7c37e05 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
@@ -1149,6 +1149,8 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
}
void collectChildEvaluators(Character sep, int startIdx, Set<U> childEvaluators) {
+ setupIfNeeded(getParent());
+
final int sepPos = startIdx < str.length() ? str.indexOf(sep, startIdx) : -1;
if (sepPos == -1) { // ex: startIdx=5, path(str)=/tmp/test, path(a child) could be: /tmp/test.txt, /tmp/test/, /tmp/test/a, /tmp/test/a/b
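Review bot: The new `setupIfNeeded(getParent())` call carries no comment saying why the parent's setup has to run before `str` is read on the very next line, so a reader of collectChildEvaluators cannot tell whether this is a lazy-initialisation requirement or a defensive call. If, as the name suggests, `str` and the child nodes are only materialised when the parent node is set up, state that: `// str/children of this node are materialised lazily via the parent; make sure that has happened before reading str`. It is also worth confirming that `getParent()` can be null for the root node and that `setupIfNeeded` tolerates that, since the call is unconditional. The body of collectChildEvaluators continues past the end of the hunk.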
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index c60e7bc..43297d6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -283,6 +283,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
}
@Override
boolean isMatch(String resourceValue, Map<String, Object> evalContext) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> StringResourceMatcher.isMatch(resourceValue=" + resourceValue + ", evalContext=" + evalContext + ")");
+ }
String expandedValue = getExpandedValue(evalContext);
boolean ret = function.apply(resourceValue, expandedValue);
if (!ret) {
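Review bot: The entry/exit debug blocks added here are the same six lines repeated in every matcher (the hunks at `@@ -298`, `@@ -314`, `@@ -329`, `@@ -344`, `@@ -359`, `@@ -386` and `@@ -414` too), differing only in the class-name literal; a pair of helpers in the shared base, for example `logEnter(String matcher, String resourceValue, Map<String, Object> evalContext)` and a matching `logExit(...)`, would keep the four `isMatch` bodies to their matching logic and keep the message format in one place. Separately, `evalContext` is dumped wholesale through its `toString()`; if that map can carry anything beyond the user name (it is passed through as a full `Map<String, Object>`), logging only its keys, or only the value this matcher expands, keeps request attributes out of debug logs. `resourceValue` is request-supplied and is concatenated unescaped into the line, so a value containing line breaks can split a log record; that is tolerable at debug level when the log layout neutralises it, but worth confirming. The body of isMatch continues past the hunk.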
@@ -298,6 +301,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
}
}
}
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== StringResourceMatcher.isMatch(resourceValue=" + resourceValue + ", expandedValue=" + expandedValue + ") : result:[" + ret + "]");
+ }
return ret;
}
@@ -314,6 +320,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
}
@Override
boolean isMatch(String resourceValue, Map<String, Object> evalContext) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> WildcardResourceMatcher.isMatch(resourceValue=" + resourceValue + ", evalContext=" + evalContext + ")");
+ }
String expandedValue = getExpandedValue(evalContext);
boolean ret = function.apply(resourceValue, expandedValue, ioCase);
if (!ret) {
@@ -329,6 +338,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
}
}
}
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== WildcardResourceMatcher.isMatch(resourceValue=" + resourceValue + ", expandedValue=" + expandedValue + ") : result:[" + ret + "]");
+ }
return ret;
}
}
@@ -344,6 +356,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
}
@Override
boolean isMatch(String resourceValue, Map<String, Object> evalContext) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RecursiveWildcardResourceMatcher.isMatch(resourceValue=" + resourceValue + ", evalContext=" + evalContext + ")");
+ }
String expandedValue = getExpandedValue(evalContext);
boolean ret = function.apply(resourceValue, expandedValue, pathSeparatorChar, ioCase);
if (!ret) {
@@ -359,6 +374,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
}
}
}
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RecursiveWildcardResourceMatcher.isMatch(resourceValue=" + resourceValue + ", expandedValue=" + expandedValue + ") : result:[" + ret + "]");
+ }
return ret;
}
}
@@ -386,6 +404,9 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
@Override
boolean isMatch(String resourceValue, Map<String, Object> evalContext) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RecursivePathResourceMatcher.isMatch(resourceValue=" + resourceValue + ", evalContext=" + evalContext + ")");
+ }
final String noSeparator;
if (getNeedsDynamicEval()) {
String expandedPolicyValue = getExpandedValue(evalContext);
@@ -414,14 +435,13 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
resourceValue = resourceValue.substring(0, resourceValue.length() - 1);
}
ret = primaryFunction.apply(resourceValue, shorterExpandedValue);
- if (!ret) {
- final String shortedExpandedValueWithSeparator = getNeedsDynamicEval() ? shorterExpandedValue + pathSeparatorChar : shorterExpandedValue;
- ret = fallbackFunction.apply(resourceValue, shortedExpandedValueWithSeparator);
- }
}
}
}
}
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RecursivePathResourceMatcher.isMatch(resourceValue=" + resourceValue + ", expandedValueWithoutTrailingSeparatorChar=" + noSeparator + ") : result:[" + ret + "]");
+ }
return ret;
}
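Review bot: Dropping the `fallbackFunction` branch after `ret = primaryFunction.apply(resourceValue, shorterExpandedValue)` narrows what a recursive path policy matches when the primary comparison fails, and neither the commit message nor a code comment says why the separator-suffixed fallback is no longer needed; a one-line comment above that assignment, naming the case the fallback used to cover and why it is now redundant, would stop the next reader from reintroducing it. If `fallbackFunction` is not referenced elsewhere in the class (its declaration is outside the hunk), the field and its initialisation are now dead and should go with it. The exit debug line logs `resourceValue` after the branch above may have stripped its trailing separator (`resourceValue = resourceValue.substring(0, resourceValue.length() - 1);`), so the entry and exit messages of one call can show different values; either capture the original into a local before the trim or label the exit value `trimmedResourceValue=` so the two lines can be paired when tracing an authorization decision. The start of isMatch is outside the hunk.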
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_aws.json b/agents-common/src/test/resources/policyengine/test_policyengine_aws.json
index 3e77506..118bef5 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_aws.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_aws.json
@@ -71,10 +71,104 @@
"policyItems":[
{"accesses":[{"type":"read","isAllowed":true}, {"type":"write","isAllowed":true}, {"type":"execute","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
]
+ },
+
+ {"id":100,"name":"allow-read-to-/tmp/{USER}}", "isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/tmp/{USER}"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}],"users":["{USER}"],"groups":[],"delegateAdmin":false}
+ ]
+ },
+ {"id":200,"name":"allow-all-to-/tmp/{USER}/subdir}","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/tmp/{USER}/subdir"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}, {"type":"write","isAllowed":true}, {"type":"execute","isAllowed":true}],"users":["{USER}"],"groups":[],"delegateAdmin":false}
+ ]
+ },
+ {"id":300,"name":"allow-read-to-/user/dir}","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/user/dir"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}],"users":["scott"],"groups":[],"delegateAdmin":false}
+ ]
+ },
+ {"id":400,"name":"allow-all-to-/user/dir/subdir}","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/user/dir/subdir"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}, {"type":"write","isAllowed":true}, {"type":"execute","isAllowed":true}],"users":["scott"],"groups":[],"delegateAdmin":false}
+ ]
+ },
+ {"id":500,"name":"allow-read-to-/user/{USER}/a*}", "isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/user/{USER}/*"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}],"users":["{USER}"],"groups":[],"delegateAdmin":false}
+ ]
}
],
"tests":[
+ {"name":"ALLOW 'write /tmp/scott' for u=scott for scope SELF_OR_CHILD",
+ "request":{
+ "resource":{"elements":{"path":"/tmp/scott"}}, "resourceMatchingScope": "SELF_OR_CHILD",
+ "accessType":"write","user":"scott","userGroups":[],"requestData":"write /tmp/scott"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId": 200}
+ },
+ {"name":"DENY 'ANY /tmp/scott' for u=joe for scope SELF_OR_CHILD",
+ "request":{
+ "resource":{"elements":{"path":"/tmp/scott"}}, "resourceMatchingScope": "SELF_OR_CHILD",
+ "accessType":"","user":"joe","userGroups":[],"requestData":"ANY /tmp/scott"
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId": -1}
+ },
+ {"name":"ALLOW 'ANY /tmp/scott' for u=scott for scope SELF",
+ "request":{
+ "resource":{"elements":{"path":"/tmp/scott"}},
+ "accessType":"","user":"scott","userGroups":[],"requestData":"ANY /tmp/scott"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId": 100}
+ },
+ {"name":"DENY 'ANY /tmp/scott' for u=joe for scope SELF",
+ "request":{
+ "resource":{"elements":{"path":"/tmp/scott"}},
+ "accessType":"","user":"joe","userGroups":[],"requestData":"ANY /tmp/scott"
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId": -1}
+ },
+ {"name":"ALLOW 'write /user/dir' for u=scott for scope SELF_OR_CHILD",
+ "request":{
+ "resource":{"elements":{"path":"/user/dir"}}, "resourceMatchingScope": "SELF_OR_CHILD",
+ "accessType":"write","user":"scott","userGroups":[],"requestData":"write /user/dir"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId": 400}
+ },
+ {"name":"ALLOW 'ANY /user/dir' for u=scott for scope SELF",
+ "request":{
+ "resource":{"elements":{"path":"/user/dir"}},
+ "accessType":"","user":"scott","userGroups":[],"requestData":"ANY /user/dir"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId": 300}
+ },
+ {"name":"DENY 'ANY /user/dir' for u=joe for scope SELF_OR_CHILD",
+ "request":{
+ "resource":{"elements":{"path":"/user/dir"}}, "resourceMatchingScope": "SELF_OR_CHILD",
+ "accessType":"","user":"joe","userGroups":[],"requestData":"ANY /user/dir"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId": -1}
+ },
+ {"name":"ALLOW 'read /user/scott' for u=scott for scope SELF_OR_CHILD",
+ "request":{
+ "resource":{"elements":{"path":"/user/scott"}}, "resourceMatchingScope": "SELF_OR_CHILD",
+ "accessType":"read","user":"scott","userGroups":[],"requestData":"read /tmp/scott"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId": 500}
+ },
+ {"name":"DENY 'read /user/scott' for u=scott for scope SELF",
+ "request":{
+ "resource":{"elements":{"path":"/user/scott"}},
+ "accessType":"read","user":"scott","userGroups":[],"requestData":"read /tmp/scott"
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId": -1}
+ },
{"name":"ALLOW 'ANY /' for u=user1",
"request":{
"resource":{"elements":{"path":"/"}}, "resourceMatchingScope": "SELF_OR_CHILD",