Posted to commits@ranger.apache.org by ma...@apache.org on 2015/01/07 20:32:17 UTC
[18/27] incubator-ranger git commit: RANGER-203: Added
RangerMutableResource interface with methods to update resource element
values. Removed RangerAccessResult.deniedResources;
this will not be needed after the result class is updated to capture policy
RANGER-203: Added RangerMutableResource interface with methods to update
resource element values. Removed RangerAccessResult.deniedResources;
this will not be needed after the result class is updated to capture
policy-id/audit-flag for each leaf-level element.
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/3cfe45b7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/3cfe45b7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/3cfe45b7
Branch: refs/heads/stack
Commit: 3cfe45b75ffa99079c547c193e58ed2a689d9103
Parents: 3c52e0e
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Fri Jan 2 18:43:01 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Wed Jan 7 11:18:37 2015 -0800
----------------------------------------------------------------------
.../plugin/policyengine/RangerAccessResult.java | 24 ----
.../policyengine/RangerMutableResource.java | 30 +++++
.../plugin/policyengine/RangerResource.java | 11 +-
.../plugin/policyengine/RangerResourceImpl.java | 127 ++++++-------------
.../RangerDefaultPolicyEvaluator.java | 15 ++-
5 files changed, 87 insertions(+), 120 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3cfe45b7/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index 3c04139..1eadc05 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -25,7 +25,6 @@ public class RangerAccessResult {
private RangerAccessRequest request = null;
private Result result = null;
- private RangerResource deniedResource = null;
private boolean isAudited = false;
private long policyId = -1;
private String reason = null;
@@ -69,20 +68,6 @@ public class RangerAccessResult {
}
/**
- * @return the deniedResource
- */
- public RangerResource getDeniedResource() {
- return deniedResource;
- }
-
- /**
- * @param deniedResource the deniedResource to set
- */
- public void setDeniedResource(RangerResource deniedResource) {
- this.deniedResource = deniedResource;
- }
-
- /**
* @return the auditAccess
*/
public boolean isAudited() {
@@ -124,14 +109,6 @@ public class RangerAccessResult {
this.reason = reason;
}
- public void addDeniedResource(String resourceType, String resourceValue) {
- if(deniedResource == null) {
- deniedResource = new RangerResourceImpl();
- }
-
- ((RangerResourceImpl)deniedResource).addElement(resourceType, resourceValue);
- }
-
@Override
public String toString( ) {
StringBuilder sb = new StringBuilder();
@@ -146,7 +123,6 @@ public class RangerAccessResult {
sb.append("request={").append(request).append("} ");
sb.append("result={").append(result).append("} ");
- sb.append("deniedResource={").append(deniedResource).append("} ");
sb.append("isAudited={").append(isAudited).append("} ");
sb.append("policyId={").append(policyId).append("} ");
sb.append("reason={").append(reason).append("} ");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3cfe45b7/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
new file mode 100644
index 0000000..da254c9
--- /dev/null
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import java.util.Collection;
+
+public interface RangerMutableResource extends RangerResource {
+ void setOwnerUser(String ownerUser);
+
+ void setElement(String type, String value);
+
+ void setLeafElement(String type, Collection<String> value);
+}
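Review bot: The three setters in RangerMutableResource are declared without Javadoc, so the contract implementations must honour is only visible by reading RangerResourceImpl. I would add an interface comment stating that a resource carries at most one leaf element. On `setLeafElement`, document whether it replaces the previous leaf type and values and whether the passed collection is copied or retained, e.g. `/** Replaces the leaf element; the collection is stored as given and must not be modified by the caller afterwards. */` if retaining is intended. The same gap applies to `getLeafElementValues()` in the RangerResource.java hunk, which should say whether it can return null.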
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3cfe45b7/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java
index 9e10e40..df5abcb 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java
@@ -19,17 +19,18 @@
package org.apache.ranger.plugin.policyengine;
-import java.util.List;
+import java.util.Collection;
public interface RangerResource {
public abstract String getOwnerUser();
public abstract boolean elementExists(String type);
- public abstract boolean elementIsSingleValued(String type);
-
public abstract String getElementValue(String type);
- public abstract List<String> getElementValues(String type);
+ public abstract boolean isLeafElement(String type);
+
+ public abstract String getLeafElementType();
-}
\ No newline at end of file
+ public abstract Collection<String> getLeafElementValues();
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3cfe45b7/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
index da5010b..97a49b8 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
@@ -19,18 +19,16 @@
package org.apache.ranger.plugin.policyengine;
-import java.util.ArrayList;
+import java.util.Collection;
import java.util.HashMap;
-import java.util.List;
import java.util.Map;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
-
-public class RangerResourceImpl implements RangerResource {
+public class RangerResourceImpl implements RangerMutableResource {
private String ownerUser = null;
- private Map<String, Object> elements = null;
+ private Map<String, String> elements = null;
+ private String leafElementType = null;
+ private Collection<String> leafElementValues = null;
public RangerResourceImpl() {
@@ -43,34 +41,24 @@ public class RangerResourceImpl implements RangerResource {
@Override
public boolean elementExists(String type) {
- return elements != null && elements.containsKey(type);
+ return ((elements != null && elements.containsKey(type)) ||
+ (leafElementType != null && leafElementType.equals(type) && leafElementValues != null && !leafElementType.isEmpty()));
}
@Override
- public boolean elementIsSingleValued(String type) {
- Object val = (elements != null && elements.containsKey(type)) ? elements.get(type) : null;
-
- return val == null || (val instanceof String) || (((List<?>)val).size() <= 1);
+ public boolean isLeafElement(String type) {
+ return leafElementType != null && leafElementType.equals(type);
}
@Override
public String getElementValue(String type) {
String ret = null;
- if(elements != null) {
- Object value = elements.get(type);
-
- if(value != null) {
- if(value instanceof String) {
- ret = (String)value;
- } else { // value must be a List<String>
- @SuppressWarnings("unchecked")
- List<String> list = (List<String>)value;
-
- if(list != null && list.size() > 0) {
- ret = list.get(0);
- }
- }
+ if(elements != null && elements.containsKey(type)) {
+ ret = elements.get(type);
+ } else if(leafElementType != null && leafElementType.equals(type)) {
+ if(leafElementValues != null && !leafElementValues.isEmpty()) {
+ ret = leafElementValues.iterator().next();
}
}
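Review bot: The leaf branch of `elementExists` ends with `!leafElementType.isEmpty()`, which tests the type name rather than the values, so a leaf element set with an empty collection is reported as existing. `getElementValue` in this hunk checks `leafElementValues.isEmpty()` for the same condition, so the last operand should read `leafElementValues != null && !leafElementValues.isEmpty()`. This class describes the resource of an access request, so the two methods should agree on when a leaf element is present. `getElementValue` continues past the end of this hunk.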
@@ -78,76 +66,35 @@ public class RangerResourceImpl implements RangerResource {
}
@Override
- public List<String> getElementValues(String type) {
- List<String> ret = null;
-
- if(elements != null) {
- Object value = elements.get(type);
-
- if(value != null) {
- if(value instanceof String) {
- ret = new ArrayList<String>();
- ret.add((String)value);
- } else { // value must be a List<String>
- @SuppressWarnings("unchecked")
- List<String> tmpList = (List<String>)value;
-
- ret = tmpList;
- }
- }
- }
+ public String getLeafElementType() {
+ return leafElementType;
+ }
- return ret;
+ @Override
+ public Collection<String> getLeafElementValues() {
+ return leafElementValues;
}
+ @Override
public void setOwnerUser(String ownerUser) {
this.ownerUser = ownerUser;
}
+ @Override
public void setElement(String type, String value) {
+ // TODO: verify that leafElementType != type
if(elements == null) {
- elements = new HashMap<String, Object>();
- }
-
- elements.put(type, value);
- }
-
- public void setElement(String type, List<String> value) {
- if(elements == null) {
- elements = new HashMap<String, Object>();
+ elements = new HashMap<String, String>();
}
elements.put(type, value);
}
- public void addElement(String type, String value) {
- if(elements == null) {
- elements = new HashMap<String, Object>();
- }
-
- Object val = elements.get(type);
-
- if(val == null) {
- elements.put(type, value);
- } else {
- List<String> list = null;
-
- if(val instanceof String) { // convert to a list-value
- list = new ArrayList<String>();
-
- elements.put(type, list);
-
- list.add((String)val);
- } else { // value must be a List<String>
- @SuppressWarnings("unchecked")
- List<String> tmpList = (List<String>)val;
-
- list = tmpList;
- }
-
- list.add(value);
- }
-
+ @Override
+ public void setLeafElement(String type, Collection<String> value) {
+ // TODO: verify that elements doesn't have an entry for type
+ leafElementType = type;
+ leafElementValues = value;
}
@Override
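Review bot: The TODOs in `setElement` and `setLeafElement` leave the type collision unchecked, so the same type can be held in `elements` and as the leaf at once. In that state `getElementValue(type)` returns the `elements` entry while `isLeafElement(type)` is true and `getLeafElementValues()` returns the other values. For a class that feeds policy matching I would reject the collision rather than defer it, e.g. in `setLeafElement`: `if(elements != null && elements.containsKey(type)) { throw new IllegalArgumentException("type is already a non-leaf element: " + type); }`, with the mirror check against `leafElementType` in `setElement`. Separately, `setLeafElement` keeps the caller's collection and `getLeafElementValues()` returns the same reference, so a comment saying that no copy is made would help.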
@@ -166,10 +113,18 @@ public class RangerResourceImpl implements RangerResource {
sb.append("elements={");
if(elements != null) {
- for(Map.Entry<String, Object> e : elements.entrySet()) {
- sb.append(e.getKey()).append("={");
- sb.append(e.getValue());
- sb.append("} ");
+ for(Map.Entry<String, String> e : elements.entrySet()) {
+ sb.append(e.getKey()).append("=").append(e.getValue()).append("; ");
+ }
+ }
+ sb.append("} ");
+
+ sb.append("leafElementType={").append(leafElementType).append("} ");
+
+ sb.append("leafElementValues={");
+ if(leafElementValues != null) {
+ for(String s : leafElementValues) {
+ sb.append(s).append("; ");
}
}
sb.append("} ");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3cfe45b7/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 28cca2e..4911f40 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -86,6 +86,11 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
RangerAccessResult ret = null;
RangerPolicy policy = getPolicy();
+ /*
+ * TODO: handle partial-deny cases, especially for plug-ins that can deal with
+ * allowing access to part of the requested resource - like HBase returning
+ * columns for which the user has access to
+ */
if(request != null && policy != null && matchResource(request.getResource())) {
for(RangerPolicyItem policyItem : policy.getPolicyItems()) {
RangerPolicyItemAccess access = getAccess(policyItem, request.getAccessType());
@@ -126,14 +131,14 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
for(ResourceDefMatcher matcher : matchers) {
String resourceType = matcher.getResourceType();
- if(resource.elementIsSingleValued(resourceType)) {
- String resourceValue = resource.getElementValue(resourceType);
+ if(resource.isLeafElement(resourceType)) {
+ Collection<String> resourceValues = resource.getLeafElementValues();
- ret = matcher.isMatch(resourceValue);
+ ret = matcher.isMatch(resourceValues);
} else {
- List<String> resourceValues = resource.getElementValues(resourceType);
+ String resourceValue = resource.getElementValue(resourceType);
- ret = matcher.isMatch(resourceValues);
+ ret = matcher.isMatch(resourceValue);
}
if(! ret) {
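Review bot: In the leaf branch, `resource.getLeafElementValues()` can be null or empty, since RangerResourceImpl initialises the field to null and stores whatever `setLeafElement` receives, and the result goes straight into `matcher.isMatch(resourceValues)`. `isMatch(Collection<String>)` is not part of this diff, so how it treats a null or empty collection cannot be confirmed here. If a non-match is the intended outcome for a request without leaf values, I would make that explicit with `ret = resourceValues != null && !resourceValues.isEmpty() && matcher.isMatch(resourceValues);`, or add a comment stating that the matcher handles both cases. The loop and the enclosing method start and end outside the hunk.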