Posted to commits@ranger.apache.org by ma...@apache.org on 2018/03/02 19:34:26 UTC
[2/2] ranger git commit: RANGER-1999: Ranger policy engine updates to
support list-of-values in access reource
RANGER-1999: Ranger policy engine updates to support list-of-values in access resource
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/6cc62086
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/6cc62086
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/6cc62086
Branch: refs/heads/master
Commit: 6cc62086795a212516b69fd09a1c2ef7a6761e5d
Parents: d3fffd0
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Wed Feb 28 13:00:03 2018 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Fri Mar 2 11:33:26 2018 -0800
----------------------------------------------------------------------
.../ranger/authorization/utils/StringUtil.java | 16 +++
.../policyengine/RangerAccessResource.java | 4 +-
.../policyengine/RangerAccessResourceImpl.java | 16 +--
.../RangerAccessResourceReadOnly.java | 8 +-
.../policyengine/RangerMutableResource.java | 2 +-
.../RangerDefaultPolicyResourceMatcher.java | 32 +++--
.../RangerAbstractResourceMatcher.java | 13 +-
.../RangerDefaultResourceMatcher.java | 25 +++-
.../resourcematcher/RangerResourceMatcher.java | 2 +-
.../plugin/resourcematcher/ResourceMatcher.java | 13 ++
.../ranger/plugin/service/RangerBasePlugin.java | 3 +-
.../ranger/plugin/util/RangerResourceTrie.java | 130 ++++++++++++++-----
.../plugin/policyengine/TestPolicyEngine.java | 7 +
.../RangerAbstractResourceMatcherTest.java | 2 +-
.../policyengine/test_policyengine_atlas.json | 120 +++++++++++++++++
.../hive/authorizer/RangerHiveResource.java | 10 +-
.../perftest/v2/RangerPolicyFactory.java | 2 +-
.../org/apache/ranger/rest/ServiceREST.java | 17 +--
18 files changed, 344 insertions(+), 78 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java b/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
index 2835cdd..2bb834d 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
@@ -23,7 +23,9 @@ import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.GregorianCalendar;
+import java.util.HashMap;
import java.util.List;
+import java.util.Map;
import java.util.TimeZone;
public class StringUtil {
@@ -273,4 +275,18 @@ public class StringUtil {
return utc.getTime();
}
+
+ public static Map<String, Object> toStringObjectMap(Map<String, String> map) {
+ Map<String, Object> ret = null;
+
+ if (map != null) {
+ ret = new HashMap<>(map.size());
+
+ for (Map.Entry<String, String> e : map.entrySet()) {
+ ret.put(e.getKey(), e.getValue());
+ }
+ }
+
+ return ret;
+ }
}
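Review bot: The copy loop in toStringObjectMap is the HashMap copy constructor written by hand; `HashMap(Map)` performs the same key-by-key copy and sizes itself, so the body can shrink to `return map == null ? null : new HashMap<>(map);`. The null-in/null-out contract is worth keeping explicitly, because RangerBasePlugin passes the result straight into RangerAccessResourceImpl, which accepts a null element map. A one-line Javadoc stating it, `/** Widens a String-valued map to Map<String, Object>; returns null for null input. */`, would make that visible to other callers.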
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
index 2ee616a..e2ed3f2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
@@ -33,7 +33,7 @@ public interface RangerAccessResource {
boolean exists(String name);
- String getValue(String name);
+ Object getValue(String name);
RangerServiceDef getServiceDef();
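Review bot: Widening getValue to Object leaves the interface without any statement of which runtime types a value may have; the only definition is scattered across the matchers, where RangerDefaultResourceMatcher handles String and Collection and RangerDefaultPolicyResourceMatcher and RangerAbstractResourceMatcher treat anything else as a non-match. A Javadoc on getValue such as `Returns the value of the named resource element: a String, a Collection<String> (matching any element is sufficient), or null; values of any other type never match.` would give plugin authors the contract in one place. The same gap applies to getAsMap in the second hunk of this file, to RangerMutableResource.setValue and to RangerAccessResourceImpl.setValue, which accept any Object without checking it.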
@@ -45,7 +45,7 @@ public interface RangerAccessResource {
String getCacheKey();
- Map<String, String> getAsMap();
+ Map<String, Object> getAsMap();
RangerAccessResource getReadOnlyCopy();
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
index 5800486..93810ae 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
@@ -31,7 +31,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
public class RangerAccessResourceImpl implements RangerMutableResource {
private String ownerUser;
- private Map<String, String> elements;
+ private Map<String, Object> elements;
private String stringifiedValue;
private String stringifiedCacheKeyValue;
private String leafName;
@@ -41,11 +41,11 @@ public class RangerAccessResourceImpl implements RangerMutableResource {
this(null, null);
}
- public RangerAccessResourceImpl(Map<String, String> elements) {
+ public RangerAccessResourceImpl(Map<String, Object> elements) {
this(elements, null);
}
- public RangerAccessResourceImpl(Map<String, String> elements, String ownerUser) {
+ public RangerAccessResourceImpl(Map<String, Object> elements, String ownerUser) {
this.elements = elements;
this.ownerUser = ownerUser;
}
@@ -61,8 +61,8 @@ public class RangerAccessResourceImpl implements RangerMutableResource {
}
@Override
- public String getValue(String name) {
- String ret = null;
+ public Object getValue(String name) {
+ Object ret = null;
if(elements != null && elements.containsKey(name)) {
ret = elements.get(name);
@@ -88,7 +88,7 @@ public class RangerAccessResourceImpl implements RangerMutableResource {
}
@Override
- public void setValue(String name, String value) {
+ public void setValue(String name, Object value) {
if(value == null) {
if(elements != null) {
elements.remove(name);
@@ -200,7 +200,7 @@ public class RangerAccessResourceImpl implements RangerMutableResource {
}
@Override
- public Map<String, String> getAsMap() {
+ public Map<String, Object> getAsMap() {
return elements == null ? Collections.EMPTY_MAP : Collections.unmodifiableMap(elements);
}
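Review bot: Collections.unmodifiableMap in getAsMap only freezes the map itself; now that values may be Collection instances, a caller holding the map — including the RangerAccessResourceReadOnly wrapper built from it — can still add or remove elements of a value collection and thereby change what later matchers see. If the read-only view is meant as a guarantee to condition evaluators and plugin code, wrap collection values with `Collections.unmodifiableCollection(...)` when they are stored by setValue, or document that the view is shallow. While here, the raw `Collections.EMPTY_MAP` should become `Collections.<String, Object>emptyMap()` so the method no longer relies on an unchecked raw-type conversion.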
@@ -251,7 +251,7 @@ public class RangerAccessResourceImpl implements RangerMutableResource {
sb.append("elements={");
if(elements != null) {
- for(Map.Entry<String, String> e : elements.entrySet()) {
+ for(Map.Entry<String, Object> e : elements.entrySet()) {
sb.append(e.getKey()).append("=").append(e.getValue()).append("; ");
}
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java
index 18bb1f4..30abf91 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java
@@ -29,7 +29,7 @@ public class RangerAccessResourceReadOnly implements RangerAccessResource {
private final RangerAccessResource source;
private final Set<String> keys;
- private final Map<String, String> map;
+ private final Map<String, Object> map;
public RangerAccessResourceReadOnly(final RangerAccessResource source) {
this.source = source;
@@ -42,7 +42,7 @@ public class RangerAccessResourceReadOnly implements RangerAccessResource {
}
this.keys = Collections.unmodifiableSet(sourceKeys);
- Map<String, String> sourceMap = source.getAsMap();
+ Map<String, Object> sourceMap = source.getAsMap();
if (MapUtils.isEmpty(sourceMap)) {
sourceMap = new HashMap<>();
@@ -54,7 +54,7 @@ public class RangerAccessResourceReadOnly implements RangerAccessResource {
public boolean exists(String name) { return source.exists(name); }
- public String getValue(String name) { return source.getValue(name); }
+ public Object getValue(String name) { return source.getValue(name); }
public RangerServiceDef getServiceDef() { return source.getServiceDef(); }
@@ -66,7 +66,7 @@ public class RangerAccessResourceReadOnly implements RangerAccessResource {
public String getCacheKey() { return source.getCacheKey(); }
- public Map<String, String> getAsMap() { return map; }
+ public Map<String, Object> getAsMap() { return map; }
public RangerAccessResource getReadOnlyCopy() { return this; }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
index 9fcefbe..7f83f96 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
@@ -25,6 +25,6 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
public interface RangerMutableResource extends RangerAccessResource {
void setOwnerUser(String ownerUser);
- void setValue(String type, String value);
+ void setValue(String type, Object value);
void setServiceDef(RangerServiceDef serviceDef);
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
index 415263e..c1b29d3 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
@@ -274,13 +274,21 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
if (keysMatch) {
for (RangerResourceDef resourceDef : serviceDef.getResources()) {
String resourceName = resourceDef.getName();
- String resourceValue = resource.getValue(resourceName);
+ Object resourceValue = resource.getValue(resourceName);
RangerResourceMatcher matcher = getResourceMatcher(resourceName);
- if (StringUtils.isEmpty(resourceValue)) {
- ret = matcher == null || matcher.isCompleteMatch(resourceValue, evalContext);
- } else {
- ret = matcher != null && matcher.isCompleteMatch(resourceValue, evalContext);
+ if (resourceValue == null) {
+ ret = matcher == null || matcher.isCompleteMatch(null, evalContext);
+ } else if (resourceValue instanceof String) {
+ String strValue = (String) resourceValue;
+
+ if (StringUtils.isEmpty(strValue)) {
+ ret = matcher == null || matcher.isCompleteMatch(strValue, evalContext);
+ } else {
+ ret = matcher != null && matcher.isCompleteMatch(strValue, evalContext);
+ }
+ } else { // return false for any other type of resourceValue
+ ret = false;
}
if (!ret) {
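Review bot: A Collection-valued resource, which isMatch now accepts in RangerDefaultResourceMatcher, makes isCompleteMatch fall into the final else branch and return false with no indication why, and the second hunk of this file (the `policyResources = null; break;` branch) behaves the same way, so a caller asking whether a policy exactly covers a multi-valued request gets a silent negative. If list-of-values is intentionally unsupported for complete-match, record that in the method's Javadoc and add a debug line to the else branch, e.g. `LOG.debug("isCompleteMatch: unsupported value type " + resourceValue.getClass().getName() + " for resource " + resourceName);`. The null branch and the empty-String branch also evaluate the same expression, so null could be folded into the String branch by treating it as empty. The enclosing method begins and ends outside this hunk.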
@@ -447,12 +455,18 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
for (RangerResourceDef resourceDef : serviceDef.getResources()) {
String resourceName = resourceDef.getName();
- String resourceValue = resource.getValue(resourceName);
- if (resourceValue != null) {
+ Object resourceValue = resource.getValue(resourceName);
+ if (resourceValue instanceof String) {
+ String strValue = (String) resourceValue;
+
if (policyResources == null) {
policyResources = new HashMap<>();
}
- policyResources.put(resourceName, new RangerPolicyResource(resourceValue));
+ policyResources.put(resourceName, new RangerPolicyResource(strValue));
+ } else if (resourceValue != null) { // return false for any other type of resourceValue
+ policyResources = null;
+
+ break;
}
}
final boolean ret = MapUtils.isNotEmpty(policyResources) && isMatch(policyResources, evalContext);
@@ -572,7 +586,7 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
for (RangerResourceDef resourceDef : hierarchy) {
RangerResourceMatcher matcher = getResourceMatcher(resourceDef.getName());
- String resourceValue = resource.getValue(resourceDef.getName());
+ Object resourceValue = resource.getValue(resourceDef.getName());
if (matcher != null) {
if (resourceValue != null) {
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
index acd599a..8f6facd 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -271,8 +271,17 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
return sb;
}
- boolean isAllValuesRequested(String resource) {
- boolean result = StringUtils.isEmpty(resource) || WILDCARD_ASTERISK.equals(resource);
+ boolean isAllValuesRequested(Object resource) {
+ final boolean result;
+
+ if (resource == null) {
+ result = true;
+ } else if (resource instanceof String) {
+ result = StringUtils.isEmpty((String) resource) || WILDCARD_ASTERISK.equals(resource);
+ } else { // return false for any other type of resourceValue
+ result = false;
+ }
+
if (LOG.isDebugEnabled()) {
LOG.debug("isAllValuesRequested(" + resource + "): " + result);
}
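Review bot: isAllValuesRequested returns false for every Collection, whereas RangerResourceTrie.getEvaluatorsForResource in this same commit treats an empty Collection as the empty string, i.e. as a request for all values, so the two paths disagree on what an empty list means. Either align this method with the trie, `} else if (resource instanceof Collection) { result = ((Collection<?>) resource).isEmpty(); }`, or state in the comment on the else branch that a list is never a wildcard request, and decide explicitly whether a list containing only "*" should count. The choice should be deliberate, because a value classified as "all values requested" skips the per-value loop in RangerDefaultResourceMatcher.isMatch and takes the isMatchAny shortcut instead.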
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
index a7399ee..8a44471 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
@@ -23,6 +23,7 @@ package org.apache.ranger.plugin.resourcematcher;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import java.util.Collection;
import java.util.Map;
@@ -30,7 +31,7 @@ public class RangerDefaultResourceMatcher extends RangerAbstractResourceMatcher
private static final Log LOG = LogFactory.getLog(RangerDefaultResourceMatcher.class);
@Override
- public boolean isMatch(String resource, Map<String, Object> evalContext) {
+ public boolean isMatch(Object resource, Map<String, Object> evalContext) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultResourceMatcher.isMatch(" + resource + ", " + evalContext + ")");
}
@@ -41,10 +42,24 @@ public class RangerDefaultResourceMatcher extends RangerAbstractResourceMatcher
if(allValuesRequested || isMatchAny) {
ret = isMatchAny;
} else {
- for (ResourceMatcher resourceMatcher : resourceMatchers.getResourceMatchers()) {
- ret = resourceMatcher.isMatch(resource, evalContext);
- if (ret) {
- break;
+ if (resource instanceof String) {
+ String strValue = (String) resource;
+
+ for (ResourceMatcher resourceMatcher : resourceMatchers.getResourceMatchers()) {
+ ret = resourceMatcher.isMatch(strValue, evalContext);
+ if (ret) {
+ break;
+ }
+ }
+ } else if (resource instanceof Collection) {
+ @SuppressWarnings("unchecked")
+ Collection<String> collValue = (Collection<String>) resource;
+
+ for (ResourceMatcher resourceMatcher : resourceMatchers.getResourceMatchers()) {
+ ret = resourceMatcher.isMatchAny(collValue, evalContext);
+ if (ret) {
+ break;
+ }
}
}
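Review bot: When resource is neither a String nor a Collection, the new branch structure leaves ret at whatever it was initialised to above the hunk (not visible here), with no else branch and no log, while the sibling changes in RangerDefaultPolicyResourceMatcher and RangerAbstractResourceMatcher assign false explicitly for that case. An explicit `} else { ret = false; // unsupported resource value type }` keeps the three sites consistent and makes the non-match outcome independent of the initialiser. The unchecked cast to Collection<String> also means a non-String element, which setValue does not reject, surfaces only as a ClassCastException inside ResourceMatcher.isMatchAny; iterating as `Collection<?>` and rejecting or converting non-String elements at this boundary would make the failure mode explicit. The declaration of ret lies outside the hunk.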
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
index 8183ded..0cb3e0f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
@@ -33,7 +33,7 @@ public interface RangerResourceMatcher {
boolean isMatchAny();
- boolean isMatch(String resource, Map<String, Object> evalContext);
+ boolean isMatch(Object resource, Map<String, Object> evalContext);
boolean isCompleteMatch(String resource, Map<String, Object> evalContext);
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
index eab9dbc..35856a9 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
@@ -24,6 +24,7 @@ import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.util.StringTokenReplacer;
import java.io.Serializable;
+import java.util.Collection;
import java.util.Comparator;
import java.util.Map;
@@ -46,6 +47,18 @@ abstract class ResourceMatcher {
return tokenReplacer != null;
}
+ public boolean isMatchAny(Collection<String> resourceValues, Map<String, Object> evalContext) {
+ if (resourceValues != null) {
+ for (String resourceValue : resourceValues) {
+ if (isMatch(resourceValue, evalContext)) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+ }
+
@Override
public String toString() {
return this.getClass().getName() + "(" + this.value + ")";
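Review bot: isMatchAny has no Javadoc, and its name is the only statement of its semantics: it returns true as soon as one element matches, so an allow policy covering a single value of a multi-valued request matches the whole request. That is the permissive direction for allow decisions; callers that need every value to be authorised must evaluate the values one at a time rather than pass the list. A Javadoc such as `Returns true if any element of resourceValues matches this matcher; a null or empty collection never matches.` would record both the contract and the null handling visible in the body.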
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index aad7834..725ed74 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -32,6 +32,7 @@ import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.RangerAdminClient;
import org.apache.ranger.admin.client.RangerAdminRESTClient;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
@@ -401,7 +402,7 @@ public class RangerBasePlugin {
if(request != null && resultProcessor != null) {
RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl();
- accessRequest.setResource(new RangerAccessResourceImpl(request.getResource()));
+ accessRequest.setResource(new RangerAccessResourceImpl(StringUtil.toStringObjectMap(request.getResource())));
accessRequest.setUser(request.getGrantor());
accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
accessRequest.setAction(action);
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
index f6c1e4d..e7e8cf5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
@@ -30,6 +30,7 @@ import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
@@ -46,6 +47,7 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
private final boolean optWildcard;
private final String wildcardChars;
private final TrieNode root;
+ private final Comparator<T> comparator;
public RangerResourceTrie(RangerServiceDef.RangerResourceDef resourceDef, List<T> evaluators) {
this(resourceDef, evaluators, null);
@@ -77,6 +79,7 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
this.optWildcard = RangerAbstractResourceMatcher.getOptionWildCard(matcherOptions);
this.wildcardChars = optWildcard ? DEFAULT_WILDCARD_CHARS + tokenReplaceSpecialChars : "" + tokenReplaceSpecialChars;
this.root = new TrieNode(Character.valueOf((char)0));
+ this.comparator = comparator;
for(T evaluator : evaluators) {
Map<String, RangerPolicyResource> policyResources = evaluator.getPolicyResource();
@@ -120,40 +123,21 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
return resourceName;
}
- public List<T> getEvaluatorsForResource(String resource) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerResourceTrie.getEvaluatorsForResource(" + resource + ")");
- }
-
- List<T> ret = null;
-
- TrieNode curr = root;
-
- final int len = resource.length();
- for(int i = 0; i < len; i++) {
- Character ch = getLookupChar(resource.charAt(i));
- TrieNode child = curr.getChild(ch);
+ public List<T> getEvaluatorsForResource(Object resource) {
+ if (resource instanceof String) {
+ return getEvaluatorsForResource((String) resource);
+ } else if (resource instanceof Collection) {
+ if (CollectionUtils.isEmpty((Collection) resource)) { // treat empty collection same as empty-string
+ return getEvaluatorsForResource("");
+ } else {
+ @SuppressWarnings("unchecked")
+ Collection<String> resources = (Collection<String>) resource;
- if(child == null) {
- ret = curr.getWildcardEvaluators();
- curr = null; // so that curr.getEvaluators() will not be called below
- break;
+ return getEvaluatorsForResources(resources);
}
-
- curr = child;
}
- if(ret == null) {
- if(curr != null) {
- ret = curr.getEvaluators();
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerResourceTrie.getEvaluatorsForResource(" + resource + "): evaluatorCount=" + (ret == null ? 0 : ret.size()));
- }
-
- return ret;
+ return null;
}
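Review bot: The public getEvaluatorsForResource(Object) returns null for a null resource and for any unsupported type without logging, so a malformed request now quietly yields no evaluators where the old String overload would have failed loudly with a NullPointerException on resource.length(). Since the caller probably cannot tell "no evaluators" apart from "no matching policy", a log line in the fall-through, `LOG.debug("getEvaluatorsForResource(" + resource + "): unsupported value type, returning null");`, makes the case diagnosable. The raw `(Collection) resource` in the isEmpty call should be `(Collection<?>) resource` to avoid the raw-type warning.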
public TrieData getTrieData() {
@@ -202,6 +186,92 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
}
}
+ private List<T> getEvaluatorsForResource(String resource) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerResourceTrie.getEvaluatorsForResource(" + resource + ")");
+ }
+
+ List<T> ret = null;
+ TrieNode curr = root;
+
+ final int len = resource.length();
+ for(int i = 0; i < len; i++) {
+ Character ch = getLookupChar(resource.charAt(i));
+ TrieNode child = curr.getChild(ch);
+
+ if(child == null) {
+ ret = curr.getWildcardEvaluators();
+ curr = null; // so that curr.getEvaluators() will not be called below
+ break;
+ }
+
+ curr = child;
+ }
+
+ if(ret == null) {
+ if(curr != null) {
+ ret = curr.getEvaluators();
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerResourceTrie.getEvaluatorsForResource(" + resource + "): evaluatorCount=" + (ret == null ? 0 : ret.size()));
+ }
+
+ return ret;
+ }
+
+ private List<T> getEvaluatorsForResources(Collection<String> resources) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerResourceTrie.getEvaluatorsForResources(" + resources + ")");
+ }
+
+ List<T> ret = null;
+ Map<Long, T> evaluatorsMap = null;
+
+ for (String resource : resources) {
+ List<T> resourceEvaluators = getEvaluatorsForResource(resource);
+
+ if (CollectionUtils.isEmpty(resourceEvaluators)) {
+ continue;
+ }
+
+ if (evaluatorsMap == null) {
+ if (ret == null) { // first resource: don't create map yet
+ ret = resourceEvaluators;
+ } else if (ret != resourceEvaluators) { // if evaluator list is same as earlier resources, retain the list, else create a map
+ evaluatorsMap = new HashMap();
+
+ for (T evaluator : ret) {
+ evaluatorsMap.put(evaluator.getId(), evaluator);
+ }
+
+ ret = null;
+ }
+ }
+
+ if (evaluatorsMap != null) {
+ for (T evaluator : resourceEvaluators) {
+ evaluatorsMap.put(evaluator.getId(), evaluator);
+ }
+ }
+ }
+
+ if (ret == null && evaluatorsMap != null) {
+ ret = new ArrayList<>(evaluatorsMap.values());
+
+ if (comparator != null) {
+ Collections.sort(ret, comparator);
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerResourceTrie.getEvaluatorsForResources(" + resources + "): evaluatorCount=" + (ret == null ? 0 : ret.size()));
+ }
+
+ return ret;
+ }
+
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
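Review bot: In getEvaluatorsForResources the merged result is sorted only when comparator is non-null, and the constructor shown in the earlier hunk permits a null comparator (the two-argument constructor passes null); in that case the evaluators gathered from several values come back in HashMap iteration order, which presumably differs from the order the single-value path returns from a trie node. If evaluator order matters to the caller, which the existence of the comparator suggests, either require a comparator when collection lookups are used or document on the method that the merged list is unordered without one. The merge also relies on evaluator.getId() being unique per evaluator to deduplicate; a comment stating that assumption would help, and `new HashMap()` should be `new HashMap<>()` to avoid the raw type.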
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index bcd1577..f8c692b 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -302,6 +302,13 @@ public class TestPolicyEngine {
runTestsFromResourceFiles(resourceFiles);
}
+ @Test
+ public void testPolicyEngine_atlas() {
+ String[] resourceFiles = { "/policyengine/test_policyengine_atlas.json" };
+
+ runTestsFromResourceFiles(resourceFiles);
+ }
+
private void runTestsFromResourceFiles(String[] resourceNames) {
for(String resourceName : resourceNames) {
InputStream inStream = this.getClass().getResourceAsStream(resourceName);
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java
index e2c7c27..e31437f 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java
@@ -42,7 +42,7 @@ public class RangerAbstractResourceMatcherTest {
static class AbstractMatcherWrapper extends RangerAbstractResourceMatcher {
@Override
- public boolean isMatch(String resource, Map<String, Object> evalContext) {
+ public boolean isMatch(Object resource, Map<String, Object> evalContext) {
fail("This method is not expected to be used by test!");
return false;
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/test/resources/policyengine/test_policyengine_atlas.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_atlas.json b/agents-common/src/test/resources/policyengine/test_policyengine_atlas.json
new file mode 100644
index 0000000..1f7c93b
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_atlas.json
@@ -0,0 +1,120 @@
+{
+ "serviceName":"atlasdev",
+
+ "serviceDef":{
+ "name":"atlas",
+ "id":3,
+ "resources":[
+ {"name":"entity-type","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Entity Type","description":"Entity Type"},
+ {"name":"entity-classification","level":2,"parent":"entity-type","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Entity Classification","description":"Entity Classification"},
+ {"name":"entity","level":2,"parent":"entity-classification","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Entity ID","description":"Entity ID"}
+ ],
+ "accessTypes":[
+ {"name":"entity-read","label":"Read Entity"},
+ {"name":"entity-create","label":"Create Entity"},
+ {"name":"entity-update","label":"Update Entity"},
+ {"name":"entity-delete","label":"Delete Entity"},
+ {"name":"entity-read-classification","label":"Read Entity Classification"},
+ {"name":"entity-add-classification","label":"Add Entity Classification"},
+ {"name":"entity-update-classification","label":"Update Entity Classification"},
+ {"name":"entity-remove-classification","label":"Remove Entity Classification"}
+ ]
+ },
+
+ "policies":[
+ {"id":1,"name":"policy for DataSets","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"entity-type":{"values":["DataSet"]},"entity-classification":{"values":["*"]},"entity":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"entity-read", "isAllowed":true}],"users":[],"groups":["data-stewards"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":2,"name":"policy for hive_table","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"entity-type":{"values":["hive_table"]},"entity-classification":{"values":["*"]},"entity":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"entity-read", "isAllowed":true}],"users":[],"groups":["hive-admins"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":10,"name":"policy for PII classification","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"entity-type":{"values":["hive_table"]},"entity-classification":{"values":["PII"]},"entity":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"entity-read", "isAllowed":true}],"users":[],"groups":["privacy-officers"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":20,"name":"policy for EMAIL_PII classification","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"entity-type":{"values":["hive_table"]},"entity-classification":{"values":["EMAIL_PII"]},"entity":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"entity-read", "isAllowed":true}],"users":[],"groups":["email-admins"],"delegateAdmin":false}
+ ]
+ }
+ ],
+
+ "tests":[
+ {"name":"DataSet read by a data-steward",
+ "request":{
+ "resource":{"elements":{"entity-type":"DataSet", "entity-classification":[]}, "entity":"default@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["data-stewards"]
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"DataSet read by a hive-admin",
+ "request":{
+ "resource":{"elements":{"entity-type":"DataSet", "entity-classification":""}, "entity":"default@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["hive-admins"]
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"hive_table read by a data-steward",
+ "request":{
+ "resource":{"elements":{"entity-type":["hive_table", "DataSet"], "entity-classification":""}, "entity":"default.testtable@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["data-stewards"]
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"hive_table read by a hive-admin",
+ "request":{
+ "resource":{"elements":{"entity-type":["hive_table", "DataSet"], "entity-classification":""}, "entity":"default.testtable@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["hive-admins"]
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"PII hive_table read by a privacy-officer",
+ "request":{
+ "resource":{"elements":{"entity-type":["hive_table", "DataSet"], "entity-classification":["PII"]}, "entity":"default.testtable@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["privacy-officers"]
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":10}
+ }
+ ,
+ {"name":"PII hive_table read by a email-admin",
+ "request":{
+ "resource":{"elements":{"entity-type":["hive_table", "DataSet"], "entity-classification":["PII"]}, "entity":"default.testtable@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["email-admins"]
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"EMAIL_PII hive_table read by a privacy-officer",
+ "request":{
+ "resource":{"elements":{"entity-type":["hive_table", "DataSet"], "entity-classification":["PII", "EMAIL_PII"]}, "entity":"default.testtable@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["privacy-officers"]
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":10}
+ }
+ ,
+ {"name":"EMAIL_PII hive_table read by a email-admin",
+ "request":{
+ "resource":{"elements":{"entity-type":["hive_table", "DataSet"], "entity-classification":["PII", "EMAIL_PII"]}, "entity":"default.testtable@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["email-admins"]
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":20}
+ }
+ ]
+}
+
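Review bot: In each of the eight requests under `tests`, the `entity` key is placed beside `elements` rather than inside it (`"resource":{"elements":{...}, "entity":"default@cl1"}`), so unless the harness reads sibling keys of `elements`, the third resource level is never part of the evaluated resource. The expected results still hold because all four policies use `"entity":{"values":["*"]}`, but a regression in entity-level matching, including the new list-of-values path, would go unnoticed. Moving it into the map, e.g. `"resource":{"elements":{"entity-type":"DataSet", "entity-classification":[], "entity":"default@cl1"}},`, and adding one case whose policy names a specific entity would make the file cover what the commit title describes. Separately, `entity` is declared with `"level":2` and `"parent":"entity-classification"`, the same level as its parent; this looks like it should be 3, though whether the engine depends on it is not visible here.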
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
index e4eafc6..48b8cb2 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
@@ -89,22 +89,22 @@ public class RangerHiveResource extends RangerAccessResourceImpl {
}
public String getDatabase() {
- return getValue(KEY_DATABASE);
+ return (String) getValue(KEY_DATABASE);
}
public String getTable() {
- return getValue(KEY_TABLE);
+ return (String) getValue(KEY_TABLE);
}
public String getUdf() {
- return getValue(KEY_UDF);
+ return (String) getValue(KEY_UDF);
}
public String getColumn() {
- return getValue(KEY_COLUMN);
+ return (String) getValue(KEY_COLUMN);
}
public String getUrl() {
- return getValue(KEY_URL);
+ return (String) getValue(KEY_URL);
}
}
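Review bot: The new `(String) getValue(...)` casts in all five getters assume the stored value is a single String, but this commit widens resource values to `Object` precisely so that callers can supply a list; if a Hive resource is ever populated that way, the getter fails with a bare ClassCastException rather than a clear error, and the authorization decision depends on where that exception is caught. A small private helper would keep the five one-liners and fail with an explicit message when the single-value invariant is broken, as below; whether returning null or throwing is the right behaviour depends on how the authorizer treats a missing database/table, which is outside this hunk.
```java
public String getDatabase() {
    return getStringValue(KEY_DATABASE);
}

// … unchanged: getTable/getUdf/getColumn/getUrl, each delegating to getStringValue …

// The Hive getters expose one name per level; reject anything else explicitly
// instead of letting an unchecked cast surface as ClassCastException.
private String getStringValue(String key) {
    Object value = getValue(key);

    if (value == null || value instanceof String) {
        return (String) value;
    }

    throw new IllegalStateException("resource '" + key + "' is not a single String value: " + value);
}
```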
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java
index 0008808..cef7bd9 100644
--- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java
@@ -179,7 +179,7 @@ public class RangerPolicyFactory {
return accessRequest;
}
- private static ImmutableMap<String, String> createResourceElements(boolean shouldEvaluateToTrue) {
+ private static ImmutableMap<String, Object> createResourceElements(boolean shouldEvaluateToTrue) {
String database = String.format("db_%s", System.nanoTime());
String table = String.format("table_%s", System.nanoTime());
String column = String.format("column_%s", System.nanoTime());
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 5b7d085..cb7ca52 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -58,6 +58,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.datatype.RESTResponse;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.biz.AssetMgr;
import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.biz.ServiceDBStore;
@@ -506,7 +507,7 @@ public class ServiceREST {
List<RangerPolicy> ret = new ArrayList<>();
List<RangerService> services = new ArrayList<>();
- Map<String, String> resource = new HashMap<>();
+ Map<String, Object> resource = new HashMap<>();
String validationMessage = validateResourcePoliciesRequest(serviceDefName, serviceName, request, services, resource);
@@ -542,7 +543,7 @@ public class ServiceREST {
return ret;
}
- private String validateResourcePoliciesRequest(String serviceDefName, String serviceName, HttpServletRequest request, List<RangerService> services, Map<String, String> resource) {
+ private String validateResourcePoliciesRequest(String serviceDefName, String serviceName, HttpServletRequest request, List<RangerService> services, Map<String, Object> resource) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.validatePoliciesForResourceRequest(service-type=" + serviceDefName + ", service-name=" + serviceName + ")");
}
@@ -1065,7 +1066,7 @@ public class ServiceREST {
validateGrantRevokeRequest(grantRequest);
String userName = grantRequest.getGrantor();
Set<String> userGroups = userMgr.getGroupsForUser(userName);
- RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource());
+ RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
@@ -1098,7 +1099,7 @@ public class ServiceREST {
if(! CollectionUtils.isEmpty(resourceNames)) {
for(String resourceName : resourceNames) {
- RangerPolicyResource policyResource = new RangerPolicyResource(resource.getValue(resourceName));
+ RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
policyResource.setIsRecursive(grantRequest.getIsRecursive());
policyResources.put(resourceName, policyResource);
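Review bot: `(String) resource.getValue(resourceName)` is an unchecked cast on a `RangerAccessResource` whose values are now `Object`; it appears safe only because `resource` is built via `StringUtil.toStringObjectMap(grantRequest.getResource())` in the preceding hunk, which from its name wraps a `Map<String, String>`. That invariant is not visible at the call site, and a `ClassCastException` here would surface as an unhandled error on the grant endpoint rather than a validation failure. A one-line comment such as `// resource was built from the request's Map<String, String>; values are always String here` would make the assumption explicit; the same applies to the identical cast in the `@@ -1210,7 +1211,7 @@` hunk. The enclosing method starts and ends outside this hunk.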
@@ -1162,7 +1163,7 @@ public class ServiceREST {
String userName = grantRequest.getGrantor();
Set<String> userGroups = userMgr.getGroupsForUser(userName);
- RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource());
+ RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
XXService xService = daoManager.getXXService().findByName(serviceName);
@@ -1210,7 +1211,7 @@ public class ServiceREST {
if(! CollectionUtils.isEmpty(resourceNames)) {
for(String resourceName : resourceNames) {
- RangerPolicyResource policyResource = new RangerPolicyResource(resource.getValue(resourceName));
+ RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
policyResource.setIsRecursive(grantRequest.getIsRecursive());
policyResources.put(resourceName, policyResource);
@@ -1277,7 +1278,7 @@ public class ServiceREST {
String userName = revokeRequest.getGrantor();
Set<String> userGroups = userMgr.getGroupsForUser(userName);
- RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource());
+ RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
@@ -1338,7 +1339,7 @@ public class ServiceREST {
String userName = revokeRequest.getGrantor();
Set<String> userGroups = userMgr.getGroupsForUser(userName);
- RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource());
+ RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
boolean isAllowed = false;
boolean isKeyAdmin = bizUtil.isKeyAdmin();