Posted to dev@pegasus.apache.org by "acelyc111 (via GitHub)" <gi...@apache.org> on 2023/06/12 03:38:49 UTC

[GitHub] [incubator-pegasus] acelyc111 commented on a diff in pull request #1518: feat(Ranger): refactor the logic when ranger performs ACL

acelyc111 commented on code in PR #1518:
URL: https://github.com/apache/incubator-pegasus/pull/1518#discussion_r1226051323


##########
src/runtime/ranger/ranger_resource_policy_manager.cpp:
##########
@@ -599,34 +582,45 @@ dsn::error_code ranger_resource_policy_manager::sync_policies_to_app_envs()
         req->__set_app_name(app.app_name);
         req->__set_keys(
             {dsn::replication::replica_envs::REPLICA_ACCESS_CONTROLLER_RANGER_POLICIES});
-        bool is_policy_matched = false;
+        std::vector<matched_database_table_policy> matched_database_table_policies;
         for (const auto &policy : table_policies->second) {
             // If this table does not match any database, its Ranger policies will be cleaned up.
             if (policy.database_names.count(database_name) == 0 &&
                 policy.database_names.count("*") == 0) {
                 continue;
             }
+            if (policy.table_names.count(table_name) == 0 && policy.table_names.count("*") == 0) {
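Review bot: The database filter on the line above the new table filter compares only `database_name` against `policy.database_names`, while `check_ranger_resource_policy_allowed` in ranger_resource_policy.cpp from the same PR additionally matches an empty `database_name` against `default_database_name` for legacy tables. If `database_name` can still be empty at this point — it is computed outside the hunk, so it may already be resolved — the sync path would clean up Ranger policies that the enforcement path still applies, leaving the two views of the ACL inconsistent. Either resolve the default database here in the same way, or, if it is already resolved upstream, say so where the name is used, e.g. `// database_name has already been resolved to the default database for legacy tables.`. sync_policies_to_app_envs's body continues outside the hunk, and the same hunk is quoted again under the last review comment on this page.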

Review Comment:
   Add some comments please.



##########
src/runtime/ranger/ranger_resource_policy.cpp:
##########
@@ -27,45 +28,151 @@ bool policy_item::match(const access_type &ac_type, const std::string &user_name
     return static_cast<bool>(access_types & ac_type) && users.count(user_name) != 0;
 }
 
-bool acl_policies::allowed(const access_type &ac_type, const std::string &user_name) const
+policy_check_status acl_policies::policies_check(const access_type &ac_type,
+                                                 const std::string &user_name,
+                                                 const policy_check_type &check_type) const
 {
-    // 1. Check if it is not allowed.
-    for (const auto &deny_policy : deny_policies) {
-        // 1.1. In 'deny_policies'.
-        if (!deny_policy.match(ac_type, user_name)) {
+    if (check_type == policy_check_type::kAllow) {
+        return do_policies_check(
+            check_type, ac_type, user_name, allow_policies, allow_policies_exclude);
+    }
+    CHECK(check_type == policy_check_type::kDeny, "");
+    return do_policies_check(check_type, ac_type, user_name, deny_policies, deny_policies_exclude);
+}
+
+policy_check_status
+acl_policies::do_policies_check(const policy_check_type &check_type,
+                                const access_type &ac_type,
+                                const std::string &user_name,
+                                const std::vector<policy_item> &policies,
+                                const std::vector<policy_item> &exclude_policies) const
+{
+    for (const auto &policy : policies) {
+        // 1. Doesn't match an allow_policies or a deny_policies.
+        if (!policy.match(ac_type, user_name)) {
             continue;
         }
-        bool in_deny_policies_exclude = false;
-        for (const auto &deny_policy_exclude : deny_policies_exclude) {
-            if (deny_policy_exclude.match(ac_type, user_name)) {
-                in_deny_policies_exclude = true;
-                break;
+        // 2. Matches a policy.
+        for (const auto &policy_exclude : exclude_policies) {
+            if (policy_exclude.match(ac_type, user_name)) {
+                // 2.1. Matches an allow/deny_policies_exclude.
+                return policy_check_status::kPending;
             }
         }
-        // 1.2. Not in any 'deny_policies_exclude', it's not allowed.
-        if (!in_deny_policies_exclude) {
-            return false;
+        // 2.2. Doesn't match any allow/deny_exclude_policies.
+        if (check_type == policy_check_type::kAllow) {
+            return policy_check_status::kAllowed;
+        } else {
+            return policy_check_status::kDenied;
         }
     }
+    // 3. Doesn't match any policy.
+    return policy_check_status::kNotMatched;
+}
 
-    // 2. Check if it is allowed.
-    for (const auto &allow_policy : allow_policies) {
-        // 2.1. In 'allow_policies'.
-        if (!allow_policy.match(ac_type, user_name)) {
+access_control_result
+check_ranger_resource_policy_allowed(const std::vector<ranger_resource_policy> &policies,
+                                     const access_type &ac_type,
+                                     const std::string &user_name,
+                                     bool need_match_database,
+                                     const std::string &database_name,
+                                     const std::string &default_database_name)
+{
+    // Check if it is denied by any policy in current resource.
+    for (const auto &policy : policies) {
+        if (need_match_database) {
+            // Lagacy table not match any database.
+            if (database_name.empty() && policy.database_names.count("*") == 0 &&
+                policy.database_names.count(default_database_name) == 0) {
+                continue;
+            }
+            // New table not match any database.
+            if (!database_name.empty() && policy.database_names.count("*") == 0 &&
+                policy.database_names.count(database_name) == 0) {
+                continue;
+            }
+        }
+        auto check_status =
+            policy.policies.policies_check(ac_type, user_name, policy_check_type::kDeny);
+        // In a 'deny_policies' and not in any 'deny_policies_exclude'.
+        if (policy_check_status::kDenied == check_status) {
+            return access_control_result::kDenied;
+        }
+        // In a 'deny_policies' and in a 'deny_policies_exclude' or not match.
+        if (policy_check_status::kPending == check_status ||
+            policy_check_status::kNotMatched == check_status) {
             continue;
         }
-        for (const auto &allow_policy_exclude : allow_policies_exclude) {
-            // 2.2. In some 'allow_policies_exclude', it's not allowed.
-            if (allow_policy_exclude.match(ac_type, user_name)) {
-                return false;
+    }
+
+    // Check if it is allowed by any policy in current resource.
+    for (const auto &policy : policies) {
+        if (need_match_database) {
+            // Lagacy table not match any database.
+            if (database_name.empty() && policy.database_names.count("*") == 0 &&
+                policy.database_names.count(default_database_name) == 0) {
+                continue;
             }
+            // New table not match any database.
+            if (!database_name.empty() && policy.database_names.count("*") == 0 &&
+                policy.database_names.count(database_name) == 0) {
+                continue;
+            }
+        }
+        auto check_status =
+            policy.policies.policies_check(ac_type, user_name, policy_check_type::kAllow);
+        // In a 'allow_policies' and not in any 'allow_policies_exclude'.
+        if (policy_check_status::kAllowed == check_status) {
+            return access_control_result::kAllowed;
+        }
+        // In a 'deny_policies' and in a 'deny_policies_exclude' or not match.
+        if (policy_check_status::kPending == check_status ||
+            policy_check_status::kNotMatched == check_status) {
+            continue;
+        }
+    }
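Review bot: The trailing `if (policy_check_status::kPending == check_status || policy_check_status::kNotMatched == check_status) { continue; }` at the end of both loops in check_ranger_resource_policy_allowed is a no-op: after the kDenied (or kAllowed) early return those are the only statuses a kDeny (or kAllow) check can produce, and falling off the loop body continues anyway, so the branch only hides a status that was not thought about. For an access-control decision I would rather switch over the enumerators explicitly so an unexpected status is caught instead of silently skipped; the deny loop below shows the shape, and the allow loop gets the same treatment with kAllowed/kAllow. Separately, the comment before the second check in the allow loop, `// In a 'deny_policies' and in a 'deny_policies_exclude' or not match.`, was copied from the deny loop and should read `// In an 'allow_policies' and in an 'allow_policies_exclude', or not matched.`; `Lagacy` in the two database-match comments should be `Legacy`. The function's body continues outside the hunk, so the result returned when neither loop decides is not visible here; the same hunk is quoted three more times below and this note applies to those copies too.
```cpp
        const auto check_status =
            policy.policies.policies_check(ac_type, user_name, policy_check_type::kDeny);
        switch (check_status) {
        case policy_check_status::kDenied:
            // In a 'deny_policies' and not in any 'deny_policies_exclude'.
            return access_control_result::kDenied;
        case policy_check_status::kPending:
        case policy_check_status::kNotMatched:
            // Exempted by a 'deny_policies_exclude', or no deny policy matched: try the next policy.
            break;
        case policy_check_status::kAllowed:
            CHECK(false, "kAllowed is not a valid result of a kDeny check");
        }
        // … unchanged: the allow loop, with kAllowed/kAllow substituted in the same way …
```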

Review Comment:
   It's duplicated; how about encapsulating it in a function?



##########
src/runtime/ranger/ranger_resource_policy.cpp:
##########
@@ -27,45 +28,151 @@ bool policy_item::match(const access_type &ac_type, const std::string &user_name
     return static_cast<bool>(access_types & ac_type) && users.count(user_name) != 0;
 }
 
-bool acl_policies::allowed(const access_type &ac_type, const std::string &user_name) const
+policy_check_status acl_policies::policies_check(const access_type &ac_type,
+                                                 const std::string &user_name,
+                                                 const policy_check_type &check_type) const
 {
-    // 1. Check if it is not allowed.
-    for (const auto &deny_policy : deny_policies) {
-        // 1.1. In 'deny_policies'.
-        if (!deny_policy.match(ac_type, user_name)) {
+    if (check_type == policy_check_type::kAllow) {
+        return do_policies_check(
+            check_type, ac_type, user_name, allow_policies, allow_policies_exclude);
+    }
+    CHECK(check_type == policy_check_type::kDeny, "");
+    return do_policies_check(check_type, ac_type, user_name, deny_policies, deny_policies_exclude);
+}
+
+policy_check_status
+acl_policies::do_policies_check(const policy_check_type &check_type,
+                                const access_type &ac_type,
+                                const std::string &user_name,
+                                const std::vector<policy_item> &policies,
+                                const std::vector<policy_item> &exclude_policies) const
+{
+    for (const auto &policy : policies) {
+        // 1. Doesn't match an allow_policies or a deny_policies.
+        if (!policy.match(ac_type, user_name)) {
             continue;
         }
-        bool in_deny_policies_exclude = false;
-        for (const auto &deny_policy_exclude : deny_policies_exclude) {
-            if (deny_policy_exclude.match(ac_type, user_name)) {
-                in_deny_policies_exclude = true;
-                break;
+        // 2. Matches a policy.
+        for (const auto &policy_exclude : exclude_policies) {

Review Comment:
   rename `policy_exclude` to `exclude_policy`



##########
src/runtime/ranger/ranger_resource_policy.cpp:
##########
@@ -27,45 +28,151 @@ bool policy_item::match(const access_type &ac_type, const std::string &user_name
     return static_cast<bool>(access_types & ac_type) && users.count(user_name) != 0;
 }
 
-bool acl_policies::allowed(const access_type &ac_type, const std::string &user_name) const
+policy_check_status acl_policies::policies_check(const access_type &ac_type,
+                                                 const std::string &user_name,
+                                                 const policy_check_type &check_type) const
 {
-    // 1. Check if it is not allowed.
-    for (const auto &deny_policy : deny_policies) {
-        // 1.1. In 'deny_policies'.
-        if (!deny_policy.match(ac_type, user_name)) {
+    if (check_type == policy_check_type::kAllow) {
+        return do_policies_check(
+            check_type, ac_type, user_name, allow_policies, allow_policies_exclude);
+    }
+    CHECK(check_type == policy_check_type::kDeny, "");
+    return do_policies_check(check_type, ac_type, user_name, deny_policies, deny_policies_exclude);
+}
+
+policy_check_status
+acl_policies::do_policies_check(const policy_check_type &check_type,
+                                const access_type &ac_type,
+                                const std::string &user_name,
+                                const std::vector<policy_item> &policies,
+                                const std::vector<policy_item> &exclude_policies) const
+{
+    for (const auto &policy : policies) {
+        // 1. Doesn't match an allow_policies or a deny_policies.
+        if (!policy.match(ac_type, user_name)) {
             continue;
         }
-        bool in_deny_policies_exclude = false;
-        for (const auto &deny_policy_exclude : deny_policies_exclude) {
-            if (deny_policy_exclude.match(ac_type, user_name)) {
-                in_deny_policies_exclude = true;
-                break;
+        // 2. Matches a policy.
+        for (const auto &policy_exclude : exclude_policies) {
+            if (policy_exclude.match(ac_type, user_name)) {
+                // 2.1. Matches an allow/deny_policies_exclude.
+                return policy_check_status::kPending;
             }
         }
-        // 1.2. Not in any 'deny_policies_exclude', it's not allowed.
-        if (!in_deny_policies_exclude) {
-            return false;
+        // 2.2. Doesn't match any allow/deny_exclude_policies.
+        if (check_type == policy_check_type::kAllow) {
+            return policy_check_status::kAllowed;
+        } else {
+            return policy_check_status::kDenied;
         }
     }
+    // 3. Doesn't match any policy.
+    return policy_check_status::kNotMatched;
+}
 
-    // 2. Check if it is allowed.
-    for (const auto &allow_policy : allow_policies) {
-        // 2.1. In 'allow_policies'.
-        if (!allow_policy.match(ac_type, user_name)) {
+access_control_result
+check_ranger_resource_policy_allowed(const std::vector<ranger_resource_policy> &policies,
+                                     const access_type &ac_type,
+                                     const std::string &user_name,
+                                     bool need_match_database,

Review Comment:
   Use an enum instead of a boolean.



##########
src/runtime/ranger/ranger_resource_policy.cpp:
##########
@@ -27,45 +28,151 @@ bool policy_item::match(const access_type &ac_type, const std::string &user_name
     return static_cast<bool>(access_types & ac_type) && users.count(user_name) != 0;
 }
 
-bool acl_policies::allowed(const access_type &ac_type, const std::string &user_name) const
+policy_check_status acl_policies::policies_check(const access_type &ac_type,
+                                                 const std::string &user_name,
+                                                 const policy_check_type &check_type) const
 {
-    // 1. Check if it is not allowed.
-    for (const auto &deny_policy : deny_policies) {
-        // 1.1. In 'deny_policies'.
-        if (!deny_policy.match(ac_type, user_name)) {
+    if (check_type == policy_check_type::kAllow) {
+        return do_policies_check(
+            check_type, ac_type, user_name, allow_policies, allow_policies_exclude);
+    }
+    CHECK(check_type == policy_check_type::kDeny, "");
+    return do_policies_check(check_type, ac_type, user_name, deny_policies, deny_policies_exclude);
+}
+
+policy_check_status
+acl_policies::do_policies_check(const policy_check_type &check_type,
+                                const access_type &ac_type,
+                                const std::string &user_name,
+                                const std::vector<policy_item> &policies,
+                                const std::vector<policy_item> &exclude_policies) const
+{
+    for (const auto &policy : policies) {
+        // 1. Doesn't match an allow_policies or a deny_policies.
+        if (!policy.match(ac_type, user_name)) {
             continue;
         }
-        bool in_deny_policies_exclude = false;
-        for (const auto &deny_policy_exclude : deny_policies_exclude) {
-            if (deny_policy_exclude.match(ac_type, user_name)) {
-                in_deny_policies_exclude = true;
-                break;
+        // 2. Matches a policy.
+        for (const auto &policy_exclude : exclude_policies) {
+            if (policy_exclude.match(ac_type, user_name)) {
+                // 2.1. Matches an allow/deny_policies_exclude.
+                return policy_check_status::kPending;
             }
         }
-        // 1.2. Not in any 'deny_policies_exclude', it's not allowed.
-        if (!in_deny_policies_exclude) {
-            return false;
+        // 2.2. Doesn't match any allow/deny_exclude_policies.
+        if (check_type == policy_check_type::kAllow) {
+            return policy_check_status::kAllowed;
+        } else {
+            return policy_check_status::kDenied;
         }
     }
+    // 3. Doesn't match any policy.
+    return policy_check_status::kNotMatched;
+}
 
-    // 2. Check if it is allowed.
-    for (const auto &allow_policy : allow_policies) {
-        // 2.1. In 'allow_policies'.
-        if (!allow_policy.match(ac_type, user_name)) {
+access_control_result
+check_ranger_resource_policy_allowed(const std::vector<ranger_resource_policy> &policies,
+                                     const access_type &ac_type,
+                                     const std::string &user_name,
+                                     bool need_match_database,
+                                     const std::string &database_name,
+                                     const std::string &default_database_name)
+{
+    // Check if it is denied by any policy in current resource.
+    for (const auto &policy : policies) {
+        if (need_match_database) {
+            // Lagacy table not match any database.
+            if (database_name.empty() && policy.database_names.count("*") == 0 &&
+                policy.database_names.count(default_database_name) == 0) {
+                continue;
+            }
+            // New table not match any database.
+            if (!database_name.empty() && policy.database_names.count("*") == 0 &&
+                policy.database_names.count(database_name) == 0) {
+                continue;
+            }
+        }
+        auto check_status =
+            policy.policies.policies_check(ac_type, user_name, policy_check_type::kDeny);
+        // In a 'deny_policies' and not in any 'deny_policies_exclude'.

Review Comment:
   comments add: or not match any policies?



##########
src/runtime/ranger/ranger_resource_policy_manager.cpp:
##########
@@ -599,34 +582,45 @@ dsn::error_code ranger_resource_policy_manager::sync_policies_to_app_envs()
         req->__set_app_name(app.app_name);
         req->__set_keys(
             {dsn::replication::replica_envs::REPLICA_ACCESS_CONTROLLER_RANGER_POLICIES});
-        bool is_policy_matched = false;
+        std::vector<matched_database_table_policy> matched_database_table_policies;
         for (const auto &policy : table_policies->second) {
             // If this table does not match any database, its Ranger policies will be cleaned up.
             if (policy.database_names.count(database_name) == 0 &&
                 policy.database_names.count("*") == 0) {
                 continue;
             }
+            if (policy.table_names.count(table_name) == 0 && policy.table_names.count("*") == 0) {
+                continue;
+            }
+            matched_database_table_policy _matched_database_table_policy(

Review Comment:
   Don't name a variable with a "_" prefix, it's a naming rule for member variables.


