Posted to commits@ranger.apache.org by ma...@apache.org on 2015/05/25 21:19:44 UTC
[2/2] incubator-ranger git commit: Initial set of Policy-Engine
changes for evaluating tag-policies and changes after second round of review.
Revamped tag-policy evaluation,
merged with 5e9ff8a commit-id in tag-policy branch.
Initial set of Policy-Engine changes for evaluating tag-policies and changes after second round of review. Revamped tag-policy evaluation, merged with 5e9ff8a commit-id in tag-policy branch.
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d61bce5c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d61bce5c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d61bce5c
Branch: refs/heads/tag-policy
Commit: d61bce5c4431a5dda9a5b21aeaa320690795ec99
Parents: 5e9ff8a
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Mon May 18 14:34:21 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon May 25 11:41:18 2015 -0700
----------------------------------------------------------------------
.../RangerTagAttributeEvaluator.java | 49 +++
.../RangerAbstractContextEnricher.java | 26 ++
.../contextenricher/RangerContextEnricher.java | 9 +
.../RangerFileBasedTagProvider.java | 111 ++++++
.../ranger/plugin/model/RangerPolicy.java | 20 +-
.../plugin/policyengine/RangerAccessResult.java | 18 +-
.../plugin/policyengine/RangerPolicyEngine.java | 10 +-
.../policyengine/RangerPolicyEngineImpl.java | 343 ++++++++++++++++---
.../policyengine/RangerPolicyEngineOptions.java | 1 +
.../policyengine/RangerPolicyRepository.java | 128 ++++---
.../RangerDefaultPolicyEvaluator.java | 9 +
.../policyevaluator/RangerPolicyEvaluator.java | 4 +-
.../ranger/plugin/service/RangerBasePlugin.java | 4 +
.../plugin/store/AbstractServiceStore.java | 100 ++----
.../ranger/plugin/store/AbstractTagStore.java | 37 +-
.../org/apache/ranger/plugin/store/PList.java | 45 +--
.../plugin/store/RangerPolicyPaginatedList.java | 62 ----
.../store/RangerServiceDefPaginatedList.java | 61 ----
.../store/RangerServicePaginatedList.java | 62 ----
.../ranger/plugin/store/ServiceStore.java | 13 +-
.../apache/ranger/plugin/store/TagStore.java | 5 +
.../plugin/policyengine/TestPolicyEngine.java | 46 ++-
.../policyengine/test_policyengine_hdfs.json | 84 +++++
.../org/apache/ranger/biz/ServiceDBStore.java | 60 ++--
.../org/apache/ranger/rest/ServiceREST.java | 34 +-
.../apache/ranger/biz/TestServiceDBStore.java | 20 +-
.../org/apache/ranger/rest/TestServiceREST.java | 15 +-
27 files changed, 892 insertions(+), 484 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java
new file mode 100644
index 0000000..324ae4c
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.conditionevaluator;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+
+public class RangerTagAttributeEvaluator extends RangerAbstractConditionEvaluator {
+ private static final Log LOG = LogFactory.getLog(RangerTagAttributeEvaluator.class);
+
+ @Override
+ public void init() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerTagAttributeEvaluator.init(" + condition + ")");
+ }
+
+ super.init();
+ }
+
+ @Override
+ public boolean isMatched(RangerAccessRequest request) {
+ // TODO
+ // Set up environment: selected parts of request
+ // Invoke python interpreter
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerTagAttributeEvaluator.isMatched()");
+ }
+ return true;
+ }
+
+}
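Review bot: `isMatched()` returns `true` unconditionally, so any policy condition bound to this evaluator is treated as satisfied — a fail-open stub sitting in an authorization path. Until the real implementation lands the stub should fail closed and say so: `LOG.warn("RangerTagAttributeEvaluator.isMatched(): not implemented; condition treated as not matched"); return false;`. The TODO about invoking a Python interpreter also deserves a comment recording that the condition text is admin-authored policy data and must not be executed as code without an explicit sandboxing decision, since nothing in the class documents that trust boundary.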
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
index 0e18494..922cfea 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
@@ -27,6 +27,8 @@ import java.util.Properties;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerContextEnricherDef;
@@ -34,6 +36,10 @@ public abstract class RangerAbstractContextEnricher implements RangerContextEnri
private static final Log LOG = LogFactory.getLog(RangerAbstractContextEnricher.class);
protected RangerContextEnricherDef enricherDef;
+ protected String serviceName;
+ protected RangerServiceDef serviceDef;
+ protected String componentServiceName;
+ protected RangerServiceDef componentServiceDef;
private Map<String, String> options = null;
@@ -55,6 +61,26 @@ public abstract class RangerAbstractContextEnricher implements RangerContextEnri
}
}
+ @Override
+ public void setContextServiceName(String serviceName) {
+ this.serviceName = serviceName;
+ }
+
+ @Override
+ public void setContextServiceDef(RangerServiceDef serviceDef) {
+ this.serviceDef = serviceDef;
+ }
+
+ @Override
+ public void setContextComponentServiceName(String componentServiceName) {
+ this.componentServiceName = componentServiceName;
+ }
+
+ @Override
+ public void setContextComponentServiceDef(RangerServiceDef componentServiceDef) {
+ this.componentServiceDef = componentServiceDef;
+ }
+
public String getOption(String name) {
String ret = null;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerContextEnricher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerContextEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerContextEnricher.java
index 073225b..a614a0f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerContextEnricher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerContextEnricher.java
@@ -20,12 +20,21 @@
package org.apache.ranger.plugin.contextenricher;
+import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerContextEnricherDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
public interface RangerContextEnricher {
void setContextEnricherDef(RangerContextEnricherDef enricherDef);
+ void setContextServiceName(String serviceName);
+
+ void setContextServiceDef(RangerServiceDef serviceDef);
+
+ void setContextComponentServiceName(String componentServiceName);
+
+ void setContextComponentServiceDef(RangerServiceDef componentServiceDef);
+
void init();
void enrich(RangerAccessRequest request);
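Review bot: Four new abstract methods on a public interface break every out-of-tree `RangerContextEnricher` implementation at class-load time, and nothing on the interface says when the engine calls them relative to `init()` (the setter-before-init order is presumably relied on, judging by `RangerFileBasedTagProvider` reading `componentServiceDef`, but it is not stated anywhere). Add a Javadoc on the interface naming `RangerAbstractContextEnricher` as the supported base and stating the call order, e.g. `/** Context setters are invoked by the policy engine before init(); implementers should extend RangerAbstractContextEnricher rather than implement this directly. */` — the call-order half should be confirmed against the engine code, which is not in this page.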
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java
new file mode 100644
index 0000000..3b5520e
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java
@@ -0,0 +1,111 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.contextenricher;
+
+import java.lang.reflect.Type;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.google.gson.reflect.TypeToken;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerResource;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+
+
+public class RangerFileBasedTagProvider extends RangerAbstractContextEnricher {
+ private static final Log LOG = LogFactory.getLog(RangerFileBasedTagProvider.class);
+
+ private Properties resourceTagsMap = null;
+ String dataFile = null;
+ private Gson gsonBuilder = null;
+
+ @Override
+ public void init() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerFileBasedTagProvider.init()");
+ }
+
+ super.init();
+
+ dataFile = getOption("dataFile", "/etc/ranger/data/resourceTags.txt");
+
+ resourceTagsMap = readProperties(dataFile);
+
+ gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
+ .setPrettyPrinting()
+ .create();
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerFileBasedTagProvider.init()");
+ }
+ }
+
+ @Override
+ public void enrich(RangerAccessRequest request) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerFileBasedTagProvider.enrich(" + request + ")");
+ }
+
+ if(request != null && resourceTagsMap != null) {
+ Map<String, Object> context = request.getContext();
+ /*
+ This needs to know about :
+ - componentServiceDef (to filter on component-type which is required for getting matchers), and
+ - serviceName (to filter on cluster-specific tags)
+ */
+ // Provider is file-based.
+ // tags are a JSON strings
+
+ String requestedResource = request.getResource().getAsString(componentServiceDef);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerFileBasedTagProvider.enrich(): requestedResource = '"+ requestedResource +"'");
+ }
+ String tagsJsonString = resourceTagsMap.getProperty(requestedResource);
+
+ if(!StringUtils.isEmpty(tagsJsonString) && context != null) {
+ try {
+ Type listType = new TypeToken<List<RangerResource.RangerResourceTag>>() {
+ }.getType();
+ List<RangerResource.RangerResourceTag> tagList = gsonBuilder.fromJson(tagsJsonString, listType);
+
+ context.put(RangerPolicyEngine.KEY_CONTEXT_TAGS, tagList);
+ } catch (Exception e) {
+ LOG.error("RangerFileBasedTagProvider.enrich(): error parsing file " + this.dataFile + "exception=" + e);
+ }
+ } else {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerFileBasedTagProvider.enrich(): skipping due to unavailable context or tags. context=" + context + "; tags=" + tagsJsonString);
+ }
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerFileBasedTagProvider.enrich(" + request + ")");
+ }
+ }
+}
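Review bot: The `catch` at the end of `enrich()` logs and continues, so a malformed tag entry leaves the request without tags and any tag policy for that resource silently stops applying; the message also drops the stack trace (`+ e`) and lacks a space before `exception=`. Parse the whole file once in `init()` so bad entries surface at startup, and log with the throwable as the second argument; `request.getResource()` is also dereferenced at the top of `enrich()` without the null guard that `request` itself gets. Since the contents of `dataFile` (default `/etc/ranger/data/resourceTags.txt`) feed authorization decisions, the class comment should note that the file needs the same ownership and permissions as the policy cache.
```java
private Map<String, List<RangerResource.RangerResourceTag>> resourceTags = null;

@Override
public void init() {
    // … unchanged: debug logging, super.init(), dataFile lookup …
    Properties props = readProperties(dataFile);
    Gson gson = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z").create();
    Type listType = new TypeToken<List<RangerResource.RangerResourceTag>>() {}.getType();

    resourceTags = new HashMap<String, List<RangerResource.RangerResourceTag>>();

    if (props != null) {
        for (String resource : props.stringPropertyNames()) {
            try {
                List<RangerResource.RangerResourceTag> tags = gson.fromJson(props.getProperty(resource), listType);
                resourceTags.put(resource, tags);
            } catch (Exception e) {
                // fail loudly at startup: a bad entry here would otherwise silently disable tag policies for the resource
                LOG.error("RangerFileBasedTagProvider.init(): malformed tags for resource '" + resource + "' in " + dataFile, e);
            }
        }
    }
}

@Override
public void enrich(RangerAccessRequest request) {
    // … unchanged: debug logging …
    if (request != null && request.getResource() != null && resourceTags != null) {
        Map<String, Object> context = request.getContext();
        String requestedResource = request.getResource().getAsString(componentServiceDef);
        List<RangerResource.RangerResourceTag> tagList = resourceTags.get(requestedResource);

        if (tagList != null && context != null) {
            context.put(RangerPolicyEngine.KEY_CONTEXT_TAGS, tagList);
        }
        // … unchanged: debug logging for the skipped case …
    }
}
```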
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index 4001e7e..d634ea7 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -41,6 +41,8 @@ import org.codehaus.jackson.map.annotate.JsonSerialize;
@XmlRootElement
@XmlAccessorType(XmlAccessType.FIELD)
public class RangerPolicy extends RangerBaseModelObject implements java.io.Serializable {
+ public static final int FINAL_ACCESS_DECIDER_POLICY_TYPE = 1;
+
private static final long serialVersionUID = 1L;
private String service = null;
@@ -54,7 +56,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
/**
- * @param type
+ * @param
*/
public RangerPolicy() {
this(null, null, null, null, null, null, null);
@@ -106,7 +108,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
}
/**
- * @param type the type to set
+ * @param service the type to set
*/
public void setService(String service) {
this.service = service;
@@ -176,7 +178,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
}
/**
- * @param isEnabled the isEnabled to set
+ * @param isAuditEnabled the isEnabled to set
*/
public void setIsAuditEnabled(Boolean isAuditEnabled) {
this.isAuditEnabled = isAuditEnabled == null ? Boolean.TRUE : isAuditEnabled;
@@ -190,7 +192,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
}
/**
- * @param configs the resources to set
+ * @param resources the resources to set
*/
public void setResources(Map<String, RangerPolicyResource> resources) {
if(this.resources == null) {
@@ -238,6 +240,14 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
}
}
+ public boolean isFinalDecider() {
+ boolean isFinalDecidingPolicy = true;
+
+ if (getPolicyType() == null || getPolicyType() != FINAL_ACCESS_DECIDER_POLICY_TYPE) {
+ isFinalDecidingPolicy = false;
+ }
+ return isFinalDecidingPolicy;
+ }
@Override
public String toString( ) {
StringBuilder sb = new StringBuilder();
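Review bot: `isFinalDecider()` reduces to one expression, and the magic value `1` behind `FINAL_ACCESS_DECIDER_POLICY_TYPE` (added earlier in this file) carries no documentation of which policies receive it or what "final" means for evaluation: `return getPolicyType() != null && getPolicyType() == FINAL_ACCESS_DECIDER_POLICY_TYPE;`. Add a Javadoc on the constant along the lines of `/** policyType value marking a policy whose decision is not overridden by later policies; assigned by the admin service — confirm against RangerPolicyEngineImpl, which is not shown using it here */`, since no caller of `isFinalDecider()` is visible on this page.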
@@ -832,7 +842,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
}
/**
- * @param value the value to set
+ * @param values the value to set
*/
public void setValues(List<String> values) {
if (CollectionUtils.isEmpty(values)) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index 3a1fa1d..934f502 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -23,9 +23,9 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
public class RangerAccessResult {
- private String serviceName = null;
- private RangerServiceDef serviceDef = null;
- private RangerAccessRequest request = null;
+ private final String serviceName;
+ private final RangerServiceDef serviceDef;
+ private final RangerAccessRequest request;
private boolean isAccessDetermined = false;
private boolean isAllowed = false;
@@ -34,7 +34,7 @@ public class RangerAccessResult {
private long policyId = -1;
private String reason = null;
- public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, RangerAccessRequest request) {
+ public RangerAccessResult(final String serviceName, final RangerServiceDef serviceDef, final RangerAccessRequest request) {
this.serviceName = serviceName;
this.serviceDef = serviceDef;
this.request = request;
@@ -46,6 +46,14 @@ public class RangerAccessResult {
this.reason = null;
}
+ public void setAccessResultFrom(final RangerAccessResult other) {
+ this.isAccessDetermined = other.getIsAccessDetermined();
+ this.isAllowed = other.getIsAllowed();
+ this.policyId = other.getPolicyId();
+ this.reason = other.getReason();
+ }
+
+
/**
* @return the serviceName
*/
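Review bot: `setAccessResultFrom(other)` dereferences `other` with no null check and copies only the four access-decision fields, leaving whatever audit state this class holds untouched; whether that partial copy is by design or by omission is not stated. Guard it with `if (other == null) { return; }` (or throw, if a null here is a programming error) and document the contract: `/** Copies the access decision (determined/allowed/policyId/reason) from {@code other}; audit fields are intentionally left as-is. */`.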
@@ -129,7 +137,7 @@ public class RangerAccessResult {
}
/**
- * @return the policyId
+ * @param policyId the policyId to set
*/
public void setPolicyId(long policyId) {
this.policyId = policyId;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 0a0b210..bc4b9a7 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -29,10 +29,12 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
public interface RangerPolicyEngine {
- public static final String GROUP_PUBLIC = "public";
- public static final String ANY_ACCESS = "_any";
- public static final String ADMIN_ACCESS = "_admin";
- public static final long UNKNOWN_POLICY = -1;
+ String GROUP_PUBLIC = "public";
+ String ANY_ACCESS = "_any";
+ String ADMIN_ACCESS = "_admin";
+
+ String KEY_CONTEXT_TAGS = "TAGS";
+ String KEY_CONTEXT_TAG_OBJECT = "TAG_OBJECT";
String getServiceName();
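Review bot: Dropping `UNKNOWN_POLICY` from a public interface is a source- and binary-incompatible change for any plugin that references `RangerPolicyEngine.UNKNOWN_POLICY`, and `RangerAccessResult` on this same page still initialises `policyId` with the bare literal `-1`, so the sentinel has merely lost its name. Unless the constant was moved somewhere not shown here, keep `long UNKNOWN_POLICY = -1;` and use it for the `policyId` default. The new `KEY_CONTEXT_TAGS` / `KEY_CONTEXT_TAG_OBJECT` keys would also benefit from a one-line comment stating the value type stored under each (a `List<RangerResourceTag>` for `TAGS`, as `RangerFileBasedTagProvider` puts it; the `TAG_OBJECT` type is not visible on this page).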
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 4219875..0dc7981 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -20,44 +20,81 @@
package org.apache.ranger.plugin.policyengine;
import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerResource;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.util.ServicePolicies;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
public class RangerPolicyEngineImpl implements RangerPolicyEngine {
private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class);
private final RangerPolicyRepository policyRepository;
-
+ private final RangerPolicyRepository tagPolicyRepository;
+
+ private final List<RangerContextEnricher> allContextEnrichers;
public RangerPolicyEngineImpl(ServicePolicies servicePolicies) {
this(servicePolicies, null);
}
public RangerPolicyEngineImpl(ServicePolicies servicePolicies, RangerPolicyEngineOptions options) {
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl(" + servicePolicies + ", " + options + ")");
}
- if(options == null) {
+ if (options == null) {
options = new RangerPolicyEngineOptions();
}
policyRepository = new RangerPolicyRepository(servicePolicies, options);
- if(LOG.isDebugEnabled()) {
+ ServicePolicies.TagPolicies tagPolicies = servicePolicies.getTagPolicies();
+
+ if (!options.disableTagPolicyEvaluation
+ && tagPolicies != null
+ && !StringUtils.isEmpty(tagPolicies.getServiceName())
+ && tagPolicies.getServiceDef() != null
+ && !CollectionUtils.isEmpty(tagPolicies.getPolicies())) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyEngineImpl : Building tag-policy-repository for tag-service " + tagPolicies.getServiceName());
+ }
+ tagPolicyRepository = new RangerPolicyRepository(tagPolicies, options, servicePolicies.getServiceName(),
+ servicePolicies.getServiceDef());
+
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyEngineImpl : No tag-policy-repository for service " + servicePolicies.getServiceName());
+ }
+ tagPolicyRepository = null;
+ }
+
+ List<RangerContextEnricher> tmpList;
+
+ List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers();
+ List<RangerContextEnricher> resourceContextEnrichers = policyRepository.getContextEnrichers();
+
+ if (CollectionUtils.isEmpty(tagContextEnrichers)) {
+ tmpList = resourceContextEnrichers;
+ } else if (CollectionUtils.isEmpty(resourceContextEnrichers)) {
+ tmpList = tagContextEnrichers;
+ } else {
+ tmpList = new ArrayList<RangerContextEnricher>(tagContextEnrichers);
+ tmpList.addAll(resourceContextEnrichers);
+ }
+
+ this.allContextEnrichers = tmpList;
+
+ if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl()");
}
}
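Review bot: `tagPolicyRepository` built here is consulted only by `isAccessAllowedNoAudit` further down; the boolean `isAccessAllowed(resource, user, userGroups, accessType)`, `isAccessAllowed(resources, ...)` and `getAllowedPolicies` still iterate `policyRepository.getPolicyEvaluators()` alone, so callers of those entry points get answers that ignore tag policies, including any tag-based deny. If that is intended, say so on the field — `/** tag policies; evaluated only via isAccessAllowedNoAudit, the boolean isAccessAllowed overloads do not consult them */` — otherwise those paths need the same tag pass. Separately, `allContextEnrichers` aliases the repository's own list whenever one side is empty; `this.allContextEnrichers = Collections.unmodifiableList(new ArrayList<RangerContextEnricher>(tmpList));` keeps later mutation of a repository list from leaking into the engine. The `java.util.*` wildcard replacing the explicit imports is also out of step with the rest of the file.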
@@ -84,57 +121,57 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
@Override
public void enrichContext(RangerAccessRequest request) {
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.enrichContext(" + request + ")");
}
- List<RangerContextEnricher> enrichers = policyRepository.getContextEnrichers();
+ List<RangerContextEnricher> enrichers = allContextEnrichers;
- if(request != null && !CollectionUtils.isEmpty(enrichers)) {
- for(RangerContextEnricher enricher : enrichers) {
+ if (request != null && !CollectionUtils.isEmpty(enrichers)) {
+ for (RangerContextEnricher enricher : enrichers) {
enricher.enrich(request);
}
}
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.enrichContext(" + request + ")");
}
}
@Override
public void enrichContext(Collection<RangerAccessRequest> requests) {
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.enrichContext(" + requests + ")");
}
- List<RangerContextEnricher> enrichers = policyRepository.getContextEnrichers();
+ List<RangerContextEnricher> enrichers = allContextEnrichers;
- if(!CollectionUtils.isEmpty(requests) && !CollectionUtils.isEmpty(enrichers)) {
- for(RangerContextEnricher enricher : enrichers) {
- for(RangerAccessRequest request : requests) {
+ if (!CollectionUtils.isEmpty(requests) && !CollectionUtils.isEmpty(enrichers)) {
+ for (RangerContextEnricher enricher : enrichers) {
+ for (RangerAccessRequest request : requests) {
enricher.enrich(request);
}
}
}
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.enrichContext(" + requests + ")");
}
}
@Override
public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + request + ")");
}
RangerAccessResult ret = isAccessAllowedNoAudit(request);
- if(resultProcessor != null) {
+ if (resultProcessor != null) {
resultProcessor.processResult(ret);
}
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + request + "): " + ret);
}
@@ -143,25 +180,26 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
@Override
public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAccessResultProcessor resultProcessor) {
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + requests + ")");
}
-
+
Collection<RangerAccessResult> ret = new ArrayList<RangerAccessResult>();
- if(requests != null) {
- for(RangerAccessRequest request : requests) {
+ if (requests != null) {
+ for (RangerAccessRequest request : requests) {
+
RangerAccessResult result = isAccessAllowedNoAudit(request);
ret.add(result);
}
}
- if(resultProcessor != null) {
+ if (resultProcessor != null) {
resultProcessor.processResults(ret);
}
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + requests + "): " + ret);
}
@@ -170,21 +208,21 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
@Override
public boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType) {
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + ")");
}
boolean ret = false;
- for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
+ for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
ret = evaluator.isAccessAllowed(resource, user, userGroups, accessType);
- if(ret) {
+ if (ret) {
break;
}
}
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
}
@@ -194,21 +232,21 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
@Override
public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) {
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
}
boolean ret = false;
- for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
+ for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType);
- if(ret) {
+ if (ret) {
break;
}
}
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
}
@@ -217,21 +255,21 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
@Override
public RangerPolicy getExactMatchPolicy(RangerAccessResource resource) {
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + ")");
}
RangerPolicy ret = null;
- for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
- if(evaluator.isSingleAndExactMatch(resource)) {
+ for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
+ if (evaluator.isSingleAndExactMatch(resource)) {
ret = evaluator.getPolicy();
break;
}
}
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + "): " + ret);
}
@@ -240,23 +278,23 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
@Override
public List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String accessType) {
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.getAllowedPolicies(" + user + ", " + userGroups + ", " + accessType + ")");
}
List<RangerPolicy> ret = new ArrayList<RangerPolicy>();
- for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
+ for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
RangerPolicy policy = evaluator.getPolicy();
boolean isAccessAllowed = isAccessAllowed(policy.getResources(), user, userGroups, accessType);
- if(isAccessAllowed) {
+ if (isAccessAllowed) {
ret.add(policy);
}
}
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.getAllowedPolicies(" + user + ", " + userGroups + ", " + accessType + "): policyCount=" + ret.size());
}
@@ -264,41 +302,160 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
protected RangerAccessResult isAccessAllowedNoAudit(RangerAccessRequest request) {
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + ")");
}
RangerAccessResult ret = createAccessResult(request);
- if(ret != null && request != null) {
+ if (ret != null && request != null) {
+
+ if (tagPolicyRepository != null) {
+
+ RangerAccessResult tagAccessResult = isAccessAllowedForTagPolicies(request);
+
+ if (tagAccessResult.getIsAccessDetermined()) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + "): " + tagAccessResult);
+ }
+
+ return tagAccessResult;
+ }
+ }
+
List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators();
- if(evaluators != null) {
+ if (evaluators != null) {
+
boolean foundInCache = policyRepository.setAuditEnabledFromCache(request, ret);
- for(RangerPolicyEvaluator evaluator : evaluators) {
+ for (RangerPolicyEvaluator evaluator : evaluators) {
evaluator.evaluate(request, ret);
- // stop once allowed==true && auditedDetermined==true
- if(ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {
+ // stop once isAccessDetermined==true && isAuditedDetermined==true
+ if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {
break;
}
}
- if(! foundInCache) {
+ if (!foundInCache) {
policyRepository.storeAuditEnabledInCache(request, ret);
}
}
}
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + "): " + ret);
}
return ret;
}
+ protected RangerAccessResult isAccessAllowedForTagPolicies(final RangerAccessRequest request) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ")");
+ }
+
+ RangerAccessResult result = createAccessResult(request);
+
+ Map<String, Object> context = request.getContext();
+ Object contextObj;
+
+ if (context != null && (contextObj = context.get(KEY_CONTEXT_TAGS)) != null) {
+
+ @SuppressWarnings("unchecked")
+ List<RangerResource.RangerResourceTag> resourceTags = (List<RangerResource.RangerResourceTag>) contextObj;
+
+ List<RangerPolicyEvaluator> evaluators;
+
+ if (!CollectionUtils.isEmpty(evaluators = tagPolicyRepository.getPolicyEvaluators())) {
+
+ boolean someTagPolicyDeniedAccess = false;
+ boolean someTagPolicyAllowedAccess = false;
+ boolean someTagPolicyRequiredAudit = false;
+ RangerAccessResult allowedAccessResult = createAccessResult(request);
+ RangerAccessResult deniedAccessResult = createAccessResult(request);
+
+ List<RangerTagAuditEvent> tagAuditEvents = new ArrayList<RangerTagAuditEvent>();
+
+ for (RangerResource.RangerResourceTag resourceTag : resourceTags) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: Evaluating policies for tag (" + resourceTag.getName() + ")");
+ }
+
+ RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(resourceTag, getServiceDef().getName(), request);
+ RangerAccessResult tagEvalResult = createAccessResult(tagEvalRequest);
+
+ for (RangerPolicyEvaluator evaluator : evaluators) {
+
+ evaluator.evaluate(tagEvalRequest, tagEvalResult);
+
+ if (evaluator.isFinalDecider() ||
+ (tagEvalResult.getIsAccessDetermined() && tagEvalResult.getIsAuditedDetermined())) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval for tag-policy-id=" + tagEvalResult.getPolicyId() + " for tag (" + resourceTag.getName() + ") with authorization=" + tagEvalResult.getIsAllowed());
+ }
+ break;
+ }
+ }
+
+ if (tagEvalResult.getIsAuditedDetermined()) {
+ someTagPolicyRequiredAudit = true;
+ // And generate an audit event
+ if (tagEvalResult.getIsAccessDetermined()) {
+ RangerTagAuditEvent event = new RangerTagAuditEvent(resourceTag.getName(), tagEvalResult);
+ tagAuditEvents.add(event);
+ }
+ }
+
+ if (tagEvalResult.getIsAccessDetermined()) {
+ if (tagEvalResult.getIsAllowed()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: access allowed");
+ }
+ someTagPolicyAllowedAccess = true;
+ allowedAccessResult.setAccessResultFrom(tagEvalResult);
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: access denied");
+ }
+ someTagPolicyDeniedAccess = true;
+ deniedAccessResult.setAccessResultFrom(tagEvalResult);
+ }
+ }
+ }
+
+ if (someTagPolicyDeniedAccess) {
+ result.setAccessResultFrom(deniedAccessResult);
+ } else if (someTagPolicyAllowedAccess) {
+ result.setAccessResultFrom(allowedAccessResult);
+ }
+
+ if (someTagPolicyRequiredAudit) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: at least one tag-policy requires audit");
+ }
+ result.setIsAudited(true);
+ RangerTagAuditEvent.processTagEvents(tagAuditEvents, someTagPolicyDeniedAccess);
+ // Set processed list into result
+ // result.setAuxilaryAuditInfo(tagAuditEvents);
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies() : result=" + result);
+ LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies() : auditEventList=" + tagAuditEvents);
+ }
+ }
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ")" );
+ }
+
+ return result;
+ }
+
@Override
public String toString( ) {
StringBuilder sb = new StringBuilder();
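Review bot: The loop in isAccessAllowedForTagPolicies stops on `evaluator.isFinalDecider()` whether or not that policy matched the tag, so a final-decider policy written for a different tag silently ends evaluation of every remaining tag policy for this tag while the result is still undetermined. The break should require a decision before honoring the final-decider flag: `if (tagEvalResult.getIsAccessDetermined() && (evaluator.isFinalDecider() || tagEvalResult.getIsAuditedDetermined())) {`. Separately, the cast of the KEY_CONTEXT_TAGS value to `List<RangerResource.RangerResourceTag>` is unchecked and will throw ClassCastException on a malformed context instead of being treated as "no tags"; a type check such as `contextObj instanceof List` with a debug log on mismatch would keep a bad enricher from failing authorization with an exception. The processed `tagAuditEvents` list is computed and then dropped because the `setAuxilaryAuditInfo` line is commented out, so either attach it or note in a comment that audit detail is deferred.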
@@ -319,3 +476,83 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
return sb;
}
}
+class RangerTagResource extends RangerAccessResourceImpl {
+ private static final String KEY_TAG = "tag";
+
+
+ public RangerTagResource(String tag) {
+ super.setValue(KEY_TAG, tag);
+ }
+}
+
+class RangerTagAccessRequest extends RangerAccessRequestImpl {
+ public RangerTagAccessRequest(RangerResource.RangerResourceTag resourceTag, String componentName, RangerAccessRequest request) {
+ super.setResource(new RangerTagResource(resourceTag.getName()));
+ super.setUser(request.getUser());
+ super.setUserGroups(request.getUserGroups());
+ super.setAction(request.getAction());
+ super.setAccessType(componentName + ":" + request.getAccessType());
+ super.setAccessTime(request.getAccessTime());
+ super.setRequestData(request.getRequestData());
+
+ Map<String, Object> requestContext = request.getContext();
+ if (requestContext == null) {
+ requestContext = new HashMap<String, Object>();
+ }
+ requestContext.put(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT, resourceTag);
+ super.setContext(requestContext);
+
+ super.setClientType(request.getClientType());
+ super.setClientIPAddress(request.getClientIPAddress());
+ super.setSessionId(request.getSessionId());
+ }
+}
+
+
+class RangerTagAuditEvent {
+ private final String tagName;
+ private final RangerAccessResult result;
+
+ RangerTagAuditEvent(String tagName, RangerAccessResult result) {
+ this.tagName = tagName;
+ this.result = result;
+ }
+ @Override
+ public String toString( ) {
+ StringBuilder sb = new StringBuilder();
+
+ toString(sb);
+
+ return sb.toString();
+ }
+
+ public void toString(StringBuilder sb) {
+ sb.append("RangerTagAuditEvent={");
+
+ sb.append("tagName={").append(this.tagName).append("} ");
+ sb.append("isAccessDetermined={").append(this.result.getIsAccessDetermined()).append("}");
+ sb.append("isAllowed={").append(this.result.getIsAllowed()).append("}");
+ sb.append("policyId={").append(this.result.getPolicyId()).append("}");
+ sb.append("reason={").append(this.result.getReason()).append("}");
+
+ sb.append("}");
+
+ }
+
+ static void processTagEvents(List<RangerTagAuditEvent> tagAuditEvents, final boolean deniedAccess) {
+ // Process tagAuditEvents to delete unwanted events
+
+ if (CollectionUtils.isEmpty(tagAuditEvents)) return;
+
+ List<RangerTagAuditEvent> unwantedEvents = new ArrayList<RangerTagAuditEvent> ();
+ if (deniedAccess) {
+ for (RangerTagAuditEvent auditEvent : tagAuditEvents) {
+ RangerAccessResult result = auditEvent.result;
+ if (result.getIsAllowed()) {
+ unwantedEvents.add(auditEvent);
+ }
+ }
+ tagAuditEvents.removeAll(unwantedEvents);
+ }
+ }
+}
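Review bot: RangerTagAccessRequest's constructor writes KEY_CONTEXT_TAG_OBJECT into the map returned by `request.getContext()`, which is the caller's own context and is shared by every per-tag request built in the loop, so the original request leaves the engine carrying the last tag object and an unmodifiable context map would throw UnsupportedOperationException. Copy the context instead of mutating it: `Map<String, Object> requestContext = new HashMap<String, Object>();` then `if (request.getContext() != null) { requestContext.putAll(request.getContext()); }` before the put. The freshly created map in the null case is also only visible to the tag request, which is fine once the copy is explicit. A one-line comment on the class, such as `// Per-tag view of an access request: the resource is the tag name and the access type is prefixed with the component service name`, would help readers of the engine loop.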
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
index a5c1dfb..dcd1b3c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
@@ -27,4 +27,5 @@ public class RangerPolicyEngineOptions {
public boolean cacheAuditResults = true;
public boolean disableContextEnrichers = false;
public boolean disableCustomConditions = false;
+ public boolean disableTagPolicyEvaluation = true;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 6a355ff..c1c71f0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -45,19 +45,84 @@ public class RangerPolicyRepository {
private final RangerServiceDef serviceDef;
private final List<RangerPolicy> policies;
private final long policyVersion;
- private final List<RangerContextEnricher> contextEnrichers;
- private final List<RangerPolicyEvaluator> policyEvaluators;
+ private List<RangerContextEnricher> contextEnrichers;
+ private List<RangerPolicyEvaluator> policyEvaluators;
private final Map<String, Boolean> accessAuditCache;
- private static int RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE = 64*1024;
+ private final String componentServiceName;
+ private final RangerServiceDef componentServiceDef;
RangerPolicyRepository(ServicePolicies servicePolicies, RangerPolicyEngineOptions options) {
super();
- serviceName = servicePolicies.getServiceName();
- serviceDef = servicePolicies.getServiceDef();
- policies = Collections.unmodifiableList(servicePolicies.getPolicies());
- policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion().longValue() : -1;
+ this.componentServiceName = this.serviceName = servicePolicies.getServiceName();
+ this.componentServiceDef = this.serviceDef = servicePolicies.getServiceDef();
+ this.policies = Collections.unmodifiableList(servicePolicies.getPolicies());
+ this.policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion() : -1;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyRepository : building resource-policy-repository for service " + serviceName);
+ }
+
+ String propertyName = "ranger.plugin." + serviceName + ".policyengine.auditcachesize";
+
+ if (options.cacheAuditResults) {
+ final int RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE = 64*1024;
+
+ int auditResultCacheSize = RangerConfiguration.getInstance().getInt(propertyName, RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE);
+ accessAuditCache = Collections.synchronizedMap(new CacheMap<String, Boolean>(auditResultCacheSize));
+ } else {
+ accessAuditCache = null;
+ }
+
+ init(options);
+
+ }
+
+ RangerPolicyRepository(ServicePolicies.TagPolicies tagPolicies, RangerPolicyEngineOptions options, String componentServiceName,
+ RangerServiceDef componentServiceDef) {
+ super();
+ this.serviceName = tagPolicies.getServiceName();
+ this.serviceDef = tagPolicies.getServiceDef();
+ this.componentServiceName = componentServiceName;
+ this.componentServiceDef = componentServiceDef;
+ this.policies = Collections.unmodifiableList(tagPolicies.getPolicies());
+ this.policyVersion = tagPolicies.getPolicyVersion() != null ? tagPolicies.getPolicyVersion() : -1;
+ this.accessAuditCache = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyRepository : building tag-policy-repository for tag service " + serviceName);
+ }
+
+ init(options);
+
+ }
+
+ public String getServiceName() { return serviceName; }
+
+ public RangerServiceDef getServiceDef() {
+ return serviceDef;
+ }
+
+ public List<RangerPolicy> getPolicies() {
+ return policies;
+ }
+
+ public long getPolicyVersion() {
+ return policyVersion;
+ }
+
+ public List<RangerContextEnricher> getContextEnrichers() { return contextEnrichers; }
+
+ public List<RangerPolicyEvaluator> getPolicyEvaluators() {
+ return policyEvaluators;
+ }
+
+ public RangerServiceDef getComponentServiceDef() { return this.componentServiceDef; }
+
+ public String getComponentServiceName() { return this.componentServiceName; }
+
+ private void init(RangerPolicyEngineOptions options) {
List<RangerContextEnricher> contextEnrichers = new ArrayList<RangerContextEnricher>();
if (!options.disableContextEnrichers && !CollectionUtils.isEmpty(serviceDef.getContextEnrichers())) {
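Review bot: Dropping `final` from `contextEnrichers` and `policyEvaluators` gives up the safe-publication guarantee of final fields for a repository that is built once and then read by every request thread, and nothing in the new code needs them to be reassignable. Keep them `private final` by splitting `init(options)` into two private builders, `buildContextEnrichers(options)` and `buildPolicyEvaluators(options)`, that return the unmodifiable lists, and assign `this.contextEnrichers = ...` and `this.policyEvaluators = ...` in both constructors. Both constructors also pass `getPolicies()` straight to `Collections.unmodifiableList`, which throws NullPointerException on a null list; a `policies == null ? Collections.<RangerPolicy>emptyList() : policies` guard would make an empty policy download behave like "no policies". A class comment stating that the tag-policy constructor evaluates policies of the tag service on behalf of `componentServiceName` would explain why there are two service names on the object.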
@@ -69,14 +134,14 @@ public class RangerPolicyRepository {
RangerContextEnricher contextEnricher = buildContextEnricher(enricherDef);
if(contextEnricher != null) {
- contextEnrichers.add(contextEnricher);
+ contextEnrichers.add(contextEnricher);
}
}
}
this.contextEnrichers = Collections.unmodifiableList(contextEnrichers);
List<RangerPolicyEvaluator> policyEvaluators = new ArrayList<RangerPolicyEvaluator>();
- for (RangerPolicy policy : servicePolicies.getPolicies()) {
+ for (RangerPolicy policy : policies) {
if (!policy.getIsEnabled()) {
continue;
}
@@ -90,39 +155,6 @@ public class RangerPolicyRepository {
Collections.sort(policyEvaluators);
this.policyEvaluators = Collections.unmodifiableList(policyEvaluators);
- String propertyName = "ranger.plugin." + serviceName + ".policyengine.auditcachesize";
-
- if(options.cacheAuditResults) {
- int auditResultCacheSize = RangerConfiguration.getInstance().getInt(propertyName, RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE);
-
- accessAuditCache = Collections.synchronizedMap(new CacheMap<String, Boolean>(auditResultCacheSize));
- } else {
- accessAuditCache = null;
- }
- }
-
- public String getServiceName() {
- return serviceName;
- }
-
- public RangerServiceDef getServiceDef() {
- return serviceDef;
- }
-
- public List<RangerPolicy> getPolicies() {
- return policies;
- }
-
- public long getPolicyVersion() {
- return policyVersion;
- }
-
- public List<RangerContextEnricher> getContextEnrichers() {
- return contextEnrichers;
- }
-
- public List<RangerPolicyEvaluator> getPolicyEvaluators() {
- return policyEvaluators;
}
private RangerContextEnricher buildContextEnricher(RangerServiceDef.RangerContextEnricherDef enricherDef) {
@@ -148,6 +180,10 @@ public class RangerPolicyRepository {
if(ret != null) {
ret.setContextEnricherDef(enricherDef);
+ ret.setContextServiceName(serviceName);
+ ret.setContextServiceDef(serviceDef);
+ ret.setContextComponentServiceName(componentServiceName);
+ ret.setContextComponentServiceDef(componentServiceDef);
ret.init();
}
@@ -162,7 +198,7 @@ public class RangerPolicyRepository {
LOG.debug("==> RangerPolicyRepository.buildPolicyEvaluator(" + policy + "," + serviceDef + ", " + options + ")");
}
- RangerPolicyEvaluator ret = null;
+ RangerPolicyEvaluator ret;
if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_DEFAULT)) {
ret = new RangerDefaultPolicyEvaluator();
@@ -210,7 +246,7 @@ public class RangerPolicyRepository {
LOG.debug("==> RangerPolicyRepository.storeAuditEnabledInCache()");
}
- if ((ret.getIsAuditedDetermined() == true)) {
+ if ((ret.getIsAuditedDetermined())) {
String strResource = request.getResource().getAsString(getServiceDef());
Boolean value = ret.getIsAudited() ? Boolean.TRUE : Boolean.FALSE;
@@ -240,6 +276,10 @@ public class RangerPolicyRepository {
sb.append("serviceName={").append(serviceName).append("} ");
sb.append("serviceDef={").append(serviceDef).append("} ");
+ sb.append("componentServiceName={").append(componentServiceName).append("} ");
+ sb.append("componentServiceDef={").append(componentServiceDef).append("} ");
+
+
sb.append("policyEvaluators={");
if (policyEvaluators != null) {
for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index ede91f0..fe98c4b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -226,6 +226,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
boolean matchResult = false;
boolean isHeadMatchAttempted = false;
boolean headMatchResult = false;
+ final boolean isPolicyFinalDecider = isFinalDecider();
if (!result.getIsAuditedDetermined()) {
// Need to match request.resource first. If it matches (or head matches), then only more progress can be made
@@ -270,6 +271,10 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
evaluatePolicyItemsForAccess(policy, request, result);
}
}
+ if ((matchResult || headMatchResult) && !result.getIsAccessDetermined() && isPolicyFinalDecider) {
+ result.setIsAllowed(false);
+ result.setPolicyId(getPolicy().getId());
+ }
}
if(LOG.isDebugEnabled()) {
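Review bot: The implicit deny added here fires on `headMatchResult` as well as on a full match, so a final-decider policy on a more specific resource denies a request on its ancestor whenever no policy item grants access; whether a head match should be conclusive is worth confirming, since head matches are attempted separately from full matches a few lines above this hunk. The deny also records a policy id but no reason, so audit consumers cannot tell it from an explicit deny; if RangerAccessResult has a setter for the reason that its toString reads, set it here, e.g. `result.setReason("final-decider policy");`. A comment such as `// final-decider policy matched but granted nothing: treat as an explicit deny` above the condition would document the intent. The enclosing evaluate method begins and ends outside this hunk.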
@@ -870,4 +875,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return ret;
}
+ @Override
+ public boolean isFinalDecider() {
+ return getPolicy().isFinalDecider();
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 9fe523a..b018f3a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -56,4 +56,6 @@ public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator>
boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType);
boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType);
-}
+
+ boolean isFinalDecider();
+ }
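Review bot: The new interface method `isFinalDecider()` has no Javadoc, and its contract is only discoverable by reading the engine loop and the default evaluator; add `/** True if this policy's outcome is conclusive: when it matches but grants nothing the request is denied, and the engine stops evaluating later policies. */` above it. The closing brace of the interface was also re-indented to column 1 (`+ }`), which should stay at column 0 like the rest of the file.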
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 75ba6b9..fc5b954 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -123,6 +123,10 @@ public class RangerBasePlugin {
propertyPrefix
+ ".policyengine.option.disable.custom.conditions",
false);
+ policyEngineOptions.disableTagPolicyEvaluation = RangerConfiguration
+ .getInstance().getBoolean(
+ propertyPrefix
+ + ".policyengine.option.disable.tagpolicy.evaluation", false);
RangerAdminClient admin = createAdminClient(propertyPrefix);
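Review bot: The configuration fallback `false` here contradicts the field default `disableTagPolicyEvaluation = true` in RangerPolicyEngineOptions, so tag-policy evaluation is enabled for every plugin that goes through this code path and disabled for any engine constructed with bare options. Pick one default and make the field the single source of truth, e.g. `propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", policyEngineOptions.disableTagPolicyEvaluation);`, or change the field initializer to `false` if enabled-by-default is the intent. The enclosing init method continues outside this hunk.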
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java
index 2f75e38..155971f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java
@@ -56,7 +56,6 @@ public abstract class AbstractServiceStore implements ServiceStore {
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceDefDBStore.updateTagServiceDefForAccessTypes()");
}
- return;
}
@Override
@@ -65,94 +64,43 @@ public abstract class AbstractServiceStore implements ServiceStore {
}
@Override
- public RangerServiceDefPaginatedList getPaginatedServiceDefs(SearchFilter filter) throws Exception {
+ public PList<RangerServiceDef> getPaginatedServiceDefs(SearchFilter filter) throws Exception {
List<RangerServiceDef> resultList = getServiceDefs(filter);
- RangerServiceDefPaginatedList ret = new RangerServiceDefPaginatedList();
-
- ret.setResultSize(resultList.size());
- ret.setPageSize(resultList.size());
- ret.setSortBy(filter.getSortBy());
- ret.setSortType(filter.getSortType());
- ret.setStartIndex(0);
- ret.setTotalCount(resultList.size());
-
- ret.setServiceDefs(resultList);
-
- return ret;
+ return new PList<RangerServiceDef>(resultList, 0, resultList.size(),
+ (long)resultList.size(), resultList.size(), filter.getSortType(), filter.getSortBy());
}
@Override
- public RangerServicePaginatedList getPaginatedServices(SearchFilter filter) throws Exception {
+ public PList<RangerService> getPaginatedServices(SearchFilter filter) throws Exception {
List<RangerService> resultList = getServices(filter);
- RangerServicePaginatedList ret = new RangerServicePaginatedList();
-
- ret.setResultSize(resultList.size());
- ret.setPageSize(resultList.size());
- ret.setSortBy(filter.getSortBy());
- ret.setSortType(filter.getSortType());
- ret.setStartIndex(0);
- ret.setTotalCount(resultList.size());
-
- ret.setServices(resultList);
-
- return ret;
+ return new PList<RangerService>(resultList, 0, resultList.size(), (long)resultList.size(),
+ resultList.size(), filter.getSortType(), filter.getSortBy());
}
@Override
- public RangerPolicyPaginatedList getPaginatedPolicies(SearchFilter filter) throws Exception {
+ public PList<RangerPolicy> getPaginatedPolicies(SearchFilter filter) throws Exception {
List<RangerPolicy> resultList = getPolicies(filter);
- RangerPolicyPaginatedList ret = new RangerPolicyPaginatedList();
-
- ret.setResultSize(resultList.size());
- ret.setPageSize(resultList.size());
- ret.setSortBy(filter.getSortBy());
- ret.setSortType(filter.getSortType());
- ret.setStartIndex(0);
- ret.setTotalCount(resultList.size());
-
- ret.setPolicies(resultList);
-
- return ret;
+ return new PList<RangerPolicy>(resultList, 0, resultList.size(), (long)resultList.size(),
+ resultList.size(), filter.getSortType(), filter.getSortBy());
}
@Override
- public RangerPolicyPaginatedList getPaginatedServicePolicies(Long serviceId, SearchFilter filter) throws Exception {
+ public PList<RangerPolicy> getPaginatedServicePolicies(Long serviceId, SearchFilter filter) throws Exception {
List<RangerPolicy> resultList = getServicePolicies(serviceId, filter);
- RangerPolicyPaginatedList ret = new RangerPolicyPaginatedList();
-
- ret.setResultSize(resultList.size());
- ret.setPageSize(resultList.size());
- ret.setSortBy(filter.getSortBy());
- ret.setSortType(filter.getSortType());
- ret.setStartIndex(0);
- ret.setTotalCount(resultList.size());
-
- ret.setPolicies(resultList);
-
- return ret;
+ return new PList<RangerPolicy>(resultList, 0, resultList.size(), (long)resultList.size(),
+ resultList.size(), filter.getSortType(), filter.getSortBy());
}
@Override
- public RangerPolicyPaginatedList getPaginatedServicePolicies(String serviceName, SearchFilter filter) throws Exception {
+ public PList<RangerPolicy> getPaginatedServicePolicies(String serviceName, SearchFilter filter) throws Exception {
List<RangerPolicy> resultList = getServicePolicies(serviceName, filter);
- RangerPolicyPaginatedList ret = new RangerPolicyPaginatedList();
-
- ret.setResultSize(resultList.size());
- ret.setPageSize(resultList.size());
- ret.setSortBy(filter.getSortBy());
- ret.setSortType(filter.getSortType());
- ret.setStartIndex(0);
- ret.setTotalCount(resultList.size());
-
- ret.setPolicies(resultList);
-
- return ret;
-
+ return new PList<RangerPolicy>(resultList, 0, resultList.size(), (long)resultList.size(),
+ resultList.size(), filter.getSortType(), filter.getSortBy());
}
@Override
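Review bot: The five getPaginated* methods repeat the same seven-argument PList construction, with `resultList.size()` passed three times and cast once, which is easy to get subtly wrong when the pagination fields are edited later. Extract one generic helper that wraps an unpaginated list as a single page and call it from each method, as below. `filter.getSortType()` and `filter.getSortBy()` are dereferenced without a null check as before, so callers passing a null filter still fail; the helper is the one place to guard that if desired.
```java
// … unchanged: class header, updateTagServiceDefForAccessTypes …

/** Wraps an unpaginated result as a single page: page size and result size equal the list size. */
private static <T> PList<T> singlePage(List<T> resultList, SearchFilter filter) {
    int size = resultList.size();
    return new PList<T>(resultList, 0, size, (long) size, size,
                        filter.getSortType(), filter.getSortBy());
}

@Override
public PList<RangerServiceDef> getPaginatedServiceDefs(SearchFilter filter) throws Exception {
    return singlePage(getServiceDefs(filter), filter);
}

// … unchanged: getPaginatedServices, getPaginatedPolicies and both getPaginatedServicePolicies follow the same pattern …
```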
@@ -189,17 +137,17 @@ public abstract class AbstractServiceStore implements ServiceStore {
}
protected void preCreate(RangerBaseModelObject obj) throws Exception {
- obj.setId(new Long(0));
+ obj.setId(0L);
obj.setGuid(UUID.randomUUID().toString());
obj.setCreateTime(new Date());
obj.setUpdateTime(obj.getCreateTime());
- obj.setVersion(new Long(1));
+ obj.setVersion(1L);
}
protected void preCreate(RangerService service) throws Exception {
preCreate((RangerBaseModelObject)service);
- service.setPolicyVersion(new Long(0));
+ service.setPolicyVersion(0L);
service.setPolicyUpdateTime(service.getCreateTime());
}
@@ -211,7 +159,7 @@ public abstract class AbstractServiceStore implements ServiceStore {
protected void preUpdate(RangerBaseModelObject obj) throws Exception {
if(obj.getId() == null) {
- obj.setId(new Long(0));
+ obj.setId(0L);
}
if(obj.getGuid() == null) {
@@ -225,9 +173,9 @@ public abstract class AbstractServiceStore implements ServiceStore {
Long version = obj.getVersion();
if(version == null) {
- version = new Long(1);
+ version = 1L;
} else {
- version = new Long(version.longValue() + 1);
+ version = version + 1;
}
obj.setVersion(version);
@@ -323,7 +271,7 @@ public abstract class AbstractServiceStore implements ServiceStore {
String serviceDefName = serviceDef.getName();
- RangerServiceDef tagServiceDef = null;
+ RangerServiceDef tagServiceDef;
try {
tagServiceDef = this.getServiceDef(EmbeddedServiceDefsUtil.instance().getTagServiceDefId());
} catch (Exception e) {
@@ -438,7 +386,7 @@ public abstract class AbstractServiceStore implements ServiceStore {
return;
}
- RangerServiceDef tagServiceDef = null;
+ RangerServiceDef tagServiceDef;
try {
tagServiceDef = this.getServiceDef(EmbeddedServiceDefsUtil.instance().getTagServiceDefId());
} catch (Exception e) {
@@ -464,6 +412,6 @@ public abstract class AbstractServiceStore implements ServiceStore {
}
protected long getNextVersion(Long currentVersion) {
- return currentVersion == null ? 1L : currentVersion.longValue() + 1;
+ return currentVersion == null ? 1L : currentVersion + 1;
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
index 9be733d..558014b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
@@ -20,7 +20,9 @@
package org.apache.ranger.plugin.store;
import org.apache.ranger.plugin.model.RangerBaseModelObject;
-import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.model.RangerResource;
+import org.apache.ranger.plugin.model.RangerTagDef;
+import org.apache.ranger.plugin.util.SearchFilter;
import java.util.Date;
import java.util.List;
@@ -28,11 +30,11 @@ import java.util.UUID;
public abstract class AbstractTagStore implements TagStore {
protected void preCreate(RangerBaseModelObject obj) throws Exception {
- obj.setId(new Long(0));
+ obj.setId(0L);
obj.setGuid(UUID.randomUUID().toString());
obj.setCreateTime(new Date());
obj.setUpdateTime(obj.getCreateTime());
- obj.setVersion(new Long(1));
+ obj.setVersion(1L);
}
protected void postCreate(RangerBaseModelObject obj) throws Exception {
@@ -40,7 +42,7 @@ public abstract class AbstractTagStore implements TagStore {
protected void preUpdate(RangerBaseModelObject obj) throws Exception {
if(obj.getId() == null) {
- obj.setId(new Long(0));
+ obj.setId(0L);
}
if(obj.getGuid() == null) {
@@ -54,9 +56,9 @@ public abstract class AbstractTagStore implements TagStore {
Long version = obj.getVersion();
if(version == null) {
- version = new Long(1);
+ version = 1L;
} else {
- version = new Long(version.longValue() + 1);
+ version = version + 1;
}
obj.setVersion(version);
@@ -85,4 +87,27 @@ public abstract class AbstractTagStore implements TagStore {
}
return ret;
}
+
+ @Override
+ public PList<RangerTagDef> getPaginatedTagDefs(SearchFilter filter) throws Exception {
+ List<RangerTagDef> list = getTagDefs(filter);
+
+ return new PList<RangerTagDef>(list, 0, list.size(),
+ (long)list.size(), list.size(), filter.getSortType(), filter.getSortBy());
+ }
+
+ public PList<RangerResource> getPaginatedResources(String tagServiceName, String serviceType) throws Exception {
+ List<RangerResource> list = getResources(tagServiceName, serviceType);
+
+ return new PList<RangerResource>(list, 0, list.size(),
+ (long)list.size(), list.size(), null, null);
+ }
+
+ public PList<RangerResource> getPaginatedResources(SearchFilter filter) throws Exception {
+ List<RangerResource> list = getResources(filter);
+
+ return new PList<RangerResource>(list, 0, list.size(),
+ (long)list.size(), list.size(), filter.getSortType(), filter.getSortBy());
+ }
+
}
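Review bot: The two new `getPaginatedResources` overloads carry no `@Override` while `getPaginatedTagDefs` right above them does; if they implement TagStore methods the annotation is missing, and if they do not, they should say so in a comment because the asymmetry reads like an oversight. They also repeat the single-page PList construction already duplicated across AbstractServiceStore; a small helper `static <T> PList<T> singlePage(List<T> list, String sortType, String sortBy)` would keep the page/result/total bookkeeping in one place. The `(String, String)` overload passes null sort fields, which is fine, but a one-line comment such as `// no SearchFilter here, so the page carries no sort metadata` would make that deliberate.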
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/PList.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/PList.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/PList.java
index 8c3e0a9..2402fea 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/PList.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/PList.java
@@ -21,7 +21,8 @@ package org.apache.ranger.plugin.store;
import java.util.List;
-public abstract class PList implements java.io.Serializable {
+public class PList<T> implements java.io.Serializable {
+
private static final long serialVersionUID = 1L;
/**
@@ -51,35 +52,39 @@ public abstract class PList implements java.io.Serializable {
protected long queryTimeMS = System.currentTimeMillis();
-
+ protected List<T> list;
/**
* Default constructor. This will set all the attributes to default value.
*/
public PList() {
- }
-
- /**
- * Initialize with existing list
- *
- * @param objectList
- */
- public PList(@SuppressWarnings("rawtypes") List objectList) {
- int size = 0;
- if (objectList != null) {
- size = objectList.size();
- }
-
startIndex = 0;
- pageSize = size;
- totalCount = size;
- resultSize = size;
+ pageSize = 0;
+ totalCount = 0;
+ resultSize = 0;
sortType = null;
sortBy = null;
}
- abstract public int getListSize();
+ public PList(List<T> list, int startIndex, int pageSize, long totalCount, int resultSize, String sortType, String sortBy) {
+ this.list = list;
+ this.startIndex = startIndex;
+ this.pageSize = pageSize;
+ this.totalCount = totalCount;
+ this.resultSize = resultSize;
+ this.sortType = sortType;
+ this.sortBy = sortBy;
+
+ }
+
+ public int getListSize() {
+ return list == null ? 0 : list.size();
+ }
- abstract public List<?> getList();
+ public void setList(List<T> list) {this.list = list;}
+
+ public List<T> getList() {
+ return list;
+ }
/**
* This method sets the value to the member attribute <b>startIndex</b>. You
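Review bot: The new seven-argument constructor takes `pageSize`, `totalCount` and `resultSize` with no documentation of how they differ, and every caller in this commit passes the list size for all three, so a reader cannot tell which one is meant to be the page size versus the matched-row count; add Javadoc with one `@param` line each, and note that `resultSize` is redundant with `getListSize()` when a list is supplied. The constructor and `setList` store the caller's list by reference and `getList()` hands it back, so callers can mutate a page after it is built; acceptable for a transfer object, but worth a one-line comment on the field. The class is `Serializable` and now generic, so `List<T>` elements must themselves be serializable for that to hold.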
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerPolicyPaginatedList.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerPolicyPaginatedList.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerPolicyPaginatedList.java
deleted file mode 100644
index 9573886..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerPolicyPaginatedList.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.store;
-
-import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerServiceDef;
-
-import java.util.ArrayList;
-import java.util.List;
-
-public class RangerPolicyPaginatedList extends PList {
- private static final long serialVersionUID = 1L;
-
- List<RangerPolicy> policies = new ArrayList<RangerPolicy>();
-
- public RangerPolicyPaginatedList() {
- super();
- }
-
- public RangerPolicyPaginatedList(List<RangerPolicy> objList) {
- super(objList);
- this.policies = objList;
- }
-
- public List<RangerPolicy> getPolicies() {
- return policies;
- }
-
- public void setPolicies(List<RangerPolicy> policies) {
- this.policies = policies;
- }
-
- @Override
- public int getListSize() {
- if (policies != null) {
- return policies.size();
- }
- return 0;
- }
-
- @Override
- public List<?> getList() {
- return policies;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServiceDefPaginatedList.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServiceDefPaginatedList.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServiceDefPaginatedList.java
deleted file mode 100644
index 7366ac8..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServiceDefPaginatedList.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.store;
-
-import org.apache.ranger.plugin.model.RangerServiceDef;
-
-import java.util.ArrayList;
-import java.util.List;
-
-public class RangerServiceDefPaginatedList extends PList {
- private static final long serialVersionUID = 1L;
-
- List<RangerServiceDef> serviceDefs = new ArrayList<RangerServiceDef>();
-
- public RangerServiceDefPaginatedList() {
- super();
- }
-
- public RangerServiceDefPaginatedList(List<RangerServiceDef> objList) {
- super(objList);
- this.serviceDefs = objList;
- }
-
- public List<RangerServiceDef> getServiceDefs() {
- return serviceDefs;
- }
-
- public void setServiceDefs(List<RangerServiceDef> serviceDefs) {
- this.serviceDefs = serviceDefs;
- }
-
- @Override
- public int getListSize() {
- if (serviceDefs != null) {
- return serviceDefs.size();
- }
- return 0;
- }
-
- @Override
- public List<?> getList() {
- return serviceDefs;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServicePaginatedList.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServicePaginatedList.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServicePaginatedList.java
deleted file mode 100644
index 6194bb8..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServicePaginatedList.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.store;
-
-import org.apache.ranger.plugin.model.RangerService;
-import org.apache.ranger.plugin.model.RangerServiceDef;
-
-import java.util.ArrayList;
-import java.util.List;
-
-public class RangerServicePaginatedList extends PList {
- private static final long serialVersionUID = 1L;
-
- List<RangerService> services = new ArrayList<RangerService>();
-
- public RangerServicePaginatedList() {
- super();
- }
-
- public RangerServicePaginatedList(List<RangerService> objList) {
- super(objList);
- this.services = objList;
- }
-
- public List<RangerService> getServices() {
- return services;
- }
-
- public void setServices(List<RangerService> services) {
- this.services = services;
- }
-
- @Override
- public int getListSize() {
- if (services != null) {
- return services.size();
- }
- return 0;
- }
-
- @Override
- public List<?> getList() {
- return services;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
index 0915cf5..cbf6022 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
@@ -46,7 +46,8 @@ public interface ServiceStore {
List<RangerServiceDef> getServiceDefs(SearchFilter filter) throws Exception;
- RangerServiceDefPaginatedList getPaginatedServiceDefs(SearchFilter filter) throws Exception;
+
+ PList<RangerServiceDef> getPaginatedServiceDefs(SearchFilter filter) throws Exception;
RangerService createService(RangerService service) throws Exception;
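Review bot: The new `PList<RangerServiceDef> getPaginatedServiceDefs(SearchFilter filter) throws Exception;` keeps `throws Exception` on the interface, so implementers can surface anything from a checked I/O failure to a programming error and callers are left catching `Exception`; a narrower store-specific exception type on the new signatures would let callers tell the two apart. The same applies to the other new signatures in this file (`getPaginatedServices`, `getPaginatedPolicies` and both `getPaginatedServicePolicies` overloads in the following two hunks) and to the new TagStore methods. The paginated methods also have no Javadoc saying how the `SearchFilter` argument controls paging, if it does, and how the returned `PList` fields (`startIndex`, `pageSize`, `totalCount`, `resultSize`) are populated; a short interface comment on `getPaginatedServiceDefs` stating that contract would keep implementations in agreement.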
@@ -60,7 +61,7 @@ public interface ServiceStore {
List<RangerService> getServices(SearchFilter filter) throws Exception;
- RangerServicePaginatedList getPaginatedServices(SearchFilter filter) throws Exception;
+ PList<RangerService> getPaginatedServices(SearchFilter filter) throws Exception;
RangerPolicy createPolicy(RangerPolicy policy) throws Exception;
@@ -72,17 +73,19 @@ public interface ServiceStore {
List<RangerPolicy> getPolicies(SearchFilter filter) throws Exception;
- RangerPolicyPaginatedList getPaginatedPolicies(SearchFilter filter) throws Exception;
+
+ PList<RangerPolicy> getPaginatedPolicies(SearchFilter filter) throws Exception;
List<RangerPolicy> getPoliciesByResourceSignature(String serviceName, String policySignature, Boolean isPolicyEnabled) throws Exception;
List<RangerPolicy> getServicePolicies(Long serviceId, SearchFilter filter) throws Exception;
- RangerPolicyPaginatedList getPaginatedServicePolicies(Long serviceId, SearchFilter filter) throws Exception;
+
+ PList<RangerPolicy> getPaginatedServicePolicies(Long serviceId, SearchFilter filter) throws Exception;
List<RangerPolicy> getServicePolicies(String serviceName, SearchFilter filter) throws Exception;
- RangerPolicyPaginatedList getPaginatedServicePolicies(String serviceName, SearchFilter filter) throws Exception;
+ PList<RangerPolicy> getPaginatedServicePolicies(String serviceName, SearchFilter filter) throws Exception;
ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long lastKnownVersion) throws Exception;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java
index 87e2b6f..991e913 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java
@@ -44,6 +44,7 @@ public interface TagStore {
List<RangerTagDef> getTagDefs(SearchFilter filter) throws Exception;
+ PList<RangerTagDef> getPaginatedTagDefs(SearchFilter filter) throws Exception;
RangerResource createResource(RangerResource resource) throws Exception;
@@ -55,5 +56,9 @@ public interface TagStore {
List<RangerResource> getResources(String tagServiceName, String serviceType) throws Exception;
+ PList<RangerResource> getPaginatedResources(String tagServiceName, String serviceType) throws Exception;
+
List<RangerResource> getResources(SearchFilter filter) throws Exception;
+ PList<RangerResource> getPaginatedResources(SearchFilter filter) throws Exception;
+
}
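Review bot: `getPaginatedResources(String tagServiceName, String serviceType)` takes no `SearchFilter` or page parameters, so unless paging is implied by defaults elsewhere a caller has no way to ask for a particular page and the result's pagination fields can only carry implementation-chosen values; consider adding a `SearchFilter` parameter, mirroring the overload declared just below it, or documenting which page the method returns. The two `getPaginatedResources` overloads and `getPaginatedTagDefs` are also undocumented; a Javadoc on each stating what `PList.totalCount` and `resultSize` mean for that query would make the contract explicit.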
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index ed67e8e..42da42d 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -19,13 +19,7 @@
package org.apache.ranger.plugin.policyengine;
-import static org.junit.Assert.*;
-
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.lang.reflect.Type;
-import java.util.List;
-
+import com.google.gson.*;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData;
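Review bot: `import com.google.gson.*;` replaces the six explicit Gson imports removed in the next hunk with a wildcard, which hides which Gson types the test actually depends on and can silently shadow same-named classes if another wildcard import is added later; keeping the explicit `import com.google.gson.Gson;` ... `import com.google.gson.JsonParseException;` list is the safer style. Moving the `java.*` imports and the static JUnit import after the project imports is a pure reorder and is fine.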
@@ -34,12 +28,12 @@ import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
-import com.google.gson.Gson;
-import com.google.gson.GsonBuilder;
-import com.google.gson.JsonDeserializationContext;
-import com.google.gson.JsonDeserializer;
-import com.google.gson.JsonElement;
-import com.google.gson.JsonParseException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.lang.reflect.Type;
+import java.util.List;
+
+import static org.junit.Assert.*;
public class TestPolicyEngine {
@@ -100,10 +94,27 @@ public class TestPolicyEngine {
servicePolicies.setServiceDef(testCase.serviceDef);
servicePolicies.setPolicies(testCase.policies);
- policyEngine = new RangerPolicyEngineImpl(servicePolicies);
+ if (null != testCase.tagPolicyInfo) {
+ ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
+ tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
+ tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
+ tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
+
+ servicePolicies.setTagPolicies(tagPolicies);
+ }
+
+ String componentName = testCase.serviceDef.getName();
+
+ RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
+
+ // Uncomment next line for testing tag-policy evaluation
+ // policyEngineOptions.disableTagPolicyEvaluation = false;
+
+ policyEngine = new RangerPolicyEngineImpl(servicePolicies, policyEngineOptions);
for(TestData test : testCase.tests) {
RangerAccessResult expected = test.result;
+ policyEngine.enrichContext(test.request);
RangerAccessResult result = policyEngine.isAccessAllowed(test.request, null);
assertNotNull("result was null! - " + test.name, result);
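Review bot: The tag-policy path wired in this hunk is not actually exercised: `policyEngineOptions` is constructed with defaults and the line that would enable tag-policy evaluation is left commented out (`// policyEngineOptions.disableTagPolicyEvaluation = false;`), so `testCase.tagPolicyInfo` is attached to `servicePolicies` but, assuming the option defaults to disabled as the comment implies, is never evaluated and every assertion below passes without covering it. Driving the option from the test case instead, e.g. a boolean field on `PolicyEngineTestCase` read here as `policyEngineOptions.disableTagPolicyEvaluation = !testCase.evaluateTagPolicies;` (new field, name is a proposal), would let individual JSON cases opt in rather than depending on an edit to the test source. Note that the enricher configured in the accompanying test resource points at an absolute host path, so enabling the option as-is would likely make the test depend on machine state. The enclosing test method continues outside the hunk.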
@@ -117,6 +128,7 @@ public class TestPolicyEngine {
public String serviceName;
public RangerServiceDef serviceDef;
public List<RangerPolicy> policies;
+ public TagPolicyInfo tagPolicyInfo;
public List<TestData> tests;
class TestData {
@@ -124,6 +136,12 @@ public class TestPolicyEngine {
public RangerAccessRequest request;
public RangerAccessResult result;
}
+
+ class TagPolicyInfo {
+ public String serviceName;
+ public RangerServiceDef serviceDef;
+ public List<RangerPolicy> tagPolicies;
+ }
}
static class RangerAccessRequestDeserializer implements JsonDeserializer<RangerAccessRequest> {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d61bce5c/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index eed71be..4ef634c 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -36,7 +36,91 @@
]
}
],
+ "tagPolicyInfo": {
+ "serviceName":"tagdev",
+ "serviceDef": {
+ "name": "_tag_",
+ "id": 101,
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "tag",
+ "type": "string",
+ "level": 1,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": false
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "TAG",
+ "description": "TAG"
+ }
+ ],
+ "accessTypes": [
+ {
+ "name": "hdfs:read",
+ "label": "hdfs:Read"
+ },
+ {
+ "name": "hdfs:write",
+ "label": "hdfs:Write"
+ },
+ {
+ "name": "hdfs:execute",
+ "label": "hdfs:Execute"
+ }
+ ],
+ "contextEnrichers" : [
+ {
+ "name" : "test_enricher",
+ "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedTagProvider",
+ "enricherOptions" : {"wildCard":true, "ignoreCase":true, "dataFile":"/etc/ranger/data/resourceTags.txt"}
+ }
+ ],
+ "policyConditions": [
+ {
+ "itemId":1,
+ "name":"Default_TagAttributeValueEvaluator",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerTagAttributeEvaluator",
+ "evaluatorOptions" : {"interpreter":"python"},
+ "label":"Python-Script",
+ "description": "Python script to execute"
+ }
+ ]
+ },
+ "tagPolicies":[
+ {"id":5,"name":"allow somethingelse tag","isEnabled":true,"isAuditEnabled":true,"policyType":0,
+ "resources":{"tag":{"values":["restricte?"],"isRecursive":false}},
+ "policyItems":[
+ {"accesses":[{"type":"hdfs:read","isAllowed":true}],"users":["user1"],"groups":["finance"],"delegateAdmin":false,
+ "conditions" : [{"type":"Default_TagAttributeValueEvaluator", "values":["Test_Script"]}]}
+ ]
+ }
+ ,
+ {"id":4,"name":"allow partial-match tag","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"tag":{"values":["restr*"],"isRecursive":false}},
+ "policyItems":[
+ {"accesses":[{"type":"hdfs:write","isAllowed":true}],"users":["user1"],"groups":["finance"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":3,"name":"restricted tags","isEnabled":true,"isAuditEnabled":true,"policyType":0,
+ "resources":{"tag":{"values":["res*"],"isRecursive":false}},
+ "policyItems":[
+ {"accesses":[{"type":"hdfs:write","isAllowed":true}],"users":["user1"],"groups":["finance"],"delegateAdmin":false}
+ ]
+ }
+ ]
+ },
"tests":[
{"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance",
"request":{