Posted to commits@ranger.apache.org by ma...@apache.org on 2016/03/10 18:03:11 UTC
incubator-ranger git commit: RANGER-877: Exceptions in policies:
allowExceptions should implicitly deny; denyExceptions should implicitly allow
Repository: incubator-ranger
Updated Branches:
refs/heads/master f06795e2e -> 46c2f94ab
RANGER-877: Exceptions in policies: allowExceptions should implicitly deny; denyExceptions should implicitly allow
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/46c2f94a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/46c2f94a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/46c2f94a
Branch: refs/heads/master
Commit: 46c2f94abd0b95b8b9da741b9cdb21a9422c009b
Parents: f06795e
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Mon Mar 7 18:30:13 2016 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Wed Mar 9 13:47:12 2016 -0800
----------------------------------------------------------------------
.../RangerDefaultPolicyEvaluator.java | 51 +++++++++++++++++---
.../test_policyengine_tag_hive.json | 4 +-
.../test_policyengine_tag_hive_filebased.json | 8 +--
3 files changed, 50 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/46c2f94a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 50c8165..1fa8644 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -97,10 +97,10 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
resourceMatcher.init();
if(policy != null) {
- allowEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, policy.getPolicyItems(), RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
- denyEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, policy.getDenyPolicyItems(), RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
- allowExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, policy.getAllowExceptions(), RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
- denyExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, policy.getDenyExceptions(), RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
+ allowEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
+ denyEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
+ allowExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
+ denyExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
} else {
allowEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
denyEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
@@ -528,10 +528,31 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return ret;
}
- private List<RangerPolicyItemEvaluator> createPolicyItemEvaluators(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options, List<RangerPolicyItem> policyItems, int policyItemType) {
- List<RangerPolicyItemEvaluator> ret = null;
+ private List<RangerPolicyItemEvaluator> createPolicyItemEvaluators(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options, int policyItemType) {
+ List<RangerPolicyItemEvaluator> ret = null;
+ List<RangerPolicyItem> policyItems = null;
- if(CollectionUtils.isNotEmpty(policyItems) && isPolicyItemTypeEnabled(serviceDef, policyItemType)) {
+ if(isPolicyItemTypeEnabled(serviceDef, policyItemType)) {
+ if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW) {
+ policyItems = policy.getPolicyItems();
+
+ if (isPolicyItemTypeEnabled(serviceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS)) {
+ policyItems = mergeLists(policyItems, policy.getDenyExceptions());
+ }
+ } else if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) {
+ policyItems = policy.getDenyPolicyItems();
+
+ if (isPolicyItemTypeEnabled(serviceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS)) {
+ policyItems = mergeLists(policyItems, policy.getAllowExceptions());
+ }
+ } else if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS) {
+ policyItems = policy.getAllowExceptions();
+ } else if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS) {
+ policyItems = policy.getDenyExceptions();
+ }
+ }
+
+ if(CollectionUtils.isNotEmpty(policyItems)) {
ret = new ArrayList<RangerPolicyItemEvaluator>();
int policyItemCounter = 1;
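Review bot: Folding `policy.getDenyExceptions()` into the ALLOW evaluator list (the `mergeLists` call right after `policyItems = policy.getPolicyItems()`) makes every deny-exception item a positive grant, so a requester who matches only a denyException — with no deny item in play at all — is now allowed by this policy; that widening is the intent of RANGER-877, but nothing in the code says so and a later reader could easily revert it as a bug. Suggest a comment at that call, `// RANGER-877: a denyException also grants access, so evaluate it as an implicit allow item`, and its mirror on the DENY branch, `// RANGER-877: an allowException also refuses access, so evaluate it as an implicit deny item`. The merged items are then numbered by the `policyItemCounter` that starts at 1 below, so a denyException item appended after the allow items appears to receive an index past the end of the policy's own allow list; if that index is surfaced in audit records, confirm it still maps back to the right item in the policy model. The order in which the allow, deny and exception evaluator lists are consulted lives outside this hunk, so the deny-before-allow precedence that keeps this safe cannot be checked here; the enclosing method also continues past the hunk.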
@@ -641,4 +662,20 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return ret;
}
+
+ private <T> List<T> mergeLists(List<T> list1, List<T> list2) {
+ List<T> ret = null;
+
+ if(CollectionUtils.isEmpty(list1)) {
+ ret = list2;
+ } else if(CollectionUtils.isEmpty(list2)) {
+ ret = list1;
+ } else {
+ ret = new ArrayList<T>(list1);
+
+ ret.addAll(list2);
+ }
+
+ return ret;
+ }
}
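Review bot: `mergeLists` returns one of its arguments by reference when the other is empty — `list2` (which may itself be null or empty) when `list1` is empty, `list1` when `list2` is empty — and allocates a fresh `ArrayList` only when both are non-empty, so the caller may receive an alias of the policy's own list or a null; that is harmless for the read-only iteration in `createPolicyItemEvaluators`, but the contract is undocumented. Suggest a Javadoc: `/** Concatenates two lists. Returns list2 when list1 is empty and list1 when list2 is empty — the argument itself, not a copy, possibly null — and a new list only when both are non-empty. */`. Returning `Collections.<T>emptyList()` in the both-empty case would also make the result never-null, which `CollectionUtils.isNotEmpty` in the caller already tolerates.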
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/46c2f94a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
index 0893f44..9c9bc40 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
@@ -238,7 +238,7 @@
"accessType":"select","user":"dataloader","userGroups":[],"requestData":"select ssn from employee.personal;' for dataloader",
"context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", \"attributes\":{\"expiry_date\":\"2015/08/10\"}}]"}
},
- "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ "result":{"isAudited":true,"isAllowed":true,"policyId":5}
},
{"name":"ALLOW 'select ssn from employee.personal;' for user1",
"request":{
@@ -303,7 +303,7 @@
"accessType":"","user":"hive","userGroups":[],"requestData":"use default",
"context": {"TAGS":"[{\"type\":\"PII-FINAL\", \"attributes\":{\"expiry\":\"2026/06/15\"}}]"}
},
- "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
},
{"name":"DENY 'use default;' for user1",
"request":{
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/46c2f94a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
index da00ea3..e9ee355 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
@@ -233,7 +233,7 @@
"resource":{"elements":{"database":"employee", "table":"personal", "column":"emp-number"}},
"accessType":"select","user":"dataloader","userGroups":[],"requestData":"select emp-number from employee.personal;' for dataloader"
},
- "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ "result":{"isAudited":true,"isAllowed":true,"policyId":5}
},
{"name":"DENY 'select salary from employee.personal;' for user1 using EXPIRES_ON tag",
"request":{
@@ -268,14 +268,14 @@
"resource":{"elements":{"database":"default", "table":"table1", "column":"name"}},
"accessType":"select","user":"hive","userGroups":[],"requestData":"select name from default.table1;' for hive"
},
- "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
},
{"name":"ALLOW 'desc default.table1;' for hive using PII, PII-FINAL tags",
"request":{
"resource":{"elements":{"database":"default", "table":"table1"}},
"accessType":"","user":"hive","userGroups":[],"requestData":"desc default.table1;' for hive"
},
- "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
},
{"name":"DENY 'desc default.table2;' for user1 using PII-FINAL tag",
"request":{
@@ -296,7 +296,7 @@
"resource":{"elements":{"database":"default", "table":"table3", "column":"name"}},
"accessType":"select","user":"hive","userGroups":[],"requestData":"select name from default.table3 for user hive"
},
- "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
}
]