Posted to commits@ranger.apache.org by pr...@apache.org on 2020/11/16 05:06:58 UTC

[ranger] 02/03: RANGER-3040: add read permission for lookupuser on default policies of presto/storm/es

This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 7849c658f7b5ca71d43ed3299fb36992c48b4b2c
Author: rujia1019 <82...@163.com>
AuthorDate: Thu Oct 15 11:16:01 2020 +0800

    RANGER-3040: add read permission for lookupuser on default policies of presto/storm/es
    
    Signed-off-by: pradeep <pr...@apache.org>
---
 .../elasticsearch/RangerServiceElasticsearch.java  | 31 ++++++++++++++++++
 .../services/presto/RangerServicePresto.java       | 32 +++++++++++++++++++
 .../ranger/services/storm/RangerServiceStorm.java  | 37 ++++++++++++++++++++++
 3 files changed, 100 insertions(+)

diff --git a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java
index 100851d..a8953e1 100644
--- a/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java
+++ b/plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java
@@ -18,10 +18,15 @@
 package org.apache.ranger.services.elasticsearch;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.slf4j.Logger;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -33,6 +38,7 @@ import org.slf4j.LoggerFactory;
 public class RangerServiceElasticsearch extends RangerBaseService {
 
 	private static final Logger LOG = LoggerFactory.getLogger(RangerServiceElasticsearch.class);
+	public static final String ACCESS_TYPE_READ  = "read";
 
 	public RangerServiceElasticsearch() {
 		super();
@@ -44,6 +50,31 @@ public class RangerServiceElasticsearch extends RangerBaseService {
 	}
 
 	@Override
+	public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerServiceElasticsearch.getDefaultRangerPolicies()");
+		}
+
+		List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+		for (RangerPolicy defaultPolicy : ret) {
+			if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+				List<RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicyItemAccess>();
+				accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_READ));
+				RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+				policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+				policyItemForLookupUser.setAccesses(accessListForLookupUser);
+				policyItemForLookupUser.setDelegateAdmin(false);
+				defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerServiceElasticsearch.getDefaultRangerPolicies()");
+		}
+		return ret;
+	}
+
+	@Override
 	public Map<String, Object> validateConfig() throws Exception {
 		Map<String, Object> ret = new HashMap<String, Object>();
 		String serviceName = getServiceName();
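Review bot: The check `defaultPolicy.getName().contains("all")` in getDefaultRangerPolicies() selects policies by substring, so any default policy whose name merely contains those three letters receives the lookup-user grant, and a policy with a null name would throw here. The names come from super.getDefaultRangerPolicies(), which is not shown, so whether either case can occur today is unconfirmed. A null-safe form is `StringUtils.contains(defaultPolicy.getName(), "all")`, and the loop-invariant user check can move in front of the loop as `if (StringUtils.isBlank(lookUpUser)) { return ret; }`. Matching the exact name or prefix that the base class generates would be tighter still. The same condition appears in the Presto and Storm hunks of this commit.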
diff --git a/plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java b/plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java
index 810fc3f..d95876a 100644
--- a/plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java
+++ b/plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java
@@ -18,15 +18,20 @@
  */
 package org.apache.ranger.services.presto;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.client.HadoopConfigHolder;
 import org.apache.ranger.plugin.client.HadoopException;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.services.presto.client.PrestoResourceManager;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -34,6 +39,33 @@ import java.util.Map;
 public class RangerServicePresto extends RangerBaseService {
   private static final Log LOG = LogFactory.getLog(RangerServicePresto.class);
 
+  public static final String ACCESS_TYPE_SELECT  = "select";
+
+  @Override
+  public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("==> RangerServicePresto.getDefaultRangerPolicies()");
+    }
+
+    List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+    for (RangerPolicy defaultPolicy : ret) {
+      if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+        List<RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicyItemAccess>();
+        accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_SELECT));
+        RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+        policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+        policyItemForLookupUser.setAccesses(accessListForLookupUser);
+        policyItemForLookupUser.setDelegateAdmin(false);
+        defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+      }
+    }
+
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("<== RangerServicePresto.getDefaultRangerPolicies()");
+    }
+    return ret;
+  }
+
   @Override
   public Map<String, Object> validateConfig() throws Exception {
     Map<String, Object> ret = new HashMap<String, Object>();
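Review bot: The new getDefaultRangerPolicies() grants the lookup user `select` on every matching default policy, yet nothing in the method or on `ACCESS_TYPE_SELECT` says why that account needs data-read access. Judging by its name and the commit title, the account serves resource lookup. The resources covered by the matched policies are defined in the base class, which is not shown, so the breadth of the grant cannot be judged from this hunk. Because the item is created automatically with the service, I would document it on the method, e.g. `/** Adds a select-only, non-delegating policy item for the configured lookup user to each default "all" policy. */`, and record whether lookup works with anything narrower. `"select"` must also match an access type in the Presto service definition; that is worth stating on the constant, since a mismatch would not be caught at compile time.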
diff --git a/storm-agent/src/main/java/org/apache/ranger/services/storm/RangerServiceStorm.java b/storm-agent/src/main/java/org/apache/ranger/services/storm/RangerServiceStorm.java
index 1b71cd7..ffe26b6 100644
--- a/storm-agent/src/main/java/org/apache/ranger/services/storm/RangerServiceStorm.java
+++ b/storm-agent/src/main/java/org/apache/ranger/services/storm/RangerServiceStorm.java
@@ -19,10 +19,15 @@
 package org.apache.ranger.services.storm;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.service.RangerBaseService;
@@ -34,6 +39,10 @@ import org.apache.commons.logging.LogFactory;
 public class RangerServiceStorm extends RangerBaseService {
 
 	private static final Log LOG = LogFactory.getLog(RangerServiceStorm.class);
+	public static final String ACCESS_TYPE_GET_TOPOLOGY  = "getTopology";
+	public static final String ACCESS_TYPE_GET_TOPOLOGY_CONF  = "getTopologyConf";
+	public static final String ACCESS_TYPE_GET_USER_TOPOLOGY  = "getUserTopology";
+	public static final String ACCESS_TYPE_GET_TOPOLOGY_INFO  = "getTopologyInfo";
 	
 	public RangerServiceStorm() {
 		super();
@@ -45,6 +54,34 @@ public class RangerServiceStorm extends RangerBaseService {
 	}
 
 	@Override
+	public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerServiceStorm.getDefaultRangerPolicies()");
+		}
+
+		List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+		for (RangerPolicy defaultPolicy : ret) {
+			if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+				List<RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicyItemAccess>();
+				accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_GET_TOPOLOGY));
+				accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_GET_TOPOLOGY_CONF));
+				accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_GET_USER_TOPOLOGY));
+				accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_GET_TOPOLOGY_INFO));
+				RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+				policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+				policyItemForLookupUser.setAccesses(accessListForLookupUser);
+				policyItemForLookupUser.setDelegateAdmin(false);
+				defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerServiceStorm.getDefaultRangerPolicies()");
+		}
+		return ret;
+	}
+
+	@Override
 	public Map<String,Object> validateConfig() throws Exception {
 		Map<String, Object> ret = new HashMap<String, Object>();
 		String 	serviceName  	    = getServiceName();
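Review bot: This override is the third copy of the same loop in this commit (the Elasticsearch and Presto services carry the other two), and only the access-type names differ. The loop decides what the lookup account may do on the default policies, so keeping it in one place makes the grant easier to audit and to correct once. I would move it into a protected helper on RangerBaseService and have each service pass its access types. That class is not shown here, so the helper name below is a proposal rather than an existing method. validateConfig() continues outside the hunk.

```java
// proposed helper for RangerBaseService (name is a suggestion, not an existing method)
protected void addLookupUserAccess(List<RangerPolicy> policies, String... accessTypes) {
	if (StringUtils.isBlank(lookUpUser)) {
		return;
	}
	for (RangerPolicy policy : policies) {
		if (!StringUtils.contains(policy.getName(), "all")) {
			continue;
		}
		List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
		for (String accessType : accessTypes) {
			accesses.add(new RangerPolicyItemAccess(accessType));
		}
		RangerPolicyItem item = new RangerPolicyItem();
		item.setUsers(Collections.singletonList(lookUpUser));
		item.setAccesses(accesses);
		item.setDelegateAdmin(false);
		policy.getPolicyItems().add(item);
	}
}

// in RangerServiceStorm.getDefaultRangerPolicies()
// … unchanged: debug entry log …
List<RangerPolicy> ret = super.getDefaultRangerPolicies();
addLookupUserAccess(ret, ACCESS_TYPE_GET_TOPOLOGY, ACCESS_TYPE_GET_TOPOLOGY_CONF,
		ACCESS_TYPE_GET_USER_TOPOLOGY, ACCESS_TYPE_GET_TOPOLOGY_INFO);
// … unchanged: debug exit log, return ret …
```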