Posted to commits@ranger.apache.org by ab...@apache.org on 2017/11/29 01:31:47 UTC
ranger git commit: RANGER-1781: Policy model update to support
restricted access-types based on selected resource(Initialize isValidLeaf
attribute in new/existing installation and new/updated service definition)
Repository: ranger
Updated Branches:
refs/heads/master b70479c4f -> 1e77fa2a4
RANGER-1781: Policy model update to support restricted access-types based on selected resource (Initialize isValidLeaf attribute in new/existing installation and new/updated service definition)
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/1e77fa2a
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/1e77fa2a
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/1e77fa2a
Branch: refs/heads/master
Commit: 1e77fa2a4be3425f97d5711ebb0de5db8258c618
Parents: b70479c
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Tue Nov 28 17:31:37 2017 -0800
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Tue Nov 28 17:31:37 2017 -0800
----------------------------------------------------------------------
.../validation/RangerServiceDefHelper.java | 25 ++-
.../org/apache/ranger/biz/ServiceDBStore.java | 6 +
...pdateForResourceSpecificAccesses_J10012.java | 173 +++++++++++++++++++
3 files changed, 199 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/1e77fa2a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
index 486a39c..6cb55c2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
@@ -162,7 +162,11 @@ public class RangerServiceDefHelper {
}
_delegate = delegate;
}
-
+
+ public void patchServiceDefWithDefaultValues() {
+ _delegate.patchServiceDefWithDefaultValues();
+ }
+
/**
* for a resource definition as follows:
*
@@ -297,7 +301,21 @@ public class RangerServiceDefHelper {
LOG.debug(message);
}
}
-
+
+ public void patchServiceDefWithDefaultValues() {
+ for(int policyType : RangerPolicy.POLICY_TYPES) {
+ Set<List<RangerResourceDef>> resourceHierarchies = getResourceHierarchies(policyType);
+ for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
+ for (int index = 0; index < resourceHierarchy.size(); index++) {
+ RangerResourceDef resourceDef = resourceHierarchy.get(index);
+ if (!Boolean.TRUE.equals(resourceDef.getIsValidLeaf())) {
+ resourceDef.setIsValidLeaf(index == resourceHierarchy.size()-1);
+ }
+ }
+ }
+ }
+ }
+
public Set<List<RangerResourceDef>> getResourceHierarchies(Integer policyType) {
if(policyType == null) {
policyType = RangerPolicy.POLICY_TYPE_ACCESS;
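Review bot: The condition `!Boolean.TRUE.equals(resourceDef.getIsValidLeaf())` in the new patchServiceDefWithDefaultValues treats an explicit `false` the same as an unset value, so a service definition that deliberately marks the last resource of a hierarchy as not a valid leaf is rewritten to `true` with no log line. isValidLeaf appears to control the resource level at which a policy may end, so the rewrite widens what the definition admits. If it runs before the sink-node check that logs "is not leaf node" later in this file, that check can no longer reject such a definition; the call order is not visible here. A plain `== null` test is not a safe replacement, because a resource shared by several hierarchies can be set to `false` in one pass and need `true` in a later one, so the unset state would have to be captured before the loops start. At minimum the method needs Javadoc stating that only `true` is preserved and that the last element of every hierarchy is forced to `true`.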
@@ -403,9 +421,6 @@ public class RangerServiceDefHelper {
LOG.error("Error in path: sink node:[" + sink + "] is not leaf node");
ret = false;
break;
- } else if (sinkResourceDef.getIsValidLeaf() == null) {
- LOG.info("Setting sink ResourceDef's isValidLeaf from null to 'true'");
- sinkResourceDef.setIsValidLeaf(true);
}
}
} else {
http://git-wip-us.apache.org/repos/asf/ranger/blob/1e77fa2a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 956b605..9d8f5d2 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -369,6 +369,9 @@ public class ServiceDBStore extends AbstractServiceStore {
List<RangerAccessTypeDef> rowFilterAccessTypes = rowFilterDef == null || rowFilterDef.getAccessTypes() == null ? new ArrayList<RangerAccessTypeDef>() : rowFilterDef.getAccessTypes();
List<RangerResourceDef> rowFilterResources = rowFilterDef == null || rowFilterDef.getResources() == null ? new ArrayList<RangerResourceDef>() : rowFilterDef.getResources();
+ RangerServiceDefHelper defHelper = new RangerServiceDefHelper(serviceDef, false);
+ defHelper.patchServiceDefWithDefaultValues();
+
// While creating, value of version should be 1.
serviceDef.setVersion(Long.valueOf(1));
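Review bot: The two added lines change `serviceDef` in place just before it is stored, and nothing at the call site says so; the same pair is repeated in the hunk at -625 on the update path. A one-line comment such as `// default isValidLeaf on every resource-def (last level of each hierarchy becomes a valid leaf) before persisting` would explain why a helper is built and then discarded. Both enclosing methods start and end outside the hunks, so whether validation of the incoming definition runs before or after this mutation cannot be judged from here.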
@@ -625,6 +628,9 @@ public class ServiceDBStore extends AbstractServiceStore {
RangerDataMaskDef dataMaskDef = serviceDef.getDataMaskDef();
RangerRowFilterDef rowFilterDef = serviceDef.getRowFilterDef();
+ RangerServiceDefHelper defHelper = new RangerServiceDefHelper(serviceDef, false);
+ defHelper.patchServiceDefWithDefaultValues();
+
serviceDef.setCreateTime(existing.getCreateTime());
serviceDef.setGuid(existing.getGuid());
serviceDef.setVersion(existing.getVersion());
http://git-wip-us.apache.org/repos/asf/ranger/blob/1e77fa2a/security-admin/src/main/java/org/apache/ranger/patch/PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.java
new file mode 100644
index 0000000..f13e107
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.java
@@ -0,0 +1,173 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.patch;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.log4j.Logger;
+import org.apache.ranger.biz.RangerBizUtil;
+import org.apache.ranger.biz.ServiceDBStore;
+import org.apache.ranger.common.JSONUtil;
+import org.apache.ranger.common.RangerValidatorFactory;
+import org.apache.ranger.common.StringUtil;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
+import org.apache.ranger.service.RangerPolicyService;
+import org.apache.ranger.service.XPermMapService;
+import org.apache.ranger.service.XPolicyService;
+import org.apache.ranger.util.CLIUtil;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+import org.apache.ranger.entity.XXServiceDef;
+
+import java.util.List;
+import java.util.Map;
+
+@Component
+public class PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012 extends BaseLoader {
+ private static final Logger logger = Logger.getLogger(PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.class);
+
+ @Autowired
+ RangerDaoManager daoMgr;
+
+ @Autowired
+ ServiceDBStore svcDBStore;
+
+ @Autowired
+ JSONUtil jsonUtil;
+
+ @Autowired
+ RangerPolicyService policyService;
+
+ @Autowired
+ StringUtil stringUtil;
+
+ @Autowired
+ XPolicyService xPolService;
+
+ @Autowired
+ XPermMapService xPermMapService;
+
+ @Autowired
+ RangerBizUtil bizUtil;
+
+ @Autowired
+ RangerValidatorFactory validatorFactory;
+
+ @Autowired
+ ServiceDBStore svcStore;
+
+ public static void main(String[] args) {
+ logger.info("main()");
+ try {
+ PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012 loader = (PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012) CLIUtil.getBean(PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.class);
+ loader.init();
+ while (loader.isMoreToProcess()) {
+ loader.load();
+ }
+ logger.info("Load complete. Exiting!!!");
+ System.exit(0);
+ } catch (Exception e) {
+ logger.error("Error loading", e);
+ System.exit(1);
+ }
+ }
+
+ @Override
+ public void init() throws Exception {
+ // Do Nothing
+ }
+
+ @Override
+ public void execLoad() {
+ logger.info("==> PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.execLoad()");
+ try {
+ updateAllServiceDef();
+ } catch (Exception e) {
+ logger.error("Error in PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.execLoad()", e);
+ }
+ logger.info("<== PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.execLoad()");
+ }
+
+ @Override
+ public void printStats() {
+ logger.info("PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012 data ");
+ }
+
+ private void updateAllServiceDef() {
+
+ List<XXServiceDef> allXXServiceDefs;
+ allXXServiceDefs = daoMgr.getXXServiceDef().getAll();
+
+ if (CollectionUtils.isNotEmpty(allXXServiceDefs)) {
+
+ for (XXServiceDef xxServiceDef : allXXServiceDefs) {
+
+ String serviceDefName = xxServiceDef.getName();
+
+ try {
+ String jsonStrPreUpdate = xxServiceDef.getDefOptions();
+ Map<String, String> serviceDefOptionsPreUpdate = jsonUtil.jsonToMap(jsonStrPreUpdate);
+ String valueBeforeUpdate = serviceDefOptionsPreUpdate.get(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
+
+ RangerServiceDef serviceDef = svcDBStore.getServiceDefByName(serviceDefName);
+
+ if (serviceDef != null) {
+ logger.info("Started patching service-def:[" + serviceDefName + "]");
+
+ RangerServiceDefHelper defHelper = new RangerServiceDefHelper(serviceDef, false);
+ defHelper.patchServiceDefWithDefaultValues();
+
+ svcStore.updateServiceDef(serviceDef);
+
+ XXServiceDef dbServiceDef = daoMgr.getXXServiceDef().findByName(serviceDefName);
+
+ if (dbServiceDef != null) {
+ String jsonStrPostUpdate = dbServiceDef.getDefOptions();
+ Map<String, String> serviceDefOptionsPostUpdate = jsonUtil.jsonToMap(jsonStrPostUpdate);
+ String valueAfterUpdate = serviceDefOptionsPostUpdate.get(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
+
+ if (!StringUtils.equals(valueBeforeUpdate, valueAfterUpdate)) {
+ if (StringUtils.isEmpty(valueBeforeUpdate)) {
+ serviceDefOptionsPostUpdate.remove(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
+ } else {
+ serviceDefOptionsPostUpdate.put(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES, valueBeforeUpdate);
+ }
+ dbServiceDef.setDefOptions(mapToJsonString(serviceDefOptionsPostUpdate));
+ daoMgr.getXXServiceDef().update(dbServiceDef);
+ }
+ }
+ logger.info("Completed patching service-def:[" + serviceDefName + "]");
+ }
+ } catch (Exception e) {
+ logger.error("Error while patching service-def:[" + serviceDefName + "]", e);
+ }
+ }
+ }
+ }
+
+ private String mapToJsonString(Map<String, String> map) throws Exception {
+ String ret = null;
+ if(map != null) {
+ ret = jsonUtil.readMapToString(map);
+ }
+ return ret;
+ }
+}
+
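Review bot: Failures in this patch are logged and then dropped, so the process still reaches `System.exit(0)`: updateAllServiceDef catches `Exception` per service-def and execLoad catches it again. An upgrade can therefore be reported as applied while some service definitions were never patched, leaving the policy model inconsistent with no signal to the operator. The fence below collects the failed names and throws after the loop, which needs `java.util.ArrayList` imported; whether BaseLoader.load() lets a runtime exception reach main's catch is not visible here and should be confirmed. Separately, `svcDBStore` and `svcStore` inject the same ServiceDBStore type, and `policyService`, `stringUtil`, `xPolService`, `xPermMapService`, `bizUtil` and `validatorFactory` are never used in this file.

```java
public void execLoad() {
    logger.info("==> PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.execLoad()");
    // No catch here: a failed patch must reach the caller so the run is not reported as successful.
    updateAllServiceDef();
    logger.info("<== PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.execLoad()");
}

private void updateAllServiceDef() {
    List<String> failedServiceDefs = new ArrayList<String>();
    // … unchanged: load all XXServiceDef rows and patch each one inside the try …
            } catch (Exception e) {
                logger.error("Error while patching service-def:[" + serviceDefName + "]", e);
                failedServiceDefs.add(serviceDefName);
            }
    // … unchanged: end of the for loop and the isNotEmpty block …
    if (!failedServiceDefs.isEmpty()) {
        throw new IllegalStateException("Failed to patch service-defs: " + failedServiceDefs);
    }
}
```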