Posted to commits@ranger.apache.org by ab...@apache.org on 2020/04/24 02:38:47 UTC

[ranger] branch master updated: RANGER-2772: Adding the functionality of merging the policy - Part 3

This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new b7a2902  RANGER-2772: Adding the functionality of merging the policy - Part 3
b7a2902 is described below

commit b7a2902939f0d5ae64ead9fde539e76a766238a2
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Thu Apr 23 19:38:33 2020 -0700

    RANGER-2772: Adding the functionality of merging the policy - Part 3
---
 .../java/org/apache/ranger/rest/ServiceREST.java   | 53 ++++++++++-------
 .../org/apache/ranger/rest/ServiceRESTUtil.java    | 68 +++++++++++++++++-----
 2 files changed, 88 insertions(+), 33 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 82e67e6..1bdee86 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -83,6 +83,7 @@ import org.apache.ranger.common.ServiceUtil;
 import org.apache.ranger.common.UserSessionBase;
 import org.apache.ranger.common.db.RangerTransactionSynchronizationAdapter;
 import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXPolicy;
 import org.apache.ranger.entity.XXPolicyExportAudit;
 import org.apache.ranger.entity.XXSecurityZone;
 import org.apache.ranger.entity.XXSecurityZoneRefService;
@@ -97,6 +98,7 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerPolicyDelta;
+import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
 import org.apache.ranger.plugin.model.RangerSecurityZone;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -1661,7 +1663,13 @@ public class ServiceREST {
 				}
 				boolean updateIfExists=("true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_UPDATE_IF_EXISTS)))) ? true : false ;
 				boolean mergeIfExists  = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_MERGE_IF_EXISTS)))  ? true : false;
-				if(updateIfExists || mergeIfExists) {
+
+				if (mergeIfExists && updateIfExists) {
+					LOG.warn("Cannot use both updateIfExists and mergeIfExists for a createPolicy. mergeIfExists will override updateIfExists for policy :[" + policy.getName() + "]");
+				}
+				if (mergeIfExists) {
+					ret = applyPolicy(policy, request);
+				} else if(updateIfExists) {
 					RangerPolicy existingPolicy = null;
 					String serviceName = request.getParameter(PARAM_SERVICE_NAME);
 					if (serviceName == null) {
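Review bot: The new branch at the `if (mergeIfExists)` line silently lets mergeIfExists win when a caller sends both flags, with only a LOG.warn that the API client never sees; a request that combines two mutually exclusive modes is better rejected than reinterpreted, e.g. `throw restErrorUtil.createRESTException("updateIfExists and mergeIfExists cannot both be true", MessageEnums.INVALID_INPUT_DATA);` in place of the warn (or document the precedence in the REST API docs if overriding is intended). Note also that the merge path calls applyPolicy(policy, request) without consulting PARAM_SERVICE_NAME, which the updateIfExists branch does read on the next line; if clients identify the service through that parameter rather than policy.getService(), the merge silently behaves differently. The enclosing createPolicy method begins and ends outside this hunk.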
@@ -1699,20 +1707,11 @@ public class ServiceREST {
 					}
 					try {
 						if (existingPolicy != null) {
-							if (updateIfExists) {
-								policy.setId(existingPolicy.getId());
-								ret = updatePolicy(policy);
-							} else if(mergeIfExists){
-								ServiceRESTUtil.mergeExactMatchPolicyForResource(existingPolicy, policy);
-								ret = updatePolicy(existingPolicy);
-							}
+							policy.setId(existingPolicy.getId());
+							ret = updatePolicy(policy);
 						}
 					} catch (Exception excp){
-						if(updateIfExists) {
-							LOG.error("updatePolicy(" + policy + ") failed", excp);
-						}else if(mergeIfExists) {
-							LOG.error("updatePolicy for merge (" + existingPolicy + ") failed", excp);
-						}
+						LOG.error("updatePolicy(" + policy + ") failed", excp);
 						throw restErrorUtil.createRESTException(excp.getMessage());
 					}
 				}
@@ -1775,17 +1774,31 @@ public class ServiceREST {
 		RangerPolicy ret = null;
 
 		if (policy != null && StringUtils.isNotBlank(policy.getService())) {
+
 			try {
-				// Check if applied policy contains any conditions
-				if (ServiceRESTUtil.containsRangerCondition(policy)) {
-					LOG.error("Applied policy contains condition(s); not supported:" + policy);
-					throw new Exception("Applied policy contains condition(s); not supported:" + policy);
-				}
 
-				String user = request.getRemoteUser();
-				RangerPolicy existingPolicy = getExactMatchPolicyForResource(policy, StringUtils.isNotBlank(user) ? user :"admin");
+				final              RangerPolicy existingPolicy;
+				String             signature                     = (new RangerPolicyResourceSignature(policy)).getSignature();
+				List<RangerPolicy> policiesWithMatchingSignature = svcStore.getPoliciesByResourceSignature(policy.getService(), signature, true);
+
+				if (CollectionUtils.isNotEmpty(policiesWithMatchingSignature)) {
+					if (policiesWithMatchingSignature.size() == 1) {
+						existingPolicy = policiesWithMatchingSignature.get(0);
+					} else {
+						throw new Exception("Multiple policies with matching policy-signature are found. Cannot determine target for applying policy");
+					}
+				} else {
+					existingPolicy = null;
+				}
 
 				if (existingPolicy == null) {
+					if (StringUtils.isNotEmpty(policy.getName())) {
+						XXPolicy dbPolicy = daoManager.getXXPolicy().findByPolicyName(policy.getName());
+						if (dbPolicy != null) {
+							policy.setName(policy.getName() + System.currentTimeMillis());
+						}
+					}
+
 					ret = createPolicy(policy, null);
 				} else {
 					ServiceRESTUtil.processApplyPolicy(existingPolicy, policy);
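Review bot: The collision handling added before createPolicy renames the caller's policy by appending System.currentTimeMillis() without telling anyone: the rename is not logged, two requests in the same millisecond can still collide, and the client learns the changed name only by inspecting the returned object. At minimum make the rename visible, `String newName = policy.getName() + System.currentTimeMillis(); LOG.warn("Policy name [" + policy.getName() + "] already exists; creating it as [" + newName + "]"); policy.setName(newName);` — and consider re-checking findByPolicyName on the new name rather than assuming uniqueness. Separately, the old lookup passed the remote user to getExactMatchPolicyForResource while the new getPoliciesByResourceSignature call takes no caller identity; this is acceptable only if createPolicy and updatePolicy still enforce the admin/service authorization themselves, which this hunk does not show, so it is worth confirming. The remainder of applyPolicy, including what happens after processApplyPolicy, is outside this hunk.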
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
index 640d3c3..76cf92c 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
@@ -215,16 +215,54 @@ public class ServiceRESTUtil {
 			LOG.debug("==> ServiceRESTUtil.processApplyPolicy()");
 		}
 
-		processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW);
-		processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY);
-		processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
-		processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS);
+		// Check if applied policy or existing policy contains any conditions
+		if (ServiceRESTUtil.containsRangerCondition(existingPolicy) || ServiceRESTUtil.containsRangerCondition(appliedPolicy)) {
+			LOG.info("Applied policy [" + appliedPolicy + "] or existing policy [" + existingPolicy + "] contains condition(s). Combining two policies.");
+			combinePolicy(existingPolicy, appliedPolicy);
+
+		} else {
+
+			processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW);
+			processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY);
+			processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
+			processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS);
+		}
 
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("<== ServiceRESTUtil.processApplyPolicy()");
 		}
 	}
 
+	static private void combinePolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) {
+
+		List<RangerPolicy.RangerPolicyItem> appliedPolicyItems;
+
+		// Combine allow policy-items
+		appliedPolicyItems = appliedPolicy.getPolicyItems();
+		if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
+			existingPolicy.getPolicyItems().addAll(appliedPolicyItems);
+		}
+
+		// Combine deny policy-items
+		appliedPolicyItems = appliedPolicy.getDenyPolicyItems();
+		if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
+			existingPolicy.getDenyPolicyItems().addAll(appliedPolicyItems);
+		}
+
+		// Combine allow-exception policy-items
+		appliedPolicyItems = appliedPolicy.getAllowExceptions();
+		if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
+			existingPolicy.getAllowExceptions().addAll(appliedPolicyItems);
+		}
+
+		// Combine deny-exception policy-items
+		appliedPolicyItems = appliedPolicy.getDenyExceptions();
+		if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
+			existingPolicy.getDenyExceptions().addAll(appliedPolicyItems);
+		}
+
+	}
+
 	static private void processApplyPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceRESTUtil.processApplyPolicyForItemType()");
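Review bot: combinePolicy merges the four policy-item lists but never touches policy-level conditions, even though the new check in processApplyPolicy routes a policy here precisely because containsRangerCondition reports policy-level conditions (the `policy.getConditions()` branch added in the later hunk). As a result, an applied policy whose own policy-level conditions restricted its items loses those conditions and its items are appended under the existing policy's conditions, which can grant broader access than the applied policy expressed. Either merge or compare the two `getConditions()` lists and refuse to combine when they differ, or state in a Javadoc on combinePolicy that policy-level conditions of appliedPolicy are intentionally discarded. Also note that addAll appends without de-duplication, so applying the same policy twice doubles its items; a `Set`-based or equals-based skip of items already present would keep the operation idempotent. processApplyPolicyForItemType continues past the end of this hunk.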
@@ -1029,17 +1067,21 @@ public class ServiceRESTUtil {
 		}
 
 		if (policy != null) {
-			List<RangerPolicy.RangerPolicyItem> allItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
+			if (CollectionUtils.isNotEmpty(policy.getConditions())) {
+				ret = true;
+			} else {
+				List<RangerPolicy.RangerPolicyItem> allItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
 
-			allItems.addAll(policy.getPolicyItems());
-			allItems.addAll(policy.getDenyPolicyItems());
-			allItems.addAll(policy.getAllowExceptions());
-			allItems.addAll(policy.getDenyExceptions());
+				allItems.addAll(policy.getPolicyItems());
+				allItems.addAll(policy.getDenyPolicyItems());
+				allItems.addAll(policy.getAllowExceptions());
+				allItems.addAll(policy.getDenyExceptions());
 
-			for (RangerPolicy.RangerPolicyItem policyItem : allItems) {
-				if (!policyItem.getConditions().isEmpty()) {
-					ret = true;
-					break;
+				for (RangerPolicy.RangerPolicyItem policyItem : allItems) {
+					if (!policyItem.getConditions().isEmpty()) {
+						ret = true;
+						break;
+					}
 				}
 			}
 		}
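Review bot: The re-indented item loop still calls `policyItem.getConditions().isEmpty()` and the four `addAll(policy.get...())` calls assume non-null lists, while the newly added branch above them uses the null-safe `CollectionUtils.isNotEmpty(policy.getConditions())`; the two styles should agree, e.g. `if (CollectionUtils.isNotEmpty(policyItem.getConditions())) {` in the loop. Whether RangerPolicy's getters can actually return null is not visible here, so this may be purely a consistency point, but a policy built from client JSON is the kind of input where it matters. The rest of containsRangerCondition, including its return, lies outside this hunk.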