Posted to commits@ranger.apache.org by ab...@apache.org on 2020/04/24 02:38:47 UTC
[ranger] branch master updated: RANGER-2772: Adding the
functionality of merging the policy - Part 3
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new b7a2902 RANGER-2772: Adding the functionality of merging the policy - Part 3
b7a2902 is described below
commit b7a2902939f0d5ae64ead9fde539e76a766238a2
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Thu Apr 23 19:38:33 2020 -0700
RANGER-2772: Adding the functionality of merging the policy - Part 3
---
.../java/org/apache/ranger/rest/ServiceREST.java | 53 ++++++++++-------
.../org/apache/ranger/rest/ServiceRESTUtil.java | 68 +++++++++++++++++-----
2 files changed, 88 insertions(+), 33 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 82e67e6..1bdee86 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -83,6 +83,7 @@ import org.apache.ranger.common.ServiceUtil;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.common.db.RangerTransactionSynchronizationAdapter;
import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXPolicy;
import org.apache.ranger.entity.XXPolicyExportAudit;
import org.apache.ranger.entity.XXSecurityZone;
import org.apache.ranger.entity.XXSecurityZoneRefService;
@@ -97,6 +98,7 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerPolicyDelta;
+import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -1661,7 +1663,13 @@ public class ServiceREST {
}
boolean updateIfExists=("true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_UPDATE_IF_EXISTS)))) ? true : false ;
boolean mergeIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_MERGE_IF_EXISTS))) ? true : false;
- if(updateIfExists || mergeIfExists) {
+
+ if (mergeIfExists && updateIfExists) {
+ LOG.warn("Cannot use both updateIfExists and mergeIfExists for a createPolicy. mergeIfExists will override updateIfExists for policy :[" + policy.getName() + "]");
+ }
+ if (mergeIfExists) {
+ ret = applyPolicy(policy, request);
+ } else if(updateIfExists) {
RangerPolicy existingPolicy = null;
String serviceName = request.getParameter(PARAM_SERVICE_NAME);
if (serviceName == null) {
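Review bot: The new merge branch at `ret = applyPolicy(policy, request);` bypasses the `PARAM_SERVICE_NAME` handling that the updateIfExists branch still performs just below it, and applyPolicy (see the later hunk in this file) only proceeds when `policy.getService()` is non-blank; a client that supplies the service as a query parameter instead of in the body therefore takes the merge path with no target service, and what applyPolicy returns in that case is not visible here. If the update branch's fallback is meant to populate the policy's service from the request parameter, consider hoisting it above the merge/update split so both paths see the same policy, e.g. `if (StringUtils.isBlank(policy.getService())) { policy.setService(request.getParameter(PARAM_SERVICE_NAME)); }`, or document that merge requires the service in the request body. The enclosing createPolicy method starts and ends outside this hunk.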
@@ -1699,20 +1707,11 @@ public class ServiceREST {
}
try {
if (existingPolicy != null) {
- if (updateIfExists) {
- policy.setId(existingPolicy.getId());
- ret = updatePolicy(policy);
- } else if(mergeIfExists){
- ServiceRESTUtil.mergeExactMatchPolicyForResource(existingPolicy, policy);
- ret = updatePolicy(existingPolicy);
- }
+ policy.setId(existingPolicy.getId());
+ ret = updatePolicy(policy);
}
} catch (Exception excp){
- if(updateIfExists) {
- LOG.error("updatePolicy(" + policy + ") failed", excp);
- }else if(mergeIfExists) {
- LOG.error("updatePolicy for merge (" + existingPolicy + ") failed", excp);
- }
+ LOG.error("updatePolicy(" + policy + ") failed", excp);
throw restErrorUtil.createRESTException(excp.getMessage());
}
}
@@ -1775,17 +1774,31 @@ public class ServiceREST {
RangerPolicy ret = null;
if (policy != null && StringUtils.isNotBlank(policy.getService())) {
+
try {
- // Check if applied policy contains any conditions
- if (ServiceRESTUtil.containsRangerCondition(policy)) {
- LOG.error("Applied policy contains condition(s); not supported:" + policy);
- throw new Exception("Applied policy contains condition(s); not supported:" + policy);
- }
- String user = request.getRemoteUser();
- RangerPolicy existingPolicy = getExactMatchPolicyForResource(policy, StringUtils.isNotBlank(user) ? user :"admin");
+ final RangerPolicy existingPolicy;
+ String signature = (new RangerPolicyResourceSignature(policy)).getSignature();
+ List<RangerPolicy> policiesWithMatchingSignature = svcStore.getPoliciesByResourceSignature(policy.getService(), signature, true);
+
+ if (CollectionUtils.isNotEmpty(policiesWithMatchingSignature)) {
+ if (policiesWithMatchingSignature.size() == 1) {
+ existingPolicy = policiesWithMatchingSignature.get(0);
+ } else {
+ throw new Exception("Multiple policies with matching policy-signature are found. Cannot determine target for applying policy");
+ }
+ } else {
+ existingPolicy = null;
+ }
if (existingPolicy == null) {
+ if (StringUtils.isNotEmpty(policy.getName())) {
+ XXPolicy dbPolicy = daoManager.getXXPolicy().findByPolicyName(policy.getName());
+ if (dbPolicy != null) {
+ policy.setName(policy.getName() + System.currentTimeMillis());
+ }
+ }
+
ret = createPolicy(policy, null);
} else {
ServiceRESTUtil.processApplyPolicy(existingPolicy, policy);
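Review bot: The duplicate-name handling added before `ret = createPolicy(policy, null);` is a check-then-act: `findByPolicyName` and the rename to `policy.getName() + System.currentTimeMillis()` are not atomic with the create, and the lookup is not visibly scoped to `policy.getService()`, so a same-named policy in an unrelated service would also trigger a silent rename that the caller is never told about. The signature lookup `getPoliciesByResourceSignature(policy.getService(), signature, true)` presumably restricts the match to enabled policies; if so, a disabled policy with the same resource signature is not found and the create path may collide with it, which should be handled or at least documented next to that call. The previous `getExactMatchPolicyForResource(policy, user)` took the remote user while the new store-level lookup does not — if that helper enforced any per-user visibility of the matched policy, that check is now gone and must be covered by createPolicy/updatePolicy themselves; worth confirming. The applyPolicy method begins, and its try/catch ends, outside this hunk.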
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
index 640d3c3..76cf92c 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
@@ -215,16 +215,54 @@ public class ServiceRESTUtil {
LOG.debug("==> ServiceRESTUtil.processApplyPolicy()");
}
- processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW);
- processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY);
- processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
- processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS);
+ // Check if applied policy or existing policy contains any conditions
+ if (ServiceRESTUtil.containsRangerCondition(existingPolicy) || ServiceRESTUtil.containsRangerCondition(appliedPolicy)) {
+ LOG.info("Applied policy [" + appliedPolicy + "] or existing policy [" + existingPolicy + "] contains condition(s). Combining two policies.");
+ combinePolicy(existingPolicy, appliedPolicy);
+
+ } else {
+
+ processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW);
+ processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY);
+ processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
+ processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS);
+ }
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceRESTUtil.processApplyPolicy()");
}
}
+ static private void combinePolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) {
+
+ List<RangerPolicy.RangerPolicyItem> appliedPolicyItems;
+
+ // Combine allow policy-items
+ appliedPolicyItems = appliedPolicy.getPolicyItems();
+ if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
+ existingPolicy.getPolicyItems().addAll(appliedPolicyItems);
+ }
+
+ // Combine deny policy-items
+ appliedPolicyItems = appliedPolicy.getDenyPolicyItems();
+ if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
+ existingPolicy.getDenyPolicyItems().addAll(appliedPolicyItems);
+ }
+
+ // Combine allow-exception policy-items
+ appliedPolicyItems = appliedPolicy.getAllowExceptions();
+ if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
+ existingPolicy.getAllowExceptions().addAll(appliedPolicyItems);
+ }
+
+ // Combine deny-exception policy-items
+ appliedPolicyItems = appliedPolicy.getDenyExceptions();
+ if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
+ existingPolicy.getDenyExceptions().addAll(appliedPolicyItems);
+ }
+
+ }
+
static private void processApplyPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceRESTUtil.processApplyPolicyForItemType()");
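Review bot: combinePolicy merges only the four policy-item lists and never reads `appliedPolicy.getConditions()`, yet the new branch in processApplyPolicy is taken precisely when policy-level conditions are present (containsRangerCondition now reports them in the next hunk); an applied policy whose grants were meant to be restricted by a policy-level condition has those items appended to the existing policy without that restriction, while the existing policy's own conditions survive untouched, so the merged result can be broader than what the caller submitted. The items are also appended verbatim with no de-duplication, so repeated applies of the same policy grow the existing policy on every call. At minimum add a comment such as `// NOTE: policy-level conditions of appliedPolicy are not merged; policy-items are appended as-is, without de-duplication` above combinePolicy, and consider rejecting the apply (as the removed check in applyPolicy used to) when the applied policy carries policy-level conditions instead of silently dropping them. The `existingPolicy.getPolicyItems()` etc. results are dereferenced without a null check; if RangerPolicy does not guarantee non-null lists, guard them with CollectionUtils as the applied side already is.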
@@ -1029,17 +1067,21 @@ public class ServiceRESTUtil {
}
if (policy != null) {
- List<RangerPolicy.RangerPolicyItem> allItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
+ if (CollectionUtils.isNotEmpty(policy.getConditions())) {
+ ret = true;
+ } else {
+ List<RangerPolicy.RangerPolicyItem> allItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
- allItems.addAll(policy.getPolicyItems());
- allItems.addAll(policy.getDenyPolicyItems());
- allItems.addAll(policy.getAllowExceptions());
- allItems.addAll(policy.getDenyExceptions());
+ allItems.addAll(policy.getPolicyItems());
+ allItems.addAll(policy.getDenyPolicyItems());
+ allItems.addAll(policy.getAllowExceptions());
+ allItems.addAll(policy.getDenyExceptions());
- for (RangerPolicy.RangerPolicyItem policyItem : allItems) {
- if (!policyItem.getConditions().isEmpty()) {
- ret = true;
- break;
+ for (RangerPolicy.RangerPolicyItem policyItem : allItems) {
+ if (!policyItem.getConditions().isEmpty()) {
+ ret = true;
+ break;
+ }
}
}
}
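Review bot: The new policy-level check uses `CollectionUtils.isNotEmpty(policy.getConditions())` while the per-item check on the re-indented lines below keeps `!policyItem.getConditions().isEmpty()`, which throws if an item's conditions list is null; for consistency and null-safety write `if (CollectionUtils.isNotEmpty(policyItem.getConditions())) {`. A one-line comment on the outer branch, `// a policy-level condition counts even when no policy-item carries one`, would make the new early return self-explanatory. The enclosing containsRangerCondition method starts before this hunk.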