Posted to commits@ranger.apache.org by ma...@apache.org on 2018/03/02 19:34:25 UTC
[1/2] ranger git commit: RANGER-2004: updated Ranger authorization
plugin for Atlas for the changes in ATLAS-2459
Repository: ranger
Updated Branches:
refs/heads/master d3fffd00d -> 9a3d4e306
RANGER-2004: updated Ranger authorization plugin for Atlas for the changes in ATLAS-2459
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/9a3d4e30
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/9a3d4e30
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/9a3d4e30
Branch: refs/heads/master
Commit: 9a3d4e306b5e536e294cb20fb67664e2e0b7a7f8
Parents: 6cc6208
Author: nixonrodrigues <ni...@apache.org>
Authored: Tue Feb 27 18:37:58 2018 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Fri Mar 2 11:33:26 2018 -0800
----------------------------------------------------------------------
.../service-defs/ranger-servicedef-atlas.json | 417 +++++------
.../atlas/authorizer/RangerAtlasAuthorizer.java | 258 ++++++-
.../services/atlas/RangerServiceAtlas.java | 375 +++++++++-
.../services/atlas/client/AtlasClient.java | 688 -------------------
.../atlas/client/AtlasConnectionMgr.java | 30 -
.../services/atlas/client/AtlasResourceMgr.java | 90 ---
6 files changed, 801 insertions(+), 1057 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/9a3d4e30/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
index 4a550c6..5237125 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
@@ -1,207 +1,212 @@
-{
- "id":11,
- "name": "atlas",
- "implClass": "org.apache.ranger.services.atlas.RangerServiceAtlas",
- "label": "Atlas Metadata Server",
- "description": "Atlas Metadata Server",
- "resources":
- [
- {
- "itemId": 1,
- "name": "entity",
- "type": "string",
- "level": 10,
- "parent": "",
- "mandatory": true,
- "lookupSupported": true,
- "recursiveSupported": false,
- "excludesSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": { "wildCard":true, "ignoreCase":true },
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Entity",
- "description": "Entity"
- },
-
- {
- "itemId": 2,
- "name": "type",
- "type": "string",
- "level": 10,
- "parent": "",
- "mandatory": true,
- "lookupSupported": true,
- "recursiveSupported": false,
- "excludesSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": { "wildCard":true, "ignoreCase":true },
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Type",
- "description": "Type"
- },
-
- {
- "itemId": 3,
- "name": "operation",
- "type": "string",
- "level": 10,
- "parent": "",
- "mandatory": true,
- "lookupSupported": true,
- "recursiveSupported": false,
- "excludesSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": { "wildCard":true, "ignoreCase":true },
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Operations",
- "description": "Admin Operations"
- },
-
- {
- "itemId": 4,
- "name": "taxonomy",
- "type": "string",
- "level": 10,
- "parent": "",
- "mandatory": true,
- "lookupSupported": true,
- "recursiveSupported": false,
- "excludesSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": { "wildCard":true, "ignoreCase":true },
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Taxonomy",
- "description": "Taxonomy"
- },
-
- {
- "itemId": 5,
- "name": "term",
- "type": "string",
- "level": 10,
- "parent": "",
- "mandatory": true,
- "lookupSupported": true,
- "recursiveSupported": false,
- "excludesSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": { "wildCard":true, "ignoreCase":true },
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Term",
- "description": "Term"
- }
-
-
- ],
-
- "accessTypes":
- [
- {
- "itemId": 1,
- "name": "read",
- "label": "read"
- },
-
- {
- "itemId": 2,
- "name": "create",
- "label": "create"
- },
-
- {
- "itemId": 3,
- "name": "update",
- "label": "update"
- },
-
- {
- "itemId": 4,
- "name": "delete",
- "label": "delete"
- },
-
-
- {
- "itemId": 5,
- "name": "all",
- "label": "All",
- "impliedGrants":
- [
- "read",
- "create",
- "update",
- "delete"
- ]
- }
- ],
-
- "configs":
- [
- {
- "itemId": 1,
- "name": "username",
- "type": "string",
- "mandatory": true,
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Username"
- },
-
- {
- "itemId": 2,
- "name": "password",
- "type": "password",
- "mandatory": true,
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Password"
- },
-
- {
- "itemId": 3,
- "name": "atlas.rest.address",
- "type": "string",
- "mandatory": true,
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "defaultValue": "http://localhost:21000"
- },
-
- {
- "itemId": 4,
- "name": "commonNameForCertificate",
- "type": "string",
- "mandatory": false,
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Common Name for Certificate"
- }
- ],
-
- "enums":
- [
-
- ],
-
- "contextEnrichers":
- [
- ],
-
- "policyConditions":
- [
- ]
+{
+ "id": 11,
+ "name": "atlas",
+ "implClass": "org.apache.ranger.services.atlas.RangerServiceAtlas",
+ "label": "Atlas Metadata Server",
+ "description": "Atlas Metadata Server",
+ "guid": "311a79b7-16f5-46f4-9829-a0224b9999c5",
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "type-category",
+ "type": "string",
+ "level": 10,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "true",
+ "ignoreCase": "true"
+ },
+ "label": "Type Catagory",
+ "description": "Type Catagory"
+ },
+ {
+ "itemId": 2,
+ "name": "type",
+ "type": "string",
+ "level": 20,
+ "parent": "type-category",
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "true",
+ "ignoreCase": "true"
+ },
+ "label": "Type Name",
+ "description": "Type Name",
+ "accessTypeRestrictions": [ "type-create", "type-update", "type-delete" ]
+ },
+ {
+ "itemId": 3,
+ "name": "entity-type",
+ "type": "string",
+ "level": 10,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "true",
+ "ignoreCase": "true"
+ },
+ "label": "Entity Type",
+ "description": "Entity Type"
+ },
+ {
+ "itemId": 4,
+ "name": "entity-classification",
+ "type": "string",
+ "level": 20,
+ "parent": "entity-type",
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "true",
+ "ignoreCase": "true"
+ },
+ "label": "Entity Classification",
+ "description": "Entity Classification"
+ },
+ {
+ "itemId": 5,
+ "name": "entity",
+ "type": "string",
+ "level": 30,
+ "parent": "entity-classification",
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "true",
+ "ignoreCase": "true"
+ },
+ "label": "Entity ID",
+ "description": "Entity ID",
+ "accessTypeRestrictions": [ "entity-read", "entity-create", "entity-update", "entity-delete", "entity-read-classification", "entity-add-classification", "entity-update-classification", "entity-remove-classification" ]
+ },
+ {
+ "itemId": 6,
+ "name": "atlas-service",
+ "type": "string",
+ "level": 10,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "true",
+ "ignoreCase": "true"
+ },
+ "label": "Atlas Service",
+ "description": "Atlas Service",
+ "accessTypeRestrictions": [ "admin-import", "admin-export" ]
+ }
+ ],
+ "accessTypes": [
+ {
+ "itemId": 1,
+ "name": "type-create",
+ "label": "Create Type"
+ },
+ {
+ "itemId": 2,
+ "name": "type-update",
+ "label": "UpdateType"
+ },
+ {
+ "itemId": 3,
+ "name": "type-delete",
+ "label": "Delete Type"
+ },
+ {
+ "itemId": 4,
+ "name": "entity-read",
+ "label": "Read Entity"
+ },
+ {
+ "itemId": 5,
+ "name": "entity-create",
+ "label": "Create Entity"
+ },
+ {
+ "itemId": 6,
+ "name": "entity-update",
+ "label": "Update Entity"
+ },
+ {
+ "itemId": 7,
+ "name": "entity-delete",
+ "label": "Delete Entity"
+ },
+ {
+ "itemId": 8,
+ "name": "entity-read-classification",
+ "label": "Read Classification"
+ },
+ {
+ "itemId": 9,
+ "name": "entity-add-classification",
+ "label": "Add Classification"
+ },
+ {
+ "itemId": 10,
+ "name": "entity-update-classification",
+ "label": "Update Classification"
+ },
+ {
+ "itemId": 11,
+ "name": "entity-remove-classification",
+ "label": "Remove Classification"
+ },
+ {
+ "itemId": 12,
+ "name": "admin-export",
+ "label": "Admin Export"
+ },
+ {
+ "itemId": 13,
+ "name": "admin-import",
+ "label": "Admin Import"
+ }
+ ],
+ "configs": [
+ {
+ "itemId": 1,
+ "name": "username",
+ "type": "string",
+ "mandatory": true,
+ "label": "Username"
+ },
+ {
+ "itemId": 2,
+ "name": "password",
+ "type": "password",
+ "mandatory": true,
+ "label": "Password"
+ },
+ {
+ "itemId": 3,
+ "name": "atlas.rest.address",
+ "type": "string",
+ "mandatory": true,
+ "defaultValue": "http://localhost:21000"
+ },
+ {
+ "itemId": 4,
+ "name": "commonNameForCertificate",
+ "type": "string",
+ "mandatory": false,
+ "label": "Common Name for Certificate"
+ }
+ ],
+ "options": {
+ "enableDenyAndExceptionsInPolicies": "true"
+ }
}
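Review bot: The `type-category` resource (itemId 1) misspells its label and description; these strings are what the policy UI shows administrators, so they should read `"label": "Type Category",` and `"description": "Type Category"`. Separately, `accessTypeRestrictions` is given to `type`, `entity` and `atlas-service` but not to `type-category`, `entity-type` or `entity-classification`; if an absent list means every access type is grantable at that level (which is how I read Ranger's servicedef semantics), a policy that stops at `entity-type` could carry `admin-import`/`admin-export` even though the authorizer only evaluates those against `atlas-service`, so either an explicit list on those resources or a comment stating the intent would help. The `mandatory` flags the old resources carried are also dropped; worth confirming the default is what is wanted.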
http://git-wip-us.apache.org/repos/asf/ranger/blob/9a3d4e30/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index 90e75a1..465b06f 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -25,14 +25,31 @@ import org.apache.atlas.authorize.AtlasAuthorizationException;
import org.apache.atlas.authorize.AtlasEntityAccessRequest;
import org.apache.atlas.authorize.AtlasTypeAccessRequest;
import org.apache.atlas.authorize.AtlasAuthorizer;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
+
+import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_TYPE_CATEGORY;
+import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_TYPE_NAME;
+import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_TYPE;
+import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_CLASSIFICATION;
+import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_ID;
+import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_SERVICE;
+
+import java.util.*;
public class RangerAtlasAuthorizer implements AtlasAuthorizer {
- private static final Logger LOG = LoggerFactory.getLogger(RangerAtlasAuthorizer.class);
+ private static final Log LOG = LogFactory.getLog(RangerAtlasAuthorizer.class);
+ private static final Log PERF_LOG = RangerPerfTracer.getPerfLogger("atlasauth.request");
private static volatile RangerBasePlugin atlasPlugin = null;
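Review bot: `import java.util.*;` is a wildcard import in a file that otherwise lists classes individually; the new code uses Collection, Collections, HashMap, HashSet, Map and Set, so spelling those six out would match the file's style and avoid a silent collision if `java.util` ever gains a name used here. The six static imports from `RangerServiceAtlas` also couple the authorizer, which runs inside Atlas, to the service-side class and through it to the resource names in the servicedef JSON; a one-line comment above them such as `// resource names shared with ranger-servicedef-atlas.json; keep all three in sync` would make that dependency visible to the next person editing either side.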
@@ -73,15 +90,33 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
@Override
public boolean isAccessAllowed(AtlasAdminAccessRequest request) throws AtlasAuthorizationException {
if (LOG.isDebugEnabled()) {
- LOG.debug("==> isAccessAllowed(AtlasAdminAccessRequest)");
+ LOG.debug("==> isAccessAllowed(" + request + ")");
}
- final boolean ret;
+ final boolean ret;
+ RangerPerfTracer perf = null;
+
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.isAccessAllowed(" + request + ")");
+ }
+
+ String action = request.getAction() != null ? request.getAction().getType() : null;
+ RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl(Collections.singletonMap(RESOURCE_SERVICE, "*"));
+ RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups());
- ret = true; // TODO: evaluate Ranger policies
+ rangerRequest.setClientIPAddress(request.getClientIPAddress());
+ rangerRequest.setAccessTime(request.getAccessTime());
+ rangerRequest.setAction(action);
+ rangerRequest.setClusterName(getClusterName());
+
+ ret = checkAccess(rangerRequest);
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
if (LOG.isDebugEnabled()) {
- LOG.debug("<== isAccessAllowed(AtlasAdminAccessRequest)");
+ LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
}
return ret;
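Review bot: `ret = checkAccess(rangerRequest);` evaluates the admin request without an audit handler, unlike the entity path which passes a `RangerAtlasAuditHandler`; unless the plugin's initialization (outside this hunk) installs a default result processor, `admin-import`/`admin-export` decisions would produce no audit record, which is the one category here an operator most wants to see. Passing the default handler, e.g. `ret = checkAccess(rangerRequest, new RangerDefaultAuditHandler());` via the two-argument overload, would make auditing explicit regardless of how the plugin was set up. Note also that `action` is used as both the access type and the action, so a request with a null action becomes a null access type and the outcome rests on how the policy engine treats that; a comment stating the expected behaviour would help. The method's closing brace lies outside the hunk.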
@@ -90,15 +125,82 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
@Override
public boolean isAccessAllowed(AtlasEntityAccessRequest request) throws AtlasAuthorizationException {
if (LOG.isDebugEnabled()) {
- LOG.debug("==> isAccessAllowed(AtlasEntityAccessRequest)");
+ LOG.debug("==> isAccessAllowed(" + request + ")");
}
- final boolean ret;
+ boolean ret = false;
+ RangerPerfTracer perf = null;
+ RangerAtlasAuditHandler auditHandler = new RangerAtlasAuditHandler(request, getServiceDef());
+
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.isAccessAllowed(" + request + ")");
+ }
+
+ final String action = request.getAction() != null ? request.getAction().getType() : null;
+ final Set<String> entityTypes = request.getEntityTypeAndAllSuperTypes();
+ final String entityId = request.getEntityId();
+ final String classification = request.getClassification() != null ? request.getClassification().getTypeName() : null;
+ RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
+
+ rangerRequest.setAccessType(action);
+ rangerRequest.setAction(action);
+ rangerRequest.setUser(request.getUser());
+ rangerRequest.setUserGroups(request.getUserGroups());
+ rangerRequest.setClientIPAddress(request.getClientIPAddress());
+ rangerRequest.setAccessTime(request.getAccessTime());
+ rangerRequest.setClusterName(getClusterName());
+
+ final Set<String> classificationsToAuthorize;
+
+ if (classification != null) {
+ if (request.getEntityClassifications() == null) {
+ classificationsToAuthorize = Collections.singleton(classification);
+ } else {
+ classificationsToAuthorize = new HashSet<>(request.getEntityClassifications());
+
+ classificationsToAuthorize.add(classification);
+ }
+ } else {
+ classificationsToAuthorize = request.getEntityClassifications();
+ }
+
+ if (CollectionUtils.isNotEmpty(classificationsToAuthorize)) {
+ // check authorization for each classification
+ for (String classificationToAuthorize : classificationsToAuthorize) {
+ RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
+
+ rangerResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
+ rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));
+ rangerResource.setValue(RESOURCE_ENTITY_ID, entityId);
+
+ rangerRequest.setResource(rangerResource);
+
+ ret = checkAccess(rangerRequest, auditHandler);
+
+ if (!ret) {
+ break;
+ }
+ }
+ } else { // no classifications to authorize
+ RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
- ret = true; // TODO: evaluate Ranger policies
+ rangerResource.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
+ rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, Collections.<String>emptySet());
+ rangerResource.setValue(RESOURCE_ENTITY_ID, entityId);
+
+ rangerRequest.setResource(rangerResource);
+
+ ret = checkAccess(rangerRequest, auditHandler);
+ }
+ } finally {
+ auditHandler.flushAudit();
+
+ RangerPerfTracer.log(perf);
+ }
if (LOG.isDebugEnabled()) {
- LOG.debug("<== isAccessAllowed(AtlasEntityAccessRequest)");
+ LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
}
return ret;
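Review bot: The three `rangerResource.setValue(...)` calls are written out twice, once inside the classification loop and once in the `else` branch, differing only in the classification value; extracting them into a small private helper removes the duplication and makes the AND-over-classifications rule (a single deny breaks the loop and the overall result is false) easier to read. The helper below takes the classification value as `Object` because the hunk already passes both a `Set` and a `String` to `setValue`. Also worth noting: `auditHandler` is built before the `try`, and its constructor calls `rangerResource.setServiceDef(getServiceDef())`, which is null when the plugin is not yet initialized; whether `getAsString()` tolerates a null serviceDef is not visible here, so a null check there or a comment would be prudent.
```java
// … unchanged: request construction and classificationsToAuthorize selection …
if (CollectionUtils.isNotEmpty(classificationsToAuthorize)) {
    // access is granted only if every classification on the entity allows it
    for (String classificationToAuthorize : classificationsToAuthorize) {
        rangerRequest.setResource(createEntityResource(entityTypes, request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize), entityId));

        ret = checkAccess(rangerRequest, auditHandler);

        if (!ret) {
            break;
        }
    }
} else { // no classifications to authorize
    rangerRequest.setResource(createEntityResource(entityTypes, Collections.<String>emptySet(), entityId));

    ret = checkAccess(rangerRequest, auditHandler);
}
// … unchanged: finally block, debug log and return …

/** Builds the Ranger resource (entity-type, entity-classification, entity) for one entity authorization check. */
private RangerAccessResourceImpl createEntityResource(Set<String> entityTypes, Object classifications, String entityId) {
    RangerAccessResourceImpl ret = new RangerAccessResourceImpl();

    ret.setValue(RESOURCE_ENTITY_TYPE, entityTypes);
    ret.setValue(RESOURCE_ENTITY_CLASSIFICATION, classifications);
    ret.setValue(RESOURCE_ENTITY_ID, entityId);

    return ret;
}
```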
@@ -107,15 +209,82 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
@Override
public boolean isAccessAllowed(AtlasTypeAccessRequest request) throws AtlasAuthorizationException {
if (LOG.isDebugEnabled()) {
- LOG.debug("==> isAccessAllowed(AtlasTypeAccessRequest)");
+ LOG.debug("==> isAccessAllowed(" + request + ")");
}
- final boolean ret;
+ final boolean ret;
+ RangerPerfTracer perf = null;
+
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.isAccessAllowed(" + request + ")");
+ }
+
+ final String typeName = request.getTypeDef() != null ? request.getTypeDef().getName() : null;
+ final String typeCategory = request.getTypeDef() != null && request.getTypeDef().getCategory() != null ? request.getTypeDef().getCategory().name() : null;
+ final String action = request.getAction() != null ? request.getAction().getType() : null;
+
+ RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
+
+ rangerResource.setValue(RESOURCE_TYPE_NAME, typeName);
+ rangerResource.setValue(RESOURCE_TYPE_CATEGORY, typeCategory);
+
+ RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource, action, request.getUser(), request.getUserGroups());
+ rangerRequest.setClientIPAddress(request.getClientIPAddress());
+ rangerRequest.setAccessTime(request.getAccessTime());
+ rangerRequest.setClusterName(getClusterName());
+ rangerRequest.setAction(action);
- ret = true; // TODO: evaluate Ranger policies
+
+ ret = checkAccess(rangerRequest);
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
if (LOG.isDebugEnabled()) {
- LOG.debug("<== isAccessAllowed(AtlasTypeAccessRequest)");
+ LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private String getClusterName() {
+ RangerBasePlugin plugin = atlasPlugin;
+
+ return plugin != null ? plugin.getClusterName() : null;
+ }
+
+ private RangerServiceDef getServiceDef() {
+ RangerBasePlugin plugin = atlasPlugin;
+
+ return plugin != null ? plugin.getServiceDef() : null;
+ }
+
+ private boolean checkAccess(RangerAccessRequestImpl request) {
+ boolean ret = false;
+ RangerBasePlugin plugin = atlasPlugin;
+
+ if (plugin != null) {
+ RangerAccessResult result = plugin.isAccessAllowed(request);
+
+ ret = result != null && result.getIsAllowed();
+ } else {
+ LOG.warn("RangerAtlasPlugin not initialized. Access blocked!!!");
+ }
+
+ return ret;
+ }
+
+ private boolean checkAccess(RangerAccessRequestImpl request, RangerAtlasAuditHandler auditHandler) {
+ boolean ret = false;
+ RangerBasePlugin plugin = atlasPlugin;
+
+ if (plugin != null) {
+ RangerAccessResult result = plugin.isAccessAllowed(request, auditHandler);
+
+ ret = result != null && result.getIsAllowed();
+ } else {
+ LOG.warn("RangerAtlasPlugin not initialized. Access blocked!!!");
}
return ret;
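Review bot: `typeCategory` is taken from `request.getTypeDef().getCategory().name()`, an enum constant name, while the lookup values the service side offers for the same resource are lower-case strings ("classification", "enum", ...); matching only works because the servicedef in this commit sets `ignoreCase` to true on `type-category`, so a comment on that line such as `// enum name is upper-case; relies on ignoreCase=true in the servicedef matcher options` would stop a future servicedef edit from silently breaking type policies. The fail-closed branch in both `checkAccess` overloads (deny and warn when `atlasPlugin` is null) is the right default; consider making the warning say which request was blocked, e.g. `LOG.warn("RangerAtlasPlugin not initialized. Access blocked for " + request);`, since a bare message gives the operator nothing to correlate. The second `checkAccess` overload's closing brace lies outside the hunk.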
@@ -126,4 +295,63 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
super("atlas", "atlas");
}
}
+
+ class RangerAtlasAuditHandler extends RangerDefaultAuditHandler {
+ private final Map<Long, AuthzAuditEvent> auditEvents;
+ private final String resourcePath;
+ private boolean denyExists = false;
+
+
+ public RangerAtlasAuditHandler(AtlasEntityAccessRequest request, RangerServiceDef serviceDef) {
+ Collection<String> classifications = request.getEntityClassifications();
+ String strClassifications = classifications == null ? "[]" : classifications.toString();
+
+ if (request.getClassification() != null) {
+ strClassifications += ("," + request.getClassification().getTypeName());
+ }
+
+ RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
+
+ rangerResource.setServiceDef(serviceDef);
+ rangerResource.setValue(RESOURCE_ENTITY_TYPE, request.getEntityType());
+ rangerResource.setValue(RESOURCE_ENTITY_CLASSIFICATION, strClassifications);
+ rangerResource.setValue(RESOURCE_ENTITY_ID, request.getEntityId());
+
+ auditEvents = new HashMap<>();
+ resourcePath = rangerResource.getAsString();
+ }
+
+ @Override
+ public void processResult(RangerAccessResult result) {
+ if (denyExists) { // nothing more to do, if a deny already encountered
+ return;
+ }
+
+ AuthzAuditEvent auditEvent = super.getAuthzEvents(result);
+
+ if (auditEvent != null) {
+ // audit event might have list of entity-types and classification-types; overwrite with the values in original request
+ if (resourcePath != null) {
+ auditEvent.setResourcePath(resourcePath);
+ }
+
+ if (!result.getIsAllowed()) {
+ denyExists = true;
+
+ auditEvents.clear();
+ }
+
+ auditEvents.put(auditEvent.getPolicyId(), auditEvent);
+ }
+ }
+
+
+ public void flushAudit() {
+ if (auditEvents != null) {
+ for (AuthzAuditEvent auditEvent : auditEvents.values()) {
+ logAuthzAudit(auditEvent);
+ }
+ }
+ }
+ }
}
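Review bot: `RangerAtlasAuditHandler` is declared as a non-static inner class although nothing in it touches the enclosing `RangerAtlasAuthorizer` instance (it uses only its constructor arguments, its own fields and the static `RESOURCE_*` imports), so each handler holds a hidden reference to the authorizer; declare it `private static class RangerAtlasAuditHandler extends RangerDefaultAuditHandler {`. In `flushAudit`, the `auditEvents != null` guard is dead because the field is `final` and assigned in the constructor, and the `auditEvents.put(auditEvent.getPolicyId(), auditEvent)` keying means events for several classifications allowed by the same policy collapse into one record; that looks deliberate but deserves a comment, e.g. `// one audit record per policy: several classifications allowed by the same policy are reported once`. The `strClassifications` value concatenates a list's `toString()` and a bare name (`[a, b],c`), which reads oddly in the audit resource path; building a single collection first and rendering it once would be cleaner.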
http://git-wip-us.apache.org/repos/asf/ranger/blob/9a3d4e30/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
index fe97874..671d2d1 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
@@ -18,25 +18,62 @@
*/
package org.apache.ranger.services.atlas;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import com.google.gson.Gson;
+import com.sun.jersey.api.client.Client;
+import com.sun.jersey.api.client.ClientResponse;
+import com.sun.jersey.api.client.WebResource;
+import com.sun.jersey.core.util.MultivaluedMapImpl;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.IOCase;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.client.BaseClient;
+import org.apache.ranger.plugin.client.HadoopException;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;
-import org.apache.ranger.services.atlas.client.AtlasResourceMgr;
+import org.apache.ranger.plugin.util.PasswordUtils;
-public class RangerServiceAtlas extends RangerBaseService {
+import javax.security.auth.Subject;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.NewCookie;
+public class RangerServiceAtlas extends RangerBaseService {
private static final Log LOG = LogFactory.getLog(RangerServiceAtlas.class);
+ public static final String RESOURCE_SERVICE = "atlas-service";
+ public static final String RESOURCE_TYPE_CATEGORY = "type-category";
+ public static final String RESOURCE_TYPE_NAME = "type";
+ public static final String RESOURCE_ENTITY_TYPE = "entity-type";
+ public static final String RESOURCE_ENTITY_CLASSIFICATION = "entity-classification";
+ public static final String RESOURCE_ENTITY_ID = "entity";
+ public static final String CONFIG_REST_ADDRESS = "atlas.rest.address";
+ public static final String CONFIG_USERNAME = "username";
+ public static final String CONFIG_PASSWORD = "password";
+
+ private static final String TYPE_ENTITY = "entity";
+ private static final String TYPE_CLASSIFICATION = "classification";
+ private static final String TYPE_STRUCT = "struct";
+ private static final String TYPE_ENUM = "enum";
+ private static final String TYPE_RELATIONSHIP = "relationship";
+
+ private static final String URL_LOGIN = "/j_spring_security_check";
+ private static final String URL_GET_TYPESDEF_HEADERS = "/api/atlas/v2/types/typedefs/headers";
+
+ private static final String WEB_RESOURCE_CONTENT_TYPE = "application/x-www-form-urlencoded";
+ private static final String CONNECTION_ERROR_MSG = " You can still save the repository and start creating"
+ + " policies, but you would not be able to use autocomplete for"
+ + " resource names. Check ranger_admin.log for more info.";
+
public RangerServiceAtlas() {
super();
}
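Review bot: The new public `RESOURCE_*` and `CONFIG_*` constants have no documentation, yet their values must agree with the `name` entries in ranger-servicedef-atlas.json and with the static imports in `RangerAtlasAuthorizer`; a comment above the group such as `// resource and config names; must match ranger-servicedef-atlas.json and the static imports in RangerAtlasAuthorizer` records that contract. The private `TYPE_*` constants spell out the same category strings that the `TYPE_CATEGORIES` array in the following hunk repeats as literals, so one of the two should be derived from the other to keep them from drifting. `CONNECTION_ERROR_MSG` begins with a leading space, which suggests it is meant to be appended to another message; a comment saying so would avoid it being used standalone.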
@@ -48,44 +85,35 @@ public class RangerServiceAtlas extends RangerBaseService {
@Override
public Map<String, Object> validateConfig() throws Exception {
- Map<String, Object> responseMap = new HashMap<String, Object>();
- String serviceName = getServiceName();
if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerServiceAtlas.validateConfig Service: ("+ serviceName + " )");
- }
- if (configs != null) {
- try {
- responseMap = AtlasResourceMgr.validateConfig(serviceName,configs);
- } catch (Exception e) {
- LOG.error("<== RangerServiceAtlas.validateConfig Error:" + e);
- throw e;
- }
+ LOG.debug("==> RangerServiceAtlas.validateConfig()");
}
+
+ AtlasServiceClient client = new AtlasServiceClient(getServiceName(), configs);
+
+ Map<String, Object> ret = client.validateConfig();
+
if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerServiceAtlas.validateConfig Response : ("+ responseMap + " )");
+ LOG.debug("<== RangerServiceAtlas.validateConfig(): "+ ret );
}
- return responseMap;
+
+ return ret;
}
@Override
public List<String> lookupResource(ResourceLookupContext context)throws Exception {
- List<String> ret = new ArrayList<String>();
- String serviceName = getServiceName();
- Map<String, String> configs = getConfigs();
if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerServiceAtlas.lookupResource Context: ("+ context + ")");
- }
- if (context != null) {
- try {
- ret = AtlasResourceMgr.getAtlasResources(serviceName, configs,context);
- } catch (Exception e) {
- LOG.error("<==RangerServiceAtlas.lookupResource Error : " + e);
- throw e;
- }
+ LOG.debug("==> RangerServiceAtlas.lookupResource("+ context + ")");
}
+
+ AtlasServiceClient client = new AtlasServiceClient(getServiceName(), configs);
+
+ List<String> ret = client.lookupResource(context);
+
if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerServiceAtlas.lookupResource Response: (" + ret+ ")");
+ LOG.debug("<== RangerServiceAtlas.lookupResource("+ context + "): " + ret);
}
+
return ret;
}
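Review bot: `lookupResource` drops the `context != null` guard the removed code had, and the client it now delegates to dereferences the context unconditionally (`lookupContext.getUserInput()` and `lookupContext.getResources().get(...)` in the following hunk), so a null context now fails with a NullPointerException instead of returning an empty list; restoring `if (context == null) { return new ArrayList<>(); }` before the client is built keeps the old contract. The removed `catch` blocks also logged the failure before rethrowing; both methods still declare `throws Exception` but now propagate silently, so either the caller logs or the `LOG.error(...)` should be kept here. Each call also constructs a fresh `AtlasServiceClient`, which from the next hunk appears to perform a new login per invocation; if that is intended (no session caching), a short comment saying so would prevent someone "optimizing" it into a shared client without thinking about credential lifetime.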
@@ -116,4 +144,295 @@ public class RangerServiceAtlas extends RangerBaseService {
}
return ret;
}
+
+ private static class AtlasServiceClient extends BaseClient {
+ private static final String[] TYPE_CATEGORIES = new String[] { "classification", "enum", "entity", "relationship", "struct" };
+
+ Map<String, List<String>> typesDef = new HashMap<>();
+
+ public AtlasServiceClient(String serviceName, Map<String, String> serviceConfig) {
+ super(serviceName, serviceConfig);
+ }
+
+ public Map<String, Object> validateConfig() {
+ Map<String, Object> ret = new HashMap<>();
+
+ loginToAtlas(Client.create());
+
+ BaseClient.generateResponseDataMap(true, "ConnectionTest Successful", "ConnectionTest Successful", null, null, ret);
+
+ return ret;
+ }
+
+ public List<String> lookupResource(ResourceLookupContext lookupContext) {
+ final List<String> ret = new ArrayList<>();
+ final String userInput = lookupContext.getUserInput();
+ final List<String> currentValues = lookupContext.getResources().get(lookupContext.getResourceName());
+
+ switch(lookupContext.getResourceName()) {
+ case RESOURCE_TYPE_CATEGORY: {
+ for (String typeCategory : TYPE_CATEGORIES) {
+ addIfStartsWithAndNotExcluded(ret, typeCategory, userInput, currentValues);
+ }
+ }
+ break;
+
+ case RESOURCE_TYPE_NAME: {
+ refreshTypesDefs();
+
+ final List<String> typeCategories = lookupContext.getResources().get(RESOURCE_TYPE_CATEGORY);
+
+ if (emptyOrContainsMatch(typeCategories, TYPE_CLASSIFICATION)) {
+ addIfStartsWithAndNotExcluded(ret, typesDef.get(TYPE_CLASSIFICATION), userInput, currentValues);
+ }
+
+ if (emptyOrContainsMatch(typeCategories, TYPE_ENTITY)) {
+ addIfStartsWithAndNotExcluded(ret, typesDef.get(TYPE_ENTITY), userInput, currentValues);
+ }
+
+ if (emptyOrContainsMatch(typeCategories, TYPE_ENUM)) {
+ addIfStartsWithAndNotExcluded(ret, typesDef.get(TYPE_ENUM), userInput, currentValues);
+ }
+
+ if (emptyOrContainsMatch(typeCategories, TYPE_STRUCT)) {
+ addIfStartsWithAndNotExcluded(ret, typesDef.get(TYPE_STRUCT), userInput, currentValues);
+ }
+
+ if (emptyOrContainsMatch(typeCategories, TYPE_RELATIONSHIP)) {
+ addIfStartsWithAndNotExcluded(ret, typesDef.get(TYPE_RELATIONSHIP), userInput, currentValues);
+ }
+ }
+ break;
+
+ case RESOURCE_ENTITY_TYPE: {
+ refreshTypesDefs();
+
+ addIfStartsWithAndNotExcluded(ret, typesDef.get(TYPE_ENTITY), userInput, currentValues);
+ }
+ break;
+
+ case RESOURCE_ENTITY_CLASSIFICATION: {
+ refreshTypesDefs();
+
+ addIfStartsWithAndNotExcluded(ret, typesDef.get(TYPE_CLASSIFICATION), userInput, currentValues);
+ }
+ break;
+
+ default: {
+ ret.add(lookupContext.getResourceName());
+ }
+ }
+
+ return ret;
+ }
+
+ private ClientResponse loginToAtlas(Client client) {
+ ClientResponse ret = null;
+ HadoopException excp = null;
+ String loginUrl = null;
+
+ for (String atlasUrl : getAtlasUrls()) {
+ try {
+ loginUrl = atlasUrl + URL_LOGIN;
+
+ WebResource webResource = client.resource(loginUrl);
+ MultivaluedMap<String, String> formData = new MultivaluedMapImpl();
+ String password = null;
+
+ try {
+ password = PasswordUtils.decryptPassword(getPassword());
+ } catch (Exception ex) {
+ LOG.info("Password decryption failed; trying Atlas connection with received password string");
+ }
+
+ if (password == null) {
+ password = getPassword();
+ }
+
+ formData.add("j_username", getUserName());
+ formData.add("j_password", password);
+
+ try {
+ ret = webResource.type(WEB_RESOURCE_CONTENT_TYPE).post(ClientResponse.class, formData);
+ } catch (Exception e) {
+ LOG.error("failed to login to Atlas at " + loginUrl, e);
+ }
+
+ if (ret != null) {
+ break;
+ }
+ } catch (Throwable t) {
+ String msgDesc = "Exception while login to Atlas at : " + loginUrl;
+
+ LOG.error(msgDesc, t);
+
+ excp = new HadoopException(msgDesc, t);
+ excp.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + CONNECTION_ERROR_MSG, null, null);
+ }
+ }
+
+ if (ret == null) {
+ if (excp == null) {
+ String msgDesc = "Exception while login to Atlas at : " + loginUrl;
+
+ excp = new HadoopException(msgDesc);
+ excp.generateResponseDataMap(false, "", msgDesc + CONNECTION_ERROR_MSG, null, null);
+ }
+
+ throw excp;
+ }
+
+ return ret;
+ }
+
+ private boolean refreshTypesDefs() {
+ boolean ret = false;
+
+ Subject subj = getLoginSubject();
+
+ if (subj == null) {
+ return ret;
+ }
+
+ Map<String, List<String>> typesDef = Subject.doAs(subj, new PrivilegedAction<Map<String, List<String>>>() {
+ @Override
+ public Map<String, List<String>> run() {
+ Map<String, List<String>> ret = null;
+
+ for (String atlasUrl : getAtlasUrls()) {
+ Client client = null;
+
+ try {
+ client = Client.create();
+
+ ClientResponse loginResponse = loginToAtlas(client);
+ WebResource webResource = client.resource(atlasUrl + URL_GET_TYPESDEF_HEADERS);
+ WebResource.Builder builder = webResource.getRequestBuilder();
+
+ for (NewCookie cook : loginResponse.getCookies()) {
+ builder = builder.cookie(cook);
+ }
+
+ ClientResponse response = builder.get(ClientResponse.class);
+
+ if (response != null) {
+ String jsonString = response.getEntity(String.class);
+ Gson gson = new Gson();
+ List types = gson.fromJson(jsonString, List.class);
+
+ ret = new HashMap<>();
+
+ for (Object type : types) {
+ if (type instanceof Map) {
+ Map typeDef = (Map) type;
+
+ Object name = typeDef.get("name");
+ Object category = typeDef.get("category");
+
+ if (name != null && category != null) {
+ String strCategory = category.toString().toLowerCase();
+ List<String> categoryList = ret.get(strCategory);
+
+ if (categoryList == null) {
+ categoryList = new ArrayList<>();
+
+ ret.put(strCategory, categoryList);
+ }
+
+ categoryList.add(name.toString());
+ }
+ }
+ }
+
+ break;
+ }
+ } catch (Throwable t) {
+ String msgDesc = "Exception while getting Atlas Resource List.";
+ LOG.error(msgDesc, t);
+ } finally {
+ if (client != null) {
+ client.destroy();
+ }
+ }
+ }
+
+ return ret;
+ }
+ });
+
+ if (typesDef != null) {
+ this.typesDef = typesDef;
+ ret = true;
+ }
+
+ return ret;
+ }
+
+ String[] getAtlasUrls() {
+ String urlString = connectionProperties.get(CONFIG_REST_ADDRESS);
+
+ String[] ret = urlString == null ? new String[0] : urlString.split(",");
+
+ // remove separator at the end
+ for (int i = 0; i < ret.length; i++) {
+ String url = ret[i];
+
+ while (url.length() > 0 && url.charAt(url.length() - 1) == '/') {
+ url = url.substring(0, url.length() - 1);
+ }
+
+ ret[i] = url;
+ }
+
+ return ret;
+ }
+
+ String getUserName() {
+ return connectionProperties.get(CONFIG_USERNAME);
+ }
+
+ String getPassword() {
+ return connectionProperties.get(CONFIG_PASSWORD);
+ }
+
+ boolean emptyOrContainsMatch(List<String> list, String value) {
+ if (list == null || list.isEmpty()) {
+ return true;
+ }
+
+ for (String item : list) {
+ if (StringUtils.equalsIgnoreCase(item, value) || FilenameUtils.wildcardMatch(value, item, IOCase.INSENSITIVE)) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ void addIfStartsWithAndNotExcluded(List<String> list, List<String> values, String prefix, List<String> excludeList) {
+ if (values == null || list == null) {
+ return;
+ }
+
+ for (String value : values) {
+ addIfStartsWithAndNotExcluded(list, value, prefix, excludeList);
+ }
+ }
+
+ void addIfStartsWithAndNotExcluded(List<String> list, String value, String prefix, List<String> excludeList) {
+ if (value == null || list == null) {
+ return;
+ }
+
+ if (prefix != null && !value.startsWith(prefix)) {
+ return;
+ }
+
+ if (excludeList != null && excludeList.contains(value)) {
+ return;
+ }
+
+ list.add(value);
+ }
+ }
}
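Review bot: loginToAtlas never inspects the HTTP status of the login response — any non-null ClientResponse breaks the loop and is treated as a successful login, so validateConfig reports "ConnectionTest Successful" even when Atlas rejects the credentials, and refreshTypesDefs then forwards cookies from a failed login. The removed AtlasClient checked `statusResponse.getStatus() == 200` before using the session; add the equivalent after the post at L993: `if (ret != null && ret.getStatus() != 200) { LOG.error("login to Atlas at " + loginUrl + " failed, HTTP status " + ret.getStatus()); ret.close(); ret = null; }`. Two resource points in the same class: validateConfig creates `Client.create()` and never calls `destroy()` on it, and neither loginToAtlas nor refreshTypesDefs closes the ClientResponse objects the old code released in `finally`. Also, loginToAtlas iterates over all of getAtlasUrls() on its own, so inside refreshTypesDefs the session cookie obtained from one Atlas URL can be sent to a different URL's typesdef endpoint; passing the current `atlasUrl` into the login step would keep the two consistent.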
http://git-wip-us.apache.org/repos/asf/ranger/blob/9a3d4e30/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasClient.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasClient.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasClient.java
deleted file mode 100644
index ea05ad0..0000000
--- a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasClient.java
+++ /dev/null
@@ -1,688 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.services.atlas.client;
-
-import java.security.PrivilegedAction;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.Callable;
-import java.util.concurrent.TimeUnit;
-
-import javax.security.auth.Subject;
-import javax.ws.rs.core.MultivaluedMap;
-import javax.ws.rs.core.NewCookie;
-
-import org.apache.log4j.Logger;
-import org.apache.ranger.plugin.client.BaseClient;
-import org.apache.ranger.plugin.client.HadoopException;
-import org.apache.ranger.plugin.util.PasswordUtils;
-import org.apache.ranger.services.atlas.json.model.ResourceEntityResponse;
-import org.apache.ranger.services.atlas.json.model.ResourceOperationResponse;
-import org.apache.ranger.services.atlas.json.model.ResourceOperationResponse.Results;
-import org.apache.ranger.services.atlas.json.model.ResourceTaxonomyResponse;
-import org.apache.ranger.services.atlas.json.model.ResourceTermResponse;
-import org.apache.ranger.services.atlas.json.model.ResourceTypeResponse;
-
-import com.google.gson.Gson;
-import com.google.gson.reflect.TypeToken;
-import com.sun.jersey.api.client.Client;
-import com.sun.jersey.api.client.ClientResponse;
-import com.sun.jersey.api.client.WebResource;
-import com.sun.jersey.core.util.MultivaluedMapImpl;
-
-public class AtlasClient extends BaseClient {
-
- private static final Logger LOG = Logger.getLogger(AtlasClient.class);
- private static final String EXPECTED_MIME_TYPE = "application/json";
- private static final String WEB_RESOURCE_CONTENT_TYPE = "application/x-www-form-urlencoded";
- private static final String ATLAS_STATUS_API_ENDPOINT = "/j_spring_security_check";
- /*** TYPE **/
- private static final String ATLAS_LIST_TYPE_API_ENDPOINT = "/api/atlas/types/";
- /**** ENTITY **/
- private static final String ATLAS_ENTITY_LIST_API_ENDPOINT = "/api/atlas/v1/entities";
- /*** TERM **/
- private static final String ATLAS_LIST_TERM_API_ENDPOINT = "/api/atlas/v1/taxonomies/Catalog/terms/";
- /*** TAXONOMY **/
- private static final String ATLAS_LIST_TAXONOMY_API_ENDPOINT = "/api/atlas/v1/taxonomies/";
- /*** OPERATION **/
- private static final String ATLAS_OPERATION_SEARCH_API_ENDPOINT = "/api/atlas/discovery/search/gremlin/query=";
- private static final String errMessage = " You can still save the repository and start creating "
- + "policies, but you would not be able to use autocomplete for "
- + "resource names. Check ranger_admin.log for more info.";
-
- private String atlasUrl;
- private String userName;
- private String password;
- private String statusUrl;
-
- public AtlasClient(String serviceName, Map<String, String> configs) {
-
- super(serviceName, configs, "atlas-client");
-
- this.atlasUrl = configs.get("atlas.rest.address");
- this.userName = configs.get("username");
- this.password = configs.get("password");
- this.statusUrl = atlasUrl + ATLAS_STATUS_API_ENDPOINT;
- if (this.atlasUrl == null || this.atlasUrl.isEmpty()) {
- LOG.error("No value found for configuration 'atlas.rest.address'. Atlas resource lookup will fail");
- }
- if (this.userName == null || this.userName.isEmpty()) {
- LOG.error("No value found for configuration 'username'. Atlas resource lookup will fail");
- }
- if (this.password == null || this.password.isEmpty()) {
- LOG.error("No value found for configuration 'password'. Atlas resource lookup will fail");
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Atlas Client is build with url [" + this.atlasUrl + "] user: [" + this.userName
- + "], password: [" + "*********" + "]");
- }
- }
-
- public List<String> getResourceList(final String resourceNameMatching, final String atlasResourceParameter,
- final List<String> existingResourceList) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Getting Atlas Resource list for resourceNameMatching : " + resourceNameMatching);
- }
- final String errMsg = errMessage;
- List<String> ret = null;
- Callable<List<String>> callableAtlasResourceListGetter = new Callable<List<String>>() {
-
- @Override
- public List<String> call() {
- List<String> atlasResourceListGetter = null;
- Subject subj = getLoginSubject();
- if (subj != null) {
- atlasResourceListGetter = Subject.doAs(subj, new PrivilegedAction<List<String>>() {
- @Override
- public List<String> run() {
- Client client = null;
- List<String> lret = new ArrayList<String>();
- try {
- client = Client.create();
-
- if (null == resourceNameMatching || "".equals(resourceNameMatching)) {
- lret = connectionTestResource(resourceNameMatching, atlasResourceParameter,
- existingResourceList, client);
- } else if ("type".equals(resourceNameMatching)) {
- lret = getTypeResource(resourceNameMatching, atlasResourceParameter,
- existingResourceList, client);
- } else if ("term".equals(resourceNameMatching)) {
- lret = getTermResource(resourceNameMatching, atlasResourceParameter,
- existingResourceList, client);
- } else if ("taxonomy".equals(resourceNameMatching)) {
- lret = getTaxonomyResource(resourceNameMatching, atlasResourceParameter,
- existingResourceList, client);
- } else if ("entity".equals(resourceNameMatching)) {
- lret = getEntityResource(resourceNameMatching, atlasResourceParameter,
- existingResourceList, client);
- } else if ("operation".equals(resourceNameMatching)) {
- lret = getOperationResource(resourceNameMatching, atlasResourceParameter,
- existingResourceList, client);
- }
- } catch (Throwable t) {
- String msgDesc = "Exception while getting Atlas Resource List.";
- HadoopException hdpException = new HadoopException(msgDesc, t);
- LOG.error(msgDesc, t);
- hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg,
- null, null);
- throw hdpException;
- } finally {
- if (client != null) {
- client.destroy();
- }
- }
- return lret;
- }
- });
- }
- return atlasResourceListGetter;
- }
- };
- try {
- ret = timedTask(callableAtlasResourceListGetter, 5, TimeUnit.SECONDS);
- } catch (Throwable t) {
- LOG.error("Unable to get Atlas Resource list", t);
- String msgDesc = "Unable to get a valid response for " + "expected mime type : [" + EXPECTED_MIME_TYPE
- + "] ";
- HadoopException hdpException = new HadoopException(msgDesc, t);
- LOG.error(msgDesc, t);
- hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null);
- throw hdpException;
- }
- return ret;
- }
-
- private ClientResponse getStatusResponse(Client client) {
- final String errMsg = errMessage;
- ClientResponse statusResponse = null;
- try {
- WebResource webResource = client.resource(statusUrl);
- MultivaluedMap<String, String> formData = new MultivaluedMapImpl();
- formData.add("j_username", userName);
- String decryptedPwd = null;
- try {
- decryptedPwd = PasswordUtils.decryptPassword(password);
- } catch (Exception ex) {
- LOG.info("Password decryption failed; trying Atlas connection with received password string");
- decryptedPwd = null;
- } finally {
- if (decryptedPwd == null) {
- decryptedPwd = password;
- }
- }
- formData.add("j_password", decryptedPwd);
- try {
- statusResponse = webResource.type(WEB_RESOURCE_CONTENT_TYPE).post(ClientResponse.class,
- formData);
- } catch (Exception e) {
- String msgDesc = "Unable to get a valid statusResponse for expected mime type : ["
- + WEB_RESOURCE_CONTENT_TYPE + "] URL : " + statusUrl + " - got null response.";
- LOG.error(msgDesc);
- }
- if (LOG.isDebugEnabled()) {
- LOG.debug("getStatusResponse():calling " + statusUrl);
- }
- if (statusResponse != null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getStatusResponse():response.getStatus()= " + statusResponse.getStatus());
- }
- }
- } catch (Throwable t) {
- String msgDesc = "Exception while getting Atlas Resource List." + " URL : " + statusUrl;
- HadoopException hdpException = new HadoopException(msgDesc, t);
- LOG.error(msgDesc, t);
- hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null);
- throw hdpException;
- }
- return statusResponse;
- }
-
- public List<String> connectionTestResource(final String resourceNameMatching, final String atlasResourceParameter,
- List<String> existingResourceList, Client client) {
- List<String> lret = new ArrayList<String>();
- final String errMsg = errMessage;
- String testConnectiontUrl = atlasUrl + ATLAS_LIST_TYPE_API_ENDPOINT;
- ClientResponse statusResponse = null;
- ClientResponse resultResponse = null;
- try {
- statusResponse = getStatusResponse(client);
- if (statusResponse != null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getTypeResource():response.getStatus()= " + statusResponse.getStatus());
- }
- if (statusResponse.getStatus() == 200) {
- WebResource webResourceTestConnection = client.resource(testConnectiontUrl);
- WebResource.Builder builder = webResourceTestConnection.getRequestBuilder();
- for (NewCookie cook : statusResponse.getCookies()) {
- builder = builder.cookie(cook);
- }
- resultResponse = builder.get(ClientResponse.class);
- lret.add(resultResponse.getEntity(String.class));
- } else {
- LOG.info("connectionTestResource():response.getStatus()= " + statusResponse.getStatus()
- + " for URL " + statusUrl + ", so returning null list");
- LOG.info(statusResponse.getEntity(String.class));
- lret = null;
- }
- }
- } catch (Throwable t) {
- lret = null;
- String msgDesc = "Exception while getting Atlas Resource List." + " URL : " + statusUrl;
- HadoopException hdpException = new HadoopException(msgDesc, t);
- LOG.error(msgDesc, t);
- hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null);
- throw hdpException;
- } finally {
- if (statusResponse != null) {
- statusResponse.close();
- }
- if (resultResponse != null) {
- resultResponse.close();
- }
- }
- return lret;
- }
-
- public List<String> getTypeResource(final String resourceNameMatching, final String atlasResourceParameter,
- List<String> existingResourceList, Client client) {
- List<String> lret = new ArrayList<String>();
- final String errMsg = errMessage;
- ClientResponse statusResponse = null;
- ClientResponse resultResponse = null;
- try {
- statusResponse = getStatusResponse(client);
- if (statusResponse != null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getTypeResource():response.getStatus()= " + statusResponse.getStatus());
- }
- if (statusResponse.getStatus() == 200) {
- WebResource webResourceType = client.resource(atlasUrl + ATLAS_LIST_TYPE_API_ENDPOINT);
- WebResource.Builder builder = webResourceType.getRequestBuilder();
- for (NewCookie cook : statusResponse.getCookies()) {
- builder = builder.cookie(cook);
- }
- resultResponse = builder.get(ClientResponse.class);
- if (resultResponse != null) {
- String jsonString = resultResponse.getEntity(String.class).toString();
- Gson gson = new Gson();
- List<String> responseResourceList = new ArrayList<String>();
- ResourceTypeResponse resourceTypeResponses = gson.fromJson(jsonString,
- ResourceTypeResponse.class);
- if (resourceTypeResponses != null) {
- responseResourceList = resourceTypeResponses.getResults();
- }
- if (responseResourceList != null) {
- for (String responseResource : responseResourceList) {
- if (responseResource != null) {
- if (existingResourceList != null && existingResourceList.contains(responseResource)) {
- continue;
- }
- if (atlasResourceParameter == null || atlasResourceParameter.isEmpty()
- || responseResource.startsWith(atlasResourceParameter)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getTypeResource():Adding existing Resource " + responseResource);
- }
- lret.add(responseResource);
- }
- }
- }
- }
- }
- }
- }
- } catch (Throwable t) {
- String msgDesc = "Exception while getting Atlas TypeResource List." + " URL : " + atlasUrl
- + ATLAS_LIST_TYPE_API_ENDPOINT;
- HadoopException hdpException = new HadoopException(msgDesc, t);
- LOG.error(msgDesc, t);
- hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null);
- throw hdpException;
- } finally {
- if (statusResponse != null) {
- statusResponse.close();
- }
- if (resultResponse != null) {
- resultResponse.close();
- }
- }
- return lret;
- }
-
- public List<String> getEntityResource(final String resourceNameMatching, final String atlasResourceParameter,
- List<String> existingResourceList, Client client) {
- List<String> lret = new ArrayList<String>();
- final String errMsg = errMessage;
- ClientResponse statusResponse = null;
- ClientResponse resultResponse = null;
-
- try {
- statusResponse = getStatusResponse(client);
- if (statusResponse != null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getEntityResource():response.getStatus() = " + statusResponse.getStatus());
- }
- if (statusResponse.getStatus() == 200) {
- WebResource webResourceEntity = client.resource(atlasUrl + ATLAS_ENTITY_LIST_API_ENDPOINT);
- WebResource.Builder builder = webResourceEntity.getRequestBuilder();
- for (NewCookie cook : statusResponse.getCookies()) {
- builder = builder.cookie(cook);
- }
- resultResponse = builder.get(ClientResponse.class);
- if (resultResponse != null) {
- String jsonString = resultResponse.getEntity(String.class).toString();
- Gson gson = new Gson();
- List<String> responseResourceList = new ArrayList<String>();
- List<ResourceEntityResponse> resourceEntityResponses = gson.fromJson(jsonString,
- new TypeToken<List<ResourceEntityResponse>>() {
- }.getType());
- if (resourceEntityResponses != null) {
- for (ResourceEntityResponse resourceEntityResponse : resourceEntityResponses) {
- if (resourceEntityResponse != null) {
- responseResourceList.add(resourceEntityResponse.getName());
- }
- }
- if (responseResourceList != null) {
- for (String responseResource : responseResourceList) {
- if (responseResource != null) {
- if (existingResourceList != null
- && existingResourceList.contains(responseResource)) {
- continue;
- }
- if (atlasResourceParameter == null || atlasResourceParameter.isEmpty()
- || responseResource.startsWith(atlasResourceParameter)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getEntityResource():Adding existing Resource "
- + responseResource);
- }
- lret.add(responseResource);
- }
- }
- }
- }
- }
- }
- }
- }
- } catch (Throwable t) {
- String msgDesc = "Exception while getting Atlas getEntityResource List." + " URL : " + atlasUrl
- + ATLAS_ENTITY_LIST_API_ENDPOINT;
- HadoopException hdpException = new HadoopException(msgDesc, t);
- LOG.error(msgDesc, t);
- hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null);
- throw hdpException;
- } finally {
- if (statusResponse != null) {
- statusResponse.close();
- }
- if (resultResponse != null) {
- resultResponse.close();
- }
- }
- return lret;
- }
-
- public List<String> getTermResource(final String resourceNameMatching, final String atlasResourceParameter,
- List<String> existingResourceList, Client client) {
- List<String> lret = new ArrayList<String>();
- final String errMsg = errMessage;
- ClientResponse statusResponse = null;
- ClientResponse resultResponse = null;
- try {
- statusResponse = getStatusResponse(client);
- if (statusResponse != null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getTermResource():response.getStatus()= " + statusResponse.getStatus());
- }
- if (statusResponse.getStatus() == 200) {
- WebResource webResourceTerm = client.resource(atlasUrl + ATLAS_LIST_TERM_API_ENDPOINT);
- WebResource.Builder builder = webResourceTerm.getRequestBuilder();
- for (NewCookie cook : statusResponse.getCookies()) {
- builder = builder.cookie(cook);
- }
- resultResponse = builder.get(ClientResponse.class);
- if (resultResponse != null) {
- String jsonString = resultResponse.getEntity(String.class).toString();
- Gson gson = new Gson();
- List<String> responseResourceList = new ArrayList<String>();
- List<ResourceTermResponse> resourceTermResponses = gson.fromJson(jsonString,
- new TypeToken<List<ResourceTermResponse>>() {
- }.getType());
- for (ResourceTermResponse resourceTermResponse : resourceTermResponses) {
- responseResourceList.add(resourceTermResponse.getName());
- }
- if (responseResourceList != null) {
- for (String responseResource : responseResourceList) {
- if (responseResource != null) {
- if (existingResourceList != null && existingResourceList.contains(responseResource)) {
- continue;
- }
- if (atlasResourceParameter == null || atlasResourceParameter.isEmpty()
- || responseResource.startsWith(atlasResourceParameter)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getTermResource():Adding existing Resource " + responseResource);
- }
- lret.add(responseResource);
- }
- }
- }
- }
- }
- }
- }
- } catch (Throwable t) {
- String msgDesc = "Exception while getting Atlas getTermResource List." + " URL : " + atlasUrl
- + ATLAS_LIST_TERM_API_ENDPOINT;
- HadoopException hdpException = new HadoopException(msgDesc, t);
- LOG.error(msgDesc, t);
- hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null);
- throw hdpException;
- } finally {
- if (statusResponse != null) {
- statusResponse.close();
- }
- if (resultResponse != null) {
- resultResponse.close();
- }
- }
- return lret;
- }
-
- public List<String> getTaxonomyResource(final String resourceNameMatching, final String atlasResourceParameter,
- List<String> existingResourceList, Client client) {
- List<String> lret = new ArrayList<String>();
- final String errMsg = errMessage;
- ClientResponse statusResponse = null;
- ClientResponse resultResponse = null;
- try {
- statusResponse = getStatusResponse(client);
- if (statusResponse != null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getTaxonomyResource():response.getStatus()= " + statusResponse.getStatus());
- }
- if (statusResponse.getStatus() == 200) {
- WebResource webResourceTaxonomy = client.resource(atlasUrl + ATLAS_LIST_TAXONOMY_API_ENDPOINT);
- WebResource.Builder builder = webResourceTaxonomy.getRequestBuilder();
- for (NewCookie cook : statusResponse.getCookies()) {
- builder = builder.cookie(cook);
- }
- resultResponse = builder.get(ClientResponse.class);
- if (resultResponse != null) {
- String jsonString = resultResponse.getEntity(String.class).toString();
- Gson gson = new Gson();
- List<String> responseResourceList = new ArrayList<String>();
- List<ResourceTaxonomyResponse> resourceTaxonomyResponses = gson.fromJson(jsonString,
- new TypeToken<List<ResourceTaxonomyResponse>>() {
- }.getType());
- for (ResourceTaxonomyResponse resourceTaxonomyResponse : resourceTaxonomyResponses) {
- responseResourceList.add(resourceTaxonomyResponse.getName());
- }
- if (responseResourceList != null) {
- for (String responseResource : responseResourceList) {
- if (responseResource != null) {
- if (existingResourceList != null && existingResourceList.contains(responseResource)) {
- continue;
- }
- if (atlasResourceParameter == null || atlasResourceParameter.isEmpty()
- || responseResource.startsWith(atlasResourceParameter)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getTaxonomyResource():Adding existing Resource " + responseResource);
- }
- lret.add(responseResource);
- }
- }
- }
- }
- }
- }
- }
- } catch (Throwable t) {
- String msgDesc = "Exception while getting Atlas TaxonomyResource List." + " URL : " + atlasUrl
- + ATLAS_LIST_TAXONOMY_API_ENDPOINT;
- HadoopException hdpException = new HadoopException(msgDesc, t);
- LOG.error(msgDesc, t);
- hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null);
- throw hdpException;
- } finally {
- if (statusResponse != null) {
- statusResponse.close();
- }
- if (resultResponse != null) {
- resultResponse.close();
- }
- }
- return lret;
- }
-
- public List<String> getOperationResource(final String resourceNameMatching, final String atlasResourceParameter,
- List<String> existingResourceList, Client client) {
- List<String> lret = new ArrayList<String>();
- final String errMsg = errMessage;
- ClientResponse statusResponse = null;
- ClientResponse resultResponse = null;
- try {
- statusResponse = getStatusResponse(client);
- if (statusResponse != null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getOperationResource():response.getStatus()= " + statusResponse.getStatus());
- }
- if (statusResponse.getStatus() == 200) {
- WebResource webResourceEntity = client.resource(atlasUrl + ATLAS_OPERATION_SEARCH_API_ENDPOINT);
- WebResource.Builder builder = webResourceEntity.getRequestBuilder();
- for (NewCookie cook : statusResponse.getCookies()) {
- builder = builder.cookie(cook);
- }
- resultResponse = builder.get(ClientResponse.class);
- if (resultResponse != null) {
- String jsonString = resultResponse.getEntity(String.class).toString();
- Gson gson = new Gson();
- List<String> responseResourceList = new ArrayList<String>();
- List<ResourceOperationResponse> resourceOperationResponses = gson.fromJson(jsonString,
- new TypeToken<List<ResourceOperationResponse>>() {
- }.getType());
- for (ResourceOperationResponse resourceOperationResponse : resourceOperationResponses) {
- List<Results> results = resourceOperationResponse.getResults();
- for (Results result : results) {
- responseResourceList.add(result.getResult());
- }
- }
- if (responseResourceList != null) {
- for (String responseResource : responseResourceList) {
- if (responseResource != null) {
- if (existingResourceList != null && existingResourceList.contains(responseResource)) {
- continue;
- }
- if (atlasResourceParameter == null || atlasResourceParameter.isEmpty()
- || responseResource.startsWith(atlasResourceParameter)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getOperationResource():Adding existing Resource "
- + responseResource);
- }
- lret.add(responseResource);
- }
- }
- }
- }
- }
- }
- }
- } catch (Throwable t) {
- String msgDesc = "Exception while getting Atlas OperationResource List." + " URL : " + atlasUrl
- + ATLAS_OPERATION_SEARCH_API_ENDPOINT;
- HadoopException hdpException = new HadoopException(msgDesc, t);
- LOG.error(msgDesc, t);
- hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null);
- throw hdpException;
-
- } finally {
- if (statusResponse != null) {
- statusResponse.close();
- }
- if (resultResponse != null) {
- resultResponse.close();
- }
- }
- return lret;
- }
-
- public static HashMap<String, Object> connectionTest(String serviceName, Map<String, String> configs) {
-
- String errMsg = errMessage;
- boolean connectivityStatus = false;
- HashMap<String, Object> responseData = new HashMap<String, Object>();
- AtlasClient atlasClient = getAtlasClient(serviceName, configs);
- List<String> strList = getAtlasResource(atlasClient, "", "", null);
-
- if (strList != null && strList.size() > 0) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("TESTING Resource list size" + strList.size() + " Atlas Resource");
- }
- connectivityStatus = true;
- }
- if (connectivityStatus) {
- String successMsg = "ConnectionTest Successful";
- BaseClient.generateResponseDataMap(connectivityStatus, successMsg, successMsg, null, null, responseData);
- } else {
- String failureMsg = "Unable to retrieve any Atlas Resource using given parameters.";
- BaseClient.generateResponseDataMap(connectivityStatus, failureMsg, failureMsg + errMsg, null, null,
- responseData);
- }
- return responseData;
- }
-
- public static AtlasClient getAtlasClient(String serviceName, Map<String, String> configs) {
- AtlasClient atlasClient = null;
- if (LOG.isDebugEnabled()) {
- LOG.debug("Getting AtlasClient for datasource: " + serviceName);
- }
- String errMsg = errMessage;
- if (configs == null || configs.isEmpty()) {
- String msgDesc = "Could not connect as Connection ConfigMap is empty.";
- LOG.error(msgDesc);
- HadoopException hdpException = new HadoopException(msgDesc);
- hdpException.generateResponseDataMap(false, msgDesc, msgDesc + errMsg, null, null);
- throw hdpException;
- } else {
- atlasClient = new AtlasClient(serviceName, configs);
- }
- return atlasClient;
- }
-
- public static List<String> getAtlasResource(final AtlasClient atlasClient, String atlasResourceName,
- String atlasResourceParameter, List<String> existingAtlasResourceName) {
-
- List<String> resultList = new ArrayList<String>();
- String errMsg = errMessage;
-
- try {
- if (atlasClient == null) {
- String msgDesc = "Unable to get Atlas Resource : AtlasClient is null.";
- LOG.error(msgDesc);
- HadoopException hdpException = new HadoopException(msgDesc);
- hdpException.generateResponseDataMap(false, msgDesc, msgDesc + errMsg, null, null);
- throw hdpException;
- }
-
- if (atlasResourceName != null) {
- String finalAtlasResourceName = atlasResourceName.trim();
- resultList = atlasClient.getResourceList(finalAtlasResourceName, atlasResourceParameter,
- existingAtlasResourceName);
- if (resultList != null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Returning list of " + resultList.size() + " Atlas Resources");
- }
- }
- }
- } catch (Throwable t) {
- String msgDesc = "getAtlasResource: Unable to get Atlas Resources.";
- LOG.error(msgDesc, t);
- HadoopException hdpException = new HadoopException(msgDesc);
- hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null);
- throw hdpException;
- }
- return resultList;
- }
-
- public static <T> T timedTask(Callable<T> callableObj, long timeout, TimeUnit timeUnit) throws Exception {
- return callableObj.call();
- }
-}
http://git-wip-us.apache.org/repos/asf/ranger/blob/9a3d4e30/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasConnectionMgr.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasConnectionMgr.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasConnectionMgr.java
deleted file mode 100644
index 140f91e..0000000
--- a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasConnectionMgr.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.services.atlas.client;
-
-import java.util.Map;
-
-public class AtlasConnectionMgr {
-
- public static AtlasClient getAtlasClient(String serviceName, Map<String, String> configs) {
- return new AtlasClient(serviceName, configs);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/ranger/blob/9a3d4e30/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasResourceMgr.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasResourceMgr.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasResourceMgr.java
deleted file mode 100644
index f81e304..0000000
--- a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasResourceMgr.java
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.services.atlas.client;
-
-import java.util.List;
-import java.util.Map;
-
-import org.apache.log4j.Logger;
-import org.apache.ranger.plugin.service.ResourceLookupContext;
-
-public class AtlasResourceMgr {
- private static final Logger LOG = Logger.getLogger(AtlasResourceMgr.class);
-
- public static Map<String, Object> validateConfig(String serviceName, Map<String, String> configs) throws Exception {
-
- Map<String, Object> ret = null;
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> AtlasResourceMgr.validateConfig ServiceName: "+ serviceName + "Configs" + configs );
- }
-
- try {
- ret = AtlasClient.connectionTest(serviceName, configs);
- } catch (Exception e) {
- LOG.error("<== AtlasResourceMgr.validateConfig Error: " + e);
- throw e;
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== AtlasResourceMgr.validateConfig Result : "+ ret );
- }
- return ret;
- }
-
- public static List<String> getAtlasResources(String serviceName, Map<String, String> configs,
- ResourceLookupContext context) {
- String userInput = context.getUserInput();
- Map<String, List<String>> resourceMap = context.getResources();
- List<String> resultList = null;
- List<String> atlasResourceList = null;
- String atlasResourceName = null;
- String atlasResourceParameter = null;
- if (null != context) {
- atlasResourceName = context.getResourceName();
- }
- if (resourceMap != null && !resourceMap.isEmpty()) {
- atlasResourceParameter = userInput;
- atlasResourceList = resourceMap.get(atlasResourceName);
- } else {
- atlasResourceParameter = userInput;
- }
-
- if (configs == null || configs.isEmpty()) {
- LOG.error("Connection Config is empty");
- } else {
- resultList = getAtlasResource(serviceName, configs, atlasResourceName, atlasResourceParameter,
- atlasResourceList);
- }
- return resultList;
- }
-
- public static List<String> getAtlasResource(String serviceName, Map<String, String> configs,
- String atlasResourceName, String atlasResourceParameter, List<String> atlasResourceList) {
- final AtlasClient atlasClient = AtlasConnectionMgr.getAtlasClient(serviceName, configs);
- List<String> resourceList = null;
- if (atlasClient != null) {
- synchronized (atlasClient) {
- resourceList = atlasClient.getResourceList(atlasResourceName, atlasResourceParameter, atlasResourceList);
- }
- }
- return resourceList;
- }
-}
[2/2] ranger git commit: RANGER-1999: Ranger policy engine updates to
support list-of-values in access reource
Posted by ma...@apache.org.
RANGER-1999: Ranger policy engine updates to support list-of-values in access resource
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/6cc62086
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/6cc62086
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/6cc62086
Branch: refs/heads/master
Commit: 6cc62086795a212516b69fd09a1c2ef7a6761e5d
Parents: d3fffd0
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Wed Feb 28 13:00:03 2018 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Fri Mar 2 11:33:26 2018 -0800
----------------------------------------------------------------------
.../ranger/authorization/utils/StringUtil.java | 16 +++
.../policyengine/RangerAccessResource.java | 4 +-
.../policyengine/RangerAccessResourceImpl.java | 16 +--
.../RangerAccessResourceReadOnly.java | 8 +-
.../policyengine/RangerMutableResource.java | 2 +-
.../RangerDefaultPolicyResourceMatcher.java | 32 +++--
.../RangerAbstractResourceMatcher.java | 13 +-
.../RangerDefaultResourceMatcher.java | 25 +++-
.../resourcematcher/RangerResourceMatcher.java | 2 +-
.../plugin/resourcematcher/ResourceMatcher.java | 13 ++
.../ranger/plugin/service/RangerBasePlugin.java | 3 +-
.../ranger/plugin/util/RangerResourceTrie.java | 130 ++++++++++++++-----
.../plugin/policyengine/TestPolicyEngine.java | 7 +
.../RangerAbstractResourceMatcherTest.java | 2 +-
.../policyengine/test_policyengine_atlas.json | 120 +++++++++++++++++
.../hive/authorizer/RangerHiveResource.java | 10 +-
.../perftest/v2/RangerPolicyFactory.java | 2 +-
.../org/apache/ranger/rest/ServiceREST.java | 17 +--
18 files changed, 344 insertions(+), 78 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java b/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
index 2835cdd..2bb834d 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
@@ -23,7 +23,9 @@ import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.GregorianCalendar;
+import java.util.HashMap;
import java.util.List;
+import java.util.Map;
import java.util.TimeZone;
public class StringUtil {
@@ -273,4 +275,18 @@ public class StringUtil {
return utc.getTime();
}
+
+ public static Map<String, Object> toStringObjectMap(Map<String, String> map) {
+ Map<String, Object> ret = null;
+
+ if (map != null) {
+ ret = new HashMap<>(map.size());
+
+ for (Map.Entry<String, String> e : map.entrySet()) {
+ ret.put(e.getKey(), e.getValue());
+ }
+ }
+
+ return ret;
+ }
}
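Review bot: toStringObjectMap re-implements a copy constructor: the presized map and the entry loop collapse to `ret = new HashMap<String, Object>(map);`, since HashMap accepts a `Map<? extends K, ? extends V>`. The method also returns null for a null argument rather than an empty map, which callers need to know; a one-line Javadoc would record that: `/** Returns a shallow Map<String, Object> copy of the given map, or null when map is null. */`.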
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
index 2ee616a..e2ed3f2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
@@ -33,7 +33,7 @@ public interface RangerAccessResource {
boolean exists(String name);
- String getValue(String name);
+ Object getValue(String name);
RangerServiceDef getServiceDef();
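Review bot: getValue now returns Object without saying which runtime types a caller may expect, yet the matchers changed in this commit (RangerDefaultResourceMatcher.isMatch, RangerAbstractResourceMatcher.isAllValuesRequested, RangerDefaultPolicyResourceMatcher) accept only a String or a Collection of Strings and treat anything else as a non-match. That contract belongs on the interface, for example a Javadoc on getValue: `/** @return the resource value: a String, a Collection<String> (a policy matches if any element matches), or null when unset; any other type is treated as a non-match by the resource matchers. */`. The same note applies to the getAsMap hunk below and to setValue(String, Object) in RangerMutableResource.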
@@ -45,7 +45,7 @@ public interface RangerAccessResource {
String getCacheKey();
- Map<String, String> getAsMap();
+ Map<String, Object> getAsMap();
RangerAccessResource getReadOnlyCopy();
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
index 5800486..93810ae 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
@@ -31,7 +31,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
public class RangerAccessResourceImpl implements RangerMutableResource {
private String ownerUser;
- private Map<String, String> elements;
+ private Map<String, Object> elements;
private String stringifiedValue;
private String stringifiedCacheKeyValue;
private String leafName;
@@ -41,11 +41,11 @@ public class RangerAccessResourceImpl implements RangerMutableResource {
this(null, null);
}
- public RangerAccessResourceImpl(Map<String, String> elements) {
+ public RangerAccessResourceImpl(Map<String, Object> elements) {
this(elements, null);
}
- public RangerAccessResourceImpl(Map<String, String> elements, String ownerUser) {
+ public RangerAccessResourceImpl(Map<String, Object> elements, String ownerUser) {
this.elements = elements;
this.ownerUser = ownerUser;
}
@@ -61,8 +61,8 @@ public class RangerAccessResourceImpl implements RangerMutableResource {
}
@Override
- public String getValue(String name) {
- String ret = null;
+ public Object getValue(String name) {
+ Object ret = null;
if(elements != null && elements.containsKey(name)) {
ret = elements.get(name);
@@ -88,7 +88,7 @@ public class RangerAccessResourceImpl implements RangerMutableResource {
}
@Override
- public void setValue(String name, String value) {
+ public void setValue(String name, Object value) {
if(value == null) {
if(elements != null) {
elements.remove(name);
@@ -200,7 +200,7 @@ public class RangerAccessResourceImpl implements RangerMutableResource {
}
@Override
- public Map<String, String> getAsMap() {
+ public Map<String, Object> getAsMap() {
return elements == null ? Collections.EMPTY_MAP : Collections.unmodifiableMap(elements);
}
@@ -251,7 +251,7 @@ public class RangerAccessResourceImpl implements RangerMutableResource {
sb.append("elements={");
if(elements != null) {
- for(Map.Entry<String, String> e : elements.entrySet()) {
+ for(Map.Entry<String, Object> e : elements.entrySet()) {
sb.append(e.getKey()).append("=").append(e.getValue()).append("; ");
}
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java
index 18bb1f4..30abf91 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java
@@ -29,7 +29,7 @@ public class RangerAccessResourceReadOnly implements RangerAccessResource {
private final RangerAccessResource source;
private final Set<String> keys;
- private final Map<String, String> map;
+ private final Map<String, Object> map;
public RangerAccessResourceReadOnly(final RangerAccessResource source) {
this.source = source;
@@ -42,7 +42,7 @@ public class RangerAccessResourceReadOnly implements RangerAccessResource {
}
this.keys = Collections.unmodifiableSet(sourceKeys);
- Map<String, String> sourceMap = source.getAsMap();
+ Map<String, Object> sourceMap = source.getAsMap();
if (MapUtils.isEmpty(sourceMap)) {
sourceMap = new HashMap<>();
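Review bot: with Object values the map taken from source.getAsMap() can now hold Collection values that are shared by reference with the source resource, so the "read-only" copy only protects the map structure, not the value collections. The wrapping of sourceMap happens below this hunk (presumably via Collections.unmodifiableMap, which does not make values immutable), so a caller that mutates the original list also changes what this read-only view reports. If the copy is meant to be a stable snapshot, copy each collection value while building the map, e.g. `value instanceof Collection ? Collections.unmodifiableList(new ArrayList<>((Collection<?>) value)) : value`, and note the limitation in the class Javadoc otherwise.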
@@ -54,7 +54,7 @@ public class RangerAccessResourceReadOnly implements RangerAccessResource {
public boolean exists(String name) { return source.exists(name); }
- public String getValue(String name) { return source.getValue(name); }
+ public Object getValue(String name) { return source.getValue(name); }
public RangerServiceDef getServiceDef() { return source.getServiceDef(); }
@@ -66,7 +66,7 @@ public class RangerAccessResourceReadOnly implements RangerAccessResource {
public String getCacheKey() { return source.getCacheKey(); }
- public Map<String, String> getAsMap() { return map; }
+ public Map<String, Object> getAsMap() { return map; }
public RangerAccessResource getReadOnlyCopy() { return this; }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
index 9fcefbe..7f83f96 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
@@ -25,6 +25,6 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
public interface RangerMutableResource extends RangerAccessResource {
void setOwnerUser(String ownerUser);
- void setValue(String type, String value);
+ void setValue(String type, Object value);
void setServiceDef(RangerServiceDef serviceDef);
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
index 415263e..c1b29d3 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
@@ -274,13 +274,21 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
if (keysMatch) {
for (RangerResourceDef resourceDef : serviceDef.getResources()) {
String resourceName = resourceDef.getName();
- String resourceValue = resource.getValue(resourceName);
+ Object resourceValue = resource.getValue(resourceName);
RangerResourceMatcher matcher = getResourceMatcher(resourceName);
- if (StringUtils.isEmpty(resourceValue)) {
- ret = matcher == null || matcher.isCompleteMatch(resourceValue, evalContext);
- } else {
- ret = matcher != null && matcher.isCompleteMatch(resourceValue, evalContext);
+ if (resourceValue == null) {
+ ret = matcher == null || matcher.isCompleteMatch(null, evalContext);
+ } else if (resourceValue instanceof String) {
+ String strValue = (String) resourceValue;
+
+ if (StringUtils.isEmpty(strValue)) {
+ ret = matcher == null || matcher.isCompleteMatch(strValue, evalContext);
+ } else {
+ ret = matcher != null && matcher.isCompleteMatch(strValue, evalContext);
+ }
+ } else { // return false for any other type of resourceValue
+ ret = false;
}
if (!ret) {
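Review bot: the trailing comment `// return false for any other type of resourceValue` understates what this branch does: in isCompleteMatch a Collection value is also rejected, whereas RangerDefaultResourceMatcher.isMatch in this same commit does match collections, so complete-match and match now disagree on list-valued resources. Record the intent where the asymmetry lives: `} else { // a complete match requires a single String value; collection-valued resources are only supported by isMatch()`. The same String/Collection/other dispatch is repeated in the second hunk of this file, in RangerAbstractResourceMatcher.isAllValuesRequested and in RangerDefaultResourceMatcher.isMatch; a single helper on the resource type would keep those three rule sets from drifting apart.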
@@ -447,12 +455,18 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
for (RangerResourceDef resourceDef : serviceDef.getResources()) {
String resourceName = resourceDef.getName();
- String resourceValue = resource.getValue(resourceName);
- if (resourceValue != null) {
+ Object resourceValue = resource.getValue(resourceName);
+ if (resourceValue instanceof String) {
+ String strValue = (String) resourceValue;
+
if (policyResources == null) {
policyResources = new HashMap<>();
}
- policyResources.put(resourceName, new RangerPolicyResource(resourceValue));
+ policyResources.put(resourceName, new RangerPolicyResource(strValue));
+ } else if (resourceValue != null) { // return false for any other type of resourceValue
+ policyResources = null;
+
+ break;
}
}
final boolean ret = MapUtils.isNotEmpty(policyResources) && isMatch(policyResources, evalContext);
@@ -572,7 +586,7 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
for (RangerResourceDef resourceDef : hierarchy) {
RangerResourceMatcher matcher = getResourceMatcher(resourceDef.getName());
- String resourceValue = resource.getValue(resourceDef.getName());
+ Object resourceValue = resource.getValue(resourceDef.getName());
if (matcher != null) {
if (resourceValue != null) {
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
index acd599a..8f6facd 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -271,8 +271,17 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
return sb;
}
- boolean isAllValuesRequested(String resource) {
- boolean result = StringUtils.isEmpty(resource) || WILDCARD_ASTERISK.equals(resource);
+ boolean isAllValuesRequested(Object resource) {
+ final boolean result;
+
+ if (resource == null) {
+ result = true;
+ } else if (resource instanceof String) {
+ result = StringUtils.isEmpty((String) resource) || WILDCARD_ASTERISK.equals(resource);
+ } else { // return false for any other type of resourceValue
+ result = false;
+ }
+
if (LOG.isDebugEnabled()) {
LOG.debug("isAllValuesRequested(" + resource + "): " + result);
}
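Review bot: isAllValuesRequested returns false for every Collection, including an empty one, while RangerResourceTrie.getEvaluatorsForResource in this commit treats an empty collection the same as the empty string, which this method maps to true; the two call sites therefore disagree on whether an empty list means "all values". If the trie's reading is the intended one, add `} else if (resource instanceof Collection) { result = ((Collection<?>) resource).isEmpty();` before the final else; if not, the trie comment should be corrected instead. In either case the comment `// return false for any other type of resourceValue` should state that collections are deliberately excluded rather than leaving it to look like an oversight.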
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
index a7399ee..8a44471 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
@@ -23,6 +23,7 @@ package org.apache.ranger.plugin.resourcematcher;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import java.util.Collection;
import java.util.Map;
@@ -30,7 +31,7 @@ public class RangerDefaultResourceMatcher extends RangerAbstractResourceMatcher
private static final Log LOG = LogFactory.getLog(RangerDefaultResourceMatcher.class);
@Override
- public boolean isMatch(String resource, Map<String, Object> evalContext) {
+ public boolean isMatch(Object resource, Map<String, Object> evalContext) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultResourceMatcher.isMatch(" + resource + ", " + evalContext + ")");
}
@@ -41,10 +42,24 @@ public class RangerDefaultResourceMatcher extends RangerAbstractResourceMatcher
if(allValuesRequested || isMatchAny) {
ret = isMatchAny;
} else {
- for (ResourceMatcher resourceMatcher : resourceMatchers.getResourceMatchers()) {
- ret = resourceMatcher.isMatch(resource, evalContext);
- if (ret) {
- break;
+ if (resource instanceof String) {
+ String strValue = (String) resource;
+
+ for (ResourceMatcher resourceMatcher : resourceMatchers.getResourceMatchers()) {
+ ret = resourceMatcher.isMatch(strValue, evalContext);
+ if (ret) {
+ break;
+ }
+ }
+ } else if (resource instanceof Collection) {
+ @SuppressWarnings("unchecked")
+ Collection<String> collValue = (Collection<String>) resource;
+
+ for (ResourceMatcher resourceMatcher : resourceMatchers.getResourceMatchers()) {
+ ret = resourceMatcher.isMatchAny(collValue, evalContext);
+ if (ret) {
+ break;
+ }
}
}
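Review bot: the cast `(Collection<String>) resource` is unchecked and the elements are only verified when ResourceMatcher.isMatchAny iterates them as String, so a non-String element surfaces as a ClassCastException thrown from inside the authorizer rather than as a non-match; the same cast appears in RangerResourceTrie.getEvaluatorsForResource(Object). A defensive form iterates the value as `Collection<?>` and applies `instanceof String` per element before calling isMatch, which is a three-line change in isMatchAny. There is also no final else here, so for a resource that is neither String nor Collection `ret` keeps whatever it was initialised to above the hunk; an explicit `} else { ret = false; // unsupported resource type never matches` makes the fail-closed intent visible.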
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
index 8183ded..0cb3e0f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
@@ -33,7 +33,7 @@ public interface RangerResourceMatcher {
boolean isMatchAny();
- boolean isMatch(String resource, Map<String, Object> evalContext);
+ boolean isMatch(Object resource, Map<String, Object> evalContext);
boolean isCompleteMatch(String resource, Map<String, Object> evalContext);
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
index eab9dbc..35856a9 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
@@ -24,6 +24,7 @@ import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.util.StringTokenReplacer;
import java.io.Serializable;
+import java.util.Collection;
import java.util.Comparator;
import java.util.Map;
@@ -46,6 +47,18 @@ abstract class ResourceMatcher {
return tokenReplacer != null;
}
+ public boolean isMatchAny(Collection<String> resourceValues, Map<String, Object> evalContext) {
+ if (resourceValues != null) {
+ for (String resourceValue : resourceValues) {
+ if (isMatch(resourceValue, evalContext)) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+ }
+
@Override
public String toString() {
return this.getClass().getName() + "(" + this.value + ")";
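Review bot: isMatchAny has no Javadoc and its null handling is asymmetric: a null collection yields false, but a null element is passed straight to isMatch(null, evalContext), whose behaviour for null depends on the subclass. Either skip nulls, `if (resourceValue != null && isMatch(resourceValue, evalContext)) {`, or document the pass-through: `/** Returns true if any value in resourceValues matches this matcher; a null collection never matches, a null element is delegated to isMatch(). */`.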
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index aad7834..725ed74 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -32,6 +32,7 @@ import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.RangerAdminClient;
import org.apache.ranger.admin.client.RangerAdminRESTClient;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
@@ -401,7 +402,7 @@ public class RangerBasePlugin {
if(request != null && resultProcessor != null) {
RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl();
- accessRequest.setResource(new RangerAccessResourceImpl(request.getResource()));
+ accessRequest.setResource(new RangerAccessResourceImpl(StringUtil.toStringObjectMap(request.getResource())));
accessRequest.setUser(request.getGrantor());
accessRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
accessRequest.setAction(action);
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
index f6c1e4d..e7e8cf5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
@@ -30,6 +30,7 @@ import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
@@ -46,6 +47,7 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
private final boolean optWildcard;
private final String wildcardChars;
private final TrieNode root;
+ private final Comparator<T> comparator;
public RangerResourceTrie(RangerServiceDef.RangerResourceDef resourceDef, List<T> evaluators) {
this(resourceDef, evaluators, null);
@@ -77,6 +79,7 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
this.optWildcard = RangerAbstractResourceMatcher.getOptionWildCard(matcherOptions);
this.wildcardChars = optWildcard ? DEFAULT_WILDCARD_CHARS + tokenReplaceSpecialChars : "" + tokenReplaceSpecialChars;
this.root = new TrieNode(Character.valueOf((char)0));
+ this.comparator = comparator;
for(T evaluator : evaluators) {
Map<String, RangerPolicyResource> policyResources = evaluator.getPolicyResource();
@@ -120,40 +123,21 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
return resourceName;
}
- public List<T> getEvaluatorsForResource(String resource) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerResourceTrie.getEvaluatorsForResource(" + resource + ")");
- }
-
- List<T> ret = null;
-
- TrieNode curr = root;
-
- final int len = resource.length();
- for(int i = 0; i < len; i++) {
- Character ch = getLookupChar(resource.charAt(i));
- TrieNode child = curr.getChild(ch);
+ public List<T> getEvaluatorsForResource(Object resource) {
+ if (resource instanceof String) {
+ return getEvaluatorsForResource((String) resource);
+ } else if (resource instanceof Collection) {
+ if (CollectionUtils.isEmpty((Collection) resource)) { // treat empty collection same as empty-string
+ return getEvaluatorsForResource("");
+ } else {
+ @SuppressWarnings("unchecked")
+ Collection<String> resources = (Collection<String>) resource;
- if(child == null) {
- ret = curr.getWildcardEvaluators();
- curr = null; // so that curr.getEvaluators() will not be called below
- break;
+ return getEvaluatorsForResources(resources);
}
-
- curr = child;
}
- if(ret == null) {
- if(curr != null) {
- ret = curr.getEvaluators();
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerResourceTrie.getEvaluatorsForResource(" + resource + "): evaluatorCount=" + (ret == null ? 0 : ret.size()));
- }
-
- return ret;
+ return null;
}
public TrieData getTrieData() {
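Review bot: `CollectionUtils.isEmpty((Collection) resource)` uses a raw type where `(Collection<?>) resource` compiles without a warning, and the unchecked cast to `Collection<String>` two lines later has the same non-String-element hazard as RangerDefaultResourceMatcher.isMatch. The final `return null` for any other type (including a null resource, which previously would have failed on resource.length()) is fail-closed but silent, which makes a mis-typed resource value hard to diagnose; a guarded debug line would help: `if (LOG.isDebugEnabled()) { LOG.debug("getEvaluatorsForResource: unsupported resource type " + (resource == null ? "null" : resource.getClass().getName())); }`.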
@@ -202,6 +186,92 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
}
}
+ private List<T> getEvaluatorsForResource(String resource) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerResourceTrie.getEvaluatorsForResource(" + resource + ")");
+ }
+
+ List<T> ret = null;
+ TrieNode curr = root;
+
+ final int len = resource.length();
+ for(int i = 0; i < len; i++) {
+ Character ch = getLookupChar(resource.charAt(i));
+ TrieNode child = curr.getChild(ch);
+
+ if(child == null) {
+ ret = curr.getWildcardEvaluators();
+ curr = null; // so that curr.getEvaluators() will not be called below
+ break;
+ }
+
+ curr = child;
+ }
+
+ if(ret == null) {
+ if(curr != null) {
+ ret = curr.getEvaluators();
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerResourceTrie.getEvaluatorsForResource(" + resource + "): evaluatorCount=" + (ret == null ? 0 : ret.size()));
+ }
+
+ return ret;
+ }
+
+ private List<T> getEvaluatorsForResources(Collection<String> resources) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerResourceTrie.getEvaluatorsForResources(" + resources + ")");
+ }
+
+ List<T> ret = null;
+ Map<Long, T> evaluatorsMap = null;
+
+ for (String resource : resources) {
+ List<T> resourceEvaluators = getEvaluatorsForResource(resource);
+
+ if (CollectionUtils.isEmpty(resourceEvaluators)) {
+ continue;
+ }
+
+ if (evaluatorsMap == null) {
+ if (ret == null) { // first resource: don't create map yet
+ ret = resourceEvaluators;
+ } else if (ret != resourceEvaluators) { // if evaluator list is same as earlier resources, retain the list, else create a map
+ evaluatorsMap = new HashMap();
+
+ for (T evaluator : ret) {
+ evaluatorsMap.put(evaluator.getId(), evaluator);
+ }
+
+ ret = null;
+ }
+ }
+
+ if (evaluatorsMap != null) {
+ for (T evaluator : resourceEvaluators) {
+ evaluatorsMap.put(evaluator.getId(), evaluator);
+ }
+ }
+ }
+
+ if (ret == null && evaluatorsMap != null) {
+ ret = new ArrayList<>(evaluatorsMap.values());
+
+ if (comparator != null) {
+ Collections.sort(ret, comparator);
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerResourceTrie.getEvaluatorsForResources(" + resources + "): evaluatorCount=" + (ret == null ? 0 : ret.size()));
+ }
+
+ return ret;
+ }
+
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
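Review bot: `evaluatorsMap = new HashMap();` is a raw type and should at least be `new HashMap<>();`, but the bigger question is ordering: when comparator is null the merged list is built from HashMap iteration order, whereas the single-value path returns the trie node's list in its own order. If callers depend on evaluator order (the optional comparator suggests they sometimes do), `new LinkedHashMap<>()` keeps first-seen order deterministic at no cost; it would need a java.util.LinkedHashMap import alongside the ones added in the first hunk. The identity check `ret != resourceEvaluators` is fine as an optimisation but deserves a comment saying it is only a shortcut for the case where several values hit the same node list, since equal-but-distinct lists still take the map path.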
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index bcd1577..f8c692b 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -302,6 +302,13 @@ public class TestPolicyEngine {
runTestsFromResourceFiles(resourceFiles);
}
+ @Test
+ public void testPolicyEngine_atlas() {
+ String[] resourceFiles = { "/policyengine/test_policyengine_atlas.json" };
+
+ runTestsFromResourceFiles(resourceFiles);
+ }
+
private void runTestsFromResourceFiles(String[] resourceNames) {
for(String resourceName : resourceNames) {
InputStream inStream = this.getClass().getResourceAsStream(resourceName);
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java
index e2c7c27..e31437f 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java
@@ -42,7 +42,7 @@ public class RangerAbstractResourceMatcherTest {
static class AbstractMatcherWrapper extends RangerAbstractResourceMatcher {
@Override
- public boolean isMatch(String resource, Map<String, Object> evalContext) {
+ public boolean isMatch(Object resource, Map<String, Object> evalContext) {
fail("This method is not expected to be used by test!");
return false;
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/agents-common/src/test/resources/policyengine/test_policyengine_atlas.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_atlas.json b/agents-common/src/test/resources/policyengine/test_policyengine_atlas.json
new file mode 100644
index 0000000..1f7c93b
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_atlas.json
@@ -0,0 +1,120 @@
+{
+ "serviceName":"atlasdev",
+
+ "serviceDef":{
+ "name":"atlas",
+ "id":3,
+ "resources":[
+ {"name":"entity-type","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Entity Type","description":"Entity Type"},
+ {"name":"entity-classification","level":2,"parent":"entity-type","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Entity Classification","description":"Entity Classification"},
+ {"name":"entity","level":2,"parent":"entity-classification","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Entity ID","description":"Entity ID"}
+ ],
+ "accessTypes":[
+ {"name":"entity-read","label":"Read Entity"},
+ {"name":"entity-create","label":"Create Entity"},
+ {"name":"entity-update","label":"Update Entity"},
+ {"name":"entity-delete","label":"Delete Entity"},
+ {"name":"entity-read-classification","label":"Read Entity Classification"},
+ {"name":"entity-add-classification","label":"Add Entity Classification"},
+ {"name":"entity-update-classification","label":"Update Entity Classification"},
+ {"name":"entity-remove-classification","label":"Remove Entity Classification"}
+ ]
+ },
+
+ "policies":[
+ {"id":1,"name":"policy for DataSets","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"entity-type":{"values":["DataSet"]},"entity-classification":{"values":["*"]},"entity":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"entity-read", "isAllowed":true}],"users":[],"groups":["data-stewards"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":2,"name":"policy for hive_table","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"entity-type":{"values":["hive_table"]},"entity-classification":{"values":["*"]},"entity":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"entity-read", "isAllowed":true}],"users":[],"groups":["hive-admins"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":10,"name":"policy for PII classification","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"entity-type":{"values":["hive_table"]},"entity-classification":{"values":["PII"]},"entity":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"entity-read", "isAllowed":true}],"users":[],"groups":["privacy-officers"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":20,"name":"policy for EMAIL_PII classification","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"entity-type":{"values":["hive_table"]},"entity-classification":{"values":["EMAIL_PII"]},"entity":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"entity-read", "isAllowed":true}],"users":[],"groups":["email-admins"],"delegateAdmin":false}
+ ]
+ }
+ ],
+
+ "tests":[
+ {"name":"DataSet read by a data-steward",
+ "request":{
+ "resource":{"elements":{"entity-type":"DataSet", "entity-classification":[]}, "entity":"default@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["data-stewards"]
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"DataSet read by a hive-admin",
+ "request":{
+ "resource":{"elements":{"entity-type":"DataSet", "entity-classification":""}, "entity":"default@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["hive-admins"]
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"hive_table read by a data-steward",
+ "request":{
+ "resource":{"elements":{"entity-type":["hive_table", "DataSet"], "entity-classification":""}, "entity":"default.testtable@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["data-stewards"]
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"hive_table read by a hive-admin",
+ "request":{
+ "resource":{"elements":{"entity-type":["hive_table", "DataSet"], "entity-classification":""}, "entity":"default.testtable@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["hive-admins"]
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"PII hive_table read by a privacy-officer",
+ "request":{
+ "resource":{"elements":{"entity-type":["hive_table", "DataSet"], "entity-classification":["PII"]}, "entity":"default.testtable@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["privacy-officers"]
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":10}
+ }
+ ,
+ {"name":"PII hive_table read by a email-admin",
+ "request":{
+ "resource":{"elements":{"entity-type":["hive_table", "DataSet"], "entity-classification":["PII"]}, "entity":"default.testtable@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["email-admins"]
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"EMAIL_PII hive_table read by a privacy-officer",
+ "request":{
+ "resource":{"elements":{"entity-type":["hive_table", "DataSet"], "entity-classification":["PII", "EMAIL_PII"]}, "entity":"default.testtable@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["privacy-officers"]
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":10}
+ }
+ ,
+ {"name":"EMAIL_PII hive_table read by a email-admin",
+ "request":{
+ "resource":{"elements":{"entity-type":["hive_table", "DataSet"], "entity-classification":["PII", "EMAIL_PII"]}, "entity":"default.testtable@cl1"},
+ "accessType":"entity-read","user":"user1","userGroups":["email-admins"]
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":20}
+ }
+ ]
+}
+
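Review bot: In every request under `tests`, the `entity` key sits beside `elements` rather than inside it (`"resource":{"elements":{"entity-type":"DataSet", "entity-classification":[]}, "entity":"default@cl1"}`), so the mandatory `entity` resource declared in the serviceDef is presumably absent from the evaluated request and the `entity:*` values in all four policies are never exercised; if the harness ignores unknown keys, these cases pass for the wrong reason. Move the key inside the map — `"elements":{"entity-type":"DataSet", "entity-classification":[], "entity":"default@cl1"}` — and add a policy with a specific entity value plus a request for a different entity that expects `"isAllowed":false`. The expected results for the two `["PII", "EMAIL_PII"]` requests also pin a security-relevant semantic: a group granted on either classification alone reads an entity that carries both, so attaching an additional classification never narrows access; a test name such as `"PII+EMAIL_PII hive_table read by an email-admin (matches on any classification)"` would make that intent explicit for the next reader. Finally, `entity-classification` and `entity` both declare `"level":2` while `entity` names `entity-classification` as its parent; the shipped ranger-servicedef-atlas.json is outside this view, so confirm the levels there are distinct.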
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
index e4eafc6..48b8cb2 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
@@ -89,22 +89,22 @@ public class RangerHiveResource extends RangerAccessResourceImpl {
}
public String getDatabase() {
- return getValue(KEY_DATABASE);
+ return (String) getValue(KEY_DATABASE);
}
public String getTable() {
- return getValue(KEY_TABLE);
+ return (String) getValue(KEY_TABLE);
}
public String getUdf() {
- return getValue(KEY_UDF);
+ return (String) getValue(KEY_UDF);
}
public String getColumn() {
- return getValue(KEY_COLUMN);
+ return (String) getValue(KEY_COLUMN);
}
public String getUrl() {
- return getValue(KEY_URL);
+ return (String) getValue(KEY_URL);
}
}
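Review bot: The `(String)` casts added to `getDatabase()`, `getTable()`, `getUdf()`, `getColumn()` and `getUrl()` are unchecked, and with elements now typed `Map<String, Object>` a non-String value (this same commit's Atlas plugin passes collections for classifications) would presumably escape the authorizer as a `ClassCastException` instead of a clean deny. The values appear to be written only by this class's own constructors, which are outside the hunk, so the casts are likely safe today, but that invariant is now implicit at five call sites. Route them through one accessor that states the assumption and fails with the offending key, as sketched below; the class header is outside the hunk.
```java
    /** Elements of a Hive resource are always String-valued; fail loudly if that ever changes. */
    private String getStringValue(String key) {
        Object value = getValue(key);

        if (value != null && !(value instanceof String)) {
            throw new IllegalStateException(key + " is not a String: " + value.getClass().getName());
        }

        return (String) value;
    }

    public String getDatabase() {
        return getStringValue(KEY_DATABASE);
    }
    // … unchanged pattern: getTable/getUdf/getColumn/getUrl call getStringValue with their key …
```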
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java
index 0008808..cef7bd9 100644
--- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java
@@ -179,7 +179,7 @@ public class RangerPolicyFactory {
return accessRequest;
}
- private static ImmutableMap<String, String> createResourceElements(boolean shouldEvaluateToTrue) {
+ private static ImmutableMap<String, Object> createResourceElements(boolean shouldEvaluateToTrue) {
String database = String.format("db_%s", System.nanoTime());
String table = String.format("table_%s", System.nanoTime());
String column = String.format("column_%s", System.nanoTime());
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cc62086/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 5b7d085..cb7ca52 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -58,6 +58,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.datatype.RESTResponse;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.biz.AssetMgr;
import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.biz.ServiceDBStore;
@@ -506,7 +507,7 @@ public class ServiceREST {
List<RangerPolicy> ret = new ArrayList<>();
List<RangerService> services = new ArrayList<>();
- Map<String, String> resource = new HashMap<>();
+ Map<String, Object> resource = new HashMap<>();
String validationMessage = validateResourcePoliciesRequest(serviceDefName, serviceName, request, services, resource);
@@ -542,7 +543,7 @@ public class ServiceREST {
return ret;
}
- private String validateResourcePoliciesRequest(String serviceDefName, String serviceName, HttpServletRequest request, List<RangerService> services, Map<String, String> resource) {
+ private String validateResourcePoliciesRequest(String serviceDefName, String serviceName, HttpServletRequest request, List<RangerService> services, Map<String, Object> resource) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.validatePoliciesForResourceRequest(service-type=" + serviceDefName + ", service-name=" + serviceName + ")");
}
@@ -1065,7 +1066,7 @@ public class ServiceREST {
validateGrantRevokeRequest(grantRequest);
String userName = grantRequest.getGrantor();
Set<String> userGroups = userMgr.getGroupsForUser(userName);
- RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource());
+ RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
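Review bot: The `(String)` casts on `resource.getValue(resourceName)` that this commit adds in the `policyResources` loops (following hunks) are only safe because the resource is constructed here from `StringUtil.toStringObjectMap(grantRequest.getResource())`; that pairing is repeated in four grant/revoke paths with nothing tying the two together. Whether `toStringObjectMap` tolerates a null resource map is not visible — `validateGrantRevokeRequest` runs first and may already reject that — but if not, a malformed request would surface as an unhandled NPE from an admin endpoint rather than a validation error, so confirm. A small helper, `private static RangerAccessResource toAccessResource(Map<String, String> resource) { return new RangerAccessResourceImpl(StringUtil.toStringObjectMap(resource)); }`, used at all four sites would keep the conversion (and the String-valued invariant the later casts rely on) in one place; the enclosing grant method starts and ends outside the hunk.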
@@ -1098,7 +1099,7 @@ public class ServiceREST {
if(! CollectionUtils.isEmpty(resourceNames)) {
for(String resourceName : resourceNames) {
- RangerPolicyResource policyResource = new RangerPolicyResource(resource.getValue(resourceName));
+ RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
policyResource.setIsRecursive(grantRequest.getIsRecursive());
policyResources.put(resourceName, policyResource);
@@ -1162,7 +1163,7 @@ public class ServiceREST {
String userName = grantRequest.getGrantor();
Set<String> userGroups = userMgr.getGroupsForUser(userName);
- RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource());
+ RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
XXService xService = daoManager.getXXService().findByName(serviceName);
@@ -1210,7 +1211,7 @@ public class ServiceREST {
if(! CollectionUtils.isEmpty(resourceNames)) {
for(String resourceName : resourceNames) {
- RangerPolicyResource policyResource = new RangerPolicyResource(resource.getValue(resourceName));
+ RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
policyResource.setIsRecursive(grantRequest.getIsRecursive());
policyResources.put(resourceName, policyResource);
@@ -1277,7 +1278,7 @@ public class ServiceREST {
String userName = revokeRequest.getGrantor();
Set<String> userGroups = userMgr.getGroupsForUser(userName);
- RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource());
+ RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
@@ -1338,7 +1339,7 @@ public class ServiceREST {
String userName = revokeRequest.getGrantor();
Set<String> userGroups = userMgr.getGroupsForUser(userName);
- RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource());
+ RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
boolean isAllowed = false;
boolean isKeyAdmin = bizUtil.isKeyAdmin();