You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ma...@apache.org on 2015/08/13 06:19:17 UTC

incubator-ranger git commit: RANGER-274: Add default tag policy to support EXPIRES_ON tag when a new tag service is created.

Repository: incubator-ranger
Updated Branches:
  refs/heads/tag-policy bc090a669 -> 8c37c47fa


RANGER-274: Add default tag policy to support EXPIRES_ON tag when a new tag service is created.

Signed-off-by: Madhan Neethiraj <ma...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/8c37c47f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/8c37c47f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/8c37c47f

Branch: refs/heads/tag-policy
Commit: 8c37c47faa36daf8b0d087499ff61708ab5097e9
Parents: bc090a6
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Mon Aug 10 15:08:49 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Wed Aug 12 20:46:16 2015 -0700

----------------------------------------------------------------------
 .../org/apache/ranger/biz/ServiceDBStore.java   | 135 +++++++++++++++++--
 1 file changed, 124 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8c37c47f/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 3f657be..cdde7e8 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -133,6 +133,12 @@ import org.springframework.transaction.support.TransactionTemplate;
 public class ServiceDBStore extends AbstractServiceStore {
 	private static final Log LOG = LogFactory.getLog(ServiceDBStore.class);
 
+	public static final String RANGER_DEFAULT_TAGPOLICY_TAG_PREFIX = "ranger.default.tagpolicy.tag.";
+	public static final String RANGER_DEFAULT_TAGPOLICY_TAG_NAME = RANGER_DEFAULT_TAGPOLICY_TAG_PREFIX + "name";
+	public static final String RANGER_DEFAULT_TAGPOLICY_TAG_ATTRIBUTE_NAME = RANGER_DEFAULT_TAGPOLICY_TAG_PREFIX + "attribute.name";
+	public static final String RANGER_DEFAULT_TAGPOLICY_TAG_SCRIPT_FORMAT = RANGER_DEFAULT_TAGPOLICY_TAG_PREFIX + "%1$s." + "script";
+
+
 	@Autowired
 	RangerServiceDefService serviceDefService;
  
@@ -1095,10 +1101,6 @@ public class ServiceDBStore extends AbstractServiceStore {
 				RangerServiceService.OPERATION_CREATE_CONTEXT);
 		bizUtil.createTrxLog(trxLogList);
 
-		if (createdService.getType().equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) {
-			createDefaultPolicy = false;
-		}
-
 		if (createDefaultPolicy) {
 			createDefaultPolicies(xCreatedService, vXUser);
 		}
@@ -1772,14 +1774,125 @@ public class ServiceDBStore extends AbstractServiceStore {
 	}
 
 	void createDefaultPolicies(XXService createdService, VXUser vXUser) throws Exception {
-		// we need to create one policy for each resource hierarchy
 		RangerServiceDef serviceDef = getServiceDef(createdService.getType());
-		RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
-		int i = 1;
-		for (List<RangerResourceDef> aHierarchy : serviceDefHelper.getResourceHierarchies()) {
-			createDefaultPolicy(createdService, vXUser, aHierarchy, i);
-			i++;
-		};
+
+		if (serviceDef.getName().equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) {
+			createDefaultTagPolicy(createdService);
+		} else {
+			// we need to create one policy for each resource hierarchy
+			RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
+			int i = 1;
+			for (List<RangerResourceDef> aHierarchy : serviceDefHelper.getResourceHierarchies()) {
+				createDefaultPolicy(createdService, vXUser, aHierarchy, i);
+				i++;
+			}
+		}
+	}
+
+	private void createDefaultTagPolicy(XXService createdService) throws Exception {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> ServiceDBStore.createDefaultTagPolicy() ");
+		}
+
+		String tagResourceDefName = null;
+		String tagPolicyConditionName = null;
+
+		RangerServiceDef tagServiceDef = getServiceDef(createdService.getType());
+		List<RangerResourceDef> tagResourceDef = tagServiceDef.getResources();
+		if (tagResourceDef != null && tagResourceDef.size() > 0) {
+			// Assumption : First (and perhaps the only) resourceDef is the name of the tag resource
+			RangerResourceDef theTagResourceDef = tagResourceDef.get(0);
+			tagResourceDefName = theTagResourceDef.getName();
+		} else {
+			LOG.error("ServiceDBStore.createService() - Cannot create default TAG policy: Cannot get tagResourceDef Name.");
+		}
+
+		List<RangerPolicyConditionDef> policyConditions = tagServiceDef.getPolicyConditions();
+		if (policyConditions != null && policyConditions.size() > 0) {
+			// Assumption : First (and perhaps the only) policyConditionDef is javascript evaluator
+			RangerPolicyConditionDef condition = policyConditions.get(0);
+			tagPolicyConditionName = condition.getName();
+		} else {
+			LOG.error("ServiceDBStore.createService() - Cannot create default TAG policy: Cannot get tagPolicyConditionDef Name.");
+		}
+
+		String tagName = RangerConfiguration.getInstance().get(RANGER_DEFAULT_TAGPOLICY_TAG_NAME, "EXPIRES_ON");
+		String tagAttributeName = RangerConfiguration.getInstance().get(RANGER_DEFAULT_TAGPOLICY_TAG_ATTRIBUTE_NAME, "expiry_date");
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("ServiceDBStore.createDefaultTagPolicy() - tagResourceDefName=" + tagResourceDefName +
+					", tagPolicyConditionName=" + tagPolicyConditionName + ", tagName=" + tagName +
+					", tagAttributeName=" + tagAttributeName);
+		}
+
+		if (tagResourceDefName != null && tagPolicyConditionName != null && tagName != null && tagAttributeName != null) {
+
+			String policyName = createdService.getName() + "-" + tagName;
+
+			RangerPolicy policy = new RangerPolicy();
+
+			policy.setIsEnabled(true);
+			policy.setVersion(1L);
+			policy.setName(policyName);
+			policy.setService(createdService.getName());
+			policy.setDescription("Default Policy for TAG: " + tagName + " for TAG Service: " + createdService.getName());
+			policy.setIsAuditEnabled(true);
+			policy.setPolicyTypeFinal(true);
+
+			Map<String, RangerPolicyResource> resourceMap = new HashMap<>();
+
+			RangerPolicyResource polRes = new RangerPolicyResource();
+			polRes.setIsExcludes(false);
+			polRes.setIsRecursive(false);
+			polRes.setValue(tagName);
+			resourceMap.put(tagResourceDefName, polRes);
+
+			policy.setResources(resourceMap);
+
+			List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicyItem>();
+
+			RangerPolicyItem policyItem = new RangerPolicyItem();
+
+			List<String> groups = new ArrayList<String>();
+			groups.add(RangerConstants.GROUP_PUBLIC);
+			policyItem.setGroups(groups);
+
+			List<XXAccessTypeDef> accessTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType());
+			List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
+			for (XXAccessTypeDef accessTypeDef : accessTypeDefs) {
+				RangerPolicyItemAccess access = new RangerPolicyItemAccess();
+				access.setType(accessTypeDef.getName());
+				access.setIsAllowed(true);
+				accesses.add(access);
+			}
+			policyItem.setAccesses(accesses);
+
+			List<RangerPolicyItemCondition> policyItemConditions = new ArrayList<RangerPolicyItemCondition>();
+			String propertyName = String.format(RANGER_DEFAULT_TAGPOLICY_TAG_SCRIPT_FORMAT, tagName);
+			String scriptFormat = RangerConfiguration.getInstance().get(propertyName, "if (ctx.isAccessedAfter('%1$s', '%2$s')) { ctx.result = false;} else { ctx.result = true;}");
+			String formattedScript = String.format(scriptFormat, tagName, tagAttributeName);
+			List<String> javascriptScriptList = new ArrayList<String>();
+			javascriptScriptList.add(formattedScript);
+			RangerPolicyItemCondition policyItemCondition = new RangerPolicyItemCondition(tagPolicyConditionName, javascriptScriptList);
+			policyItemConditions.add(policyItemCondition);
+
+			policyItem.setConditions(policyItemConditions);
+			policyItem.setDelegateAdmin(true);
+
+			policyItems.add(policyItem);
+
+			policy.setPolicyItems(policyItems);
+
+			policy = createPolicy(policy);
+		} else {
+			LOG.error("ServiceDBStore.createService() - Cannot create default TAG policy, tagResourceDefName=" + tagResourceDefName +
+					", tagPolicyConditionName=" + tagPolicyConditionName + ", defaultTagName=" + tagName +
+					", defaultTagAttributeName=" + tagAttributeName);
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== ServiceDBStore.createDefaultTagPolicy()");
+		}
 	}
 
 	private void createDefaultPolicy(XXService createdService, VXUser vXUser, List<RangerResourceDef> resourceHierarchy, int num) throws Exception {