Posted to commits@ranger.apache.org by ab...@apache.org on 2019/03/25 15:38:24 UTC
[ranger] branch master updated: RANGER-2371:Security Zone policies
do not work correctly when incremental policy updates are enabled
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new d8ab946 RANGER-2371:Security Zone policies do not work correctly when incremental policy updates are enabled
d8ab946 is described below
commit d8ab9468823f5f5c7c46582962f946a2bab5ce05
Author: Abhay Kulkarni <>
AuthorDate: Mon Mar 25 07:53:27 2019 -0700
RANGER-2371:Security Zone policies do not work correctly when incremental policy updates are enabled
---
.../policyengine/RangerPolicyEngineImpl.java | 18 +-
.../policyengine/RangerPolicyRepository.java | 99 ++--
.../ranger/plugin/service/RangerBasePlugin.java | 7 +-
.../apache/ranger/plugin/util/ServicePolicies.java | 44 +-
.../plugin/policyengine/TestPolicyEngine.java | 8 +
.../policyengine/test_policyengine_hdfs_zones.json | 508 +++++++++++++++++++++
.../java/org/apache/ranger/rest/ServiceREST.java | 7 +-
7 files changed, 622 insertions(+), 69 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index c00f072..5e68363 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -20,6 +20,7 @@
package org.apache.ranger.plugin.policyengine;
import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.ListUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
@@ -290,14 +291,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
}
- if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
- buildZoneTrie(servicePolicies);
- for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> zone : servicePolicies.getSecurityZones().entrySet()) {
- RangerPolicyRepository policyRepository = new RangerPolicyRepository(appId, servicePolicies, options, zone.getKey());
- policyRepositories.put(zone.getKey(), policyRepository);
- }
- }
-
RangerPerfTracer.log(perf);
if (PERF_POLICYENGINE_INIT_LOG.isDebugEnabled()) {
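Review bot: Nothing left in this diff builds the per-zone `RangerPolicyRepository` entries or calls `buildZoneTrie` once this block is deleted, yet `getResourcePolicies(String zoneName)` added later in this file and `ServicePolicies.applyDelta` both read `policyRepositories` by zone name. Presumably the block was moved earlier in the constructor (outside this hunk) so it runs before the code that consumes those repositories — please confirm, because if it was dropped every zoned request would fall through to the unzoned repository and be authorized against the wrong policy set. The constructor starts and ends outside the hunk.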
@@ -1217,9 +1210,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
return ret;
}
- public List<RangerPolicy> getResourcePolicies() { return policyRepository == null ? null : policyRepository.getPolicies(); }
+ public List<RangerPolicy> getResourcePolicies(String zoneName) {
+ RangerPolicyRepository zoneResourceRepository = policyRepositories.get(zoneName);
+ return zoneResourceRepository == null ? ListUtils.EMPTY_LIST : zoneResourceRepository.getPolicies();
+ }
+
+ public List<RangerPolicy> getResourcePolicies() { return policyRepository == null ? ListUtils.EMPTY_LIST : policyRepository.getPolicies(); }
- public List<RangerPolicy> getTagPolicies() { return tagPolicyRepository == null ? null : tagPolicyRepository.getPolicies(); }
+ public List<RangerPolicy> getTagPolicies() { return tagPolicyRepository == null ? ListUtils.EMPTY_LIST : tagPolicyRepository.getPolicies(); }
private RangerAccessResult zoneAwareAccessEvaluationWithNoAudit(RangerAccessRequest request, int policyType) {
if (LOG.isDebugEnabled()) {
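Review bot: `ListUtils.EMPTY_LIST` is a raw `java.util.List`, so all three new return statements compile only through an unchecked conversion to `List<RangerPolicy>`; `Collections.<RangerPolicy>emptyList()` returns the same immutable empty list with the correct type and makes the new `ListUtils` import unnecessary. A second consequence of the change is that an unknown `zoneName` is now indistinguishable from a zone with no policies, so a delta for a zone the engine has never seen is applied against an empty base without any trace; a debug log when `policyRepositories.get(zoneName)` misses would make that visible, e.g. `if (zoneResourceRepository == null && LOG.isDebugEnabled()) { LOG.debug("no policy repository for zone " + zoneName); }`.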
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 8b51c63..ff2a4b2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -229,19 +229,23 @@ class RangerPolicyRepository {
}
}
- if (CollectionUtils.isNotEmpty(other.getPolicies())) {
- if (CollectionUtils.isNotEmpty(this.getPolicies())) {
- this.contextEnrichers = other.contextEnrichers;
- other.isContextEnrichersShared = true;
+ if (StringUtils.isEmpty(zoneName)) {
+ if (CollectionUtils.isNotEmpty(other.getPolicies())) {
+ if (CollectionUtils.isNotEmpty(this.getPolicies())) {
+ this.contextEnrichers = other.contextEnrichers;
+ other.isContextEnrichersShared = true;
+ } else {
+ this.contextEnrichers = null;
+ }
} else {
- this.contextEnrichers = null;
+ if (CollectionUtils.isNotEmpty(this.policies)) {
+ this.contextEnrichers = Collections.unmodifiableList(buildContextEnrichers(options));
+ } else {
+ this.contextEnrichers = null;
+ }
}
} else {
- if (CollectionUtils.isNotEmpty(this.policies)) {
- this.contextEnrichers = Collections.unmodifiableList(buildContextEnrichers(options));
- } else {
- this.contextEnrichers = null;
- }
+ this.contextEnrichers = null;
}
this.policyVersion = policyVersion;
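Review bot: The new outer `else` leaves zone repositories with `contextEnrichers = null` without saying why, and a reader will reasonably wonder whether requests that resolve to a zone lose tag/geo enrichment; a one-line comment such as `// context enrichers are owned by the unzoned repository only; zone repositories never build or share them` would settle that. Whether the engine actually runs the unzoned repository's enrichers before evaluating a zoned request is not visible here — verify, since a zoned request evaluated with an unenriched context would be authorized against incomplete tag information. The small inconsistency between `this.getPolicies()` on the shared-enrichers branch and `this.policies` on the build branch predates this commit but is worth unifying while the block is being restructured. The delta constructor starts outside the hunk.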
@@ -301,7 +305,11 @@ class RangerPolicyRepository {
init(options);
- this.contextEnrichers = Collections.unmodifiableList(buildContextEnrichers(options));
+ if (StringUtils.isEmpty(zoneName)) {
+ this.contextEnrichers = Collections.unmodifiableList(buildContextEnrichers(options));
+ } else {
+ this.contextEnrichers = null;
+ }
if(options.disableTrieLookupPrefilter) {
policyResourceTrie = null;
@@ -350,7 +358,11 @@ class RangerPolicyRepository {
init(options);
- this.contextEnrichers = Collections.unmodifiableList(buildContextEnrichers(options));
+ if (StringUtils.isEmpty(zoneName)) {
+ this.contextEnrichers = Collections.unmodifiableList(buildContextEnrichers(options));
+ } else {
+ this.contextEnrichers = null;
+ }
if(options.disableTrieLookupPrefilter) {
policyResourceTrie = null;
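Review bot: The same five-line `if (StringUtils.isEmpty(zoneName)) { ... } else { this.contextEnrichers = null; }` block now appears in this constructor, in the one above it and, in a slightly different shape, in the delta constructor, so the rule "only the unzoned repository has enrichers" lives in three places. A single expression keeps it in one: `this.contextEnrichers = StringUtils.isEmpty(zoneName) ? Collections.unmodifiableList(buildContextEnrichers(options)) : null;`, which also keeps definite assignment simple if `contextEnrichers` is a final field. The constructor starts and ends outside the hunk.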
@@ -1122,7 +1134,7 @@ class RangerPolicyRepository {
return ret;
}
- private void updateTrie(Map<String, RangerResourceTrie> currentMap, Integer policyDeltaType, RangerPolicyEvaluator oldEvaluator, RangerPolicyEvaluator newEvaluator) {
+ private void updateTrie(Map<String, RangerResourceTrie> trieMap, Integer policyDeltaType, RangerPolicyEvaluator oldEvaluator, RangerPolicyEvaluator newEvaluator) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyRepository.updateTrie(policyDeltaType=" + policyDeltaType + "): ");
}
@@ -1130,36 +1142,15 @@ class RangerPolicyRepository {
String resourceDefName = resourceDef.getName();
- RangerResourceTrie trie = currentMap.get(resourceDefName);
+ RangerResourceTrie<RangerPolicyEvaluator> trie = trieMap.get(resourceDefName);
if (policyDeltaType == RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE) {
- if (newEvaluator != null) {
- RangerPolicy.RangerPolicyResource resource = newEvaluator.getPolicyResource().get(resourceDefName);
- if (resource != null) {
- trie.add(resource, newEvaluator);
- }
- }
+ addEvaluatorToTrie(newEvaluator, trie, resourceDefName);
} else if (policyDeltaType == RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE) {
- if (oldEvaluator != null) {
- RangerPolicy.RangerPolicyResource resource = oldEvaluator.getPolicyResource().get(resourceDefName);
- if (resource != null) {
- trie.delete(resource, oldEvaluator);
- }
- }
+ removeEvaluatorFromTrie(oldEvaluator, trie, resourceDefName);
} else if (policyDeltaType == RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE) {
- if (oldEvaluator != null) {
- RangerPolicy.RangerPolicyResource oldResource = oldEvaluator.getPolicyResource().get(resourceDefName);
- if (oldResource != null) {
- trie.delete(oldResource, oldEvaluator);
- }
- }
- if (newEvaluator != null) {
- RangerPolicy.RangerPolicyResource newResource = newEvaluator.getPolicyResource().get(resourceDefName);
-
- if (newResource != null) {
- trie.add(newResource, newEvaluator);
- }
- }
+ removeEvaluatorFromTrie(oldEvaluator, trie, resourceDefName);
+ addEvaluatorToTrie(newEvaluator, trie, resourceDefName);
} else {
LOG.error("policyDeltaType:" + policyDeltaType + " is currently not handled, policy-id:[" + oldEvaluator.getPolicy().getId() +"]");
}
@@ -1169,6 +1160,24 @@ class RangerPolicyRepository {
}
}
+ private void addEvaluatorToTrie(RangerPolicyEvaluator newEvaluator, RangerResourceTrie<RangerPolicyEvaluator> trie, String resourceDefName) {
+ if (newEvaluator != null) {
+ RangerPolicy.RangerPolicyResource resource = newEvaluator.getPolicyResource().get(resourceDefName);
+ if (resource != null) {
+ trie.add(resource, newEvaluator);
+ }
+ }
+ }
+
+ private void removeEvaluatorFromTrie(RangerPolicyEvaluator oldEvaluator, RangerResourceTrie<RangerPolicyEvaluator> trie, String resourceDefName) {
+ if (oldEvaluator != null) {
+ RangerPolicy.RangerPolicyResource resource = oldEvaluator.getPolicyResource().get(resourceDefName);
+ if (resource != null) {
+ trie.delete(resource, oldEvaluator);
+ }
+ }
+ }
+
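Review bot: Both helpers dereference `trie` unconditionally, while the caller obtains it from a map declared with the raw type `Map<String, RangerResourceTrie>`, so the assignment to `RangerResourceTrie<RangerPolicyEvaluator>` in the hunk above is an unchecked conversion and a resource def with no trie entry would surface as an NPE inside the helper. If the map is guaranteed to hold one trie per resource def of the service def being iterated, a short comment to that effect documents the invariant; otherwise `if (trie == null) { LOG.warn("no trie for resource " + resourceDefName); return; }` at the top of each helper is cheap. Declaring the map as `Map<String, RangerResourceTrie<RangerPolicyEvaluator>>` (here and in `getTrie`) would remove the unchecked conversion altogether.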
private Map<Long, RangerPolicyEvaluator> createPolicyEvaluatorsMap() {
Map<Long, RangerPolicyEvaluator> tmpPolicyEvaluatorMap = new HashMap<>();
@@ -1209,6 +1218,8 @@ class RangerPolicyRepository {
} else {
LOG.warn("RangerPolicyEngine: ignoring policy id=" + policy.getId() + " - invalid policyType '" + policy.getPolicyType() + "'");
}
+
+ policyEvaluatorsMap.put(policy.getId(), ret);
}
}
}
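Review bot: `policyEvaluatorsMap.put(policy.getId(), ret)` is executed even on the path through the `else` that warns and ignores the policy, so if `ret` is still null there (its initialization is above the hunk) the map now holds a null-valued entry for that id; `get(id)` can no longer distinguish "ignored" from "unknown", and a later UPDATE delta for that id would be applied as if an evaluator existed. Guard the insert: `if (ret != null) { policyEvaluatorsMap.put(policy.getId(), ret); }`. The enclosing method starts and ends outside the hunk.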
@@ -1230,6 +1241,9 @@ class RangerPolicyRepository {
break;
}
}
+
+ policyEvaluatorsMap.remove(id);
+
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyRepository.removePolicy(" + id +")");
}
@@ -1255,6 +1269,7 @@ class RangerPolicyRepository {
if (evaluators != null) {
evaluators.remove(evaluator);
}
+
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyRepository.deletePolicyEvaluator(" + evaluator.getPolicy() + ")");
}
@@ -1294,10 +1309,10 @@ class RangerPolicyRepository {
break;
}
- Map<String, RangerResourceTrie> trie = getTrie(policyType);
+ Map<String, RangerResourceTrie> trieMap = getTrie(policyType);
- if (trie != null) {
- updateTrie(trie, changeType, currentEvaluator, newEvaluator);
+ if (trieMap != null) {
+ updateTrie(trieMap, changeType, currentEvaluator, newEvaluator);
}
if (changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE || changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE) {
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 9081af2..cff768f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -23,7 +23,6 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Hashtable;
-import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Timer;
@@ -299,10 +298,8 @@ public class RangerBasePlugin {
usePolicyDeltas = false;
} else if (policies.getPolicyDeltas() != null) {
// Rebuild policies from deltas
- RangerPolicyEngineImpl policyEngineImpl = (RangerPolicyEngineImpl) oldPolicyEngine;
- List<RangerPolicy> oldResourcePolicies = policyEngineImpl.getResourcePolicies();
- List<RangerPolicy> oldTagPolicies = policyEngineImpl.getTagPolicies();
- servicePolicies = ServicePolicies.applyDelta(policies, oldResourcePolicies, oldTagPolicies);
+ RangerPolicyEngineImpl policyEngine = (RangerPolicyEngineImpl) oldPolicyEngine;
+ servicePolicies = ServicePolicies.applyDelta(policies, policyEngine);
if (servicePolicies != null) {
usePolicyDeltas = true;
} else {
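Review bot: `applyDelta` now dereferences the engine immediately (`policyEngine.getResourcePolicies()`), and the unchecked cast `(RangerPolicyEngineImpl) oldPolicyEngine` throws `ClassCastException` for any other `RangerPolicyEngine` implementation, so a failed cast or a null engine would abort the policy refresh rather than fall back to a full reload. An `instanceof` guard that sets `usePolicyDeltas = false` when the cast is not possible keeps the plugin refreshing in both cases; the preceding branch (outside the hunk) may already exclude a null `oldPolicyEngine`, so confirm before adding a redundant check.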
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
index 7eb2bb3..2a80b25 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
@@ -20,7 +20,6 @@
package org.apache.ranger.plugin.util;
-import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
@@ -31,10 +30,12 @@ import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
+import org.apache.commons.collections.MapUtils;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicyDelta;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.codehaus.jackson.annotate.JsonAutoDetect;
import org.codehaus.jackson.annotate.JsonIgnoreProperties;
import org.codehaus.jackson.annotate.JsonAutoDetect.Visibility;
@@ -334,7 +335,7 @@ public class ServicePolicies implements java.io.Serializable {
;
}
}
- public static ServicePolicies copyHeader(ServicePolicies source) {
+ private static ServicePolicies copyHeader(ServicePolicies source) {
ServicePolicies ret = new ServicePolicies();
ret.setServiceName(source.getServiceName());
@@ -353,7 +354,7 @@ public class ServicePolicies implements java.io.Serializable {
return ret;
}
- public static TagPolicies copyHeader(TagPolicies source) {
+ private static TagPolicies copyHeader(TagPolicies source) {
TagPolicies ret = new TagPolicies();
ret.setServiceName(source.getServiceName());
@@ -367,24 +368,51 @@ public class ServicePolicies implements java.io.Serializable {
return ret;
}
- public static ServicePolicies applyDelta(final ServicePolicies servicePolicies, final List<RangerPolicy> oldResourcePolicies, final List<RangerPolicy> oldTagPolicies) {
+ public static ServicePolicies applyDelta(final ServicePolicies servicePolicies, RangerPolicyEngineImpl policyEngine) {
ServicePolicies ret = copyHeader(servicePolicies);
+ List<RangerPolicy> oldResourcePolicies = policyEngine.getResourcePolicies();
+ List<RangerPolicy> oldTagPolicies = policyEngine.getTagPolicies();
+
List<RangerPolicy> newResourcePolicies = RangerPolicyDeltaUtil.applyDeltas(oldResourcePolicies, servicePolicies.getPolicyDeltas(), servicePolicies.getServiceDef().getName());
+ ret.setPolicies(newResourcePolicies);
+
final List<RangerPolicy> newTagPolicies;
if (servicePolicies.getTagPolicies() != null) {
- final List<RangerPolicy> policies = oldTagPolicies == null ? new ArrayList<>() : oldTagPolicies;
- newTagPolicies = RangerPolicyDeltaUtil.applyDeltas(policies, servicePolicies.getPolicyDeltas(), servicePolicies.getTagPolicies().getServiceDef().getName());
+ newTagPolicies = RangerPolicyDeltaUtil.applyDeltas(oldTagPolicies, servicePolicies.getPolicyDeltas(), servicePolicies.getTagPolicies().getServiceDef().getName());
} else {
newTagPolicies = null;
}
- ret.setPolicies(newResourcePolicies);
-
if (ret.getTagPolicies() != null) {
ret.getTagPolicies().setPolicies(newTagPolicies);
}
+
+ if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
+ Map<String, SecurityZoneInfo> newSecurityZones = new HashMap<>();
+
+ for (Map.Entry<String, SecurityZoneInfo> entry : servicePolicies.getSecurityZones().entrySet()) {
+ String zoneName = entry.getKey();
+ SecurityZoneInfo zoneInfo = entry.getValue();
+
+ List<RangerPolicy> zoneResourcePolicies = policyEngine.getResourcePolicies(zoneName);
+ // There are no separate tag-policy-repositories for each zone
+
+ final List<RangerPolicy> newZonePolicies = RangerPolicyDeltaUtil.applyDeltas(zoneResourcePolicies, zoneInfo.getPolicyDeltas(), servicePolicies.getServiceDef().getName());
+
+ SecurityZoneInfo newZoneInfo = new SecurityZoneInfo();
+
+ newZoneInfo.setZoneName(zoneName);
+ newZoneInfo.setResources(zoneInfo.getResources());
+ newZoneInfo.setPolicies(newZonePolicies);
+
+ newSecurityZones.put(zoneName, newZoneInfo);
+ }
+
+ ret.setSecurityZones(newSecurityZones);
+ }
+
return ret;
}
}
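Review bot: The rebuilt `securityZones` map contains only the zones present in the incoming delta message, so any zone the engine already knows but that is absent from `servicePolicies.getSecurityZones()` disappears together with its policies, and requests on those resources would thereafter be authorized by the unzoned policies. That is correct only if the admin sends every zone of the service in every delta response (the `ServiceREST` hunk in this commit appears to iterate all zones, but the per-zone construction is outside the visible lines) — a comment stating that contract here, e.g. `// the admin always sends every zone of the service; zones missing from the message are treated as removed`, would make the dependency explicit. Two smaller points: `zoneInfo.getPolicyDeltas()` may be null for a zone with no changes, so `RangerPolicyDeltaUtil.applyDeltas` must tolerate a null delta list, and `newZoneInfo.setResources(zoneInfo.getResources())` silently drops the zone's resource mapping if the message omits it, which would cause the zone trie to match nothing. Finally, this utility class now imports `RangerPolicyEngineImpl`, creating a util→policyengine dependency where the old signature only needed the two policy lists.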
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 9bd5e24..080efac 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -211,6 +211,12 @@ public class TestPolicyEngine {
runTestsFromResourceFiles(hdfsTestResourceFiles);
}
+ @Test
+ public void testPolicyEngine_hdfsForZones() {
+ String[] hdfsTestResourceFiles = { "/policyengine/test_policyengine_hdfs_zones.json" };
+
+ runTestsFromResourceFiles(hdfsTestResourceFiles);
+ }
@Test
public void testPolicyEngine_hive() {
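Review bot: The new test exercises only a full policy load with `securityZones` populated; nothing in the resource file carries `policyDeltas`, so `ServicePolicies.applyDelta` — the incremental path that RANGER-2371 is about — is not covered. A second case that builds an engine from the full set, then feeds a `ServicePolicies` whose zone carries one CREATE and one DELETE delta through `applyDelta`, and asserts the zoned request outcomes change accordingly would pin the fix; a brief comment on this method, e.g. `// full-load zone evaluation only; incremental zone deltas are not exercised here`, would at least make the gap explicit.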
@@ -374,6 +380,7 @@ public class TestPolicyEngine {
servicePolicies.setServiceName(testCase.serviceName);
servicePolicies.setServiceDef(testCase.serviceDef);
servicePolicies.setPolicies(testCase.policies);
+ servicePolicies.setSecurityZones(testCase.securityZones);
if (StringUtils.isNotBlank(testCase.auditMode)) {
servicePolicies.setAuditMode(testCase.auditMode);
@@ -560,6 +567,7 @@ public class TestPolicyEngine {
public RangerServiceDef serviceDef;
public List<RangerPolicy> policies;
public TagPolicyInfo tagPolicyInfo;
+ public Map<String, ServicePolicies.SecurityZoneInfo> securityZones;
public String auditMode;
public List<TestData> tests;
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_zones.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_zones.json
new file mode 100644
index 0000000..6fcb66e
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_zones.json
@@ -0,0 +1,508 @@
+{
+ "serviceName": "cl1_hadoop",
+ "serviceDef": {
+ "accessTypes": [
+ {
+ "impliedGrants": [],
+ "itemId": 1,
+ "label": "Read",
+ "name": "read"
+ },
+ {
+ "impliedGrants": [],
+ "itemId": 2,
+ "label": "Write",
+ "name": "write"
+ },
+ {
+ "impliedGrants": [],
+ "itemId": 3,
+ "label": "Execute",
+ "name": "execute"
+ }
+ ],
+ "configs": [
+ {
+ "itemId": 1,
+ "label": "Username",
+ "mandatory": true,
+ "name": "username",
+ "subType": "",
+ "type": "string",
+ "uiHint": "",
+ "validationMessage": "",
+ "validationRegEx": ""
+ },
+ {
+ "itemId": 2,
+ "label": "Password",
+ "mandatory": true,
+ "name": "password",
+ "subType": "",
+ "type": "password",
+ "uiHint": "",
+ "validationMessage": "",
+ "validationRegEx": ""
+ },
+ {
+ "itemId": 3,
+ "label": "Namenode URL",
+ "mandatory": true,
+ "name": "fs.default.name",
+ "subType": "",
+ "type": "string",
+ "uiHint": "{\"TextFieldWithIcon\":true, \"info\": \"1.For one Namenode Url, eg.<br>hdfs://<host>:<port><br>2.For HA Namenode Urls(use , delimiter), eg.<br>hdfs://<host>:<port>,hdfs://<host2>:<port2><br>\"}",
+ "validationMessage": "",
+ "validationRegEx": ""
+ },
+ {
+ "defaultValue": "false",
+ "itemId": 4,
+ "label": "Authorization Enabled",
+ "mandatory": true,
+ "name": "hadoop.security.authorization",
+ "subType": "YesTrue:NoFalse",
+ "type": "bool",
+ "uiHint": "",
+ "validationMessage": "",
+ "validationRegEx": ""
+ },
+ {
+ "defaultValue": "simple",
+ "itemId": 5,
+ "label": "Authentication Type",
+ "mandatory": true,
+ "name": "hadoop.security.authentication",
+ "subType": "authnType",
+ "type": "enum",
+ "uiHint": "",
+ "validationMessage": "",
+ "validationRegEx": ""
+ },
+ {
+ "itemId": 6,
+ "mandatory": false,
+ "name": "hadoop.security.auth_to_local",
+ "subType": "",
+ "type": "string",
+ "uiHint": "",
+ "validationMessage": "",
+ "validationRegEx": ""
+ },
+ {
+ "itemId": 7,
+ "mandatory": false,
+ "name": "dfs.datanode.kerberos.principal",
+ "subType": "",
+ "type": "string",
+ "uiHint": "",
+ "validationMessage": "",
+ "validationRegEx": ""
+ },
+ {
+ "itemId": 8,
+ "mandatory": false,
+ "name": "dfs.namenode.kerberos.principal",
+ "subType": "",
+ "type": "string",
+ "uiHint": "",
+ "validationMessage": "",
+ "validationRegEx": ""
+ },
+ {
+ "itemId": 9,
+ "mandatory": false,
+ "name": "dfs.secondary.namenode.kerberos.principal",
+ "subType": "",
+ "type": "string",
+ "uiHint": "",
+ "validationMessage": "",
+ "validationRegEx": ""
+ },
+ {
+ "defaultValue": "authentication",
+ "itemId": 10,
+ "label": "RPC Protection Type",
+ "mandatory": false,
+ "name": "hadoop.rpc.protection",
+ "subType": "rpcProtection",
+ "type": "enum",
+ "uiHint": "",
+ "validationMessage": "",
+ "validationRegEx": ""
+ },
+ {
+ "itemId": 11,
+ "label": "Common Name for Certificate",
+ "mandatory": false,
+ "name": "commonNameForCertificate",
+ "subType": "",
+ "type": "string",
+ "uiHint": "",
+ "validationMessage": "",
+ "validationRegEx": ""
+ }
+ ],
+ "contextEnrichers": [],
+ "dataMaskDef": {
+ "accessTypes": [],
+ "maskTypes": [],
+ "resources": []
+ },
+ "description": "HDFS Repository",
+ "enums": [
+ {
+ "defaultIndex": 0,
+ "elements": [
+ {
+ "itemId": 1,
+ "label": "Simple",
+ "name": "simple"
+ },
+ {
+ "itemId": 2,
+ "label": "Kerberos",
+ "name": "kerberos"
+ }
+ ],
+ "itemId": 1,
+ "name": "authnType"
+ },
+ {
+ "defaultIndex": 0,
+ "elements": [
+ {
+ "itemId": 1,
+ "label": "Authentication",
+ "name": "authentication"
+ },
+ {
+ "itemId": 2,
+ "label": "Integrity",
+ "name": "integrity"
+ },
+ {
+ "itemId": 3,
+ "label": "Privacy",
+ "name": "privacy"
+ }
+ ],
+ "itemId": 2,
+ "name": "rpcProtection"
+ }
+ ],
+ "guid": "0d047247-bafe-4cf8-8e9b-d5d377284b2d",
+ "id": 1,
+ "implClass": "org.apache.ranger.services.hdfs.RangerServiceHdfs",
+ "isEnabled": true,
+ "label": "HDFS Repository",
+ "name": "hdfs",
+ "options": {
+ "enableDenyAndExceptionsInPolicies": "true"
+ },
+ "policyConditions": [],
+ "resources": [
+ {
+ "accessTypeRestrictions": [],
+ "description": "HDFS file or directory path",
+ "excludesSupported": false,
+ "isValidLeaf": true,
+ "itemId": 1,
+ "label": "Resource Path",
+ "level": 10,
+ "lookupSupported": true,
+ "mandatory": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
+ "matcherOptions": {
+ "ignoreCase": "false",
+ "wildCard": "true"
+ },
+ "name": "path",
+ "recursiveSupported": true,
+ "type": "path",
+ "uiHint": "",
+ "validationMessage": "",
+ "validationRegEx": ""
+ }
+ ],
+ "rowFilterDef": {
+ "accessTypes": [],
+ "resources": []
+ },
+ "version": 1
+ },
+ "policies": [
+ {
+ "allowExceptions": [],
+ "dataMaskPolicyItems": [],
+ "denyExceptions": [],
+ "denyPolicyItems": [],
+ "description": "Policy for all - path",
+ "guid": "7a763261-06f4-42a3-9c74-e6d4287a5494",
+ "id": 1,
+ "isAuditEnabled": true,
+ "isEnabled": true,
+ "name": "all - path",
+ "options": {},
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "isAllowed": true,
+ "type": "read"
+ },
+ {
+ "isAllowed": true,
+ "type": "write"
+ },
+ {
+ "isAllowed": true,
+ "type": "execute"
+ }
+ ],
+ "conditions": [],
+ "delegateAdmin": true,
+ "groups": [],
+ "users": [
+ "hadoop"
+ ]
+ }
+ ],
+ "policyLabels": [],
+ "policyPriority": 0,
+ "policyType": 0,
+ "resources": {
+ "path": {
+ "isExcludes": false,
+ "isRecursive": true,
+ "values": [
+ "/*"
+ ]
+ }
+ },
+ "rowFilterPolicyItems": [],
+ "service": "cl1_hadoop",
+ "validitySchedules": [],
+ "version": 1
+ },
+ {
+ "allowExceptions": [],
+ "dataMaskPolicyItems": [],
+ "denyExceptions": [],
+ "denyPolicyItems": [],
+ "description": "Policy for kms-audit-path",
+ "guid": "06fa497e-a638-49a1-a13f-f4d583af7f91",
+ "id": 2,
+ "isAuditEnabled": true,
+ "isEnabled": true,
+ "name": "kms-audit-path",
+ "options": {},
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "isAllowed": true,
+ "type": "read"
+ },
+ {
+ "isAllowed": true,
+ "type": "write"
+ },
+ {
+ "isAllowed": true,
+ "type": "execute"
+ }
+ ],
+ "conditions": [],
+ "delegateAdmin": false,
+ "groups": [],
+ "users": [
+ "keyadmin"
+ ]
+ }
+ ],
+ "policyLabels": [],
+ "policyPriority": 0,
+ "policyType": 0,
+ "resources": {
+ "path": {
+ "isExcludes": false,
+ "isRecursive": true,
+ "values": [
+ "/ranger/audit/kms"
+ ]
+ }
+ },
+ "rowFilterPolicyItems": [],
+ "service": "cl1_hadoop",
+ "validitySchedules": [],
+ "version": 1
+ },
+ {
+ "allowExceptions": [],
+ "dataMaskPolicyItems": [],
+ "denyExceptions": [],
+ "denyPolicyItems": [],
+ "description": "",
+ "guid": "ce4828e1-ad6f-402a-960f-da1c660f8675",
+ "id": 40,
+ "isAuditEnabled": true,
+ "isEnabled": true,
+ "name": "Finance for default zone",
+ "options": {},
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "isAllowed": true,
+ "type": "read"
+ },
+ {
+ "isAllowed": true,
+ "type": "write"
+ },
+ {
+ "isAllowed": true,
+ "type": "execute"
+ }
+ ],
+ "conditions": [],
+ "delegateAdmin": false,
+ "groups": [],
+ "users": [
+ "sales-admin"
+ ]
+ }
+ ],
+ "policyLabels": [
+ ""
+ ],
+ "policyPriority": 0,
+ "policyType": 0,
+ "resources": {
+ "path": {
+ "isExcludes": false,
+ "isRecursive": true,
+ "values": [
+ "/finance"
+ ]
+ }
+ },
+ "rowFilterPolicyItems": [],
+ "service": "cl1_hadoop",
+ "validitySchedules": [],
+ "version": 1
+ }
+ ],
+ "securityZones": {
+ "finance": {
+ "policies": [
+ {
+ "allowExceptions": [],
+ "dataMaskPolicyItems": [],
+ "denyExceptions": [],
+ "denyPolicyItems": [],
+ "description": "Policy for all - path",
+ "guid": "2b88b928-00e4-4670-9ca9-fc577eda7cfc",
+ "id": 37,
+ "isAuditEnabled": true,
+ "isEnabled": true,
+ "name": "finance-all - path-0",
+ "options": {},
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "isAllowed": true,
+ "type": "read"
+ },
+ {
+ "isAllowed": true,
+ "type": "write"
+ },
+ {
+ "isAllowed": true,
+ "type": "execute"
+ }
+ ],
+ "conditions": [],
+ "delegateAdmin": true,
+ "groups": [],
+ "users": [
+ "hadoop", "finance-admin"
+ ]
+ }
+ ],
+ "policyLabels": [
+ ""
+ ],
+ "policyPriority": 0,
+ "policyType": 0,
+ "resources": {
+ "path": {
+ "isExcludes": false,
+ "isRecursive": true,
+ "values": [
+ "/*"
+ ]
+ }
+ },
+ "rowFilterPolicyItems": [],
+ "service": "cl1_hadoop",
+ "validitySchedules": [],
+ "version": 3,
+ "zoneName": "finance"
+ }
+ ],
+ "resources": [
+ {
+ "path": [
+ "/finance"
+ ]
+ }
+ ],
+ "zoneName": "finance"
+ }
+ },
+ "tests":[
+ {"name":"ALLOW 'read /finance/restricted/sales.db' for u=finance-admin; in zone finance",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+ "accessType":"read","user":"finance-admin","userGroups":[],"requestData":"read /finance/restricted/sales.db"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":37}
+ }
+ ,
+ {"name":"DENY 'read /sales/restricted/invoices.db' for u=finance-admin; not in zone unzoned",
+ "request":{
+ "resource":{"elements":{"path":"/sales/restricted/invoices.db"}},
+ "accessType":"read","user":"finance-admin","userGroups":[],"requestData":"read /finance/restricted/invoices.db"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW 'read /finance/restricted/sales.db' for u=hadoop; in zone finance",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+ "accessType":"read","user":"hadoop","userGroups":[],"requestData":"read /finance/restricted/sales.db"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":37}
+ }
+ ,
+ {"name":"ALLOW 'read /sales/restricted/invoices.db' for u=hadoop; in zone unzoned",
+ "request":{
+ "resource":{"elements":{"path":"/sales/restricted/invoices.db"}},
+ "accessType":"read","user":"hadoop","userGroups":[],"requestData":"read /finance/restricted/invoices.db"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"DENY 'read /finance/restricted/sales.db' for u=sales-admin; in zone finance",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+ "accessType":"read","user":"sales-admin","userGroups":[],"requestData":"read /finance/restricted/sales.db"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ]
+}
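Review bot: Two of the test cases carry a `requestData` that does not match the resource they request — both the "DENY 'read /sales/restricted/invoices.db' for u=finance-admin" case and the "ALLOW 'read /sales/restricted/invoices.db' for u=hadoop" case use `"requestData":"read /finance/restricted/invoices.db"` while `path` is `/sales/restricted/invoices.db`; since `requestData` ends up in the audit record, `"requestData":"read /sales/restricted/invoices.db"` keeps the fixture honest. The name "not in zone unzoned" on the first of those cases also reads as a contradiction; "in unzoned space" (or similar) says what the case checks.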
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 602eb3f..a60d4e0 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -3694,7 +3694,6 @@ public class ServiceREST {
final ServicePolicies ret;
if (MapUtils.isNotEmpty(securityZones)) {
-
ret = new ServicePolicies();
ret.setServiceDef(servicePolicies.getServiceDef());
ret.setServiceId(servicePolicies.getServiceId());
@@ -3706,8 +3705,8 @@ public class ServiceREST {
Map<String, ServicePolicies.SecurityZoneInfo> securityZonesInfo = new HashMap<>();
if (CollectionUtils.isEmpty(servicePolicies.getPolicyDeltas())) {
- List<RangerPolicy> allPolicies = new ArrayList<>(servicePolicies.getPolicies());
+ List<RangerPolicy> allPolicies = new ArrayList<>(servicePolicies.getPolicies());
for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet()) {
@@ -3727,7 +3726,6 @@ public class ServiceREST {
ret.setPolicies(allPolicies);
ret.setTagPolicies(servicePolicies.getTagPolicies());
- ret.setSecurityZones(securityZonesInfo);
} else {
List<RangerPolicyDelta> allPolicyDeltas = new ArrayList<>(servicePolicies.getPolicyDeltas());
@@ -3746,13 +3744,14 @@ public class ServiceREST {
securityZonesInfo.put(entry.getKey(), securityZoneInfo);
}
- ret.setPolicyDeltas(allPolicyDeltas);
+ ret.setPolicyDeltas(allPolicyDeltas);
}
ret.setSecurityZones(securityZonesInfo);
} else {
ret = servicePolicies;
}
+
return ret;
}
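Review bot: `ret.setSecurityZones(securityZonesInfo)` is now attached to the delta response as well, and the plugin-side `applyDelta` in this same commit rebuilds each zone from exactly what this message carries (`newZoneInfo.setResources(zoneInfo.getResources())`, `zoneInfo.getPolicyDeltas()`), so the `securityZoneInfo` built just above must include the zone's resource list and a non-null (possibly empty) delta list for every zone of the service, even when nothing changed in it. The construction of `securityZoneInfo` is outside the hunk, so please confirm; a comment such as `// every zone is sent on each refresh; the plugin treats a missing zone as removed` next to the common `setSecurityZones` call would record the contract. The enclosing method starts outside the hunk.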