Posted to commits@ranger.apache.org by sp...@apache.org on 2017/09/14 16:21:01 UTC
[1/2] ranger git commit: RANGER-1647: Allow Ranger policy conditions
to use tag attributes and values in Ranger -- ranger-0.7 branch
Repository: ranger
Updated Branches:
refs/heads/ranger-0.7 309abeff4 -> 109f2218d
RANGER-1647: Allow Ranger policy conditions to use tag attributes and values in Ranger -- ranger-0.7 branch
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/dbe1a3a3
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/dbe1a3a3
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/dbe1a3a3
Branch: refs/heads/ranger-0.7
Commit: dbe1a3a3f033f0e423e70d14b9937162ad5d4a66
Parents: 309abef
Author: Sailaja Polavarapu <sp...@hortonworks.com>
Authored: Wed Sep 13 15:57:33 2017 -0700
Committer: Sailaja Polavarapu <sp...@hortonworks.com>
Committed: Wed Sep 13 15:57:33 2017 -0700
----------------------------------------------------------------------
.../RangerScriptConditionEvaluator.java | 8 +++++++-
.../RangerScriptExecutionContext.java | 10 +++++-----
.../service-defs/ranger-servicedef-tag.json | 8 ++++++++
.../test/resources/policyengine/resourceTags.json | 2 +-
.../policyengine/test_policyengine_owner.json | 10 +++++-----
.../policyengine/test_policyengine_tag_hive.json | 14 +++++++-------
.../test_policyengine_tag_hive_filebased.json | 16 ++++++++--------
7 files changed, 41 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
index 48ffc38..5febf95 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
@@ -24,12 +24,14 @@ import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
+import java.util.Collections;
import java.util.List;
import java.util.Map;
@@ -90,11 +92,15 @@ public class RangerScriptConditionEvaluator extends RangerAbstractConditionEvalu
RangerAccessRequest readOnlyRequest = request.getReadOnlyCopy();
- RangerScriptExecutionContext context = new RangerScriptExecutionContext(readOnlyRequest);
+ RangerScriptExecutionContext context = new RangerScriptExecutionContext(readOnlyRequest);
+ RangerTagForEval currentTag = context.getCurrentTag();
+ Map<String, String> tagAttribs = currentTag != null ? currentTag.getAttributes() : Collections.<String, String>emptyMap();
Bindings bindings = scriptEngine.createBindings();
bindings.put("ctx", context);
+ bindings.put("tag", currentTag);
+ bindings.put("tagAttr", tagAttribs);
if (LOG.isDebugEnabled()) {
LOG.debug("RangerScriptConditionEvaluator.isMatched(): script={" + script + "}");
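Review bot: The new `tagAttr` binding gives the script whatever map `currentTag.getAttributes()` returns, and `tag` the tag object itself, although the request is deliberately handed over as a read-only copy. If that map is the tag's live, mutable attribute map (not visible in this hunk), a policy script could alter attributes that later evaluations read. A null return from `getAttributes()` would also bind `tagAttr` to null despite the empty-map fallback. Consider `Map<String, String> tagAttribs = (currentTag != null && currentTag.getAttributes() != null) ? Collections.unmodifiableMap(currentTag.getAttributes()) : Collections.<String, String>emptyMap();`, plus a comment such as `// tag is null when the request carries no current tag; scripts must check before dereferencing`. The enclosing method starts and ends outside the hunk.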
http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
index acd96be..415d7fd 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
@@ -368,23 +368,23 @@ public final class RangerScriptExecutionContext {
return ret;
}
- public void logDebug(String msg) {
+ public void logDebug(Object msg) {
LOG.debug(msg);
}
- public void logInfo(String msg) {
+ public void logInfo(Object msg) {
LOG.info(msg);
}
- public void logWarn(String msg) {
+ public void logWarn(Object msg) {
LOG.warn(msg);
}
- public void logError(String msg) {
+ public void logError(Object msg) {
LOG.error(msg);
}
- public void logFatal(String msg) {
+ public void logFatal(Object msg) {
LOG.fatal(msg);
}
}
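Review bot: `logDebug(Object)` through `logFatal(Object)` forward a script-supplied value to `LOG` unchanged, so a policy condition can write arbitrary multi-line text into the plugin log at any level up to fatal. Widening the parameter to `Object` means that text now comes from whatever `toString()` the script object provides. If these logs feed monitoring or audit tooling, flatten line breaks before logging, e.g. `LOG.debug(String.valueOf(msg).replaceAll("[\\r\\n]+", " "));`, and do the same in the other four methods. A one-line Javadoc such as `/** Script-facing: msg originates in a policy condition and is untrusted. */` would make the trust boundary visible. The class body begins outside the hunk.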
http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json
index 3bad222..c17b750 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json
@@ -69,6 +69,14 @@
"uiHint": "{ \"singleValue\":true }",
"label":"Accessed after expiry_date (yes/no)?",
"description": "Accessed after expiry_date? (yes/no)"
+ },
+ {
+ "itemId":2,
+ "name":"expression",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
+ "label":"Enter boolean expression",
+ "description": "Boolean expression"
}
]
}
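Review bot: Adding the `expression` condition to the shipped tag service definition makes `RangerScriptConditionEvaluator` available on every tag policy, so anyone allowed to edit tag policies can supply JavaScript that is evaluated inside each plugin's process. Nothing visible in this commit shows the script engine being restricted (for example, limiting access to Java classes), so that should be confirmed before this becomes a default. The label asks for a boolean expression, while the test policies in this commit use statements that assign `ctx.result`. The description should say what is actually evaluated, e.g. `"description": "JavaScript condition evaluated in the plugin; must set ctx.result"`.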
http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/test/resources/policyengine/resourceTags.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/resourceTags.json b/agents-common/src/test/resources/policyengine/resourceTags.json
index 9523ca0..c564673 100644
--- a/agents-common/src/test/resources/policyengine/resourceTags.json
+++ b/agents-common/src/test/resources/policyengine/resourceTags.json
@@ -49,7 +49,7 @@
},
"3": {
"type": "RESTRICTED",
- "attributes": { "activation_date": "2015/08/10" },
+ "attributes": { "activation_date": "2015/08/10", "score": "2" },
"id": 3,
"guid": "tag-restricted-3-guid"
},
http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/test/resources/policyengine/test_policyengine_owner.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_owner.json b/agents-common/src/test/resources/policyengine/test_policyengine_owner.json
index 82a6632..223a0c6 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_owner.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_owner.json
@@ -16,11 +16,11 @@
"policyConditions": [
{
"itemId":1,
- "name":"ScriptConditionEvaluator",
- "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
- "evaluatorOptions" : {"engineName":"JavaScript"},
- "label":"Script",
- "description": "Script to execute"
+ "name":"expression",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
+ "label":"Enter boolean expression",
+ "description": "Boolean expression"
}
]
},
http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
index 04b9afe..11f31e3 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
@@ -143,11 +143,11 @@
"policyConditions": [
{
"itemId":1,
- "name":"ScriptConditionEvaluator",
- "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
- "evaluatorOptions" : {"engineName":"JavaScript"},
- "label":"Script",
- "description": "Script to execute"
+ "name":"expression",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
+ "label":"Enter boolean expression",
+ "description": "Boolean expression"
},
{
"itemId":2,
@@ -166,7 +166,7 @@
{
"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
"conditions":[{
- "type":"ScriptConditionEvaluator",
+ "type":"expression",
"values":["if ( ctx.isAccessedBefore('expiry') ) ctx.result = true;"]
}]
}
@@ -197,7 +197,7 @@
"denyExceptions":[
{"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
"conditions":[{
- "type":"ScriptConditionEvaluator",
+ "type":"expression",
"values":["if ( ctx.isAccessedBefore('expiry') ) ctx.result = true;"]
}]
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
index c2cb0b3..6b2863a 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
@@ -149,11 +149,11 @@
"policyConditions": [
{
"itemId":1,
- "name":"ScriptConditionEvaluator",
- "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
- "evaluatorOptions" : {"engineName":"JavaScript"},
- "label":"Script",
- "description": "Script to execute"
+ "name":"expression",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
+ "label":"Enter boolean expression",
+ "description": "Boolean expression"
},
{
"itemId":2,
@@ -172,8 +172,8 @@
{
"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
"conditions":[{
- "type":"ScriptConditionEvaluator",
- "values":["if ( ctx.isAccessedBefore('activation_date') ) ctx.result = true;"]
+ "type":"expression",
+ "values":["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
}]
}
]
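Review bot: The new condition `tagAttr.get('score') < 2` can grant access when the attribute is missing, because `tagAttr.get('score')` then yields null and JavaScript evaluates `null < 2` as true. Tag attributes are a `Map<String, String>`, so the comparison also relies on implicit string-to-number coercion, whose exact behaviour depends on the script engine. Since test policies tend to be copied as examples, an explicit guard and conversion would be safer: `"values":["var s = tagAttr.get('score'); if ( s != null && parseInt(s, 10) < 2 ) ctx.result = true;"]`. A test case for a tag without `score` would pin the intended fail-closed behaviour.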
@@ -203,7 +203,7 @@
"denyExceptions":[
{"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
"conditions":[{
- "type":"ScriptConditionEvaluator",
+ "type":"expression",
"values":["if ( ctx.isAccessedBefore('activation_date') ) ctx.result = true;"]
}]
}
[2/2] ranger git commit: RANGER-1647: Missed upgrade patch file from
previous checkin
Posted by sp...@apache.org.
RANGER-1647: Missed upgrade patch file from previous checkin
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/109f2218
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/109f2218
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/109f2218
Branch: refs/heads/ranger-0.7
Commit: 109f2218df687a2ce6085ec6e94d3c7d7664ff2d
Parents: dbe1a3a
Author: Sailaja Polavarapu <sp...@hortonworks.com>
Authored: Wed Sep 13 16:32:49 2017 -0700
Committer: Sailaja Polavarapu <sp...@hortonworks.com>
Committed: Wed Sep 13 16:32:49 2017 -0700
----------------------------------------------------------------------
.../PatchForTagServiceDefUpdate_J10008.java | 202 +++++++++++++++++++
1 file changed, 202 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/109f2218/security-admin/src/main/java/org/apache/ranger/patch/PatchForTagServiceDefUpdate_J10008.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchForTagServiceDefUpdate_J10008.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchForTagServiceDefUpdate_J10008.java
new file mode 100644
index 0000000..918fe1e
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchForTagServiceDefUpdate_J10008.java
@@ -0,0 +1,202 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.patch;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.log4j.Logger;
+import org.apache.ranger.biz.RangerBizUtil;
+import org.apache.ranger.biz.ServiceDBStore;
+import org.apache.ranger.common.JSONUtil;
+import org.apache.ranger.common.RangerValidatorFactory;
+import org.apache.ranger.common.StringUtil;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
+import org.apache.ranger.plugin.model.validation.RangerValidator.Action;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+import org.apache.ranger.service.RangerPolicyService;
+import org.apache.ranger.service.XPermMapService;
+import org.apache.ranger.service.XPolicyService;
+import org.apache.ranger.util.CLIUtil;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+import org.apache.ranger.entity.XXServiceDef;
+import java.util.List;
+import java.util.Map;
+
+@Component
+public class PatchForTagServiceDefUpdate_J10008 extends BaseLoader {
+ private static final Logger logger = Logger.getLogger(PatchForTagServiceDefUpdate_J10008.class);
+ public static final String SERVICEDBSTORE_SERVICEDEFBYNAME_TAG_NAME = "tag";
+ public static final String SCRIPT_POLICY_CONDITION_NAME = "expression";
+
+ @Autowired
+ RangerDaoManager daoMgr;
+
+ @Autowired
+ ServiceDBStore svcDBStore;
+
+ @Autowired
+ JSONUtil jsonUtil;
+
+ @Autowired
+ RangerPolicyService policyService;
+
+ @Autowired
+ StringUtil stringUtil;
+
+ @Autowired
+ XPolicyService xPolService;
+
+ @Autowired
+ XPermMapService xPermMapService;
+
+ @Autowired
+ RangerBizUtil bizUtil;
+
+ @Autowired
+ RangerValidatorFactory validatorFactory;
+
+ @Autowired
+ ServiceDBStore svcStore;
+
+ public static void main(String[] args) {
+ logger.info("main()");
+ try {
+ PatchForTagServiceDefUpdate_J10008 loader = (PatchForTagServiceDefUpdate_J10008) CLIUtil.getBean(PatchForTagServiceDefUpdate_J10008.class);
+ loader.init();
+ while (loader.isMoreToProcess()) {
+ loader.load();
+ }
+ logger.info("Load complete. Exiting!!!");
+ System.exit(0);
+ } catch (Exception e) {
+ logger.error("Error loading", e);
+ System.exit(1);
+ }
+ }
+
+ @Override
+ public void init() throws Exception {
+ // Do Nothing
+ }
+
+ @Override
+ public void execLoad() {
+ logger.info("==> PatchForTagServiceDefUpdate.execLoad()");
+ try {
+ updateTagServiceDef();
+ } catch (Exception e) {
+ logger.error("Error whille updateTagServiceDef()data.", e);
+ }
+ logger.info("<== PatchForTagServiceDefUpdate.execLoad()");
+ }
+
+ @Override
+ public void printStats() {
+ logger.info("PatchForTagServiceDefUpdate data ");
+ }
+
+ private void updateTagServiceDef(){
+ RangerServiceDef embeddedTagServiceDef = null;
+ RangerServiceDef dbTagServiceDef = null;
+ List<RangerServiceDef.RangerPolicyConditionDef> embeddedTagPolicyConditionDefs = null;
+ XXServiceDef xXServiceDefObj = null;
+ try{
+ embeddedTagServiceDef=EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(SERVICEDBSTORE_SERVICEDEFBYNAME_TAG_NAME);
+ if(embeddedTagServiceDef!=null){
+ embeddedTagPolicyConditionDefs = embeddedTagServiceDef.getPolicyConditions();
+ if (embeddedTagPolicyConditionDefs == null) {
+ logger.error("Policy Conditions are empyt in tag service def json");
+ return;
+ }
+
+ if (checkScriptPolicyCondPresent(embeddedTagPolicyConditionDefs) == false) {
+ logger.error(SCRIPT_POLICY_CONDITION_NAME + "policy condition not found!!");
+ return;
+ }
+
+ xXServiceDefObj = daoMgr.getXXServiceDef().findByName(SERVICEDBSTORE_SERVICEDEFBYNAME_TAG_NAME);
+ if (xXServiceDefObj == null) {
+ logger.error("Service def for " + SERVICEDBSTORE_SERVICEDEFBYNAME_TAG_NAME + " is not found!!");
+ return;
+ }
+
+ Map<String, String> serviceDefOptionsPreUpdate=null;
+ String jsonStrPreUpdate=null;
+ jsonStrPreUpdate=xXServiceDefObj.getDefOptions();
+ if (!StringUtils.isEmpty(jsonStrPreUpdate)) {
+ serviceDefOptionsPreUpdate=jsonUtil.jsonToMap(jsonStrPreUpdate);
+ }
+ xXServiceDefObj=null;
+ dbTagServiceDef=svcDBStore.getServiceDefByName(SERVICEDBSTORE_SERVICEDEFBYNAME_TAG_NAME);
+
+ if(dbTagServiceDef!=null){
+ dbTagServiceDef.setPolicyConditions(embeddedTagPolicyConditionDefs);
+ RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
+ validator.validate(dbTagServiceDef, Action.UPDATE);
+
+ svcStore.updateServiceDef(dbTagServiceDef);
+
+ xXServiceDefObj = daoMgr.getXXServiceDef().findByName(SERVICEDBSTORE_SERVICEDEFBYNAME_TAG_NAME);
+ if(xXServiceDefObj!=null) {
+ String jsonStrPostUpdate=xXServiceDefObj.getDefOptions();
+ Map<String, String> serviceDefOptionsPostUpdate = null;
+ if (!StringUtils.isEmpty(jsonStrPostUpdate)) {
+ serviceDefOptionsPostUpdate =jsonUtil.jsonToMap(jsonStrPostUpdate);
+ }
+ if (serviceDefOptionsPostUpdate != null && serviceDefOptionsPostUpdate.containsKey(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES)) {
+ if(serviceDefOptionsPreUpdate == null || !serviceDefOptionsPreUpdate.containsKey(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES)) {
+ String preUpdateValue = serviceDefOptionsPreUpdate == null ? null : serviceDefOptionsPreUpdate.get(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
+ if (preUpdateValue == null) {
+ serviceDefOptionsPostUpdate.remove(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
+ } else {
+ serviceDefOptionsPostUpdate.put(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES, preUpdateValue);
+ }
+ xXServiceDefObj.setDefOptions(mapToJsonString(serviceDefOptionsPostUpdate));
+ daoMgr.getXXServiceDef().update(xXServiceDefObj);
+ }
+ }
+ }
+ }
+ }
+ }catch(Exception e)
+ {
+ logger.error("Error while updating "+SERVICEDBSTORE_SERVICEDEFBYNAME_TAG_NAME+"service-def", e);
+ }
+ }
+
+ private boolean checkScriptPolicyCondPresent(List<RangerServiceDef.RangerPolicyConditionDef> policyCondDefs) {
+ boolean ret = false;
+ for(RangerServiceDef.RangerPolicyConditionDef policyCondDef : policyCondDefs) {
+ if ( SCRIPT_POLICY_CONDITION_NAME.equals(policyCondDef.getName()) ) {
+ ret = true ;
+ break;
+ }
+ }
+ return ret;
+ }
+
+ private String mapToJsonString(Map<String, String> map) throws Exception{
+ String ret = null;
+ if(map != null) {
+ ret = jsonUtil.readMapToString(map);
+ }
+ return ret;
+ }
+}
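Review bot: Failures in `updateTagServiceDef()` are only logged, both in its own `catch(Exception e)` and again in `execLoad()`, so `main()` still reaches `System.exit(0)` when validation or the database update fails. How the patch framework records completion is not visible here, but a zero exit code most likely marks the upgrade as applied while the tag service definition still lacks the `expression` condition. Rethrow from both catch blocks, e.g. `throw new RuntimeException("Error while updating " + SERVICEDBSTORE_SERVICEDEFBYNAME_TAG_NAME + " service-def", e);`, so that `main()` exits with 1. The early `return` paths after `logger.error(...)` have the same problem and should also throw. Separately, inside `if (serviceDefOptionsPreUpdate == null || !serviceDefOptionsPreUpdate.containsKey(...))` the value `preUpdateValue` is always null, so the `else` branch that calls `put` is unreachable; `svcDBStore` and `svcStore` are also two injections of the same `ServiceDBStore` type.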