Posted to commits@ranger.apache.org by pr...@apache.org on 2019/06/29 02:45:39 UTC
[ranger] branch master updated: Ranger-2467-similar to clusterName
custom condition, add clusterType custom condition
This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 552d93c Ranger-2467-similar to clusterName custom condition, add clusterType custom condition
552d93c is described below
commit 552d93c7da27f245847a9557c3b5779e05f78a4d
Author: mateenmansoori <ma...@gmail.com>
AuthorDate: Fri Jun 28 15:07:24 2019 +0530
Ranger-2467-similar to clusterName custom condition, add clusterType custom condition
Signed-off-by: Pradeep <pr...@apache.org>
---
.../RangerAccessedFromClusterTypeCondition.java | 65 +++++++++++++++++++++
.../RangerAccessedNotFromClusterTypeCondition.java | 66 ++++++++++++++++++++++
.../plugin/policyengine/RangerAccessRequest.java | 2 +
.../policyengine/RangerAccessRequestImpl.java | 10 ++++
.../policyengine/RangerAccessRequestReadOnly.java | 3 +
.../plugin/policyengine/RangerPluginContext.java | 28 +++++++++
.../policyengine/RangerPolicyEngineImpl.java | 1 +
.../ranger/plugin/service/RangerAuthContext.java | 1 +
.../ranger/plugin/policyengine/TestPolicyACLs.java | 1 +
.../ranger/plugin/policyengine/TestPolicyDb.java | 1 +
.../plugin/policyengine/TestPolicyEngine.java | 1 +
.../authorization/hbase/TestPolicyEngine.java | 1 +
.../hive/authorizer/RangerHiveAccessRequest.java | 1 +
13 files changed, 181 insertions(+)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedFromClusterTypeCondition.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedFromClusterTypeCondition.java
new file mode 100644
index 0000000..50a92bd
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedFromClusterTypeCondition.java
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.plugin.conditionevaluator;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+public class RangerAccessedFromClusterTypeCondition extends RangerAbstractConditionEvaluator{
+ private static final Log LOG = LogFactory.getLog(RangerAccessedFromClusterTypeCondition.class);
+
+ private boolean isAlwaysTrue = false;
+
+ @Override
+ public void init() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAccessedFromClusterTypeCondition.init(" + condition + ")");
+ }
+
+ super.init();
+
+ isAlwaysTrue = CollectionUtils.isEmpty(condition.getValues());
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAccessedFromClusterTypeCondition.init(" + condition + ")");
+ }
+ }
+ @Override
+ public boolean isMatched(RangerAccessRequest request) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAccessedFromClusterTypeCondition.isMatched(" + condition + ")");
+ }
+
+ final boolean ret;
+
+ if (isAlwaysTrue || request.getClusterType() == null) {
+ ret = isAlwaysTrue;
+ } else {
+ ret = condition.getValues().contains(request.getClusterType());
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAccessedFromClusterTypeCondition.isMatched(" + condition + "): " + ret);
+ }
+
+ return ret;
+ }
+
+}
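Review bot: The new evaluator has no class-level Javadoc, and the matching rules in isMatched() are not obvious to a policy author: an empty value list makes the condition always true, a request with a null cluster type never matches a non-empty list, and the comparison is `condition.getValues().contains(request.getClusterType())`, an exact, case-sensitive string match. A policy value such as `On-Prem` would silently fail to match a plugin configured as `on-prem`, which changes whether the allow or deny item the condition is attached to applies. I would add a class comment along the lines of `/** Matches when the request's cluster type equals one of the configured values (exact, case-sensitive); always true when no values are configured. */` and state there whether case-insensitive matching is intended.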
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedNotFromClusterTypeCondition.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedNotFromClusterTypeCondition.java
new file mode 100644
index 0000000..eb6c45c
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedNotFromClusterTypeCondition.java
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.plugin.conditionevaluator;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+
+public class RangerAccessedNotFromClusterTypeCondition extends RangerAbstractConditionEvaluator{
+ private static final Log LOG = LogFactory.getLog(RangerAccessedNotFromClusterTypeCondition.class);
+
+ private boolean isAlwaysTrue = false;
+
+ @Override
+ public void init() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAccessedNotFromClusterTypeCondition.init(" + condition + ")");
+ }
+
+ super.init();
+
+ isAlwaysTrue = CollectionUtils.isEmpty(condition.getValues());
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAccessedNotFromClusterTypeCondition.init(" + condition + ")");
+ }
+ }
+
+ @Override
+ public boolean isMatched(RangerAccessRequest request) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAccessedNotFromClusterTypeCondition.isMatched(" + condition + ")");
+ }
+
+ final boolean ret;
+
+ if (isAlwaysTrue || request.getClusterType() == null) {
+ ret = true;
+ } else {
+ ret = !condition.getValues().contains(request.getClusterType());
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAccessedNotFromClusterTypeCondition.isMatched(" + condition + "): " + ret);
+ }
+
+ return ret;
+ }
+}
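Review bot: isMatched() returns true whenever the request carries no cluster type (`ret = true` in the `request.getClusterType() == null` branch), so a "not from cluster type X" condition is satisfied by a plugin whose cluster type is unknown. If the condition is attached to an allow item, a missing or mistyped cluster-type property then grants access rather than withholding it. findClusterType() in RangerPluginContext (later in this commit) defaults to `""`, which skips the null branch but normally reaches the same result through `!condition.getValues().contains("")`. If this is meant to mirror the clusterName condition, say so in a class comment, e.g. `// NOTE: an unknown (null or empty) cluster type satisfies this condition`; otherwise treat unknown as not matched, `if (isAlwaysTrue) { ret = true; } else if (clusterType == null || clusterType.isEmpty()) { ret = false; }`, before the `contains` check.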
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
index cb06d26..89d585a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
@@ -55,6 +55,8 @@ public interface RangerAccessRequest {
String getClusterName();
+ String getClusterType();
+
Map<String, Object> getContext();
RangerAccessRequest getReadOnlyCopy();
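Review bot: `getClusterType()` is added to a public interface without Javadoc, so its contract (can the value be null or empty?) is left to each implementation, and the two new condition evaluators depend on exactly that. I would document it, e.g. `/** Cluster type of the plugin handling the request; null or empty when not configured. */`. Because the method is abstract, any implementation of RangerAccessRequest outside the classes updated in this commit would stop compiling, which is worth a release note if out-of-tree plugins implement the interface.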
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index 1f2f8ea..0ccca21 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -48,6 +48,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
private String sessionId;
private Map<String, Object> context;
private String clusterName;
+ private String clusterType;
private boolean isAccessTypeAny;
private boolean isAccessTypeDelegatedAdmin;
@@ -212,6 +213,14 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
this.clusterName = clusterName;
}
+ public String getClusterType() {
+ return clusterType;
+ }
+
+ public void setClusterType(String clusterType) {
+ this.clusterType = clusterType;
+ }
+
public void setResourceMatchingScope(ResourceMatchingScope scope) { this.resourceMatchingScope = scope; }
public void setContext(Map<String, Object> context) {
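Review bot: `getClusterType()` in RangerAccessRequestImpl implements the new interface method but carries no `@Override`, while the same method in RangerAccessRequestReadOnly (later in this commit) does. Adding `@Override` above `public String getClusterType() {` lets the compiler catch a future signature drift between the interface and this class. The neighbouring getters are outside the hunk, so this may simply follow the file's existing convention.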
@@ -290,6 +299,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
sb.append("sessionId={").append(sessionId).append("} ");
sb.append("resourceMatchingScope={").append(resourceMatchingScope).append("} ");
sb.append("clusterName={").append(clusterName).append("} ");
+ sb.append("clusterType={").append(clusterType).append("} ");
sb.append("context={");
if(context != null) {
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
index d5563bd..ea42c82 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
@@ -96,4 +96,7 @@ public class RangerAccessRequestReadOnly implements RangerAccessRequest {
@Override
public String getClusterName() { return source.getClusterName(); }
+ @Override
+ public String getClusterType() { return source.getClusterType(); }
+
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
index 36dcec1..e596b2a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
@@ -29,9 +29,11 @@ public class RangerPluginContext {
private static final Log LOG = LogFactory.getLog(RangerBasePlugin.class);
private String clusterName;
+ private String clusterType;
public RangerPluginContext(String serviceType){
this.clusterName = findClusterName(serviceType);
+ this.clusterType = findClusterType(serviceType);
}
public String getClusterName() {
@@ -42,6 +44,14 @@ public class RangerPluginContext {
this.clusterName = clusterName;
}
+ public String getClusterType() {
+ return clusterType;
+ }
+
+ public void setClusterType(String clusterType) {
+ this.clusterType = clusterType;
+ }
+
private String findClusterName(String serviceType) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerPluginContext.findClusterName , serviceType = " + serviceType);
@@ -60,4 +70,22 @@ public class RangerPluginContext {
return clusterName;
}
+ private String findClusterType(String serviceType) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPluginContext.findClusterType , serviceType = " + serviceType);
+ }
+
+ String propertyPrefix = "ranger.plugin." + serviceType;
+ String clusterType = RangerConfiguration.getInstance().get(propertyPrefix + ".access.cluster.type", "");
+ if(StringUtil.isEmpty(clusterType)){
+ clusterType = RangerConfiguration.getInstance().get(propertyPrefix + ".ambari.cluster.type", "");
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPluginContext.findClusterType ");
+ }
+
+ return clusterType;
+ }
+
}
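Review bot: The exit trace in findClusterType(), `LOG.debug("<== RangerPluginContext.findClusterType ");`, does not record the value that was resolved, and nothing is logged when neither `.access.cluster.type` nor `.ambari.cluster.type` is set and the method falls back to `""`. Since this value now feeds authorization conditions, an operator troubleshooting an unexpected allow or deny cannot tell from the log which cluster type the plugin is using. I would change the line to `LOG.debug("<== RangerPluginContext.findClusterType , clusterType = " + clusterType);` and consider an info- or warn-level message when the result is empty. findClusterName() is only partly visible in this diff, so the same may apply there.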
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 0edf149..daa62f4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -427,6 +427,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
if(rangerPluginContext != null) {
reqImpl.setClusterName(rangerPluginContext.getClusterName());
+ reqImpl.setClusterType(rangerPluginContext.getClusterType());
}
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
index 67c068b..02f3431 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
@@ -175,6 +175,7 @@ public class RangerAuthContext implements RangerPolicyEngine {
reqImpl.extractAndSetClientIPAddress(getUseForwardedIPAddress(), getTrustedProxyAddresses());
if(rangerPluginContext != null) {
reqImpl.setClusterName(rangerPluginContext.getClusterName());
+ reqImpl.setClusterType(rangerPluginContext.getClusterType());
}
}
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
index 33b26e0..6af6948 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
@@ -93,6 +93,7 @@ public class TestPolicyACLs {
RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
RangerPluginContext pluginContext = new RangerPluginContext("hive");
pluginContext.setClusterName("cl1");
+ pluginContext.setClusterType("on-prem");
RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies, policyEngineOptions, pluginContext);
for(PolicyACLsTests.TestCase.OneTest oneTest : testCase.tests) {
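Review bot: The test setup now calls `pluginContext.setClusterType("on-prem")`, but judging by the diffstat the commit adds no test case that exercises RangerAccessedFromClusterTypeCondition or RangerAccessedNotFromClusterTypeCondition. The same one-line change is repeated in TestPolicyDb, TestPolicyEngine and the hbase-agent TestPolicyEngine. The branches most worth pinning are the empty value list, a null or empty request cluster type, and a non-matching value, since those decide whether an allow or deny item applies. The test-case data these loops iterate over is outside the hunk, so coverage may exist in resources not shown here.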
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
index f373339..456d52c 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
@@ -117,6 +117,7 @@ public class TestPolicyDb {
policyEngineOptions.disableCustomConditions = true;
RangerPluginContext pluginContext = new RangerPluginContext("hive");
pluginContext.setClusterName("cl1");
+ pluginContext.setClusterType("on-prem");
RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policydb", testCase.servicePolicies, policyEngineOptions, pluginContext);
for(TestData test : testCase.tests) {
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index cce5129..d1e0c23 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -437,6 +437,7 @@ public class TestPolicyEngine {
}
RangerPluginContext pluginContext = new RangerPluginContext("hive");
pluginContext.setClusterName("cl1");
+ pluginContext.setClusterType("on-prem");
RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions, pluginContext);
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
diff --git a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
index 6dd81fa..919920d 100644
--- a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
+++ b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
@@ -105,6 +105,7 @@ public class TestPolicyEngine {
RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
RangerPluginContext pluginContext = new RangerPluginContext("hive");
pluginContext.setClusterName("cl1");
+ pluginContext.setClusterType("on-prem");
RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions, pluginContext);
RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
index ce5cf64..188f2b1 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
@@ -109,6 +109,7 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
ret.setContext(RangerAccessRequestUtil.copyContext(getContext()));
ret.accessType = accessType;
ret.setClusterName(getClusterName());
+ ret.setClusterType(getClusterType());
return ret;
}