Posted to commits@ranger.apache.org by pr...@apache.org on 2019/06/29 02:45:39 UTC

[ranger] branch master updated: Ranger-2467-similar to clusterName custom condition, add clusterType custom condition

This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 552d93c  Ranger-2467-similar to clusterName custom condition, add clusterType custom condition
552d93c is described below

commit 552d93c7da27f245847a9557c3b5779e05f78a4d
Author: mateenmansoori <ma...@gmail.com>
AuthorDate: Fri Jun 28 15:07:24 2019 +0530

    Ranger-2467-similar to clusterName custom condition, add clusterType custom condition
    
    Signed-off-by: Pradeep <pr...@apache.org>
---
 .../RangerAccessedFromClusterTypeCondition.java    | 65 +++++++++++++++++++++
 .../RangerAccessedNotFromClusterTypeCondition.java | 66 ++++++++++++++++++++++
 .../plugin/policyengine/RangerAccessRequest.java   |  2 +
 .../policyengine/RangerAccessRequestImpl.java      | 10 ++++
 .../policyengine/RangerAccessRequestReadOnly.java  |  3 +
 .../plugin/policyengine/RangerPluginContext.java   | 28 +++++++++
 .../policyengine/RangerPolicyEngineImpl.java       |  1 +
 .../ranger/plugin/service/RangerAuthContext.java   |  1 +
 .../ranger/plugin/policyengine/TestPolicyACLs.java |  1 +
 .../ranger/plugin/policyengine/TestPolicyDb.java   |  1 +
 .../plugin/policyengine/TestPolicyEngine.java      |  1 +
 .../authorization/hbase/TestPolicyEngine.java      |  1 +
 .../hive/authorizer/RangerHiveAccessRequest.java   |  1 +
 13 files changed, 181 insertions(+)

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedFromClusterTypeCondition.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedFromClusterTypeCondition.java
new file mode 100644
index 0000000..50a92bd
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedFromClusterTypeCondition.java
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.plugin.conditionevaluator;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+public class RangerAccessedFromClusterTypeCondition extends RangerAbstractConditionEvaluator{
+	private static final Log LOG = LogFactory.getLog(RangerAccessedFromClusterTypeCondition.class);
+
+	private boolean isAlwaysTrue = false;
+
+	@Override
+	public void init() {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerAccessedFromClusterTypeCondition.init(" + condition + ")");
+		}
+
+		super.init();
+
+		isAlwaysTrue = CollectionUtils.isEmpty(condition.getValues());
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerAccessedFromClusterTypeCondition.init(" + condition + ")");
+		}
+	}
+	@Override
+	public boolean isMatched(RangerAccessRequest request) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerAccessedFromClusterTypeCondition.isMatched(" + condition + ")");
+		}
+
+		final boolean ret;
+
+		if (isAlwaysTrue || request.getClusterType() == null) {
+			ret = isAlwaysTrue;
+		} else {
+			ret = condition.getValues().contains(request.getClusterType());
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerAccessedFromClusterTypeCondition.isMatched(" + condition + "): " + ret);
+		}
+
+		return ret;
+	}
+
+}
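Review bot: The membership test in `isMatched`, `condition.getValues().contains(request.getClusterType())`, is an exact, case-sensitive comparison, so a policy value such as `On-Prem` will silently never match a plugin configured with `on-prem`. The same applies to the negated test in RangerAccessedNotFromClusterTypeCondition, where such a mismatch makes the condition hold instead. Either document on the class that values must equal the configured cluster type exactly, or normalise both sides once in `init()`. The exit trace would also be more useful for diagnosing policy decisions if it included the request value, e.g. `LOG.debug("<== RangerAccessedFromClusterTypeCondition.isMatched(" + condition + ", clusterType=" + request.getClusterType() + "): " + ret);`.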
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedNotFromClusterTypeCondition.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedNotFromClusterTypeCondition.java
new file mode 100644
index 0000000..eb6c45c
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedNotFromClusterTypeCondition.java
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.plugin.conditionevaluator;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+
+public class RangerAccessedNotFromClusterTypeCondition extends RangerAbstractConditionEvaluator{
+	private static final Log LOG = LogFactory.getLog(RangerAccessedNotFromClusterTypeCondition.class);
+
+	private boolean isAlwaysTrue = false;
+
+	@Override
+	public void init() {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerAccessedNotFromClusterTypeCondition.init(" + condition + ")");
+		}
+
+		super.init();
+
+		isAlwaysTrue = CollectionUtils.isEmpty(condition.getValues());
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerAccessedNotFromClusterTypeCondition.init(" + condition + ")");
+		}
+	}
+
+	@Override
+	public boolean isMatched(RangerAccessRequest request) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerAccessedNotFromClusterTypeCondition.isMatched(" + condition + ")");
+		}
+
+		final boolean ret;
+
+		if (isAlwaysTrue || request.getClusterType() == null) {
+			ret = true;
+		} else {
+			ret = !condition.getValues().contains(request.getClusterType());
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerAccessedNotFromClusterTypeCondition.isMatched(" + condition + "): " + ret);
+		}
+
+		return ret;
+	}
+}
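Review bot: In `isMatched`, a request whose cluster type is unknown satisfies this condition: the `request.getClusterType() == null` branch sets `ret = true`, and the empty string that `RangerPluginContext.findClusterType` returns when neither property is set falls through to `!condition.getValues().contains(...)`, which is also true unless a policy lists an empty value. If this condition is attached to an item that grants access, a plugin with no cluster type configured is treated as "not from" every listed type, which may be broader than a policy author expects. State the intended behaviour in a class-level Javadoc, for example `/** Matches when the request's cluster type is not among the configured values; an unset or empty cluster type also matches. */`, so that reviewers can tell whether this is deliberate.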
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
index cb06d26..89d585a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
@@ -55,6 +55,8 @@ public interface RangerAccessRequest {
 	
 	String getClusterName();
 
+	String getClusterType();
+
 	Map<String, Object> getContext();
 
 	RangerAccessRequest getReadOnlyCopy();
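Review bot: Adding the abstract method `String getClusterType();` to the public `RangerAccessRequest` interface breaks any implementation outside this commit: it will fail to compile, or throw `AbstractMethodError` at run time if only the plugin jar is upgraded. The implementations visible in this commit (`RangerAccessRequestImpl`, `RangerAccessRequestReadOnly`) are updated, but out-of-tree ones cannot be. If the build targets Java 8 or later, `default String getClusterType() { return null; }` would keep them working, and both new evaluators already handle null. A one-line Javadoc saying the value may be null or empty when no cluster type is configured would also help; the interface body continues outside the hunk.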
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index 1f2f8ea..0ccca21 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -48,6 +48,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 	private String               sessionId;
 	private Map<String, Object>  context;
 	private String				 clusterName;
+	private String				 clusterType;
 
 	private boolean isAccessTypeAny;
 	private boolean isAccessTypeDelegatedAdmin;
@@ -212,6 +213,14 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 		this.clusterName = clusterName;
 	}
 
+	public String getClusterType() {
+		return clusterType;
+	}
+
+	public void setClusterType(String clusterType) {
+		this.clusterType = clusterType;
+	}
+
 	public void setResourceMatchingScope(ResourceMatchingScope scope) { this.resourceMatchingScope = scope; }
 
 	public void setContext(Map<String, Object> context) {
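Review bot: The new `getClusterType()` getter implements the method this commit adds to `RangerAccessRequest` but carries no `@Override`, unlike the matching method added to `RangerAccessRequestReadOnly`. Putting `@Override` above `public String getClusterType() {` lets the compiler catch later signature drift between the interface and this class. Whether the neighbouring getters are annotated is not visible in the hunk, so follow the file's convention if it differs.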
@@ -290,6 +299,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 		sb.append("sessionId={").append(sessionId).append("} ");
 		sb.append("resourceMatchingScope={").append(resourceMatchingScope).append("} ");
 		sb.append("clusterName={").append(clusterName).append("} ");
+		sb.append("clusterType={").append(clusterType).append("} ");
 
 		sb.append("context={");
 		if(context != null) {
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
index d5563bd..ea42c82 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
@@ -96,4 +96,7 @@ public class RangerAccessRequestReadOnly implements RangerAccessRequest {
 	@Override
 	public String getClusterName() { return source.getClusterName();	}
 
+	@Override
+	public String getClusterType() {  return source.getClusterType();	}
+
 }
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
index 36dcec1..e596b2a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
@@ -29,9 +29,11 @@ public class RangerPluginContext {
 
 	private static final Log LOG = LogFactory.getLog(RangerBasePlugin.class);
 	private String clusterName;
+	private String clusterType;
 
 	public RangerPluginContext(String serviceType){
 		this.clusterName = findClusterName(serviceType);
+		this.clusterType = findClusterType(serviceType);
 	}
 
 	public String getClusterName() {
@@ -42,6 +44,14 @@ public class RangerPluginContext {
 		this.clusterName = clusterName;
 	}
 
+	public String getClusterType() {
+		return clusterType;
+	}
+
+	public void setClusterType(String clusterType) {
+		this.clusterType = clusterType;
+	}
+
 	private String findClusterName(String serviceType) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerPluginContext.findClusterName , serviceType = " + serviceType);
@@ -60,4 +70,22 @@ public class RangerPluginContext {
 		return clusterName;
 	}
 
+	private String findClusterType(String serviceType) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerPluginContext.findClusterType , serviceType = " + serviceType);
+		}
+
+		String propertyPrefix    = "ranger.plugin." + serviceType;
+		String clusterType = RangerConfiguration.getInstance().get(propertyPrefix + ".access.cluster.type", "");
+		if(StringUtil.isEmpty(clusterType)){
+			clusterType = RangerConfiguration.getInstance().get(propertyPrefix + ".ambari.cluster.type", "");
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerPluginContext.findClusterType ");
+		}
+
+		return clusterType;
+	}
+
 }
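Review bot: The exit trace in `findClusterType`, `LOG.debug("<== RangerPluginContext.findClusterType ");`, omits the resolved value, so logs cannot confirm which cluster type a plugin is enforcing policy with. Log it, e.g. `LOG.debug("<== RangerPluginContext.findClusterType , clusterType = " + clusterType);`. An unconfigured plugin also gets the empty string rather than null, so the `getClusterType() == null` guards in the two new condition evaluators are not the path taken in that case. A short comment on the method saying that `""` means "not configured" would make that explicit.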
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 0edf149..daa62f4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -427,6 +427,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 
 			if(rangerPluginContext != null) {
 				reqImpl.setClusterName(rangerPluginContext.getClusterName());
+				reqImpl.setClusterType(rangerPluginContext.getClusterType());
 			}
 		}
 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
index 67c068b..02f3431 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
@@ -175,6 +175,7 @@ public class RangerAuthContext implements RangerPolicyEngine {
 		    reqImpl.extractAndSetClientIPAddress(getUseForwardedIPAddress(), getTrustedProxyAddresses());
 		    if(rangerPluginContext != null) {
 		        reqImpl.setClusterName(rangerPluginContext.getClusterName());
+		        reqImpl.setClusterType(rangerPluginContext.getClusterType());
 		    }
 	    }
 
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
index 33b26e0..6af6948 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
@@ -93,6 +93,7 @@ public class TestPolicyACLs {
 			RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
 			RangerPluginContext pluginContext = new RangerPluginContext("hive");
 			pluginContext.setClusterName("cl1");
+			pluginContext.setClusterType("on-prem");
 			RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies, policyEngineOptions, pluginContext);
 
 			for(PolicyACLsTests.TestCase.OneTest oneTest : testCase.tests) {
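Review bot: Setting `pluginContext.setClusterType("on-prem");` here, and in the same way in TestPolicyDb and both TestPolicyEngine classes, gives requests a cluster type, but nothing in the commit appears to exercise the two new condition evaluators. The diffstat lists no test-policy resources and no evaluator tests. Since these evaluators decide whether a policy item applies, the cases worth covering are a listed type, an unlisted type, an empty value list and an unset cluster type, for both the From and NotFrom variants. The enclosing test method starts and ends outside the hunk.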
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
index f373339..456d52c 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
@@ -117,6 +117,7 @@ public class TestPolicyDb {
 		policyEngineOptions.disableCustomConditions = true;
 		RangerPluginContext pluginContext = new RangerPluginContext("hive");
 		pluginContext.setClusterName("cl1");
+		pluginContext.setClusterType("on-prem");
 		RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policydb", testCase.servicePolicies, policyEngineOptions, pluginContext);
 
 		for(TestData test : testCase.tests) {
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index cce5129..d1e0c23 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -437,6 +437,7 @@ public class TestPolicyEngine {
 		}
 		RangerPluginContext pluginContext = new RangerPluginContext("hive");
 		pluginContext.setClusterName("cl1");
+		pluginContext.setClusterType("on-prem");
 		RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions,  pluginContext);
 
 		policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
diff --git a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
index 6dd81fa..919920d 100644
--- a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
+++ b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java
@@ -105,6 +105,7 @@ public class TestPolicyEngine {
 			RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
 			RangerPluginContext pluginContext = new RangerPluginContext("hive");
 			pluginContext.setClusterName("cl1");
+			pluginContext.setClusterType("on-prem");
 			RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions, pluginContext);
 
 			RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
index ce5cf64..188f2b1 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
@@ -109,6 +109,7 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
 		ret.setContext(RangerAccessRequestUtil.copyContext(getContext()));
 		ret.accessType = accessType;
 		ret.setClusterName(getClusterName());
+		ret.setClusterType(getClusterType());
 
 		return ret;
 	}