You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ab...@apache.org on 2018/10/19 02:28:43 UTC
[7/8] ranger git commit: RANGER-2203, RANGER-2219: Review and update
database schema for ranger policies and tag objects to minimize database
queries/updates; back-port of RANGER-2186, RANGER-2195
http://git-wip-us.apache.org/repos/asf/ranger/blob/c84b98fb/security-admin/db/sqlserver/patches/035-update-schema-for-x-policy.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/sqlserver/patches/035-update-schema-for-x-policy.sql b/security-admin/db/sqlserver/patches/035-update-schema-for-x-policy.sql
new file mode 100644
index 0000000..ebf44ac
--- /dev/null
+++ b/security-admin/db/sqlserver/patches/035-update-schema-for-x-policy.sql
@@ -0,0 +1,453 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+GO
+IF (OBJECT_ID('x_policy_ref_resource_FK_policy_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_resource] DROP CONSTRAINT x_policy_ref_resource_FK_policy_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_resource_FK_resource_def_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_resource] DROP CONSTRAINT x_policy_ref_resource_FK_resource_def_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_resource_UK') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_resource] DROP CONSTRAINT x_policy_ref_resource_UK
+END
+GO
+IF (OBJECT_ID('x_policy_ref_resource') IS NOT NULL)
+BEGIN
+ DROP TABLE [dbo].[x_policy_ref_resource]
+END
+GO
+IF (OBJECT_ID('x_policy_ref_access_type_FK_policy_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_access_type] DROP CONSTRAINT x_policy_ref_access_type_FK_policy_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_access_type_FK_access_def_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_access_type] DROP CONSTRAINT x_policy_ref_access_type_FK_access_def_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_access_type_UK') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_access_type] DROP CONSTRAINT x_policy_ref_access_type_UK
+END
+GO
+IF (OBJECT_ID('x_policy_ref_access_type') IS NOT NULL)
+BEGIN
+ DROP TABLE [dbo].[x_policy_ref_access_type]
+END
+GO
+IF (OBJECT_ID('x_policy_ref_condition_FK_policy_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_condition] DROP CONSTRAINT x_policy_ref_condition_FK_policy_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_condition_FK_condition_def_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_condition] DROP CONSTRAINT x_policy_ref_condition_FK_condition_def_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_condition_UK') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_condition] DROP CONSTRAINT x_policy_ref_condition_UK
+END
+GO
+IF (OBJECT_ID('x_policy_ref_condition') IS NOT NULL)
+BEGIN
+ DROP TABLE [dbo].[x_policy_ref_condition]
+END
+GO
+IF (OBJECT_ID('x_policy_ref_datamask_type_FK_policy_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_datamask_type] DROP CONSTRAINT x_policy_ref_datamask_type_FK_policy_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_datamask_type_FK_datamask_def_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_datamask_type] DROP CONSTRAINT x_policy_ref_datamask_type_FK_datamask_def_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_datamask_type_UK') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_datamask_type] DROP CONSTRAINT x_policy_ref_datamask_type_UK
+END
+GO
+IF (OBJECT_ID('x_policy_ref_datamask_type') IS NOT NULL)
+BEGIN
+ DROP TABLE [dbo].[x_policy_ref_datamask_type]
+END
+GO
+IF (OBJECT_ID('x_policy_ref_user_FK_policy_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_user] DROP CONSTRAINT x_policy_ref_user_FK_policy_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_user_FK_user_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_user] DROP CONSTRAINT x_policy_ref_user_FK_user_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_user_UK') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_user] DROP CONSTRAINT x_policy_ref_user_UK
+END
+GO
+IF (OBJECT_ID('x_policy_ref_user') IS NOT NULL)
+BEGIN
+ DROP TABLE [dbo].[x_policy_ref_user]
+END
+GO
+IF (OBJECT_ID('x_policy_ref_group_FK_policy_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_group] DROP CONSTRAINT x_policy_ref_group_FK_policy_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_group_FK_group_id') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_group] DROP CONSTRAINT x_policy_ref_group_FK_group_id
+END
+GO
+IF (OBJECT_ID('x_policy_ref_group_UK') IS NOT NULL)
+BEGIN
+ ALTER TABLE [dbo].[x_policy_ref_group] DROP CONSTRAINT x_policy_ref_group_UK
+END
+GO
+IF (OBJECT_ID('x_policy_ref_group') IS NOT NULL)
+BEGIN
+ DROP TABLE [dbo].[x_policy_ref_group]
+END
+GO
+SET ANSI_NULLS ON
+GO
+SET QUOTED_IDENTIFIER ON
+GO
+SET ANSI_PADDING ON
+GO
+CREATE TABLE [dbo].[x_policy_ref_resource] (
+ [id] [bigint] IDENTITY (1, 1) NOT NULL,
+ [guid] [varchar](1024) DEFAULT NULL NULL,
+ [create_time] [datetime2] DEFAULT NULL NULL,
+ [update_time] [datetime2] DEFAULT NULL NULL,
+ [added_by_id] [bigint] DEFAULT NULL NULL,
+ [upd_by_id] [bigint] DEFAULT NULL NULL,
+ [policy_id] [bigint] NOT NULL,
+ [resource_def_id] [bigint] NOT NULL,
+ [resource_name] [varchar](4000) DEFAULT NULL NULL,
+ PRIMARY KEY CLUSTERED
+ (
+ [id] ASC
+ ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY],
+ CONSTRAINT [x_policy_ref_resource$x_policy_ref_resource_UK] UNIQUE NONCLUSTERED
+ (
+ [policy_id] ASC, [resource_def_id] ASC
+ )WITH (PAD_INDEX = OFF,STATISTICS_NORECOMPUTE = OFF,IGNORE_DUP_KEY = OFF,ALLOW_ROW_LOCKS = ON,ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
+) ON [PRIMARY]
+GO
+SET ANSI_NULLS ON
+GO
+SET QUOTED_IDENTIFIER ON
+GO
+SET ANSI_PADDING ON
+GO
+CREATE TABLE [dbo].[x_policy_ref_access_type] (
+ [id] [bigint] IDENTITY (1, 1) NOT NULL,
+ [guid] [varchar](1024) DEFAULT NULL NULL,
+ [create_time] [datetime2] DEFAULT NULL NULL,
+ [update_time] [datetime2] DEFAULT NULL NULL,
+ [added_by_id] [bigint] DEFAULT NULL NULL,
+ [upd_by_id] [bigint] DEFAULT NULL NULL,
+ [policy_id] [bigint] NOT NULL,
+ [access_def_id] [bigint] NOT NULL,
+ [access_type_name] [varchar](4000) DEFAULT NULL NULL,
+ PRIMARY KEY CLUSTERED
+ (
+ [id] ASC
+ ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY],
+ CONSTRAINT [x_policy_ref_access_type$x_policy_ref_access_type_UK] UNIQUE NONCLUSTERED
+(
+ [policy_id] ASC, [access_def_id] ASC
+)WITH (PAD_INDEX = OFF,STATISTICS_NORECOMPUTE = OFF,IGNORE_DUP_KEY = OFF,ALLOW_ROW_LOCKS = ON,ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
+) ON [PRIMARY]
+GO
+SET ANSI_NULLS ON
+GO
+SET QUOTED_IDENTIFIER ON
+GO
+SET ANSI_PADDING ON
+GO
+CREATE TABLE [dbo].[x_policy_ref_condition] (
+ [id] [bigint] IDENTITY (1, 1) NOT NULL,
+ [guid] [varchar](1024) DEFAULT NULL NULL,
+ [create_time] [datetime2] DEFAULT NULL NULL,
+ [update_time] [datetime2] DEFAULT NULL NULL,
+ [added_by_id] [bigint] DEFAULT NULL NULL,
+ [upd_by_id] [bigint] DEFAULT NULL NULL,
+ [policy_id] [bigint] NOT NULL,
+ [condition_def_id] [bigint] NOT NULL,
+ [condition_name] [varchar](4000) DEFAULT NULL NULL,
+ PRIMARY KEY CLUSTERED
+ (
+ [id] ASC
+ ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY],
+ CONSTRAINT [x_policy_ref_condition$x_policy_ref_condition_UK] UNIQUE NONCLUSTERED
+(
+ [policy_id] ASC, [condition_def_id] ASC
+)WITH (PAD_INDEX = OFF,STATISTICS_NORECOMPUTE = OFF,IGNORE_DUP_KEY = OFF,ALLOW_ROW_LOCKS = ON,ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
+) ON [PRIMARY]
+GO
+SET ANSI_NULLS ON
+GO
+SET QUOTED_IDENTIFIER ON
+GO
+SET ANSI_PADDING ON
+GO
+CREATE TABLE [dbo].[x_policy_ref_datamask_type] (
+ [id] [bigint] IDENTITY (1, 1) NOT NULL,
+ [guid] [varchar](1024) DEFAULT NULL NULL,
+ [create_time] [datetime2] DEFAULT NULL NULL,
+ [update_time] [datetime2] DEFAULT NULL NULL,
+ [added_by_id] [bigint] DEFAULT NULL NULL,
+ [upd_by_id] [bigint] DEFAULT NULL NULL,
+ [policy_id] [bigint] NOT NULL,
+ [datamask_def_id] [bigint] NOT NULL,
+ [datamask_type_name] [varchar](4000) DEFAULT NULL NULL,
+ PRIMARY KEY CLUSTERED
+ (
+ [id] ASC
+ ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY],
+ CONSTRAINT [x_policy_ref_datamask_type$x_policy_ref_datamask_type_UK] UNIQUE NONCLUSTERED
+(
+ [policy_id] ASC, [datamask_def_id] ASC
+)WITH (PAD_INDEX = OFF,STATISTICS_NORECOMPUTE = OFF,IGNORE_DUP_KEY = OFF,ALLOW_ROW_LOCKS = ON,ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
+) ON [PRIMARY]
+GO
+SET ANSI_NULLS ON
+GO
+SET QUOTED_IDENTIFIER ON
+GO
+SET ANSI_PADDING ON
+GO
+CREATE TABLE [dbo].[x_policy_ref_user] (
+ [id] [bigint] IDENTITY (1, 1) NOT NULL,
+ [guid] [varchar](1024) DEFAULT NULL NULL,
+ [create_time] [datetime2] DEFAULT NULL NULL,
+ [update_time] [datetime2] DEFAULT NULL NULL,
+ [added_by_id] [bigint] DEFAULT NULL NULL,
+ [upd_by_id] [bigint] DEFAULT NULL NULL,
+ [policy_id] [bigint] NOT NULL,
+ [user_id] [bigint] NOT NULL,
+ [user_name] [varchar](4000) DEFAULT NULL NULL,
+ PRIMARY KEY CLUSTERED
+ (
+ [id] ASC
+ ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY],
+ CONSTRAINT [x_policy_ref_user$x_policy_ref_user_UK] UNIQUE NONCLUSTERED
+(
+ [policy_id] ASC, [user_id] ASC
+)WITH (PAD_INDEX = OFF,STATISTICS_NORECOMPUTE = OFF,IGNORE_DUP_KEY = OFF,ALLOW_ROW_LOCKS = ON,ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
+) ON [PRIMARY]
+GO
+SET ANSI_NULLS ON
+GO
+SET QUOTED_IDENTIFIER ON
+GO
+SET ANSI_PADDING ON
+GO
+CREATE TABLE [dbo].[x_policy_ref_group] (
+ [id] [bigint] IDENTITY (1, 1) NOT NULL,
+ [guid] [varchar](1024) DEFAULT NULL NULL,
+ [create_time] [datetime2] DEFAULT NULL NULL,
+ [update_time] [datetime2] DEFAULT NULL NULL,
+ [added_by_id] [bigint] DEFAULT NULL NULL,
+ [upd_by_id] [bigint] DEFAULT NULL NULL,
+ [policy_id] [bigint] NOT NULL,
+ [group_id] [bigint] NOT NULL,
+ [group_name] [varchar](4000) DEFAULT NULL NULL,
+ PRIMARY KEY CLUSTERED
+ (
+ [id] ASC
+ ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY],
+ CONSTRAINT [x_policy_ref_group$x_policy_ref_group_UK] UNIQUE NONCLUSTERED
+(
+ [policy_id] ASC, [group_id] ASC
+)WITH (PAD_INDEX = OFF,STATISTICS_NORECOMPUTE = OFF,IGNORE_DUP_KEY = OFF,ALLOW_ROW_LOCKS = ON,ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
+) ON [PRIMARY]
+GO
+ALTER TABLE [dbo].[x_policy_ref_resource] WITH CHECK ADD CONSTRAINT [x_policy_ref_resource_FK_policy_id] FOREIGN KEY ([policy_id])
+REFERENCES [dbo].[x_policy] ([id])
+ALTER TABLE [dbo].[x_policy_ref_resource] CHECK CONSTRAINT [x_policy_ref_resource_FK_policy_id]
+ALTER TABLE [dbo].[x_policy_ref_resource] WITH CHECK ADD CONSTRAINT [x_policy_ref_resource_FK_resource_def_id] FOREIGN KEY ([resource_def_id])
+REFERENCES [dbo].[x_resource_def] ([id])
+ALTER TABLE [dbo].[x_policy_ref_resource] CHECK CONSTRAINT [x_policy_ref_resource_FK_resource_def_id]
+ALTER TABLE [dbo].[x_policy_ref_resource] WITH CHECK ADD CONSTRAINT [x_policy_ref_resource_FK_added_by] FOREIGN KEY ([added_by_id])
+REFERENCES [dbo].[x_portal_user] ([id])
+ALTER TABLE [dbo].[x_policy_ref_resource] CHECK CONSTRAINT [x_policy_ref_resource_FK_added_by]
+ALTER TABLE [dbo].[x_policy_ref_resource] WITH CHECK ADD CONSTRAINT [x_policy_ref_resource_FK_upd_by] FOREIGN KEY ([upd_by_id])
+REFERENCES [dbo].[x_portal_user] ([id])
+ALTER TABLE [dbo].[x_policy_ref_access_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_access_type_FK_policy_id] FOREIGN KEY ([policy_id])
+REFERENCES [dbo].[x_policy] ([id])
+ALTER TABLE [dbo].[x_policy_ref_access_type] CHECK CONSTRAINT [x_policy_ref_access_type_FK_policy_id]
+ALTER TABLE [dbo].[x_policy_ref_access_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_access_type_FK_access_def_id] FOREIGN KEY ([access_def_id])
+REFERENCES [dbo].[x_access_type_def] ([id])
+ALTER TABLE [dbo].[x_policy_ref_access_type] CHECK CONSTRAINT [x_policy_ref_access_type_FK_access_def_id]
+ALTER TABLE [dbo].[x_policy_ref_access_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_access_type_FK_added_by] FOREIGN KEY ([added_by_id])
+REFERENCES [dbo].[x_portal_user] ([id])
+ALTER TABLE [dbo].[x_policy_ref_access_type] CHECK CONSTRAINT [x_policy_ref_access_type_FK_added_by]
+ALTER TABLE [dbo].[x_policy_ref_access_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_access_type_FK_upd_by] FOREIGN KEY ([upd_by_id])
+REFERENCES [dbo].[x_portal_user] ([id])
+ALTER TABLE [dbo].[x_policy_ref_condition] WITH CHECK ADD CONSTRAINT [x_policy_ref_condition_FK_policy_id] FOREIGN KEY ([policy_id])
+REFERENCES [dbo].[x_policy] ([id])
+ALTER TABLE [dbo].[x_policy_ref_condition] CHECK CONSTRAINT [x_policy_ref_condition_FK_policy_id]
+ALTER TABLE [dbo].[x_policy_ref_condition] WITH CHECK ADD CONSTRAINT [x_policy_ref_condition_FK_condition_def_id] FOREIGN KEY ([condition_def_id])
+REFERENCES [dbo].[x_policy_condition_def] ([id])
+ALTER TABLE [dbo].[x_policy_ref_condition] CHECK CONSTRAINT [x_policy_ref_condition_FK_condition_def_id]
+ALTER TABLE [dbo].[x_policy_ref_condition] WITH CHECK ADD CONSTRAINT [x_policy_ref_condition_FK_added_by] FOREIGN KEY ([added_by_id])
+REFERENCES [dbo].[x_portal_user] ([id])
+ALTER TABLE [dbo].[x_policy_ref_condition] CHECK CONSTRAINT [x_policy_ref_condition_FK_added_by]
+ALTER TABLE [dbo].[x_policy_ref_condition] WITH CHECK ADD CONSTRAINT [x_policy_ref_condition_FK_upd_by] FOREIGN KEY ([upd_by_id])
+REFERENCES [dbo].[x_portal_user] ([id])
+ALTER TABLE [dbo].[x_policy_ref_datamask_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_datamask_type_FK_policy_id] FOREIGN KEY ([policy_id])
+REFERENCES [dbo].[x_policy] ([id])
+ALTER TABLE [dbo].[x_policy_ref_datamask_type] CHECK CONSTRAINT [x_policy_ref_datamask_type_FK_policy_id]
+ALTER TABLE [dbo].[x_policy_ref_datamask_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_datamask_type_FK_datamask_def_id] FOREIGN KEY ([datamask_def_id])
+REFERENCES [dbo].[x_datamask_type_def] ([id])
+ALTER TABLE [dbo].[x_policy_ref_datamask_type] CHECK CONSTRAINT [x_policy_ref_datamask_type_FK_datamask_def_id]
+ALTER TABLE [dbo].[x_policy_ref_datamask_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_datamask_type_FK_added_by] FOREIGN KEY ([added_by_id])
+REFERENCES [dbo].[x_portal_user] ([id])
+ALTER TABLE [dbo].[x_policy_ref_datamask_type] CHECK CONSTRAINT [x_policy_ref_datamask_type_FK_added_by]
+ALTER TABLE [dbo].[x_policy_ref_datamask_type] WITH CHECK ADD CONSTRAINT [x_policy_ref_datamask_type_FK_upd_by] FOREIGN KEY ([upd_by_id])
+REFERENCES [dbo].[x_portal_user] ([id])
+
+
+ALTER TABLE [dbo].[x_policy_ref_user] WITH CHECK ADD CONSTRAINT [x_policy_ref_user_FK_policy_id] FOREIGN KEY ([policy_id])
+REFERENCES [dbo].[x_policy] ([id])
+ALTER TABLE [dbo].[x_policy_ref_user] CHECK CONSTRAINT [x_policy_ref_user_FK_policy_id]
+
+ALTER TABLE [dbo].[x_policy_ref_user] WITH CHECK ADD CONSTRAINT [x_policy_ref_user_FK_user_id] FOREIGN KEY ([user_id])
+REFERENCES [dbo].[x_user] ([id])
+ALTER TABLE [dbo].[x_policy_ref_user] CHECK CONSTRAINT [x_policy_ref_user_FK_user_id]
+
+ALTER TABLE [dbo].[x_policy_ref_user] WITH CHECK ADD CONSTRAINT [x_policy_ref_user_FK_added_by] FOREIGN KEY ([added_by_id])
+REFERENCES [dbo].[x_portal_user] ([id])
+ALTER TABLE [dbo].[x_policy_ref_user] CHECK CONSTRAINT [x_policy_ref_user_FK_added_by]
+
+ALTER TABLE [dbo].[x_policy_ref_user] WITH CHECK ADD CONSTRAINT [x_policy_ref_user_FK_upd_by] FOREIGN KEY ([upd_by_id])
+REFERENCES [dbo].[x_portal_user] ([id])
+ALTER TABLE [dbo].[x_policy_ref_user] CHECK CONSTRAINT [x_policy_ref_user_FK_upd_by]
+
+ALTER TABLE [dbo].[x_policy_ref_group] WITH CHECK ADD CONSTRAINT [x_policy_ref_group_FK_policy_id] FOREIGN KEY ([policy_id])
+REFERENCES [dbo].[x_policy] ([id])
+ALTER TABLE [dbo].[x_policy_ref_group] CHECK CONSTRAINT [x_policy_ref_group_FK_policy_id]
+ALTER TABLE [dbo].[x_policy_ref_group] WITH CHECK ADD CONSTRAINT [x_policy_ref_group_FK_group_id] FOREIGN KEY ([group_id])
+REFERENCES [dbo].[x_group] ([id])
+ALTER TABLE [dbo].[x_policy_ref_group] CHECK CONSTRAINT [x_policy_ref_group_FK_group_id]
+ALTER TABLE [dbo].[x_policy_ref_group] WITH CHECK ADD CONSTRAINT [x_policy_ref_group_FK_added_by] FOREIGN KEY ([added_by_id])
+REFERENCES [dbo].[x_portal_user] ([id])
+ALTER TABLE [dbo].[x_policy_ref_group] CHECK CONSTRAINT [x_policy_ref_group_FK_added_by]
+ALTER TABLE [dbo].[x_policy_ref_group] WITH CHECK ADD CONSTRAINT [x_policy_ref_group_FK_upd_by] FOREIGN KEY ([upd_by_id])
+REFERENCES [dbo].[x_portal_user] ([id])
+GO
+IF NOT EXISTS (SELECT
+ *
+ FROM INFORMATION_SCHEMA.columns
+ WHERE table_name = 'x_policy'
+ AND column_name = 'policy_text')
+BEGIN
+ ALTER TABLE [dbo].[x_policy] ADD [policy_text] [nvarchar](max) DEFAULT NULL NULL;
+END
+GO
+
+SET ANSI_NULLS ON
+GO
+SET QUOTED_IDENTIFIER ON
+GO
+SET ANSI_PADDING ON
+GO
+IF EXISTS (
+ SELECT type_desc, type
+ FROM sys.procedures WITH(NOLOCK)
+ WHERE NAME = 'removeConstraints'
+ AND type = 'P'
+ )
+BEGIN
+ PRINT 'Proc exist with name dbo.removeConstraints'
+ DROP PROCEDURE dbo.removeConstraints
+ PRINT 'Proc dropped dbo.removeConstraints'
+END
+GO
+CREATE PROCEDURE dbo.removeConstraints
+ -- Add the parameters for the stored procedure here
+ @tablename nvarchar(100)
+AS
+BEGIN
+
+ DECLARE @stmt VARCHAR(300);
+
+ -- Cursor to generate ALTER TABLE DROP CONSTRAINT statements
+ DECLARE cur CURSOR FOR
+ SELECT 'ALTER TABLE ' + OBJECT_SCHEMA_NAME(parent_object_id) + '.' + OBJECT_NAME(parent_object_id) +
+ ' DROP CONSTRAINT ' + name
+ FROM sys.foreign_keys
+ WHERE OBJECT_SCHEMA_NAME(referenced_object_id) = 'dbo' AND
+ OBJECT_NAME(referenced_object_id) = @tablename;
+
+ OPEN cur;
+ FETCH cur INTO @stmt;
+
+ -- Drop each found foreign key constraint
+ WHILE @@FETCH_STATUS = 0
+ BEGIN
+ EXEC (@stmt);
+ FETCH cur INTO @stmt;
+ END
+
+ CLOSE cur;
+ DEALLOCATE cur;
+
+END
+GO
+
+EXEC dbo.removeConstraints 'x_policy_item'
+GO
+
+EXEC dbo.removeConstraints 'x_policy_item_access'
+GO
+
+EXEC dbo.removeConstraints 'x_policy_item_condition'
+GO
+
+EXEC dbo.removeConstraints 'x_policy_item_datamask'
+GO
+
+EXEC dbo.removeConstraints 'x_policy_item_group_perm'
+GO
+
+EXEC dbo.removeConstraints 'x_policy_item_user_perm'
+GO
+
+EXEC dbo.removeConstraints 'x_policy_item_rowfilter'
+GO
+
+EXEC dbo.removeConstraints 'x_policy_resource'
+GO
+
+EXEC dbo.removeConstraints 'x_policy_resource_map'
+GO
+
+EXIT
http://git-wip-us.apache.org/repos/asf/ranger/blob/c84b98fb/security-admin/db/sqlserver/patches/036-denormalize-tag-tables.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/sqlserver/patches/036-denormalize-tag-tables.sql b/security-admin/db/sqlserver/patches/036-denormalize-tag-tables.sql
new file mode 100644
index 0000000..9bfae30
--- /dev/null
+++ b/security-admin/db/sqlserver/patches/036-denormalize-tag-tables.sql
@@ -0,0 +1,97 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+GO
+IF NOT EXISTS(select * from INFORMATION_SCHEMA.columns where table_name = 'x_tag_def' and column_name = 'tag_attrs_def_text')
+BEGIN
+ ALTER TABLE [dbo].[x_tag_def] ADD [tag_attrs_def_text] [nvarchar](max) DEFAULT NULL NULL;
+END
+IF NOT EXISTS(select * from INFORMATION_SCHEMA.columns where table_name = 'x_tag' and column_name = 'tag_attrs_text')
+BEGIN
+ ALTER TABLE [dbo].[x_tag] ADD [tag_attrs_text] [nvarchar](max) DEFAULT NULL NULL;
+END
+IF NOT EXISTS(select * from INFORMATION_SCHEMA.columns where table_name = 'x_service_resource' and column_name = 'service_resource_elements_text')
+BEGIN
+ ALTER TABLE [dbo].[x_service_resource] ADD [service_resource_elements_text] [nvarchar](max) DEFAULT NULL NULL;
+END
+IF NOT EXISTS(select * from INFORMATION_SCHEMA.columns where table_name = 'x_service_resource' and column_name = 'tags_text')
+BEGIN
+ ALTER TABLE [dbo].[x_service_resource] ADD [tags_text] [nvarchar](max) DEFAULT NULL NULL;
+END
+GO
+
+SET ANSI_NULLS ON
+GO
+SET QUOTED_IDENTIFIER ON
+GO
+SET ANSI_PADDING ON
+GO
+IF EXISTS (
+ SELECT type_desc, type
+ FROM sys.procedures WITH(NOLOCK)
+ WHERE NAME = 'removeConstraints'
+ AND type = 'P'
+ )
+BEGIN
+ PRINT 'Proc exist with name dbo.removeConstraints'
+ DROP PROCEDURE dbo.removeConstraints
+ PRINT 'Proc dropped dbo.removeConstraints'
+END
+GO
+CREATE PROCEDURE dbo.removeConstraints
+ -- Add the parameters for the stored procedure here
+ @tablename nvarchar(100)
+AS
+BEGIN
+
+ DECLARE @stmt VARCHAR(300);
+
+ -- Cursor to generate ALTER TABLE DROP CONSTRAINT statements
+ DECLARE cur CURSOR FOR
+ SELECT 'ALTER TABLE ' + OBJECT_SCHEMA_NAME(parent_object_id) + '.' + OBJECT_NAME(parent_object_id) +
+ ' DROP CONSTRAINT ' + name
+ FROM sys.foreign_keys
+ WHERE OBJECT_SCHEMA_NAME(referenced_object_id) = 'dbo' AND
+ OBJECT_NAME(referenced_object_id) = @tablename;
+
+ OPEN cur;
+ FETCH cur INTO @stmt;
+
+ -- Drop each found foreign key constraint
+ WHILE @@FETCH_STATUS = 0
+ BEGIN
+ EXEC (@stmt);
+ FETCH cur INTO @stmt;
+ END
+
+ CLOSE cur;
+ DEALLOCATE cur;
+
+END
+GO
+
+EXEC dbo.removeConstraints 'x_tag_attr_def'
+GO
+
+EXEC dbo.removeConstraints 'x_tag_attr'
+GO
+
+EXEC dbo.removeConstraints 'x_service_resource_element'
+GO
+
+EXEC dbo.removeConstraints 'x_service_resource_element_val'
+GO
+
+EXIT
http://git-wip-us.apache.org/repos/asf/ranger/blob/c84b98fb/security-admin/scripts/db_setup.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py
index d4f37ed..83463cf 100644
--- a/security-admin/scripts/db_setup.py
+++ b/security-admin/scripts/db_setup.py
@@ -35,8 +35,9 @@ os_name = os_name.upper()
ranger_version=''
jisql_debug=True
retryPatchAfterSeconds=120
-
+java_patch_regex="^Patch.*?J\d{5}.class$"
is_unix = os_name == "LINUX" or os_name == "DARWIN"
+max_memory='1g'
if is_unix:
RANGER_ADMIN_HOME = os.getenv("RANGER_ADMIN_HOME")
@@ -183,14 +184,14 @@ class BaseDB(object):
class MysqlConf(BaseDB):
# Constructor
- def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type):
+ def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type):
self.host = host
self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR
self.JAVA_BIN = JAVA_BIN
self.db_ssl_enabled=db_ssl_enabled.lower()
self.db_ssl_required=db_ssl_required.lower()
self.db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.lower()
- self.db_ssl_auth_type=db_ssl_auth_type.lower()
+ self.db_ssl_auth_type=db_ssl_auth_type.lower()
self.javax_net_ssl_keyStore=javax_net_ssl_keyStore
self.javax_net_ssl_keyStorePassword=javax_net_ssl_keyStorePassword
self.javax_net_ssl_trustStore=javax_net_ssl_trustStore
@@ -203,10 +204,10 @@ class MysqlConf(BaseDB):
if self.db_ssl_enabled == 'true':
db_ssl_param="?useSSL=%s&requireSSL=%s&verifyServerCertificate=%s" %(self.db_ssl_enabled,self.db_ssl_required,self.db_ssl_verifyServerCertificate)
if self.db_ssl_verifyServerCertificate == 'true':
- if self.db_ssl_auth_type == '1-way':
- db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
- else:
- db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ if self.db_ssl_auth_type == '1-way':
+ db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ else:
+ db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
self.JAVA_BIN = self.JAVA_BIN.strip("'")
if is_unix:
jisql_cmd = "%s %s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s%s -u '%s' -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,db_ssl_cert_param,self.SQL_CONNECTOR_JAR,path,self.host,db_name,db_ssl_param,user,password)
@@ -498,7 +499,7 @@ class MysqlConf(BaseDB):
files = os.listdir(javaFiles)
if files:
for filename in files:
- f = re.match("^Patch.*?.class$",filename)
+ f = re.match(java_patch_regex,filename)
if f:
className = re.match("(Patch.*?)_.*.class",filename)
className = className.group(1)
@@ -555,7 +556,7 @@ class MysqlConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className)
+ get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,max_memory,ranger_log,path,className)
if is_unix:
ret = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
@@ -1188,7 +1189,7 @@ class OracleConf(BaseDB):
files = os.listdir(javaFiles)
if files:
for filename in files:
- f = re.match("^Patch.*?.class$",filename)
+ f = re.match(java_patch_regex,filename)
if f:
className = re.match("(Patch.*?)_.*.class",filename)
className = className.group(1)
@@ -1270,7 +1271,7 @@ class OracleConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Djava.security.egd=file:///dev/urandom -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className)
+ get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Djava.security.egd=file:///dev/urandom -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,max_memory,ranger_log,path,className)
if is_unix:
ret = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
@@ -1359,7 +1360,7 @@ class OracleConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword)
+ get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,max_memory,ranger_log,path,className,userName,oldPassword,newPassword)
if is_unix:
status = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
@@ -1883,7 +1884,7 @@ class PostgresConf(BaseDB):
files = os.listdir(javaFiles)
if files:
for filename in files:
- f = re.match("^Patch.*?.class$",filename)
+ f = re.match(java_patch_regex,filename)
if f:
className = re.match("(Patch.*?)_.*.class",filename)
className = className.group(1)
@@ -1940,7 +1941,7 @@ class PostgresConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className)
+ get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,max_memory,ranger_log,path,className)
if is_unix:
ret = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
@@ -2029,7 +2030,7 @@ class PostgresConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword)
+ get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,max_memory,ranger_log,path,className,userName,oldPassword,newPassword)
if is_unix:
status = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
@@ -2515,7 +2516,7 @@ class SqlServerConf(BaseDB):
files = os.listdir(javaFiles)
if files:
for filename in files:
- f = re.match("^Patch.*?.class$",filename)
+ f = re.match(java_patch_regex,filename)
if f:
className = re.match("(Patch.*?)_.*.class",filename)
className = className.group(1)
@@ -2572,7 +2573,7 @@ class SqlServerConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className)
+ get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,max_memory,ranger_log,path,className)
if is_unix:
ret = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
@@ -2661,7 +2662,7 @@ class SqlServerConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword)
+ get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,max_memory,ranger_log,path,className,userName,oldPassword,newPassword)
if is_unix:
status = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
@@ -3139,7 +3140,7 @@ class SqlAnywhereConf(BaseDB):
files = os.listdir(javaFiles)
if files:
for filename in files:
- f = re.match("^Patch.*?.class$",filename)
+ f = re.match(java_patch_regex,filename)
if f:
className = re.match("(Patch.*?)_.*.class",filename)
className = className.group(1)
@@ -3196,7 +3197,7 @@ class SqlAnywhereConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className)
+ get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,max_memory,ranger_log,path,className)
if is_unix:
ret = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
@@ -3306,7 +3307,7 @@ class SqlAnywhereConf(BaseDB):
path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
elif os_name == "WINDOWS":
path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR)
- get_java_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,ranger_log,path,className,userName,oldPassword,newPassword)
+ get_java_cmd = "%s -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx%s -Xms1g -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.cliutil.%s %s %s %s -default"%(self.JAVA_BIN,max_memory,ranger_log,path,className,userName,oldPassword,newPassword)
if is_unix:
status = subprocess.call(shlex.split(get_java_cmd))
elif os_name == "WINDOWS":
@@ -3608,7 +3609,7 @@ def main(argv):
db_ssl_enabled='false'
db_ssl_required='false'
db_ssl_verifyServerCertificate='false'
- db_ssl_auth_type='2-way'
+ db_ssl_auth_type='2-way'
javax_net_ssl_keyStore=''
javax_net_ssl_keyStorePassword=''
javax_net_ssl_trustStore=''
@@ -3622,8 +3623,8 @@ def main(argv):
db_ssl_required=globalDict['db_ssl_required'].lower()
if 'db_ssl_verifyServerCertificate' in globalDict:
db_ssl_verifyServerCertificate=globalDict['db_ssl_verifyServerCertificate'].lower()
- if 'db_ssl_auth_type' in globalDict:
- db_ssl_auth_type=globalDict['db_ssl_auth_type'].lower()
+ if 'db_ssl_auth_type' in globalDict:
+ db_ssl_auth_type=globalDict['db_ssl_auth_type'].lower()
if db_ssl_verifyServerCertificate == 'true':
if 'javax_net_ssl_trustStore' in globalDict:
javax_net_ssl_trustStore=globalDict['javax_net_ssl_trustStore']
@@ -3635,20 +3636,20 @@ def main(argv):
if javax_net_ssl_trustStorePassword is None or javax_net_ssl_trustStorePassword =="":
log("[E] Invalid ssl truststore password!","error")
sys.exit(1)
- if db_ssl_auth_type == '2-way':
- if 'javax_net_ssl_keyStore' in globalDict:
- javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore']
- if 'javax_net_ssl_keyStorePassword' in globalDict:
- javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword']
- if not os.path.exists(javax_net_ssl_keyStore):
- log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error")
- sys.exit(1)
- if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="":
- log("[E] Invalid ssl keystore password!","error")
- sys.exit(1)
+ if db_ssl_auth_type == '2-way':
+ if 'javax_net_ssl_keyStore' in globalDict:
+ javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore']
+ if 'javax_net_ssl_keyStorePassword' in globalDict:
+ javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword']
+ if not os.path.exists(javax_net_ssl_keyStore):
+ log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error")
+ sys.exit(1)
+ if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="":
+ log("[E] Invalid ssl keystore password!","error")
+ sys.exit(1)
MYSQL_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR']
- xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
+ xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
xa_db_version_file = os.path.join(RANGER_ADMIN_HOME , mysql_dbversion_catalog)
xa_db_core_file = os.path.join(RANGER_ADMIN_HOME , mysql_core_file)
xa_patch_file = os.path.join(RANGER_ADMIN_HOME ,mysql_patches)
@@ -3708,7 +3709,7 @@ def main(argv):
if AUDIT_DB_FLAVOR == "MYSQL":
MYSQL_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR']
- audit_sqlObj = MysqlConf(audit_db_host,MYSQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
+ audit_sqlObj = MysqlConf(audit_db_host,MYSQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
audit_db_file = os.path.join(RANGER_ADMIN_HOME ,mysql_audit_file)
elif AUDIT_DB_FLAVOR == "ORACLE":
http://git-wip-us.apache.org/repos/asf/ranger/blob/c84b98fb/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
new file mode 100644
index 0000000..25b48bb
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
@@ -0,0 +1,286 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.biz;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.db.XXPolicyRefAccessTypeDao;
+import org.apache.ranger.db.XXPolicyRefConditionDao;
+import org.apache.ranger.db.XXPolicyRefDataMaskTypeDao;
+import org.apache.ranger.db.XXPolicyRefGroupDao;
+import org.apache.ranger.db.XXPolicyRefResourceDao;
+import org.apache.ranger.db.XXPolicyRefUserDao;
+import org.apache.ranger.entity.XXAccessTypeDef;
+import org.apache.ranger.entity.XXDataMaskTypeDef;
+import org.apache.ranger.entity.XXGroup;
+import org.apache.ranger.entity.XXPolicy;
+import org.apache.ranger.entity.XXPolicyConditionDef;
+import org.apache.ranger.entity.XXPolicyRefAccessType;
+import org.apache.ranger.entity.XXPolicyRefCondition;
+import org.apache.ranger.entity.XXPolicyRefDataMaskType;
+import org.apache.ranger.entity.XXPolicyRefGroup;
+import org.apache.ranger.entity.XXPolicyRefResource;
+import org.apache.ranger.entity.XXPolicyRefUser;
+import org.apache.ranger.entity.XXResourceDef;
+import org.apache.ranger.entity.XXServiceDef;
+import org.apache.ranger.entity.XXUser;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
+import org.apache.ranger.service.RangerAuditFields;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+@Component
+public class PolicyRefUpdater {
+
+ @Autowired
+ RangerDaoManager daoMgr;
+
+ @Autowired
+ RangerAuditFields<?> rangerAuditFields;
+
+ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef) throws Exception {
+ if(policy == null) {
+ return;
+ }
+
+ cleanupRefTables(policy);
+
+ final Set<String> resourceNames = policy.getResources().keySet();
+ final Set<String> groupNames = new HashSet<>();
+ final Set<String> userNames = new HashSet<>();
+ final Set<String> accessTypes = new HashSet<>();
+ final Set<String> conditionTypes = new HashSet<>();
+ final Set<String> dataMaskTypes = new HashSet<>();
+
+ for (List<? extends RangerPolicyItem> policyItems : getAllPolicyItems(policy)) {
+ if (CollectionUtils.isEmpty(policyItems)) {
+ continue;
+ }
+
+ for (RangerPolicyItem policyItem : policyItems) {
+ groupNames.addAll(policyItem.getGroups());
+ userNames.addAll(policyItem.getUsers());
+
+ if (CollectionUtils.isNotEmpty(policyItem.getAccesses())) {
+ for (RangerPolicyItemAccess access : policyItem.getAccesses()) {
+ accessTypes.add(access.getType());
+ }
+ }
+
+ if (CollectionUtils.isNotEmpty(policyItem.getConditions())) {
+ for (RangerPolicyItemCondition condition : policyItem.getConditions()) {
+ conditionTypes.add(condition.getType());
+ }
+ }
+
+ if (policyItem instanceof RangerDataMaskPolicyItem) {
+ RangerPolicyItemDataMaskInfo dataMaskInfo = ((RangerDataMaskPolicyItem) policyItem).getDataMaskInfo();
+
+ dataMaskTypes.add(dataMaskInfo.getDataMaskType());
+ }
+ }
+ }
+
+ for (String resource : resourceNames) {
+ XXResourceDef xResDef = daoMgr.getXXResourceDef().findByNameAndPolicyId(resource, policy.getId());
+
+ if (xResDef == null) {
+ throw new Exception(resource + ": is not a valid resource-type. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
+ }
+
+ XXPolicyRefResource xPolRes = rangerAuditFields.populateAuditFields(new XXPolicyRefResource(), xPolicy);
+
+ xPolRes.setPolicyId(policy.getId());
+ xPolRes.setResourceDefId(xResDef.getId());
+ xPolRes.setResourceName(resource);
+
+ daoMgr.getXXPolicyRefResource().create(xPolRes);
+ }
+
+ for (String group : groupNames) {
+ if (StringUtils.isBlank(group)) {
+ continue;
+ }
+
+ XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(group);
+
+ if (xGroup == null) {
+ throw new Exception(group + ": group does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "' group='" + group + "'");
+ }
+
+ XXPolicyRefGroup xPolGroup = rangerAuditFields.populateAuditFields(new XXPolicyRefGroup(), xPolicy);
+
+ xPolGroup.setPolicyId(policy.getId());
+ xPolGroup.setGroupId(xGroup.getId());
+ xPolGroup.setGroupName(group);
+
+ daoMgr.getXXPolicyRefGroup().create(xPolGroup);
+ }
+
+ for (String user : userNames) {
+ if (StringUtils.isBlank(user)) {
+ continue;
+ }
+
+ XXUser xUser = daoMgr.getXXUser().findByUserName(user);
+
+ if (xUser == null) {
+ throw new Exception(user + ": user does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "' user='" + user +"'");
+ }
+
+ XXPolicyRefUser xPolUser = rangerAuditFields.populateAuditFields(new XXPolicyRefUser(), xPolicy);
+
+ xPolUser.setPolicyId(policy.getId());
+ xPolUser.setUserId(xUser.getId());
+ xPolUser.setUserName(user);
+
+ daoMgr.getXXPolicyRefUser().create(xPolUser);
+ }
+
+ for (String accessType : accessTypes) {
+ XXAccessTypeDef xAccTypeDef = daoMgr.getXXAccessTypeDef().findByNameAndServiceId(accessType, xPolicy.getService());
+
+ if (xAccTypeDef == null) {
+ throw new Exception(accessType + ": is not a valid access-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
+ }
+
+ XXPolicyRefAccessType xPolAccess = rangerAuditFields.populateAuditFields(new XXPolicyRefAccessType(), xPolicy);
+
+ xPolAccess.setPolicyId(policy.getId());
+ xPolAccess.setAccessDefId(xAccTypeDef.getId());
+ xPolAccess.setAccessTypeName(accessType);
+
+ daoMgr.getXXPolicyRefAccessType().create(xPolAccess);
+ }
+
+ for (String condition : conditionTypes) {
+ XXPolicyConditionDef xPolCondDef = daoMgr.getXXPolicyConditionDef().findByServiceDefIdAndName(xServiceDef.getId(), condition);
+
+ if (xPolCondDef == null) {
+ throw new Exception(condition + ": is not a valid condition-type. policy='"+ xPolicy.getName() + "' service='"+ xPolicy.getService() + "'");
+ }
+
+ XXPolicyRefCondition xPolCond = rangerAuditFields.populateAuditFields(new XXPolicyRefCondition(), xPolicy);
+
+ xPolCond.setPolicyId(policy.getId());
+ xPolCond.setConditionDefId(xPolCondDef.getId());
+ xPolCond.setConditionName(condition);
+
+ daoMgr.getXXPolicyRefCondition().create(xPolCond);
+ }
+
+ for (String dataMaskType : dataMaskTypes ) {
+ XXDataMaskTypeDef dataMaskDef = daoMgr.getXXDataMaskTypeDef().findByNameAndServiceId(dataMaskType, xPolicy.getService());
+
+ if (dataMaskDef == null) {
+ throw new Exception(dataMaskType + ": is not a valid datamask-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
+ }
+
+ XXPolicyRefDataMaskType xxDataMaskInfo = new XXPolicyRefDataMaskType();
+
+ xxDataMaskInfo.setPolicyId(policy.getId());
+ xxDataMaskInfo.setDataMaskDefId(dataMaskDef.getId());
+ xxDataMaskInfo.setDataMaskTypeName(dataMaskType);
+
+ daoMgr.getXXPolicyRefDataMaskType().create(xxDataMaskInfo);
+ }
+ }
+
+ public Boolean cleanupRefTables(RangerPolicy policy) {
+ final Long policyId = policy == null ? null : policy.getId();
+
+ if (policyId == null) {
+ return false;
+ }
+
+ XXPolicyRefResourceDao xPolResDao = daoMgr.getXXPolicyRefResource();
+ XXPolicyRefGroupDao xPolGroupDao = daoMgr.getXXPolicyRefGroup();
+ XXPolicyRefUserDao xPolUserDao = daoMgr.getXXPolicyRefUser();
+ XXPolicyRefAccessTypeDao xPolAccessDao = daoMgr.getXXPolicyRefAccessType();
+ XXPolicyRefConditionDao xPolCondDao = daoMgr.getXXPolicyRefCondition();
+ XXPolicyRefDataMaskTypeDao xPolDataMaskDao = daoMgr.getXXPolicyRefDataMaskType();
+
+ for (XXPolicyRefResource resource : xPolResDao.findByPolicyId(policyId)) {
+ xPolResDao.remove(resource);
+ }
+
+ for(XXPolicyRefGroup group : xPolGroupDao.findByPolicyId(policyId)) {
+ xPolGroupDao.remove(group);
+ }
+
+ for(XXPolicyRefUser user : xPolUserDao.findByPolicyId(policyId)) {
+ xPolUserDao.remove(user);
+ }
+
+ for(XXPolicyRefAccessType access : xPolAccessDao.findByPolicyId(policyId)) {
+ xPolAccessDao.remove(access);
+ }
+
+ for(XXPolicyRefCondition condVal : xPolCondDao.findByPolicyId(policyId)) {
+ xPolCondDao.remove(condVal);
+ }
+
+ for(XXPolicyRefDataMaskType dataMask : xPolDataMaskDao.findByPolicyId(policyId)) {
+ xPolDataMaskDao.remove(dataMask);
+ }
+
+ return true;
+ }
+
+ static List<List<? extends RangerPolicyItem>> getAllPolicyItems(RangerPolicy policy) {
+ List<List<? extends RangerPolicyItem>> ret = new ArrayList<>();
+
+ if (CollectionUtils.isNotEmpty(policy.getPolicyItems())) {
+ ret.add(policy.getPolicyItems());
+ }
+
+ if (CollectionUtils.isNotEmpty(policy.getDenyPolicyItems())) {
+ ret.add(policy.getDenyPolicyItems());
+ }
+
+ if (CollectionUtils.isNotEmpty(policy.getAllowExceptions())) {
+ ret.add(policy.getAllowExceptions());
+ }
+
+ if (CollectionUtils.isNotEmpty(policy.getDenyExceptions())) {
+ ret.add(policy.getDenyExceptions());
+ }
+
+ if (CollectionUtils.isNotEmpty(policy.getDataMaskPolicyItems())) {
+ ret.add(policy.getDataMaskPolicyItems());
+ }
+
+ if (CollectionUtils.isNotEmpty(policy.getRowFilterPolicyItems())) {
+ ret.add(policy.getRowFilterPolicyItems());
+ }
+
+ return ret;
+ }
+}
http://git-wip-us.apache.org/repos/asf/ranger/blob/c84b98fb/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
index 354ab1c..b0734e4 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
@@ -26,28 +26,28 @@ import java.util.ListIterator;
import java.util.Map;
import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.collections.MapUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.authorization.utils.JsonUtils;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.db.RangerDaoManager;
-import org.apache.ranger.entity.*;
+import org.apache.ranger.entity.XXPolicy;
+import org.apache.ranger.entity.XXPortalUser;
+import org.apache.ranger.entity.XXService;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
-import org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.springframework.transaction.PlatformTransactionManager;
import org.springframework.transaction.TransactionStatus;
import org.springframework.transaction.support.TransactionCallback;
import org.springframework.transaction.support.TransactionTemplate;
+
public class RangerPolicyRetriever {
static final Log LOG = LogFactory.getLog(RangerPolicyRetriever.class);
static final Log PERF_LOG = RangerPerfTracer.getPerfLogger("db.RangerPolicyRetriever");
@@ -299,33 +299,13 @@ public class RangerPolicyRetriever {
}
class LookupCache {
- final Map<Long, String> userNames = new HashMap<Long, String>();
- final Map<Long, String> userScreenNames = new HashMap<Long, String>();
- final Map<Long, String> groupNames = new HashMap<Long, String>();
- final Map<Long, String> accessTypes = new HashMap<Long, String>();
- final Map<Long, String> conditions = new HashMap<Long, String>();
- final Map<Long, String> resourceDefs = new HashMap<Long, String>();
- final Map<Long, String> dataMasks = new HashMap<Long, String>();
-
- String getUserName(Long userId) {
- String ret = null;
-
- if(userId != null) {
- ret = userNames.get(userId);
-
- if(ret == null) {
- XXUser user = daoMgr.getXXUser().getById(userId);
-
- if(user != null) {
- ret = user.getName(); // Name is `loginId`
-
- userNames.put(userId, ret);
- }
- }
- }
-
- return ret;
- }
+ final Map<Long, String> userScreenNames = new HashMap<Long, String>();
+ final Map<Long, Map<String, String>> groupMappingsPerPolicy = new HashMap<>();
+ final Map<Long, Map<String, String>> userMappingsPerPolicy = new HashMap<>();
+ final Map<Long, Map<String, String>> accessMappingsPerPolicy = new HashMap<>();
+ final Map<Long, Map<String, String>> resourceMappingsPerPolicy = new HashMap<>();
+ final Map<Long, Map<String, String>> dataMaskMappingsPerPolicy = new HashMap<>();
+ final Map<Long, Map<String, String>> conditionMappingsPerPolicy = new HashMap<>();
String getUserScreenName(Long userId) {
String ret = null;
@@ -361,257 +341,135 @@ public class RangerPolicyRetriever {
return ret;
}
- String getGroupName(Long groupId) {
- String ret = null;
-
- if(groupId != null) {
- ret = groupNames.get(groupId);
+ void setNameMapping(Map<Long, Map<String, String>> nameMappingContainer, List<PolicyTextNameMap> nameMappings) {
+ nameMappingContainer.clear();
- if(ret == null) {
- XXGroup group = daoMgr.getXXGroup().getById(groupId);
+ for (PolicyTextNameMap nameMapping : nameMappings) {
+ Map<String, String> policyNameMap = nameMappingContainer.get(nameMapping.policyId);
- if(group != null) {
- ret = group.getName();
+ if (policyNameMap == null) {
+ policyNameMap = new HashMap<>();
- groupNames.put(groupId, ret);
- }
+ nameMappingContainer.put(nameMapping.policyId, policyNameMap);
}
- }
-
- return ret;
- }
- String getAccessType(Long accessTypeId) {
- String ret = null;
-
- if(accessTypeId != null) {
- ret = accessTypes.get(accessTypeId);
-
- if(ret == null) {
- XXAccessTypeDef xAccessType = daoMgr.getXXAccessTypeDef().getById(accessTypeId);
-
- if(xAccessType != null) {
- ret = xAccessType.getName();
-
- accessTypes.put(accessTypeId, ret);
- }
- }
+ policyNameMap.put(nameMapping.oldName, nameMapping.currentName);
}
-
- return ret;
}
- String getConditionType(Long conditionDefId) {
- String ret = null;
-
- if(conditionDefId != null) {
- ret = conditions.get(conditionDefId);
+ String getMappedName(Map<Long, Map<String, String>> nameMappingContainer, Long policyId, String nameToMap) {
+ Map<String, String> policyNameMap = nameMappingContainer.get(policyId);
- if(ret == null) {
- XXPolicyConditionDef xPolicyConditionDef = daoMgr.getXXPolicyConditionDef().getById(conditionDefId);
-
- if(xPolicyConditionDef != null) {
- ret = xPolicyConditionDef.getName();
-
- conditions.put(conditionDefId, ret);
- }
- }
- }
-
- return ret;
+ return policyNameMap != null ? policyNameMap.get(nameToMap) : null;
}
- String getResourceName(Long resourceDefId) {
- String ret = null;
-
- if(resourceDefId != null) {
- ret = resourceDefs.get(resourceDefId);
-
- if(ret == null) {
- XXResourceDef xResourceDef = daoMgr.getXXResourceDef().getById(resourceDefId);
-
- if(xResourceDef != null) {
- ret = xResourceDef.getName();
+ void setGroupNameMapping(List<PolicyTextNameMap> groupNameMapping) {
+ setNameMapping(groupMappingsPerPolicy, groupNameMapping);
+ }
- resourceDefs.put(resourceDefId, ret);
- }
- }
- }
+ void setUserNameMapping(List<PolicyTextNameMap> userNameMapping) {
+ setNameMapping(userMappingsPerPolicy, userNameMapping);
+ }
- return ret;
+ void setAccessNameMapping(List<PolicyTextNameMap> accessNameMapping) {
+ setNameMapping(accessMappingsPerPolicy, accessNameMapping);
}
- String getDataMaskName(Long dataMaskDefId) {
- String ret = null;
+ public void setResourceNameMapping(List<PolicyTextNameMap> resourceNameMapping) {
+ setNameMapping(resourceMappingsPerPolicy, resourceNameMapping);
+ }
- if(dataMaskDefId != null) {
- ret = dataMasks.get(dataMaskDefId);
+ public void setDataMaskNameMapping(List<PolicyTextNameMap> dataMaskMapping) {
+ setNameMapping(dataMaskMappingsPerPolicy, dataMaskMapping);
+ }
- if(ret == null) {
- XXDataMaskTypeDef xDataMaskDef = daoMgr.getXXDataMaskTypeDef().getById(dataMaskDefId);
+ public void setConditionNameMapping(List<PolicyTextNameMap> conditionNameMapping) {
+ setNameMapping(conditionMappingsPerPolicy, conditionNameMapping);
+ }
- if(xDataMaskDef != null) {
- ret = xDataMaskDef.getName();
+ }
- dataMasks.put(dataMaskDefId, ret);
- }
- }
- }
+ public static class PolicyTextNameMap {
+ final Long policyId;
+ final String oldName;
+ final String currentName;
- return ret;
+ public PolicyTextNameMap(Long policyId, String oldName, String currentName) {
+ this.policyId = policyId;
+ this.oldName = oldName;
+ this.currentName = currentName;
}
}
- static List<XXPolicy> asList(XXPolicy policy) {
- List<XXPolicy> ret = new ArrayList<XXPolicy>();
+ static List<XXPolicy> asList(XXPolicy policy) {
+ List<XXPolicy> ret = new ArrayList<>();
- if(policy != null) {
- ret.add(policy);
- }
+ if (policy != null) {
+ ret.add(policy);
+ }
- return ret;
- }
+ return ret;
+ }
class RetrieverContext {
- final XXService service;
- final ListIterator<XXPolicy> iterPolicy;
- final ListIterator<XXPolicyResource> iterResources;
- final ListIterator<XXPolicyResourceMap> iterResourceMaps;
- final ListIterator<XXPolicyItem> iterPolicyItems;
- final ListIterator<XXPolicyItemUserPerm> iterUserPerms;
- final ListIterator<XXPolicyItemGroupPerm> iterGroupPerms;
- final ListIterator<XXPolicyItemAccess> iterAccesses;
- final ListIterator<XXPolicyItemCondition> iterConditions;
- final ListIterator<XXPolicyItemDataMaskInfo> iterDataMaskInfos;
- final ListIterator<XXPolicyItemRowFilterInfo> iterRowFilterInfos;
+ final XXService service;
+ final ListIterator<XXPolicy> iterPolicy;
RetrieverContext(XXService xService) {
- Long serviceId = xService == null ? null : xService.getId();
-
- List<XXPolicy> xPolicies = daoMgr.getXXPolicy().findByServiceId(serviceId);
- List<XXPolicyResource> xResources = daoMgr.getXXPolicyResource().findByServiceId(serviceId);
- List<XXPolicyResourceMap> xResourceMaps = daoMgr.getXXPolicyResourceMap().findByServiceId(serviceId);
- List<XXPolicyItem> xPolicyItems = daoMgr.getXXPolicyItem().findByServiceId(serviceId);
- List<XXPolicyItemUserPerm> xUserPerms = daoMgr.getXXPolicyItemUserPerm().findByServiceId(serviceId);
- List<XXPolicyItemGroupPerm> xGroupPerms = daoMgr.getXXPolicyItemGroupPerm().findByServiceId(serviceId);
- List<XXPolicyItemAccess> xAccesses = daoMgr.getXXPolicyItemAccess().findByServiceId(serviceId);
- List<XXPolicyItemCondition> xConditions = daoMgr.getXXPolicyItemCondition().findByServiceId(serviceId);
- List<XXPolicyItemDataMaskInfo> xDataMaskInfos = daoMgr.getXXPolicyItemDataMaskInfo().findByServiceId(serviceId);
- List<XXPolicyItemRowFilterInfo> xRowFilterInfos = daoMgr.getXXPolicyItemRowFilterInfo().findByServiceId(serviceId);
-
- this.service = xService;
- this.iterPolicy = xPolicies.listIterator();
- this.iterResources = xResources.listIterator();
- this.iterResourceMaps = xResourceMaps.listIterator();
- this.iterPolicyItems = xPolicyItems.listIterator();
- this.iterUserPerms = xUserPerms.listIterator();
- this.iterGroupPerms = xGroupPerms.listIterator();
- this.iterAccesses = xAccesses.listIterator();
- this.iterConditions = xConditions.listIterator();
- this.iterDataMaskInfos = xDataMaskInfos.listIterator();
- this.iterRowFilterInfos = xRowFilterInfos.listIterator();
- }
-
- RetrieverContext(XXPolicy xPolicy) {
- this(xPolicy, getXXService(xPolicy.getService()));
+ if (xService != null) {
+ Long serviceId = xService.getId();
+
+ lookupCache.setGroupNameMapping(daoMgr.getXXPolicyRefGroup().findUpdatedGroupNamesByService(serviceId));
+ lookupCache.setUserNameMapping(daoMgr.getXXPolicyRefUser().findUpdatedUserNamesByService(serviceId));
+ lookupCache.setAccessNameMapping(daoMgr.getXXPolicyRefAccessType().findUpdatedAccessNamesByService(serviceId));
+ lookupCache.setResourceNameMapping(daoMgr.getXXPolicyRefResource().findUpdatedResourceNamesByService(serviceId));
+ lookupCache.setDataMaskNameMapping(daoMgr.getXXPolicyRefDataMaskType().findUpdatedDataMaskNamesByService(serviceId));
+ lookupCache.setConditionNameMapping(daoMgr.getXXPolicyRefCondition().findUpdatedConditionNamesByService(serviceId));
+
+ this.service = xService;
+ this.iterPolicy = daoMgr.getXXPolicy().findByServiceId(serviceId).listIterator();
+ } else {
+ this.service = null;
+ this.iterPolicy = null;
+ }
}
RetrieverContext(XXPolicy xPolicy, XXService xService) {
- Long policyId = xPolicy == null ? null : xPolicy.getId();
-
- List<XXPolicy> xPolicies = asList(xPolicy);
- List<XXPolicyResource> xResources = daoMgr.getXXPolicyResource().findByPolicyId(policyId);
- List<XXPolicyResourceMap> xResourceMaps = daoMgr.getXXPolicyResourceMap().findByPolicyId(policyId);
- List<XXPolicyItem> xPolicyItems = daoMgr.getXXPolicyItem().findByPolicyId(policyId);
- List<XXPolicyItemUserPerm> xUserPerms = daoMgr.getXXPolicyItemUserPerm().findByPolicyId(policyId);
- List<XXPolicyItemGroupPerm> xGroupPerms = daoMgr.getXXPolicyItemGroupPerm().findByPolicyId(policyId);
- List<XXPolicyItemAccess> xAccesses = daoMgr.getXXPolicyItemAccess().findByPolicyId(policyId);
- List<XXPolicyItemCondition> xConditions = daoMgr.getXXPolicyItemCondition().findByPolicyId(policyId);
- List<XXPolicyItemDataMaskInfo> xDataMaskInfos = daoMgr.getXXPolicyItemDataMaskInfo().findByPolicyId(policyId);
- List<XXPolicyItemRowFilterInfo> xRowFilterInfos = daoMgr.getXXPolicyItemRowFilterInfo().findByPolicyId(policyId);
-
- this.service = xService;
- this.iterPolicy = xPolicies.listIterator();
- this.iterResources = xResources.listIterator();
- this.iterResourceMaps = xResourceMaps.listIterator();
- this.iterPolicyItems = xPolicyItems.listIterator();
- this.iterUserPerms = xUserPerms.listIterator();
- this.iterGroupPerms = xGroupPerms.listIterator();
- this.iterAccesses = xAccesses.listIterator();
- this.iterConditions = xConditions.listIterator();
- this.iterDataMaskInfos = xDataMaskInfos.listIterator();
- this.iterRowFilterInfos = xRowFilterInfos.listIterator();
+ Long policyId = xPolicy.getId();
+
+ lookupCache.setGroupNameMapping(daoMgr.getXXPolicyRefGroup().findUpdatedGroupNamesByPolicy(policyId));
+ lookupCache.setUserNameMapping(daoMgr.getXXPolicyRefUser().findUpdatedUserNamesByPolicy(policyId));
+ lookupCache.setAccessNameMapping(daoMgr.getXXPolicyRefAccessType().findUpdatedAccessNamesByPolicy(policyId));
+ lookupCache.setResourceNameMapping(daoMgr.getXXPolicyRefResource().findUpdatedResourceNamesByPolicy(policyId));
+ lookupCache.setDataMaskNameMapping(daoMgr.getXXPolicyRefDataMaskType().findUpdatedDataMaskNamesByPolicy(policyId));
+ lookupCache.setConditionNameMapping(daoMgr.getXXPolicyRefCondition().findUpdatedConditionNamesByPolicy(policyId));
+
+ this.service = xService;
+ this.iterPolicy = asList(xPolicy).listIterator();
}
RangerPolicy getNextPolicy() {
RangerPolicy ret = null;
- if(iterPolicy.hasNext()) {
+ if (service != null && iterPolicy != null && iterPolicy.hasNext()) {
XXPolicy xPolicy = iterPolicy.next();
- if(xPolicy != null) {
- ret = new RangerPolicy();
-
- ret.setId(xPolicy.getId());
- ret.setGuid(xPolicy.getGuid());
- ret.setIsEnabled(xPolicy.getIsEnabled());
- ret.setCreatedBy(lookupCache.getUserScreenName(xPolicy.getAddedByUserId()));
- ret.setUpdatedBy(lookupCache.getUserScreenName(xPolicy.getUpdatedByUserId()));
- ret.setCreateTime(xPolicy.getCreateTime());
- ret.setUpdateTime(xPolicy.getUpdateTime());
- ret.setVersion(xPolicy.getVersion());
- ret.setService(service == null ? null : service.getName());
- ret.setName(StringUtils.trim(xPolicy.getName()));
- ret.setPolicyType(xPolicy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : xPolicy.getPolicyType());
- ret.setDescription(xPolicy.getDescription());
- ret.setResourceSignature(xPolicy.getResourceSignature());
- ret.setIsAuditEnabled(xPolicy.getIsAuditEnabled());
-
- getResource(ret);
- getPolicyItems(ret);
- }
- }
-
- return ret;
- }
-
- List<RangerPolicy> getAllPolicies() {
- List<RangerPolicy> ret = new ArrayList<RangerPolicy>();
-
- while(iterPolicy.hasNext()) {
- RangerPolicy policy = getNextPolicy();
-
- if(policy != null) {
- ret.add(policy);
- }
- }
-
- if(! hasProcessedAll()) {
- LOG.warn("getAllPolicies(): perhaps one or more policies got updated during retrieval. Falling back to secondary method");
-
- ret = getAllPoliciesBySecondary();
- }
-
- return ret;
- }
-
- List<RangerPolicy> getAllPoliciesBySecondary() {
- List<RangerPolicy> ret = null;
-
- if(service != null) {
- List<XXPolicy> xPolicies = daoMgr.getXXPolicy().findByServiceId(service.getId());
-
- if(CollectionUtils.isNotEmpty(xPolicies)) {
- ret = new ArrayList<RangerPolicy>(xPolicies.size());
-
- for(XXPolicy xPolicy : xPolicies) {
- RetrieverContext ctx = new RetrieverContext(xPolicy, service);
-
- RangerPolicy policy = ctx.getNextPolicy();
-
- if(policy != null) {
- ret.add(policy);
- }
+ if (xPolicy != null) {
+ String policyText = xPolicy.getPolicyText();
+
+ ret = JsonUtils.jsonToObject(policyText, RangerPolicy.class);
+
+ if (ret != null) {
+ ret.setId(xPolicy.getId());
+ ret.setGuid(xPolicy.getGuid());
+ ret.setCreatedBy(lookupCache.getUserScreenName(xPolicy.getAddedByUserId()));
+ ret.setUpdatedBy(lookupCache.getUserScreenName(xPolicy.getUpdatedByUserId()));
+ ret.setCreateTime(xPolicy.getCreateTime());
+ ret.setUpdateTime(xPolicy.getUpdateTime());
+ ret.setVersion(xPolicy.getVersion());
+ ret.setPolicyType(xPolicy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : xPolicy.getPolicyType());
+ ret.setService(service.getName());
+ updatePolicyReferenceFields(ret);
}
}
}
@@ -619,206 +477,121 @@ public class RangerPolicyRetriever {
return ret;
}
- private boolean hasProcessedAll() {
- boolean moreToProcess = iterPolicy.hasNext()
- || iterResources.hasNext()
- || iterResourceMaps.hasNext()
- || iterPolicyItems.hasNext()
- || iterUserPerms.hasNext()
- || iterGroupPerms.hasNext()
- || iterAccesses.hasNext()
- || iterConditions.hasNext()
- || iterDataMaskInfos.hasNext()
- || iterRowFilterInfos.hasNext();
-
- return !moreToProcess;
- }
+ void updatePolicyReferenceFields(final RangerPolicy policy) {
+ final Long policyId = policy.getId();
- private void getResource(RangerPolicy policy) {
- while(iterResources.hasNext()) {
- XXPolicyResource xResource = iterResources.next();
+ Map<String, String> policyResourceNameMap = lookupCache.resourceMappingsPerPolicy.get(policyId);
- if(xResource.getPolicyid().equals(policy.getId())) {
- RangerPolicyResource resource = new RangerPolicyResource();
+ if (MapUtils.isNotEmpty(policyResourceNameMap) && CollectionUtils.containsAny(policyResourceNameMap.keySet(), policy.getResources().keySet())) {
+ Map<String, RangerPolicyResource> updatedResources = new HashMap<>();
- resource.setIsExcludes(xResource.getIsexcludes());
- resource.setIsRecursive(xResource.getIsrecursive());
+ for (Map.Entry<String, RangerPolicyResource> entry : policy.getResources().entrySet()) {
+ String resourceName = entry.getKey();
+ RangerPolicyResource policyResource = entry.getValue();
+ String updatedName = policyResourceNameMap.get(resourceName);
- while(iterResourceMaps.hasNext()) {
- XXPolicyResourceMap xResourceMap = iterResourceMaps.next();
-
- if(xResourceMap.getResourceid().equals(xResource.getId())) {
- resource.getValues().add(xResourceMap.getValue());
- } else {
- if(iterResourceMaps.hasPrevious()) {
- iterResourceMaps.previous();
- }
- break;
- }
+ if (updatedName == null) {
+ updatedName = resourceName;
}
- policy.getResources().put(lookupCache.getResourceName(xResource.getResdefid()), resource);
- } else if(xResource.getPolicyid().compareTo(policy.getId()) > 0) {
- if(iterResources.hasPrevious()) {
- iterResources.previous();
- }
- break;
+ updatedResources.put(updatedName, policyResource);
}
+
+ policy.setResources(updatedResources);
}
- }
- private void getPolicyItems(RangerPolicy policy) {
- while(iterPolicyItems.hasNext()) {
- XXPolicyItem xPolicyItem = iterPolicyItems.next();
+ for (List<? extends RangerPolicyItem> policyItems : PolicyRefUpdater.getAllPolicyItems(policy)) {
+ if (CollectionUtils.isEmpty(policyItems)) {
+ continue;
+ }
- if(xPolicyItem.getPolicyid().equals(policy.getId())) {
- final RangerPolicyItem policyItem;
- final RangerDataMaskPolicyItem dataMaskPolicyItem;
- final RangerRowFilterPolicyItem rowFilterPolicyItem;
+ for (RangerPolicyItem policyItem : policyItems) {
+ if (lookupCache.groupMappingsPerPolicy.containsKey(policyId)) {
+ List<String> updatedGroups = getUpdatedNames(lookupCache.groupMappingsPerPolicy, policyId, policyItem.getGroups());
- if(xPolicyItem.getItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK) {
- dataMaskPolicyItem = new RangerDataMaskPolicyItem();
- rowFilterPolicyItem = null;
- policyItem = dataMaskPolicyItem;
- } else if(xPolicyItem.getItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER) {
- dataMaskPolicyItem = null;
- rowFilterPolicyItem = new RangerRowFilterPolicyItem();
- policyItem = rowFilterPolicyItem;
- } else {
- dataMaskPolicyItem = null;
- rowFilterPolicyItem = null;
- policyItem = new RangerPolicyItem();
+ if (updatedGroups != null) {
+ policyItem.setGroups(updatedGroups);
+ }
}
+ if (lookupCache.userMappingsPerPolicy.containsKey(policyId)) {
+ List<String> updatedUsers = getUpdatedNames(lookupCache.userMappingsPerPolicy, policyId, policyItem.getUsers());
- while(iterAccesses.hasNext()) {
- XXPolicyItemAccess xAccess = iterAccesses.next();
-
- if(xAccess.getPolicyitemid().equals(xPolicyItem.getId())) {
- policyItem.getAccesses().add(new RangerPolicyItemAccess(lookupCache.getAccessType(xAccess.getType()), xAccess.getIsallowed()));
- } else {
- if(iterAccesses.hasPrevious()) {
- iterAccesses.previous();
- }
- break;
+ if (updatedUsers != null) {
+ policyItem.setUsers(updatedUsers);
}
}
- while(iterUserPerms.hasNext()) {
- XXPolicyItemUserPerm xUserPerm = iterUserPerms.next();
+ if (lookupCache.accessMappingsPerPolicy.containsKey(policyId)) {
+ for (RangerPolicyItemAccess itemAccess : policyItem.getAccesses()) {
+ String updatedName = lookupCache.getMappedName(lookupCache.accessMappingsPerPolicy, policyId, itemAccess.getType());
- if(xUserPerm.getPolicyitemid().equals(xPolicyItem.getId())) {
- String userName = lookupCache.getUserName(xUserPerm.getUserid());
- if (userName != null) {
- policyItem.getUsers().add(userName);
+ if (updatedName != null) {
+ itemAccess.setType(updatedName);
}
- } else {
- if(iterUserPerms.hasPrevious()) {
- iterUserPerms.previous();
- }
- break;
}
}
- while(iterGroupPerms.hasNext()) {
- XXPolicyItemGroupPerm xGroupPerm = iterGroupPerms.next();
+ if (lookupCache.conditionMappingsPerPolicy.containsKey(policyId)) {
+ for (RangerPolicyItemCondition condition : policyItem.getConditions()) {
+ String updatedName = lookupCache.getMappedName(lookupCache.conditionMappingsPerPolicy, policyId, condition.getType());
- if(xGroupPerm.getPolicyitemid().equals(xPolicyItem.getId())) {
- String groupName = lookupCache.getGroupName(xGroupPerm.getGroupid());
- if (groupName != null) {
- policyItem.getGroups().add(groupName);
- }
- } else {
- if(iterGroupPerms.hasPrevious()) {
- iterGroupPerms.previous();
+ if (updatedName != null) {
+ condition.setType(updatedName);
}
- break;
}
}
- RangerPolicyItemCondition condition = null;
- Long prevConditionType = null;
- while(iterConditions.hasNext()) {
- XXPolicyItemCondition xCondition = iterConditions.next();
+ if (policyItem instanceof RangerDataMaskPolicyItem && lookupCache.dataMaskMappingsPerPolicy.containsKey(policyId)) {
+ RangerDataMaskPolicyItem dataMaskItem = (RangerDataMaskPolicyItem) policyItem;
+ String updatedName = lookupCache.getMappedName(lookupCache.dataMaskMappingsPerPolicy, policyId, dataMaskItem.getDataMaskInfo().getDataMaskType());
- if(xCondition.getPolicyitemid().equals(xPolicyItem.getId())) {
- if(! xCondition.getType().equals(prevConditionType)) {
- condition = new RangerPolicyItemCondition();
- condition.setType(lookupCache.getConditionType(xCondition.getType()));
- condition.getValues().add(xCondition.getValue());
-
- policyItem.getConditions().add(condition);
-
- prevConditionType = xCondition.getType();
- } else {
- condition.getValues().add(xCondition.getValue());
- }
- } else {
- if(iterConditions.hasPrevious()) {
- iterConditions.previous();
- }
- break;
+ if (updatedName != null) {
+ dataMaskItem.getDataMaskInfo().setDataMaskType(updatedName);
}
}
+ }
+ }
+ }
- policyItem.setDelegateAdmin(xPolicyItem.getDelegateAdmin());
+ List<String> getUpdatedNames(final Map<Long, Map<String, String>> nameMappingContainer, final Long policyId, final List<String> namesToMap) {
+ List<String> ret = null;
+ Map<String, String> policyNameMap = nameMappingContainer.get(policyId);
- if(dataMaskPolicyItem != null) {
- while (iterDataMaskInfos.hasNext()) {
- XXPolicyItemDataMaskInfo xDataMaskInfo = iterDataMaskInfos.next();
+ if (MapUtils.isNotEmpty(policyNameMap) && CollectionUtils.containsAny(policyNameMap.keySet(), namesToMap)) {
+ ret = new ArrayList<>();
- if (xDataMaskInfo.getPolicyItemId().equals(xPolicyItem.getId())) {
- dataMaskPolicyItem.setDataMaskInfo(new RangerPolicyItemDataMaskInfo(lookupCache.getDataMaskName(xDataMaskInfo.getType()), xDataMaskInfo.getConditionExpr(), xDataMaskInfo.getValueExpr()));
- } else {
- if (iterDataMaskInfos.hasPrevious()) {
- iterDataMaskInfos.previous();
- }
- break;
- }
- }
+ for (String nameToMap : namesToMap) {
+ String mappedName = policyNameMap.get(nameToMap);
+
+ if (mappedName != null) {
+ ret.add(mappedName);
+ } else {
+ ret.add(nameToMap);
}
+ }
- if(rowFilterPolicyItem != null) {
- while (iterRowFilterInfos.hasNext()) {
- XXPolicyItemRowFilterInfo xRowFilterInfo = iterRowFilterInfos.next();
+ }
- if (xRowFilterInfo.getPolicyItemId().equals(xPolicyItem.getId())) {
- rowFilterPolicyItem.setRowFilterInfo(new RangerPolicyItemRowFilterInfo(xRowFilterInfo.getFilterExpr()));
- } else {
- if (iterRowFilterInfos.hasPrevious()) {
- iterRowFilterInfos.previous();
- }
- break;
- }
- }
- }
+ return ret;
+ }
+ List<RangerPolicy> getAllPolicies() {
+ List<RangerPolicy> ret = new ArrayList<>();
- int itemType = xPolicyItem.getItemType() == null ? RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW : xPolicyItem.getItemType();
-
- if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW) {
- policy.getPolicyItems().add(policyItem);
- } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) {
- policy.getDenyPolicyItems().add(policyItem);
- } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS) {
- policy.getAllowExceptions().add(policyItem);
- } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS) {
- policy.getDenyExceptions().add(policyItem);
- } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK) {
- policy.getDataMaskPolicyItems().add(dataMaskPolicyItem);
- } else if(itemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER) {
- policy.getRowFilterPolicyItems().add(rowFilterPolicyItem);
- } else { // unknown itemType
- LOG.warn("RangerPolicyRetriever.getPolicy(policyId=" + policy.getId() + "): ignoring unknown policyItemType " + itemType);
- }
- } else if(xPolicyItem.getPolicyid().compareTo(policy.getId()) > 0) {
- if(iterPolicyItems.hasPrevious()) {
- iterPolicyItems.previous();
+ if (iterPolicy != null) {
+ while (iterPolicy.hasNext()) {
+ RangerPolicy policy = getNextPolicy();
+
+ if (policy != null) {
+ ret.add(policy);
}
- break;
}
}
+
+ return ret;
}
}
+
}