Posted to commits@ranger.apache.org by ma...@apache.org on 2015/05/27 03:30:41 UTC
incubator-ranger git commit: Made OptimizedPolicyEvaluator as default;
changed RangerPolicy.isFinal to a bit-map. Tested passing Java map to basic
JavaScript engine.
Repository: incubator-ranger
Updated Branches:
refs/heads/tag-policy d8f7a9605 -> 51fba28de
Made OptimizedPolicyEvaluator as default; changed RangerPolicy.isFinal to a bit-map. Tested passing Java map to basic JavaScript engine.
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/51fba28d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/51fba28d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/51fba28d
Branch: refs/heads/tag-policy
Commit: 51fba28de89992a92e06804711823370a3e674b9
Parents: d8f7a96
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Mon May 25 18:26:44 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Tue May 26 18:24:08 2015 -0700
----------------------------------------------------------------------
.../RangerTagAttributeEvaluator.java | 130 ++++++++++++++++++-
...gerTagAttributeEvaluatorResultProcessor.java | 30 +++++
.../ScriptingLanguageFinderUtil.java | 35 +++++
.../ranger/plugin/model/RangerPolicy.java | 26 +++-
.../ranger/plugin/model/RangerResource.java | 36 +++++
.../policyengine/RangerPolicyEngineImpl.java | 2 +-
.../policyengine/RangerPolicyRepository.java | 7 +-
.../RangerDefaultPolicyEvaluator.java | 6 +-
.../RangerOptimizedPolicyEvaluator.java | 6 +
.../policyevaluator/RangerPolicyEvaluator.java | 2 +-
.../policyengine/test_policyengine_hdfs.json | 9 +-
11 files changed, 267 insertions(+), 22 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java
index 324ae4c..1f12bb8 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java
@@ -19,31 +19,155 @@
package org.apache.ranger.plugin.conditionevaluator;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerResource;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
+import javax.script.ScriptException;
+import java.util.List;
+import java.util.Map;
public class RangerTagAttributeEvaluator extends RangerAbstractConditionEvaluator {
private static final Log LOG = LogFactory.getLog(RangerTagAttributeEvaluator.class);
+ private ScriptEngine scriptEngine;
+
@Override
public void init() {
+
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerTagAttributeEvaluator.init(" + condition + ")");
}
super.init();
+
+ Map<String, String> evalOptions = conditionDef.getEvaluatorOptions();
+
+ if (evalOptions != null) {
+ String engineType = evalOptions.get("interpreter");
+ if (StringUtils.equals(engineType, "JavaScript")) {
+ ScriptEngineManager manager = new ScriptEngineManager();
+ scriptEngine = manager.getEngineByName("JavaScript");
+ }
+ }
+
+ //scriptEngine.put("conditionDef", conditionDef);
+ //scriptEngine.put("condition", condition);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerTagAttributeEvaluator.init(" + condition + ")");
+ }
}
@Override
public boolean isMatched(RangerAccessRequest request) {
// TODO
// Set up environment: selected parts of request
- // Invoke python interpreter
if (LOG.isDebugEnabled()) {
- LOG.debug("RangerTagAttributeEvaluator.isMatched()");
+ LOG.debug("==>RangerTagAttributeEvaluator.isMatched()");
+ }
+
+ Map<String, Object> requestContext = request.getContext();
+
+ @SuppressWarnings("unchecked")
+ RangerResource.RangerResourceTag tagObject = (RangerResource.RangerResourceTag)requestContext.get(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT);
+
+ if (tagObject == null) {
+ LOG.error("RangerTagAttributeEvalator.isMatched(), No tag object found in the context. Weird!!!!");
+ return false;
+ }
+
+ String tagAsJSON = tagObject.getJSONRepresentation();
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerTagAttributeEvaluator.isMatched(), tagObject as JSON=" + tagAsJSON);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerTagAttributeEvaluator.isMatched(), tagObject=" + tagObject);
+ }
+
+ RangerTagAttributeEvaluatorResultProcessor resultProcessor = new RangerTagAttributeEvaluatorResultProcessor();
+
+ /*
+ Map<String, String> map = new HashMap<String, String>();
+ map.put("bye", "now");
+ */
+ /*
+ // Convert it to a NativeObject (yes, this could have been done directly)
+ NativeObject nobj = new NativeObject();
+ for (Map.Entry<String, String> entry : map.entrySet()) {
+ nobj.defineProperty(entry.getKey(), entry.getValue(), NativeObject.READONLY);
}
+
+ // Place native object into the context
+ scriptEngine.put("map", nobj);
+ */
+
+ /*
+ try {
+ //scriptEngine.eval("println(map.bye)");
+
+ scriptEngine.eval("var map = " + new Gson().toJson(map) + ";\n"
+ + "println(map.bye);");
+ } catch (Exception e) {
+ System.out.println("Failed");
+ }
+ System.out.println("Succeeded");
return true;
- }
+ */
+
+ // Place remaining objects directly into context
+ /*
+ scriptEngine.put("tagName", tagObject.getName());
+ scriptEngine.put("request", request);
+ */
+ scriptEngine.put("result", resultProcessor);
+
+ String preamble = "var tag = " + tagAsJSON +";\n";
+
+ List<String> values = condition.getValues();
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerTagAttributeEvaluator.isMatched(), values=" + values);
+ }
+
+ if (!CollectionUtils.isEmpty(values)) {
+ String script = values.get(0);
+
+ if (!StringUtils.isEmpty(script)) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerTagAttributeEvaluator.isMatched(), evaluating script '" + script +"'");
+ }
+ if (scriptEngine != null) {
+ try {
+ scriptEngine.eval(preamble+script);
+ } catch (ScriptException exception) {
+ LOG.error("RangerTagAttributeEvaluator.isMatched(): failed to evaluate script," +
+ " exception=" + exception);
+ }
+ } else {
+ LOG.error("RangerTagAttributeEvaluator.isMatched(), No engine to evaluate script '" + script + "'");
+ resultProcessor.setFailed();
+ }
+
+ }
+
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==RangerTagAttributeEvaluator.isMatched(), result=" + resultProcessor.getResult());
+ }
+
+ return resultProcessor.getResult();
+
+ }
}
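Review bot: In isMatched(), `scriptEngine.put("result", resultProcessor);` runs before the `if (scriptEngine != null)` check, so a condition whose `interpreter` option is anything other than "JavaScript" (init() leaves the field null in that case) throws a NullPointerException instead of reaching the "No engine" branch; the put belongs inside the null check. The `catch (ScriptException exception)` block only logs, so a script that calls `result.setSucceeded()` and then throws still returns a match; adding `resultProcessor.setFailed();` there makes evaluation errors fail closed. The engine is a single instance field and `result` is bound into it per request, so if isMatched() can be called concurrently one request's script could write another request's outcome; that depends on callers outside this hunk and is worth confirming. The script text is taken from the policy condition values and evaluated with no restriction on what it can reach, so the trust placed in policy authors should be documented on the class.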
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java
new file mode 100644
index 0000000..0deeefc
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.conditionevaluator;
+
+public class RangerTagAttributeEvaluatorResultProcessor {
+ private boolean result = false;
+
+ RangerTagAttributeEvaluatorResultProcessor() {}
+
+ public void setSucceeded() { this.result = true; }
+ public void setFailed() { this.result = false; }
+ boolean getResult() { return this.result; }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java
new file mode 100644
index 0000000..bd6b435
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java
@@ -0,0 +1,35 @@
+package org.apache.ranger.plugin.conditionevaluator;
+
+import java.util.*;
+import javax.script.*;
+
+public class ScriptingLanguageFinderUtil {
+
+ public static void main( String[] args ) {
+
+ ScriptEngineManager mgr = new ScriptEngineManager();
+ List<ScriptEngineFactory> factories = mgr.getEngineFactories();
+
+ for (ScriptEngineFactory factory : factories) {
+
+ System.out.println("ScriptEngineFactory Info");
+
+ String engName = factory.getEngineName();
+ String engVersion = factory.getEngineVersion();
+ String langName = factory.getLanguageName();
+ String langVersion = factory.getLanguageVersion();
+
+ System.out.printf("\tScript Engine: %s (%s)%n", engName, engVersion);
+
+ List<String> engNames = factory.getNames();
+ for(String name : engNames) {
+ System.out.printf("\tEngine Alias: %s%n", name);
+ }
+
+ System.out.printf("\tLanguage: %s (%s)%n", langName, langVersion);
+
+ }
+
+ }
+
+}
\ No newline at end of file
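Review bot: This new file has no ASF license header, unlike RangerTagAttributeEvaluatorResultProcessor.java added in the same commit, and it places a `main()` diagnostic that prints the installed script engines under `src/main`, so it ships with the plugin. If it is only a development aid, moving it under `src/test` keeps it out of the agent jar; either way add the header and a class comment such as `/** Lists the javax.script engines available in this JVM; development aid only. */`. The wildcard imports `java.util.*` and `javax.script.*` could be replaced by the three types actually used.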
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index d634ea7..6d9c929 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -41,13 +41,18 @@ import org.codehaus.jackson.map.annotate.JsonSerialize;
@XmlRootElement
@XmlAccessorType(XmlAccessType.FIELD)
public class RangerPolicy extends RangerBaseModelObject implements java.io.Serializable {
- public static final int FINAL_ACCESS_DECIDER_POLICY_TYPE = 1;
+ // For future use
private static final long serialVersionUID = 1L;
+ public static final int POLICY_TYPE_DEFAULT = 0x0;
+ public static final int POLICY_TYPE_FINAL = 0x1 << 0;
+ public static final int POLICY_TYPE_DENIER = 0x1 << 1;
+
+
private String service = null;
private String name = null;
- private Integer policyType = null;
+ private Integer policyType = POLICY_TYPE_DEFAULT;
private String description = null;
private String resourceSignature = null;
private Boolean isAuditEnabled = null;
@@ -59,7 +64,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
* @param
*/
public RangerPolicy() {
- this(null, null, null, null, null, null, null);
+ this(null, null, POLICY_TYPE_DEFAULT, null, null, null, null);
}
/**
@@ -212,6 +217,14 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
}
}
+ final public void setPolicyTypeDefault() {
+ policyType = POLICY_TYPE_DEFAULT;
+ }
+
+ final public void setPolicyTypeFinal() {
+ this.policyType |= POLICY_TYPE_FINAL;
+ }
+
/**
* @return the policyItems
*/
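Review bot: `this.policyType |= POLICY_TYPE_FINAL;` in setPolicyTypeFinal() unboxes an `Integer` field, so it throws a NullPointerException whenever policyType is null. The new isPolicyTypeFinal() in this commit still checks for null, which suggests null is expected to be possible (for example through the constructor argument or a setter outside this hunk). A null-tolerant form is `policyType = (policyType == null ? POLICY_TYPE_DEFAULT : policyType) | POLICY_TYPE_FINAL;`. Both new setters also lack the Javadoc the neighbouring accessors have.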
@@ -240,14 +253,17 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
}
}
- public boolean isFinalDecider() {
+ final public boolean isPolicyTypeFinal() {
boolean isFinalDecidingPolicy = true;
- if (getPolicyType() == null || getPolicyType() != FINAL_ACCESS_DECIDER_POLICY_TYPE) {
+ if (this.policyType == null) {
+ isFinalDecidingPolicy = false;
+ } else if ((this.policyType.intValue() & POLICY_TYPE_FINAL) == 0x0) {
isFinalDecidingPolicy = false;
}
return isFinalDecidingPolicy;
}
+
@Override
public String toString( ) {
StringBuilder sb = new StringBuilder();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java
index 23bb098..2ffedbe 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java
@@ -19,7 +19,11 @@
package org.apache.ranger.plugin.model;
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import org.apache.commons.lang.StringUtils;
import org.codehaus.jackson.annotate.JsonAutoDetect;
+import org.codehaus.jackson.annotate.JsonIgnore;
import org.codehaus.jackson.annotate.JsonIgnoreProperties;
import org.codehaus.jackson.map.annotate.JsonSerialize;
@@ -111,9 +115,20 @@ public class RangerResource extends RangerBaseModelObject {
public static class RangerResourceTag implements java.io.Serializable {
+ private static Gson gsonBuilder;
+
private String name = null;
private Map<String, Object> attributeValues = null; // Will be JSON string with (name, value) pairs of tag attributes in database
+ @JsonIgnore
+ private transient String jSONRepresentation = null;
+
+ static {
+ gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
+ .setPrettyPrinting()
+ .create();
+ }
+
public RangerResourceTag(String name, Map<String, Object> attributeValues) {
super();
setName(name);
@@ -134,10 +149,31 @@ public class RangerResource extends RangerBaseModelObject {
public void setName(String name) {
this.name = name;
+ this.jSONRepresentation = null;
}
public void setAttributeValues(Map<String, Object> attributeValues) {
this.attributeValues = attributeValues;
+ this.jSONRepresentation = null;
+ }
+
+ public String getJSONRepresentation() {
+ if (StringUtils.isEmpty(jSONRepresentation)) {
+ jSONRepresentation = gsonBuilder.toJson(this);
+ }
+ return jSONRepresentation;
+ }
+ public RangerResourceTag deepCopy() {
+
+ RangerResourceTag tag;
+
+ if (StringUtils.isEmpty(getJSONRepresentation())) {
+ tag = new RangerResourceTag();
+ } else {
+ tag = gsonBuilder.fromJson(jSONRepresentation, this.getClass());
+ }
+
+ return tag;
}
}
}
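Review bot: The cached `jSONRepresentation` is cleared only in setName() and setAttributeValues(), so a caller that changes the `attributeValues` map in place after the first getJSONRepresentation() call keeps getting the old JSON. RangerTagAttributeEvaluator in this commit builds the condition script's `tag` object from that string, so a stale cache would mean conditions are evaluated against outdated attributes; whether the map is reachable from outside is not visible in this hunk. Storing an unmodifiable copy in setAttributeValues() (and returning it from the getter) would close the gap. In deepCopy(), the `StringUtils.isEmpty(getJSONRepresentation())` branch looks unreachable because Gson's toJson() on a non-null object returns at least `{}`, and the Gson round trip will presumably not preserve value types in the `Map<String, Object>` (numbers come back as Double), so a comment stating that deepCopy() is lossy would help.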
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 0dc7981..7b6eb35 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -393,7 +393,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
evaluator.evaluate(tagEvalRequest, tagEvalResult);
- if (evaluator.isFinalDecider() ||
+ if (evaluator.isFinal() ||
(tagEvalResult.getIsAccessDetermined() && tagEvalResult.getIsAuditedDetermined())) {
if (LOG.isDebugEnabled()) {
LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval for tag-policy-id=" + tagEvalResult.getPolicyId() + " for tag (" + resourceTag.getName() + ") with authorization=" + tagEvalResult.getIsAllowed());
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index c1c71f0..cc90abc 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -28,7 +28,6 @@ import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyevaluator.RangerCachedPolicyEvaluator;
-import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.util.ServicePolicies;
@@ -201,13 +200,11 @@ public class RangerPolicyRepository {
RangerPolicyEvaluator ret;
if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_DEFAULT)) {
- ret = new RangerDefaultPolicyEvaluator();
+ ret = new RangerOptimizedPolicyEvaluator();
} else if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED)) {
ret = new RangerOptimizedPolicyEvaluator();
- } else if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED)) {
- ret = new RangerCachedPolicyEvaluator();
} else {
- ret = new RangerDefaultPolicyEvaluator();
+ ret = new RangerCachedPolicyEvaluator();
}
ret.init(policy, serviceDef, options);
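Review bot: The final `else` now returns `new RangerCachedPolicyEvaluator()`, so any unrecognised or null `options.evaluatorType` silently selects the cached evaluator, where it previously fell back to RangerDefaultPolicyEvaluator; that does not match the commit's stated intent of making the optimized evaluator the default. Keeping the explicit branch, `} else if (StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED)) {` with `ret = new RangerCachedPolicyEvaluator();`, and ending with `} else { ret = new RangerOptimizedPolicyEvaluator(); }` would keep the fallback predictable. The first two branches now construct the same class and could be merged. The enclosing method starts and ends outside this hunk.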
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index fe98c4b..6b577f0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -226,7 +226,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
boolean matchResult = false;
boolean isHeadMatchAttempted = false;
boolean headMatchResult = false;
- final boolean isPolicyFinalDecider = isFinalDecider();
+ final boolean isPolicyFinalDecider = isFinal();
if (!result.getIsAuditedDetermined()) {
// Need to match request.resource first. If it matches (or head matches), then only more progress can be made
@@ -876,7 +876,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return ret;
}
@Override
- public boolean isFinalDecider() {
- return getPolicy().isFinalDecider();
+ public boolean isFinal() {
+ return getPolicy().isPolicyTypeFinal();
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
index 26d5223..24ad15d 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
@@ -54,6 +54,8 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
private static final int RANGER_POLICY_EVAL_IS_RECURSIVE_PREMIUM = 25;
private static final int RANGER_POLICY_EVAL_PUBLIC_GROUP_ACCESS_PREMIUM = 25;
private static final int RANGER_POLICY_EVAL_ALL_ACCESS_TYPES_PREMIUM = 25;
+ private static final int RANGER_POLICY_EVAL_FINAL_POLICY_PREMIUM = 400;
+
private static final int RANGER_POLICY_EVAL_RESERVED_SLOTS_NUMBER = 10000;
private static final int RANGER_POLICY_EVAL_RESERVED_SLOTS_PER_LEVEL_NUMBER = 1000;
@@ -196,6 +198,10 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
priorityLevel -= Math.round(((float)RANGER_POLICY_EVAL_ALL_ACCESS_TYPES_PREMIUM * accessPerms.size()) / serviceDef.getAccessTypes().size());
+ if (policy.isPolicyTypeFinal()) {
+ priorityLevel -= RANGER_POLICY_EVAL_FINAL_POLICY_PREMIUM;
+ }
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerOptimizedPolicyEvaluator.computeEvalOrder(), policyName:" + policy.getName() + ", priority:" + priorityLevel);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index b018f3a..4bc5809 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -57,5 +57,5 @@ public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator>
boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType);
- boolean isFinalDecider();
+ boolean isFinal();
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index 4ef634c..ea2c87a 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -91,9 +91,9 @@
"itemId":1,
"name":"Default_TagAttributeValueEvaluator",
"evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerTagAttributeEvaluator",
- "evaluatorOptions" : {"interpreter":"python"},
- "label":"Python-Script",
- "description": "Python script to execute"
+ "evaluatorOptions" : {"interpreter":"JavaScript"},
+ "label":"JavaScript script",
+ "description": "JavaScript script to execute"
}
]
},
@@ -102,7 +102,8 @@
"resources":{"tag":{"values":["restricte?"],"isRecursive":false}},
"policyItems":[
{"accesses":[{"type":"hdfs:read","isAllowed":true}],"users":["user1"],"groups":["finance"],"delegateAdmin":false,
- "conditions" : [{"type":"Default_TagAttributeValueEvaluator", "values":["Test_Script"]}]}
+ "conditions" : [{"type":"Default_TagAttributeValueEvaluator", "values":[
+ "result.setFailed(); var tagName = tag.name; var attrValues = tag.attributeValues; var expiryDate = attrValues[\"expiry_date\"]; println(expiryDate); result.setSucceeded();"]}]}
]
}
,
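Review bot: The test condition script calls `println(expiryDate)`, which I believe is a built-in of the Rhino-based JDK engine only; under Nashorn (which provides `print`) it would raise a ReferenceError before `result.setSucceeded()` is reached, and isMatched() would log the error and return false. Dropping the debugging call, or using `print`, keeps the test independent of the JDK's script engine. The script also sets success unconditionally after reading `expiry_date`, so it exercises the plumbing but not an actual attribute comparison.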