Posted to commits@ranger.apache.org by ma...@apache.org on 2015/05/29 05:40:38 UTC
incubator-ranger git commit: RANGER-274: added
RangerScriptConditionEvaluator and related updates (read-only
request/resource/context/tags objects, etc)
Repository: incubator-ranger
Updated Branches:
refs/heads/tag-policy c8c98ea97 -> 525fd59ce
RANGER-274: added RangerScriptConditionEvaluator and related updates (read-only request/resource/context/tags objects, etc)
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/525fd59c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/525fd59c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/525fd59c
Branch: refs/heads/tag-policy
Commit: 525fd59ce576f9a002d817938214ce36aa3ab10b
Parents: c8c98ea
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Wed May 27 17:34:04 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu May 28 20:31:49 2015 -0700
----------------------------------------------------------------------
.../RangerScriptConditionEvaluator.java | 137 +++++++++++++++
.../RangerTagAttributeEvaluator.java | 173 -------------------
...gerTagAttributeEvaluatorResultProcessor.java | 30 ----
.../ScriptingLanguageFinderUtil.java | 35 ----
.../RangerFileBasedTagProvider.java | 3 +-
.../ranger/plugin/model/RangerPolicy.java | 10 +-
.../ranger/plugin/model/RangerResource.java | 107 ++++--------
.../policyengine/RangerAccessRequest.java | 2 +
.../policyengine/RangerAccessRequestImpl.java | 4 +
.../RangerAccessRequestReadOnly.java | 86 +++++++++
.../policyengine/RangerAccessResource.java | 2 +
.../policyengine/RangerAccessResourceImpl.java | 5 +
.../RangerAccessResourceReadOnly.java | 57 ++++++
.../plugin/policyengine/RangerPolicyEngine.java | 2 +
.../policyengine/RangerPolicyEngineImpl.java | 10 +-
.../RangerDefaultPolicyEvaluator.java | 4 +-
.../ranger/plugin/store/TagPredicateUtil.java | 2 +-
.../ranger/plugin/store/file/TagFileStore.java | 83 ++++-----
.../policyengine/test_policyengine_hdfs.json | 26 ++-
.../java/org/apache/ranger/rest/TagREST.java | 57 +++---
20 files changed, 423 insertions(+), 412 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
new file mode 100644
index 0000000..558e35e
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
@@ -0,0 +1,137 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.conditionevaluator;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerResource;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+
+import javax.script.Bindings;
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
+import javax.script.ScriptException;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+
+public class RangerScriptConditionEvaluator extends RangerAbstractConditionEvaluator {
+ private static final Log LOG = LogFactory.getLog(RangerScriptConditionEvaluator.class);
+
+ private ScriptEngine scriptEngine;
+
+ @Override
+ public void init() {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerScriptConditionEvaluator.init(" + condition + ")");
+ }
+
+ super.init();
+
+ String engineName = "JavaScript";
+
+ Map<String, String> evalOptions = conditionDef. getEvaluatorOptions();
+
+ if (MapUtils.isNotEmpty(evalOptions)) {
+ engineName = evalOptions.get("engineName");
+ }
+
+ if (StringUtils.isBlank(engineName)) {
+ engineName = "JavaScript";
+ }
+
+ ScriptEngineManager manager = new ScriptEngineManager();
+ scriptEngine = manager.getEngineByName(engineName);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerScriptConditionEvaluator.init(" + condition + ")");
+ }
+ }
+
+ @Override
+ public boolean isMatched(RangerAccessRequest request) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>RangerScriptConditionEvaluator.isMatched()");
+ }
+
+ Boolean result = false;
+
+ List<String> values = condition.getValues();
+
+ if (!CollectionUtils.isEmpty(values)) {
+
+ // Evaluate the first string
+ String value = values.get(0);
+ if (StringUtils.isNotBlank(value)) {
+
+ RangerAccessRequest readOnlyRequest = request.getReadOnlyCopy();
+
+ @SuppressWarnings("unchecked")
+ List<RangerResource.RangerResourceTag> tagsList = (List <RangerResource.RangerResourceTag>)readOnlyRequest.getContext().get("TAGS");
+
+ Bindings bindings = scriptEngine.createBindings();
+
+ if (CollectionUtils.isNotEmpty(tagsList)) {
+ List<RangerResource.RangerResourceTag> readOnlyTags = Collections.unmodifiableList(tagsList);
+ bindings.put("tags", readOnlyTags);
+ }
+
+ bindings.put("request", readOnlyRequest);
+ bindings.put("ctx", readOnlyRequest.getContext());
+ bindings.put("result", result);
+
+ String script = value.trim();
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerScriptConditionEvaluator.isMatched(): script={" + script + "}");
+ }
+ try {
+
+ Object ret = scriptEngine.eval(script, bindings);
+
+ if (ret == null) {
+ ret = bindings.get("result");
+ }
+ if (ret != null && ret instanceof Boolean) {
+ result = (Boolean) ret;
+ }
+
+ } catch (NullPointerException nullp) {
+ LOG.error("RangerScriptConditionEvaluator.isMatched(): eval called with NULL argument(s)");
+
+ } catch (ScriptException exception) {
+ LOG.error("RangerScriptConditionEvaluator.isMatched(): failed to evaluate script," +
+ " exception=" + exception);
+ }
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==RangerScriptConditionEvaluator.isMatched(), result=" + result);
+ }
+
+ return result;
+
+ }
+}
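Review bot: `scriptEngine` is used unchecked in isMatched(): `manager.getEngineByName(engineName)` in init() returns null when no engine is registered under the configured name, and `scriptEngine.createBindings()` sits before the `try`, so the resulting NullPointerException escapes the evaluator instead of producing a logged non-match (the RangerTagAttributeEvaluator this file replaces guarded with `if (scriptEngine != null)`). I would log an error in init() when the lookup fails and add `if (scriptEngine == null) { return false; }` at the top of isMatched(). The engine is also created with default settings and evaluates the condition text as-is, so the read-only `request`/`ctx`/`tags` bindings limit mutation through those objects but do not by themselves confine what a script can reach in the JVM; a class comment stating that condition scripts are trusted policy-author input, or a restricted engine configuration, would make that boundary explicit. The literal `"TAGS"` should presumably be `RangerPolicyEngine.KEY_CONTEXT_TAGS`, the constant RangerFileBasedTagProvider uses when it stores the list.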
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java
deleted file mode 100644
index 1f12bb8..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.conditionevaluator;
-
-import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.ranger.plugin.model.RangerResource;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
-
-import javax.script.ScriptEngine;
-import javax.script.ScriptEngineManager;
-import javax.script.ScriptException;
-import java.util.List;
-import java.util.Map;
-
-public class RangerTagAttributeEvaluator extends RangerAbstractConditionEvaluator {
- private static final Log LOG = LogFactory.getLog(RangerTagAttributeEvaluator.class);
-
- private ScriptEngine scriptEngine;
-
- @Override
- public void init() {
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerTagAttributeEvaluator.init(" + condition + ")");
- }
-
- super.init();
-
- Map<String, String> evalOptions = conditionDef.getEvaluatorOptions();
-
- if (evalOptions != null) {
- String engineType = evalOptions.get("interpreter");
- if (StringUtils.equals(engineType, "JavaScript")) {
- ScriptEngineManager manager = new ScriptEngineManager();
- scriptEngine = manager.getEngineByName("JavaScript");
- }
- }
-
- //scriptEngine.put("conditionDef", conditionDef);
- //scriptEngine.put("condition", condition);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerTagAttributeEvaluator.init(" + condition + ")");
- }
- }
-
- @Override
- public boolean isMatched(RangerAccessRequest request) {
- // TODO
- // Set up environment: selected parts of request
- if (LOG.isDebugEnabled()) {
- LOG.debug("==>RangerTagAttributeEvaluator.isMatched()");
- }
-
- Map<String, Object> requestContext = request.getContext();
-
- @SuppressWarnings("unchecked")
- RangerResource.RangerResourceTag tagObject = (RangerResource.RangerResourceTag)requestContext.get(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT);
-
- if (tagObject == null) {
- LOG.error("RangerTagAttributeEvalator.isMatched(), No tag object found in the context. Weird!!!!");
- return false;
- }
-
- String tagAsJSON = tagObject.getJSONRepresentation();
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("RangerTagAttributeEvaluator.isMatched(), tagObject as JSON=" + tagAsJSON);
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("RangerTagAttributeEvaluator.isMatched(), tagObject=" + tagObject);
- }
-
- RangerTagAttributeEvaluatorResultProcessor resultProcessor = new RangerTagAttributeEvaluatorResultProcessor();
-
- /*
- Map<String, String> map = new HashMap<String, String>();
- map.put("bye", "now");
- */
- /*
- // Convert it to a NativeObject (yes, this could have been done directly)
- NativeObject nobj = new NativeObject();
- for (Map.Entry<String, String> entry : map.entrySet()) {
- nobj.defineProperty(entry.getKey(), entry.getValue(), NativeObject.READONLY);
- }
-
- // Place native object into the context
- scriptEngine.put("map", nobj);
- */
-
- /*
- try {
- //scriptEngine.eval("println(map.bye)");
-
- scriptEngine.eval("var map = " + new Gson().toJson(map) + ";\n"
- + "println(map.bye);");
- } catch (Exception e) {
- System.out.println("Failed");
- }
- System.out.println("Succeeded");
- return true;
- */
-
- // Place remaining objects directly into context
- /*
- scriptEngine.put("tagName", tagObject.getName());
- scriptEngine.put("request", request);
- */
- scriptEngine.put("result", resultProcessor);
-
- String preamble = "var tag = " + tagAsJSON +";\n";
-
- List<String> values = condition.getValues();
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("RangerTagAttributeEvaluator.isMatched(), values=" + values);
- }
-
- if (!CollectionUtils.isEmpty(values)) {
-
- String script = values.get(0);
-
- if (!StringUtils.isEmpty(script)) {
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("RangerTagAttributeEvaluator.isMatched(), evaluating script '" + script +"'");
- }
- if (scriptEngine != null) {
- try {
- scriptEngine.eval(preamble+script);
- } catch (ScriptException exception) {
- LOG.error("RangerTagAttributeEvaluator.isMatched(): failed to evaluate script," +
- " exception=" + exception);
- }
- } else {
- LOG.error("RangerTagAttributeEvaluator.isMatched(), No engine to evaluate script '" + script + "'");
- resultProcessor.setFailed();
- }
-
- }
-
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<==RangerTagAttributeEvaluator.isMatched(), result=" + resultProcessor.getResult());
- }
-
- return resultProcessor.getResult();
-
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java
deleted file mode 100644
index 0deeefc..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.conditionevaluator;
-
-public class RangerTagAttributeEvaluatorResultProcessor {
- private boolean result = false;
-
- RangerTagAttributeEvaluatorResultProcessor() {}
-
- public void setSucceeded() { this.result = true; }
- public void setFailed() { this.result = false; }
- boolean getResult() { return this.result; }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java
deleted file mode 100644
index bd6b435..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java
+++ /dev/null
@@ -1,35 +0,0 @@
-package org.apache.ranger.plugin.conditionevaluator;
-
-import java.util.*;
-import javax.script.*;
-
-public class ScriptingLanguageFinderUtil {
-
- public static void main( String[] args ) {
-
- ScriptEngineManager mgr = new ScriptEngineManager();
- List<ScriptEngineFactory> factories = mgr.getEngineFactories();
-
- for (ScriptEngineFactory factory : factories) {
-
- System.out.println("ScriptEngineFactory Info");
-
- String engName = factory.getEngineName();
- String engVersion = factory.getEngineVersion();
- String langName = factory.getLanguageName();
- String langVersion = factory.getLanguageVersion();
-
- System.out.printf("\tScript Engine: %s (%s)%n", engName, engVersion);
-
- List<String> engNames = factory.getNames();
- for(String name : engNames) {
- System.out.printf("\tEngine Alias: %s%n", name);
- }
-
- System.out.printf("\tLanguage: %s (%s)%n", langName, langVersion);
-
- }
-
- }
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java
index 3b5520e..5cade5b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagProvider.java
@@ -20,7 +20,6 @@
package org.apache.ranger.plugin.contextenricher;
import java.lang.reflect.Type;
-import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
@@ -95,7 +94,7 @@ public class RangerFileBasedTagProvider extends RangerAbstractContextEnricher {
context.put(RangerPolicyEngine.KEY_CONTEXT_TAGS, tagList);
} catch (Exception e) {
- LOG.error("RangerFileBasedTagProvider.enrich(): error parsing file " + this.dataFile + "exception=" + e);
+ LOG.error("RangerFileBasedTagProvider.enrich(): error parsing file " + this.dataFile + ", exception=" + e);
}
} else {
if(LOG.isDebugEnabled()) {
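Review bot: The corrected message still appends the exception with `", exception=" + e`, which logs only its toString() and drops the stack trace; `LOG.error("RangerFileBasedTagProvider.enrich(): error parsing file " + this.dataFile, e);` keeps it. The surrounding `catch (Exception e)` only logs, so after a parse failure the request appears to continue without `KEY_CONTEXT_TAGS` in its context; if tag-based conditions depend on that key, a comment stating the intended outcome of a failed parse would help. enrich() starts and ends outside this hunk.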
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index 338174c..e9f9ef9 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -46,8 +46,8 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
private static final long serialVersionUID = 1L;
public static final int POLICY_TYPE_DEFAULT = 0x0;
- public static final int POLICY_TYPE_FINAL = 0x1 << 0;
- public static final int POLICY_TYPE_DENIER = 0x1 << 1;
+ public static final int POLICY_TYPE_MASK_FINAL = 0x1 << 0;
+ public static final int POLICY_TYPE_MASK_DENIER = 0x1 << 1;
private String service = null;
@@ -224,9 +224,9 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
final public void setPolicyTypeFinal(boolean set) {
if (set) {
- this.policyType |= POLICY_TYPE_FINAL;
+ this.policyType |= POLICY_TYPE_MASK_FINAL;
} else {
- this.policyType &= (~POLICY_TYPE_FINAL);
+ this.policyType &= (~POLICY_TYPE_MASK_FINAL);
}
}
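Review bot: `this.policyType |= POLICY_TYPE_MASK_FINAL` and `this.policyType &= (~POLICY_TYPE_MASK_FINAL)` in setPolicyTypeFinal() unbox `policyType`, a boxed value that the next hunk explicitly checks for null, so if the field can be null the setter throws NullPointerException. Reading it through a default first avoids that: `int type = (policyType == null) ? POLICY_TYPE_DEFAULT : policyType;` and then assign the masked result back. Renaming the public `POLICY_TYPE_FINAL`/`POLICY_TYPE_DENIER` constants in the first RangerPolicy hunk will also break any code outside this commit that still references the old names.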
@@ -263,7 +263,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
if (this.policyType == null) {
isFinalDecidingPolicy = false;
- } else if ((this.policyType.intValue() & POLICY_TYPE_FINAL) == 0x0) {
+ } else if ((this.policyType & POLICY_TYPE_MASK_FINAL) == 0x0) {
isFinalDecidingPolicy = false;
}
return isFinalDecidingPolicy;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java
index 2ffedbe..49d4739 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java
@@ -19,21 +19,14 @@
package org.apache.ranger.plugin.model;
-import com.google.gson.Gson;
-import com.google.gson.GsonBuilder;
-import org.apache.commons.lang.StringUtils;
import org.codehaus.jackson.annotate.JsonAutoDetect;
-import org.codehaus.jackson.annotate.JsonIgnore;
import org.codehaus.jackson.annotate.JsonIgnoreProperties;
import org.codehaus.jackson.map.annotate.JsonSerialize;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
/**
* This class represents a RangerResource including the service-type (such as hdfs, hive, etc.) in which it is supported.
@@ -53,54 +46,54 @@ import java.util.Map;
public class RangerResource extends RangerBaseModelObject {
private static final long serialVersionUID = 1L;
- private String serviceType = null; // one of any supported by any component
- private Map<String, RangerPolicy.RangerPolicyResource> resourceSpec = null; //
- private String tagServiceName = null;
- private List<RangerResourceTag> tagsAndValues = null;
+ private String componentType = null; // one of any supported by any component
+ private String tagServiceName = null;
+ private Map<String, RangerPolicy.RangerPolicyResource> resourceSpec = null;
+ private List<RangerResourceTag> tags = null;
- public RangerResource(String serviceType, Map<String, RangerPolicy.RangerPolicyResource> resourceSpecs, String tagServiceName, List<RangerResourceTag> tagsAndValues) {
+ public RangerResource(String componentType, String tagServiceName, Map<String, RangerPolicy.RangerPolicyResource> resourceSpec, List<RangerResourceTag> tags) {
super();
- setServiceType(serviceType);
- setResourceSpecs(resourceSpecs);
+ setComponentType(componentType);
setTagServiceName(tagServiceName);
- setTagsAndValues(tagsAndValues);
+ setResourceSpec(resourceSpec);
+ setTags(tags);
}
public RangerResource() {
this(null, null, null, null);
}
- public String getServiceType() {
- return serviceType;
- }
-
- public Map<String, RangerPolicy.RangerPolicyResource> getResourceSpecs() {
- return resourceSpec;
+ public String getComponentType() {
+ return componentType;
}
public String getTagServiceName() {
return tagServiceName;
}
- public List<RangerResourceTag> getTagsAndValues() {
- return tagsAndValues;
+ public Map<String, RangerPolicy.RangerPolicyResource> getResourceSpec() {
+ return resourceSpec;
}
- // And corresponding set methods
- public void setServiceType(String serviceType) {
- this.serviceType = serviceType == null ? new String() : serviceType;
+ public List<RangerResourceTag> getTags() {
+ return tags;
}
- public void setResourceSpecs(Map<String, RangerPolicy.RangerPolicyResource> fullName) {
- this.resourceSpec = resourceSpec == null ? new HashMap<String, RangerPolicy.RangerPolicyResource>() : resourceSpec;
+ // And corresponding set methods
+ public void setComponentType(String componentType) {
+ this.componentType = componentType;
}
public void setTagServiceName(String tagServiceName) {
- this.tagServiceName = tagServiceName == null ? new String() : tagServiceName;
+ this.tagServiceName = tagServiceName;
+ }
+
+ public void setResourceSpec(Map<String, RangerPolicy.RangerPolicyResource> resourceSpec) {
+ this.resourceSpec = resourceSpec == null ? new HashMap<String, RangerPolicy.RangerPolicyResource>() : resourceSpec;
}
- public void setTagsAndValues(List<RangerResourceTag> tagsAndValues) {
- this.tagsAndValues = tagsAndValues == null ? new ArrayList<RangerResourceTag>() : tagsAndValues;
+ public void setTags(List<RangerResourceTag> tags) {
+ this.tags = tags == null ? new ArrayList<RangerResourceTag>() : tags;
}
/**
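Review bot: The setters now disagree on null handling: `setComponentType` and `setTagServiceName` store null as-is where the old code substituted an empty string, while `setResourceSpec` and `setTags` still substitute empty collections. Callers that relied on non-null strings from `getComponentType()`/`getTagServiceName()` need a null check after this change, so a one-line comment on each setter stating the contract would help. `getResourceSpec()` and `getTags()` also return the internal map and list directly, so any holder of a RangerResource can modify them.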
@@ -115,21 +108,10 @@ public class RangerResource extends RangerBaseModelObject {
public static class RangerResourceTag implements java.io.Serializable {
- private static Gson gsonBuilder;
-
- private String name = null;
- private Map<String, Object> attributeValues = null; // Will be JSON string with (name, value) pairs of tag attributes in database
-
- @JsonIgnore
- private transient String jSONRepresentation = null;
+ private String name = null;
+ private Map<String, String> attributeValues = null;
- static {
- gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
- .setPrettyPrinting()
- .create();
- }
-
- public RangerResourceTag(String name, Map<String, Object> attributeValues) {
+ public RangerResourceTag(String name, Map<String, String> attributeValues) {
super();
setName(name);
setAttributeValues(attributeValues);
@@ -142,38 +124,11 @@ public class RangerResource extends RangerBaseModelObject {
public String getName() {
return name;
}
+ public void setName(String name) { this.name = name; }
- public Map<String, Object> getAttributeValues() {
+ public Map<String, String> getAttributeValues() {
return attributeValues;
}
-
- public void setName(String name) {
- this.name = name;
- this.jSONRepresentation = null;
- }
-
- public void setAttributeValues(Map<String, Object> attributeValues) {
- this.attributeValues = attributeValues;
- this.jSONRepresentation = null;
- }
-
- public String getJSONRepresentation() {
- if (StringUtils.isEmpty(jSONRepresentation)) {
- jSONRepresentation = gsonBuilder.toJson(this);
- }
- return jSONRepresentation;
- }
- public RangerResourceTag deepCopy() {
-
- RangerResourceTag tag;
-
- if (StringUtils.isEmpty(getJSONRepresentation())) {
- tag = new RangerResourceTag();
- } else {
- tag = gsonBuilder.fromJson(jSONRepresentation, this.getClass());
- }
-
- return tag;
- }
+ public void setAttributeValues(Map<String, String> attributeValues) { this.attributeValues = attributeValues; }
}
}
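Review bot: RangerResourceTag stays fully mutable after this hunk: `setName` and `setAttributeValues` are public and `getAttributeValues()` returns the internal map. Wrapping the tag list in `Collections.unmodifiableList` in RangerScriptConditionEvaluator therefore stops a condition script from adding or removing tags, but not from altering an individual tag or its attributes. If tags are meant to be read-only during evaluation, hand the evaluator copies or a read-only tag view, in the same way this commit does for the request and resource. The RangerResourceTag class starts outside this hunk.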
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
index 82a18fc..4308086 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
@@ -49,4 +49,6 @@ public interface RangerAccessRequest {
String getSessionId();
Map<String, Object> getContext();
+
+ RangerAccessRequest getReadOnlyCopy();
}
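Review bot: `getReadOnlyCopy()` is added without Javadoc, and the same applies to the method added to RangerAccessResource later in this commit. The name says copy, but RangerAccessRequestReadOnly delegates to its source and wraps the source's collections in unmodifiable views, so later changes to the source remain visible through it. I would add `/** Returns a wrapper that rejects modification through it; it still reflects later changes to this request. */` or make the implementation take a snapshot. Adding an abstract method to this interface also requires every existing implementor outside this commit to be updated.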
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index e1326ea..aa2c918 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -224,4 +224,8 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
return sb;
}
+ @Override
+ public RangerAccessRequest getReadOnlyCopy() {
+ return new RangerAccessRequestReadOnly(this);
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
new file mode 100644
index 0000000..3ca72f2
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import org.apache.commons.lang.StringUtils;
+
+import java.util.Collections;
+import java.util.Date;
+import java.util.Map;
+import java.util.Set;
+
+public class RangerAccessRequestReadOnly implements RangerAccessRequest {
+ private final RangerAccessRequest source;
+
+ // Cached here for reducing access overhead
+ private final RangerAccessResource resource;
+ private final Set<String> userGroups;
+ private final Map<String, Object> context;
+
+ RangerAccessRequestReadOnly(final RangerAccessRequest source) {
+ this.source = source;
+ this.resource = source.getResource().getReadOnlyCopy();
+ this.userGroups = Collections.unmodifiableSet(source.getUserGroups());
+ this.context = Collections.unmodifiableMap(source.getContext());
+ }
+
+ @Override
+ public RangerAccessResource getResource() { return resource; }
+
+ @Override
+ public String getAccessType() { return source.getAccessType(); }
+
+ @Override
+ public boolean isAccessTypeAny() { return source.isAccessTypeAny(); }
+
+ @Override
+ public boolean isAccessTypeDelegatedAdmin() { return source.isAccessTypeDelegatedAdmin(); }
+
+ @Override
+ public String getUser() { return source.getUser(); }
+
+ @Override
+ public Set<String> getUserGroups() { return userGroups; }
+
+ @Override
+ public Date getAccessTime() { return source.getAccessTime(); }
+
+ @Override
+ public String getClientIPAddress() { return source.getClientIPAddress(); }
+
+ @Override
+ public String getClientType() { return source.getClientType(); }
+
+ @Override
+ public String getAction() { return source.getAction(); }
+
+ @Override
+ public String getRequestData() { return source.getRequestData(); }
+
+ @Override
+ public String getSessionId() { return source.getSessionId(); }
+
+ @Override
+ public Map<String, Object> getContext() { return context; }
+
+ @Override
+ public RangerAccessRequest getReadOnlyCopy() { return this; }
+
+}
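Review bot: The read-only guarantee here is shallow: `Collections.unmodifiableMap(source.getContext())` blocks put/remove on the map, but the values stay the original objects (for example the tag list the script evaluator reads from the context), and `getAccessTime()` passes through the source's mutable `Date`. The constructor also dereferences `source.getResource()` and hands `source.getUserGroups()` and `source.getContext()` straight to `Collections.unmodifiableSet`/`unmodifiableMap`, which throw NullPointerException on null. If an implementation can return null for any of these, substitute an empty collection first, e.g. `Collections.unmodifiableSet(groups == null ? Collections.<String>emptySet() : groups)`. `import org.apache.commons.lang.StringUtils;` is unused in this file.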
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
index 82c0248..c2f4665 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
@@ -41,4 +41,6 @@ public interface RangerAccessResource {
public String getAsString(RangerServiceDef serviceDef);
public Map<String, String> getAsMap();
+
+ public RangerAccessResource getReadOnlyCopy();
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
index 7c26f90..f818f80 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
@@ -168,6 +168,11 @@ public class RangerAccessResourceImpl implements RangerMutableResource {
}
@Override
+ public RangerAccessResource getReadOnlyCopy() {
+ return new RangerAccessResourceReadOnly(this);
+ }
+
+ @Override
public boolean equals(Object obj) {
if(obj == null || !(obj instanceof RangerAccessResourceImpl)) {
return false;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java
new file mode 100644
index 0000000..70e30d3
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import org.apache.ranger.plugin.model.RangerServiceDef;
+
+import java.util.Collections;
+import java.util.Map;
+import java.util.Set;
+
+public class RangerAccessResourceReadOnly implements RangerAccessResource {
+
+ private final RangerAccessResource source;
+ private final Set<String> keys;
+ private final Map<String, String> map;
+
+ public RangerAccessResourceReadOnly(final RangerAccessResource source) {
+ this.source = source;
+
+ // Cached here for reducing access overhead
+ this.keys = Collections.unmodifiableSet(source.getKeys());
+ this.map = Collections.unmodifiableMap(source.getAsMap());
+ }
+
+ public String getOwnerUser() { return source.getOwnerUser(); }
+
+ public boolean exists(String name) { return source.exists(name); }
+
+ public String getValue(String name) { return source.getValue(name); }
+
+ public Set<String> getKeys() { return keys; }
+
+ public String getLeafName(RangerServiceDef serviceDef) { return source.getLeafName(serviceDef); }
+
+ public String getAsString(RangerServiceDef serviceDef) { return source.getAsString(serviceDef); }
+
+ public Map<String, String> getAsMap() { return map; }
+
+ public RangerAccessResource getReadOnlyCopy() { return this; }
+}
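Review bot: The constructor of RangerAccessResourceReadOnly hands `source.getKeys()` and `source.getAsMap()` straight to `Collections.unmodifiableSet` / `Collections.unmodifiableMap`, which throw NullPointerException on a null argument and otherwise return views, not snapshots. Whether the source can return null is not visible here, but a guard such as `this.keys = srcKeys == null ? Collections.<String>emptySet() : Collections.unmodifiableSet(srcKeys);` (and the same for the map) keeps the wrapper safe either way. Because `getValue`, `exists` and `getOwnerUser` delegate to the live source, this object is a read-only view rather than a copy; a class comment such as `// Read-only view over source: code that still holds source can change what this object reports` would stop it being treated as an immutable snapshot when it is handed to condition scripts. The methods also lack the `@Override` that RangerAccessRequestReadOnly uses, and the class could be `final`.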
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index bc4b9a7..8bf1388 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -36,6 +36,8 @@ public interface RangerPolicyEngine {
String KEY_CONTEXT_TAGS = "TAGS";
String KEY_CONTEXT_TAG_OBJECT = "TAG_OBJECT";
+ String KEY_CONTEXT_RESOURCE = "RESOURCE";
+
String getServiceName();
RangerServiceDef getServiceDef();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 7b6eb35..69757da 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -480,8 +480,8 @@ class RangerTagResource extends RangerAccessResourceImpl {
private static final String KEY_TAG = "tag";
- public RangerTagResource(String tag) {
- super.setValue(KEY_TAG, tag);
+ public RangerTagResource(String tagName) {
+ super.setValue(KEY_TAG, tagName);
}
}
@@ -496,10 +496,10 @@ class RangerTagAccessRequest extends RangerAccessRequestImpl {
super.setRequestData(request.getRequestData());
Map<String, Object> requestContext = request.getContext();
- if (requestContext == null) {
- requestContext = new HashMap<String, Object>();
- }
+
requestContext.put(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT, resourceTag);
+ requestContext.put(RangerPolicyEngine.KEY_CONTEXT_RESOURCE, request.getResource());
+
super.setContext(requestContext);
super.setClientType(request.getClientType());
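Review bot: `requestContext.put(...)` now writes into the map returned by `request.getContext()` with the null check removed, so a request whose context is null fails with NullPointerException, and a request obtained from `getReadOnlyCopy()` fails with UnsupportedOperationException because RangerAccessRequestReadOnly returns an unmodifiable map. Unless `getContext()` returns a copy, the TAG_OBJECT and RESOURCE entries are also added to the caller's own context and stay there for later evaluations of the original request. Copying first avoids all three: `Map<String, Object> requestContext = new HashMap<String, Object>();` followed by `if (request.getContext() != null) { requestContext.putAll(request.getContext()); }`. The value stored under KEY_CONTEXT_RESOURCE is the mutable `request.getResource()`; if this context is what condition scripts see, storing the `getReadOnlyCopy()` of a non-null resource would match the read-only intent of the commit. The constructor starts and ends outside this hunk.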
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index cb9a1ea..8a13839 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -211,7 +211,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
boolean matchResult = false;
boolean isHeadMatchAttempted = false;
boolean headMatchResult = false;
- final boolean isPolicyFinalDecider = isFinal();
+ final boolean isFinalPolicy = isFinal();
if (!result.getIsAuditedDetermined()) {
// Need to match request.resource first. If it matches (or head matches), then only more progress can be made
@@ -256,7 +256,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
evaluatePolicyItemsForAccess(policy, request, result);
}
}
- if ((matchResult || headMatchResult) && !result.getIsAccessDetermined() && isPolicyFinalDecider) {
+ if ((matchResult || headMatchResult) && !result.getIsAccessDetermined() && isFinalPolicy) {
result.setIsAllowed(false);
result.setPolicyId(getPolicy().getId());
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/store/TagPredicateUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/TagPredicateUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/TagPredicateUtil.java
index b880179..fd48d63 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/TagPredicateUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/TagPredicateUtil.java
@@ -165,7 +165,7 @@ public class TagPredicateUtil extends AbstractPredicateUtil {
if (object instanceof RangerResource) {
RangerResource rangerResource = (RangerResource) object;
- ret = StringUtils.equals(type, rangerResource.getServiceType());
+ ret = StringUtils.equals(type, rangerResource.getComponentType());
}
return ret;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/main/java/org/apache/ranger/plugin/store/file/TagFileStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/TagFileStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/TagFileStore.java
index 073488f..48059ce 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/TagFileStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/TagFileStore.java
@@ -79,20 +79,6 @@ public class TagFileStore extends AbstractTagStore {
}
}
- public TagFileStore(String dataDir) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> TagFileStore.TagFileStore()");
- }
-
- this.tagDataDir = dataDir;
- fileStoreUtil = new FileStoreUtil();
-
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== TagFileStore.TagFileStore()");
- }
- }
-
@Override
public void init() throws Exception {
if (LOG.isDebugEnabled()) {
@@ -130,7 +116,7 @@ public class TagFileStore extends AbstractTagStore {
throw new Exception(tagDef.getName() + ": tag-def already exists (id=" + existing.getId() + ")");
}
- RangerTagDef ret = null;
+ RangerTagDef ret;
try {
preCreate(tagDef);
@@ -165,7 +151,7 @@ public class TagFileStore extends AbstractTagStore {
throw new Exception(tagDef.getName() + ": tag-def does not exist (id=" + tagDef.getId() + ")");
}
- RangerTagDef ret = null;
+ RangerTagDef ret;
try {
preUpdate(existing);
@@ -225,14 +211,16 @@ public class TagFileStore extends AbstractTagStore {
LOG.debug("==> TagFileStore.getTagDef(" + name + ")");
}
- RangerTagDef ret = null;
+ RangerTagDef ret;
- if (name != null) {
+ if (StringUtils.isNotBlank(name)) {
SearchFilter filter = new SearchFilter(SearchFilter.TAG_DEF_NAME, name);
List<RangerTagDef> tagDefs = getTagDefs(filter);
ret = CollectionUtils.isEmpty(tagDefs) ? null : tagDefs.get(0);
+ } else {
+ ret = null;
}
if (LOG.isDebugEnabled()) {
@@ -248,7 +236,7 @@ public class TagFileStore extends AbstractTagStore {
LOG.debug("==> TagFileStore.getTagDefById(" + id + ")");
}
- RangerTagDef ret = null;
+ RangerTagDef ret;
if (id != null) {
SearchFilter filter = new SearchFilter(SearchFilter.TAG_DEF_ID, id.toString());
@@ -256,6 +244,8 @@ public class TagFileStore extends AbstractTagStore {
List<RangerTagDef> tagDefs = getTagDefs(filter);
ret = CollectionUtils.isEmpty(tagDefs) ? null : tagDefs.get(0);
+ } else {
+ ret = null;
}
if (LOG.isDebugEnabled()) {
@@ -274,7 +264,7 @@ public class TagFileStore extends AbstractTagStore {
List<RangerTagDef> ret = getAllTagDefs();
- if (ret != null && filter != null && !filter.isEmpty()) {
+ if (CollectionUtils.isNotEmpty(ret) && filter != null && !filter.isEmpty()) {
CollectionUtils.filter(ret, predicateUtil.getPredicate(filter));
//Comparator<RangerBaseModelObject> comparator = getSorter(filter);
@@ -306,7 +296,7 @@ public class TagFileStore extends AbstractTagStore {
throw new Exception(resource.getId() + ": resource already exists (id=" + existing.getId() + ")");
}
- RangerResource ret = null;
+ RangerResource ret;
try {
preCreate(resource);
@@ -340,15 +330,15 @@ public class TagFileStore extends AbstractTagStore {
throw new Exception(resource.getId() + ": resource does not exist (id=" + resource.getId() + ")");
}
- RangerResource ret = null;
+ RangerResource ret;
try {
preUpdate(existing);
- existing.setServiceType(resource.getServiceType());
- existing.setResourceSpecs(resource.getResourceSpecs());
+ existing.setComponentType(resource.getComponentType());
+ existing.setResourceSpec(resource.getResourceSpec());
existing.setTagServiceName(resource.getTagServiceName());
- existing.setTagsAndValues(resource.getTagsAndValues());
+ existing.setTags(resource.getTags());
ret = fileStoreUtil.saveToFile(existing, new Path(fileStoreUtil.getDataFile(FILE_PREFIX_TAG_RESOURCE, existing.getId())), true);
@@ -363,7 +353,7 @@ public class TagFileStore extends AbstractTagStore {
if (LOG.isDebugEnabled()) {
LOG.debug("<== TagFileStore.updateResource(" + resource + ")");
}
- return null;
+ return ret;
}
@Override
@@ -400,7 +390,7 @@ public class TagFileStore extends AbstractTagStore {
if (LOG.isDebugEnabled()) {
LOG.debug("==> TagFileStore.getResource(" + id + ")");
}
- RangerResource ret = null;
+ RangerResource ret;
if (id != null) {
SearchFilter filter = new SearchFilter(SearchFilter.TAG_RESOURCE_ID, id.toString());
@@ -408,6 +398,8 @@ public class TagFileStore extends AbstractTagStore {
List<RangerResource> resources = getResources(filter);
ret = CollectionUtils.isEmpty(resources) ? null : resources.get(0);
+ } else {
+ ret = null;
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== TagFileStore.getResource(" + id + ")");
@@ -420,19 +412,15 @@ public class TagFileStore extends AbstractTagStore {
if (LOG.isDebugEnabled()) {
LOG.debug("==> TagFileStore.getResources(" + tagServiceName + ", " + serviceType + ")");
}
- List<RangerResource> ret = null;
+ List<RangerResource> ret;
SearchFilter filter = new SearchFilter();
- if (tagServiceName == null || tagServiceName.isEmpty()) {
- // Get all tagged resources
- } else {
+ if (StringUtils.isNotBlank(tagServiceName)) {
filter.setParam(SearchFilter.TAG_RESOURCE_SERVICE_NAME, tagServiceName);
}
- if (serviceType == null || serviceType.isEmpty()) {
- // Get all tagged resources
- } else {
+ if (StringUtils.isNotBlank(serviceType)) {
filter.setParam(SearchFilter.TAG_RESOURCE_SERVICE_TYPE, serviceType);
}
@@ -453,7 +441,7 @@ public class TagFileStore extends AbstractTagStore {
List<RangerResource> ret = getAllTaggedResources();
- if (ret != null && filter != null && !filter.isEmpty()) {
+ if (CollectionUtils.isNotEmpty(ret) && filter != null && !filter.isEmpty()) {
CollectionUtils.filter(ret, predicateUtil.getPredicate(filter));
//Comparator<RangerBaseModelObject> comparator = getSorter(filter);
@@ -481,7 +469,7 @@ public class TagFileStore extends AbstractTagStore {
// load Tag definitions from file system
List<RangerTagDef> sds = fileStoreUtil.loadFromDir(new Path(fileStoreUtil.getDataDir()), FILE_PREFIX_TAG_DEF, RangerTagDef.class);
- if (sds != null) {
+ if (CollectionUtils.isNotEmpty(sds)) {
for (RangerTagDef sd : sds) {
if (sd != null) {
// if the TagDef is already found, remove the earlier definition
@@ -504,16 +492,14 @@ public class TagFileStore extends AbstractTagStore {
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<== TagFileStore.getAllTagDefs(): count=" + (ret == null ? 0 : ret.size()));
+ LOG.debug("<== TagFileStore.getAllTagDefs(): count=" + ret.size());
}
- if (ret != null) {
- //Collections.sort(ret, idComparator);
+ //Collections.sort(ret, idComparator);
- //for (RangerTagDef sd : ret) {
+ //for (RangerTagDef sd : ret) {
//Collections.sort(sd.getResources(), resourceLevelComparator);
- //}
- }
+ //}
return ret;
}
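Review bot: The debug line now calls `ret.size()` without the null guard, here and in the matching getAllTaggedResources() hunk below; `ret` is initialised outside both hunks, so confirm it cannot be null on any path, including the one where loading from the data directory fails. The re-indented `//Collections.sort(ret, idComparator);` and `//for (RangerTagDef sd : ret) {` lines are dead code and would be better deleted than carried along as comments.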
@@ -529,7 +515,7 @@ public class TagFileStore extends AbstractTagStore {
// load resource definitions from file system
List<RangerResource> resources = fileStoreUtil.loadFromDir(new Path(fileStoreUtil.getDataDir()), FILE_PREFIX_TAG_RESOURCE, RangerResource.class);
- if (resources != null) {
+ if (CollectionUtils.isNotEmpty(resources)) {
for (RangerResource resource : resources) {
if (resource != null) {
// if the RangerResource is already found, remove the earlier definition
@@ -551,16 +537,15 @@ public class TagFileStore extends AbstractTagStore {
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<== TagFileStore.getAllTaggedResources(): count=" + (ret == null ? 0 : ret.size()));
+ LOG.debug("<== TagFileStore.getAllTaggedResources(): count=" + ret.size());
}
- if (ret != null) {
- //Collections.sort(ret, idComparator);
- //for (RangerTagDef sd : ret) {
+ //Collections.sort(ret, idComparator);
+
+ //for (RangerTagDef sd : ret) {
//Collections.sort(sd.getResources(), resourceLevelComparator);
- //}
- }
+ //}
return ret;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index ea2c87a..46f95a4 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -89,11 +89,11 @@
"policyConditions": [
{
"itemId":1,
- "name":"Default_TagAttributeValueEvaluator",
- "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerTagAttributeEvaluator",
- "evaluatorOptions" : {"interpreter":"JavaScript"},
- "label":"JavaScript script",
- "description": "JavaScript script to execute"
+ "name":"ScriptConditionEvaluator",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions" : {"engineName":"JavaScript"},
+ "label":"Script",
+ "description": "Script to execute"
}
]
},
@@ -102,9 +102,21 @@
"resources":{"tag":{"values":["restricte?"],"isRecursive":false}},
"policyItems":[
{"accesses":[{"type":"hdfs:read","isAllowed":true}],"users":["user1"],"groups":["finance"],"delegateAdmin":false,
- "conditions" : [{"type":"Default_TagAttributeValueEvaluator", "values":[
- "result.setFailed(); var tagName = tag.name; var attrValues = tag.attributeValues; var expiryDate = attrValues[\"expiry_date\"]; println(expiryDate); result.setSucceeded();"]}]}
+ "conditions" : [{"type":"ScriptConditionEvaluator", "values": [
+ "var accessTime = request.getAccessTime(); println('accessTime=' + accessTime); result = true;"
+ ,
+ "var accessTime = request.accessTime; println('accessTime=' + accessTime); result = true;"
+ ,
+ "var ownerUser = request.resource.getOwnerUser(); println('ownerUser=' + ownerUser); result = true;"
+ ,
+ "var ownerUser = request.resource.ownerUser; println('ownerUser=' + ownerUser); result = true;"
+ ,
+ "var resource = ctx.get('RESOURCE').getAsMap(); println('resource path=' + resource.get('path')); result = true;"
+
]
+ }]
+ }
+ ]
}
,
{"id":4,"name":"allow partial-match tag","isEnabled":true,"isAuditEnabled":true,
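Review bot: Every script in the new `ScriptConditionEvaluator` condition ends with `result = true`, so as far as this hunk shows the fixture exercises only the allow path. A policy item whose script sets `result = false`, and one whose script tries to write to `request` or `ctx`, would show that a failing condition denies access and that the read-only wrappers added in this commit reject writes. The `println` calls are fine in a fixture but should not be copied into real policy conditions, where they would add output on every evaluation.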
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/525fd59c/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
index 2383cc4..d093a35 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
@@ -19,18 +19,16 @@
package org.apache.ranger.rest;
+import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.plugin.model.RangerResource;
-import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerTagDef;
import org.apache.ranger.plugin.store.file.TagFileStore;
import org.apache.ranger.plugin.util.SearchFilter;
-import org.owasp.html.TagBalancingHtmlStreamEventReceiver;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
-import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;
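Review bot: Removing the `org.springframework.security.access.prepost.PreAuthorize` import means that, unless the annotation is referenced by its fully-qualified name, no method in TagREST carries `@PreAuthorize` after this change. The endpoints visible later in the diff create and update tag definitions and resource tags, which feed tag-based policy decisions. Confirm that authorization for these paths is enforced elsewhere, for example in the web security configuration, or add method-level checks before this leaves the feature branch.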
@@ -57,7 +55,7 @@ public class TagREST {
TagFileStore tagStore;
*/
- private TagFileStore tagStore = null;
+ private TagFileStore tagStore;
public TagREST() {
tagStore = TagFileStore.getInstance();
}
@@ -71,7 +69,7 @@ public class TagREST {
LOG.debug("==> TagREST.createTagDef(" + tagDef + ")");
}
- RangerTagDef ret = null;
+ RangerTagDef ret;
try {
//RangerTagDefValidator validator = validatorFactory.getTagDefValidator(tagStore);
@@ -106,7 +104,7 @@ public class TagREST {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "tag name mismatch", true);
}
- RangerTagDef ret = null;
+ RangerTagDef ret;
try {
ret = tagStore.updateTagDef(tagDef);
@@ -153,7 +151,7 @@ public class TagREST {
LOG.debug("==> TagREST.getTagDefByName(" + name + ")");
}
- RangerTagDef ret = null;
+ RangerTagDef ret;
try {
ret = tagStore.getTagDef(name);
@@ -182,7 +180,7 @@ public class TagREST {
LOG.debug("==> TagREST.getTagDefs()");
}
- List<RangerTagDef> ret = null;
+ List<RangerTagDef> ret;
try {
ret = tagStore.getTagDefs(new SearchFilter());
@@ -212,7 +210,7 @@ public class TagREST {
LOG.debug("==> TagREST.createResource(" + resource + ")");
}
- RangerResource ret = null;
+ RangerResource ret;
try {
//RangerResourceValidator validator = validatorFactory.getResourceValidator(tagStore);
@@ -246,14 +244,14 @@ public class TagREST {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "resource id mismatch", true);
}
- RangerResource ret = null;
+ RangerResource ret;
try {
//RangerResourceValidator validator = validatorFactory.getResourceValidator(tagStore);
//validator.validate(resource, Action.UPDATE);
ret = tagStore.updateResource(resource);
} catch(Exception excp) {
- LOG.error("updateResource(" + ret + ") failed", excp);
+ LOG.error("updateResource(" + id + ") failed", excp);
throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true);
}
@@ -272,12 +270,12 @@ public class TagREST {
public RangerResource updateResource(@PathParam("id") final Long id, @DefaultValue(TagRESTConstants.ACTION_ADD) @QueryParam(TagRESTConstants.ACTION_OP) String op, List<RangerResource.RangerResourceTag> resourceTagList) {
- RangerResource ret = null;
+ RangerResource ret;
if (op.equals(TagRESTConstants.ACTION_ADD) ||
op.equals(TagRESTConstants.ACTION_REPLACE) ||
op.equals(TagRESTConstants.ACTION_DELETE)) {
- RangerResource oldResource = null;
+ RangerResource oldResource;
try {
oldResource = tagStore.getResource(id);
} catch (Exception excp) {
@@ -285,24 +283,29 @@ public class TagREST {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true);
}
- List<RangerResource.RangerResourceTag> oldTagsAndValues = oldResource.getTagsAndValues();
-
- if (op.equals(TagRESTConstants.ACTION_ADD)) {
- oldTagsAndValues.addAll(resourceTagList);
- oldResource.setTagsAndValues(oldTagsAndValues);
- } else if (op.equals(TagRESTConstants.ACTION_REPLACE)) {
- oldResource.setTagsAndValues(resourceTagList);
- } else if (op.equals(TagRESTConstants.ACTION_DELETE)) {
- oldTagsAndValues.removeAll(resourceTagList);
- oldResource.setTagsAndValues(oldTagsAndValues);
+ List<RangerResource.RangerResourceTag> oldTagsAndValues = oldResource.getTags();
+
+ switch (op) {
+ case TagRESTConstants.ACTION_ADD:
+ oldTagsAndValues.addAll(resourceTagList);
+ break;
+ case TagRESTConstants.ACTION_REPLACE:
+ oldResource.setTags(resourceTagList);
+ break;
+ case TagRESTConstants.ACTION_DELETE:
+ oldTagsAndValues.removeAll(resourceTagList);
+ break;
+ default:
+ break;
}
+ oldResource.setTags(oldTagsAndValues);
try {
//RangerResourceValidator validator = validatorFactory.getResourceValidator(tagStore);
//validator.validate(resource, Action.UPDATE);
ret = tagStore.updateResource(oldResource);
} catch (Exception excp) {
- LOG.error("updateResource(" + ret + ") failed", excp);
+ LOG.error("updateResource(" + id + ") failed", excp);
throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true);
}
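Review bot: In the new `switch`, `ACTION_REPLACE` calls `oldResource.setTags(resourceTagList)`, but the unconditional `oldResource.setTags(oldTagsAndValues);` after the switch then puts the previous list back, so as far as the hunk shows a replace request changes nothing. Assigning instead, `case TagRESTConstants.ACTION_REPLACE: oldTagsAndValues = resourceTagList; break;`, keeps the single `setTags` call correct for all three operations. `oldResource.getTags()` is also reached without a null check, while TagFileStore.getResource() in this commit returns null when nothing matches, so an unknown `id` ends in NullPointerException instead of a 4xx response; a guard such as `if (oldResource == null) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "resource not found", true); }` before that line would fix it. A null `resourceTagList` from the request body, or a null list from `getTags()`, would fail the same way in `addAll` / `removeAll`. The method starts and ends outside this hunk.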
@@ -347,7 +350,7 @@ public class TagREST {
LOG.debug("==> TagREST.getResource(" + id + ")");
}
- RangerResource ret = null;
+ RangerResource ret;
try {
ret = tagStore.getResource(id);
@@ -377,7 +380,7 @@ public class TagREST {
LOG.debug("==> TagREST.getResources(" + tagServiceName + ", " + serviceType + ")");
}
- List<RangerResource> ret = null;
+ List<RangerResource> ret;
try {
ret = tagStore.getResources(tagServiceName, serviceType);
@@ -394,7 +397,7 @@ public class TagREST {
List<RangerResource> toBeFilteredOut = new ArrayList<RangerResource>();
for (RangerResource rangerResource : ret) {
- if (rangerResource.getTagsAndValues().isEmpty()) {
+ if (CollectionUtils.isEmpty(rangerResource.getTags())) {
toBeFilteredOut.add(rangerResource);
}
}