Posted to commits@ranger.apache.org by ma...@apache.org on 2015/04/12 01:04:30 UTC
[2/2] incubator-ranger git commit: RANGER-390: Merge RangerPolicyDb
implementation with RangerPolicyEngine
RANGER-390: Merge RangerPolicyDb implementation with RangerPolicyEngine
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/a93ac46d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/a93ac46d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/a93ac46d
Branch: refs/heads/master
Commit: a93ac46d69b5b5a1eed6a73d1616bac2c1c3a3d6
Parents: 9693fb8
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Fri Apr 10 15:09:45 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Sat Apr 11 16:03:40 2015 -0700
----------------------------------------------------------------------
.../plugin/policyengine/RangerPolicyDb.java | 122 -----------
.../policyengine/RangerPolicyDbCache.java | 73 -------
.../plugin/policyengine/RangerPolicyEngine.java | 25 ++-
.../policyengine/RangerPolicyEngineCache.java | 88 ++++++++
.../policyengine/RangerPolicyEngineImpl.java | 175 +++++++++++----
.../policyengine/RangerPolicyEngineOptions.java | 30 +++
.../RangerPolicyEvaluatorFacade.java | 149 -------------
.../policyengine/RangerPolicyRepository.java | 119 +++++++----
.../RangerAbstractPolicyEvaluator.java | 41 +++-
.../RangerCachedPolicyEvaluator.java | 5 +-
.../RangerDefaultPolicyEvaluator.java | 120 ++++++-----
.../RangerOptimizedPolicyEvaluator.java | 48 ++++-
.../policyevaluator/RangerPolicyEvaluator.java | 16 +-
.../ranger/plugin/service/RangerBasePlugin.java | 55 ++---
.../ranger/plugin/util/PolicyRefresher.java | 42 ++--
.../plugin/policyengine/TestPolicyDb.java | 14 +-
.../plugin/policyengine/TestPolicyEngine.java | 7 +-
.../authorization/hbase/HbaseFactory.java | 7 -
.../org/apache/ranger/rest/ServiceREST.java | 213 ++++++-------------
19 files changed, 645 insertions(+), 704 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDb.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDb.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDb.java
deleted file mode 100644
index d07afe3..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDb.java
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.policyengine;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
-import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator;
-import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
-import org.apache.ranger.plugin.util.ServicePolicies;
-
-
-public class RangerPolicyDb {
- private static final Log LOG = LogFactory.getLog(RangerPolicyDb.class);
-
- private final ServicePolicies servicePolicies;
- private final List<RangerPolicyEvaluator> policyEvaluators;
-
- public RangerPolicyDb(ServicePolicies servicePolicies) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyDb(" + servicePolicies + ")");
- }
-
- this.servicePolicies = servicePolicies;
- this.policyEvaluators = new ArrayList<RangerPolicyEvaluator>();
-
- RangerServiceDef serviceDef = servicePolicies.getServiceDef();
- List<RangerPolicy> policies = servicePolicies.getPolicies();
-
- if(serviceDef != null && policies != null) {
- for (RangerPolicy policy : policies) {
- if (!policy.getIsEnabled()) {
- continue;
- }
-
- RangerPolicyEvaluator evaluator = new RangerOptimizedPolicyEvaluator();
-
- if (evaluator != null) {
- evaluator.init(policy, serviceDef);
-
- policyEvaluators.add(evaluator);
- }
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyDb(" + servicePolicies + ")");
- }
- }
-
- public String getServiceName() {
- return servicePolicies.getServiceName();
- }
-
- public long getPolicyVersion() {
- Long policyVersion = servicePolicies.getPolicyVersion();
-
- return policyVersion != null ? policyVersion.longValue() : -1;
- }
-
- public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyDb.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
- }
-
- boolean ret = false;
-
- for(RangerPolicyEvaluator evaluator : policyEvaluators) {
- ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType);
-
- if(ret) {
- break;
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyDb.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
- }
-
- return ret;
- }
-
- public List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String accessType) {
- List<RangerPolicy> ret = new ArrayList<RangerPolicy>();
-
- for(RangerPolicyEvaluator evaluator : policyEvaluators) {
- RangerPolicy policy = evaluator.getPolicy();
-
- boolean isAccessAllowed = isAccessAllowed(policy.getResources(), user, userGroups, accessType);
-
- if(isAccessAllowed) {
- ret.add(policy);
- }
- }
-
- return ret;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDbCache.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDbCache.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDbCache.java
deleted file mode 100644
index bfa71b8..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyDbCache.java
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.policyengine;
-
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.ranger.plugin.store.ServiceStore;
-import org.apache.ranger.plugin.util.ServicePolicies;
-
-public class RangerPolicyDbCache {
- private static final Log LOG = LogFactory.getLog(RangerPolicyDbCache.class);
-
- private static final RangerPolicyDbCache sInstance = new RangerPolicyDbCache();
-
- private final Map<String, RangerPolicyDb> policyDbCache = Collections.synchronizedMap(new HashMap<String, RangerPolicyDb>());
-
- public static RangerPolicyDbCache getInstance() {
- return sInstance;
- }
-
- public RangerPolicyDb getPolicyDb(String serviceName, ServiceStore svcStore) {
- RangerPolicyDb ret = null;
-
- if(serviceName != null) {
- ret = policyDbCache.get(serviceName);
-
- long policyVersion = ret != null ? ret.getPolicyVersion() : -1;
-
- if(svcStore != null) {
- try {
- ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, policyVersion);
-
- if(policies != null) {
- if(ret == null) {
- ret = new RangerPolicyDb(policies);
-
- policyDbCache.put(serviceName, ret);
- } else if(policies.getPolicyVersion() != null && !policies.getPolicyVersion().equals(policyVersion)) {
- ret = new RangerPolicyDb(policies);
-
- policyDbCache.put(serviceName, ret);
- }
- }
- } catch(Exception excp) {
- LOG.error("getPolicyDbForService(" + serviceName + "): failed to get latest policies from service-store", excp);
- }
- }
- }
-
- return ret;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index da83838..3634768 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -21,11 +21,15 @@ package org.apache.ranger.plugin.policyengine;
import java.util.Collection;
import java.util.List;
+import java.util.Map;
+import java.util.Set;
import org.apache.ranger.plugin.audit.RangerAuditHandler;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
+import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.util.ServicePolicies;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
public interface RangerPolicyEngine {
public static final String GROUP_PUBLIC = "public";
@@ -37,11 +41,14 @@ public interface RangerPolicyEngine {
RangerServiceDef getServiceDef();
- List<RangerContextEnricher> getContextEnrichers();
+ List<RangerPolicy> getPolicies();
+
+ long getPolicyVersion();
- void setPolicies(ServicePolicies policies);
+ List<RangerPolicyEvaluator> getPolicyEvaluators();
+
+ List<RangerContextEnricher> getContextEnrichers();
- ServicePolicies getPolicies();
void setDefaultAuditHandler(RangerAuditHandler auditHandler);
@@ -49,6 +56,7 @@ public interface RangerPolicyEngine {
RangerAccessResult createAccessResult(RangerAccessRequest request);
+
RangerAccessResult isAccessAllowed(RangerAccessRequest request);
Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests);
@@ -56,4 +64,13 @@ public interface RangerPolicyEngine {
RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAuditHandler auditHandler);
Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAuditHandler auditHandler);
+
+
+ boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType);
+
+ boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType);
+
+ RangerPolicy getExactMatchPolicy(RangerAccessResource resource);
+
+ List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String accessType);
}
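Review bot: The four methods appended to RangerPolicyEngine carry no Javadoc, and their contract is not the same as the RangerAccessRequest-based isAccessAllowed overloads above them: the RangerPolicyEngineImpl bodies in this commit walk getPolicyEvaluators() and return on the first evaluator that allows, and they never touch the audit handler, while getExactMatchPolicy() returns null when no evaluator reports a single exact match. Callers that pick these up (ServiceREST appears in the diffstat) need that spelled out at the interface rather than discovered in the implementation; a one-line Javadoc per method stating "first-allow semantics, no audit record is written" and the null return would do. Documenting whether `resources` may be empty or null is also worth a sentence, since the Map-based overload forwards it unchecked to every evaluator.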
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
new file mode 100644
index 0000000..09b9f3f
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.store.ServiceStore;
+import org.apache.ranger.plugin.util.ServicePolicies;
+
+public class RangerPolicyEngineCache {
+ private static final Log LOG = LogFactory.getLog(RangerPolicyEngineCache.class);
+
+ private static final RangerPolicyEngineCache sInstance = new RangerPolicyEngineCache();
+
+ private final Map<String, RangerPolicyEngine> policyEngineCache = Collections.synchronizedMap(new HashMap<String, RangerPolicyEngine>());
+
+ private RangerPolicyEngineOptions options = null;
+
+ public static RangerPolicyEngineCache getInstance() {
+ return sInstance;
+ }
+
+ public RangerPolicyEngine getPolicyEngine(String serviceName, ServiceStore svcStore) {
+ RangerPolicyEngine ret = null;
+
+ if(serviceName != null) {
+ ret = policyEngineCache.get(serviceName);
+
+ long policyVersion = ret != null ? ret.getPolicyVersion() : -1;
+
+ if(svcStore != null) {
+ try {
+ ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, policyVersion);
+
+ if(policies != null) {
+ if(ret == null) {
+ ret = addPolicyEngine(policies);
+ } else if(policies.getPolicyVersion() != null && !policies.getPolicyVersion().equals(policyVersion)) {
+ ret = addPolicyEngine(policies);
+ }
+ }
+ } catch(Exception excp) {
+ LOG.error("getPolicyEngine(" + serviceName + "): failed to get latest policies from service-store", excp);
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ public RangerPolicyEngineOptions getPolicyEngineOptions() {
+ return options;
+ }
+
+ public void setPolicyEngineOptions(RangerPolicyEngineOptions options) {
+ this.options = options;
+ }
+
+ private RangerPolicyEngine addPolicyEngine(ServicePolicies policies) {
+ RangerPolicyEngine ret = new RangerPolicyEngineImpl(policies, options);
+
+ policyEngineCache.put(policies.getServiceName(), ret);
+
+ return ret;
+ }
+}
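Review bot: `options` is a plain mutable field on a process-wide singleton, written by setPolicyEngineOptions() and read by addPolicyEngine() from whichever thread first asks for a service's engine, with no synchronization or `volatile`; an engine can be constructed with options another thread has not finished publishing. Since the options are only consumed at construction, `private volatile RangerPolicyEngineOptions options = null;` is the minimal fix, or let callers pass options into getPolicyEngine(). The get-then-put on the synchronized map in getPolicyEngine() is not atomic either, so two threads refreshing the same service can each build a RangerPolicyEngineImpl; the cost is duplicated work rather than a wrong answer, but a comment should say so. The catch block logs at error level and leaves `ret` as the previously cached engine (or null), meaning callers keep enforcing the last known policies when the store is unreachable; `// store unreachable: keep serving the last known policies` on that branch would make the intent explicit.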
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index f09ad70..5956759 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -25,26 +25,39 @@ import org.apache.ranger.plugin.audit.RangerAuditHandler;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.util.ServicePolicies;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
+import java.util.Map;
+import java.util.Set;
public class RangerPolicyEngineImpl implements RangerPolicyEngine {
private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class);
- private ServicePolicies servicePolicies = null;
- private RangerPolicyRepository policyRepository = null;
- private RangerAuditHandler defaultAuditHandler = null;
+ private final RangerPolicyRepository policyRepository;
- public RangerPolicyEngineImpl() {
+ private RangerAuditHandler defaultAuditHandler = null;
+
+ public RangerPolicyEngineImpl(ServicePolicies servicePolicies) {
+ this(servicePolicies, null);
+ }
+
+ public RangerPolicyEngineImpl(ServicePolicies servicePolicies, RangerPolicyEngineOptions options) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl()");
+ LOG.debug("==> RangerPolicyEngineImpl(" + servicePolicies + ", " + options + ")");
}
+ if(options == null) {
+ options = new RangerPolicyEngineOptions();
+ }
+
+ policyRepository = new RangerPolicyRepository(servicePolicies, options);
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl()");
}
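Review bot: The two-argument constructor hands `servicePolicies` straight to RangerPolicyRepository without a check, whereas the setPolicies() it replaces (removed in the next hunk) logged and refused when serviceName, serviceDef or policies was null; unless the repository constructor validates — its body is outside the visible hunks — a null argument now surfaces as a NullPointerException from inside the repository. Add `if(servicePolicies == null) { throw new IllegalArgumentException("servicePolicies is null"); }` before the repository is built. Reassigning the `options` parameter also reads oddly; `RangerPolicyEngineOptions engineOptions = options != null ? options : new RangerPolicyEngineOptions();` keeps the parameter immutable, and the unchanged `<==` trace at the end of the constructor could echo the same arguments as the entry trace.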
@@ -52,53 +65,32 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
@Override
public String getServiceName() {
- RangerPolicyRepository policyRepository = this.policyRepository;
-
- return policyRepository == null ? null : policyRepository.getServiceName();
+ return policyRepository.getServiceName();
}
@Override
public RangerServiceDef getServiceDef() {
- RangerPolicyRepository policyRepository = this.policyRepository;
-
- return policyRepository == null ? null : policyRepository.getServiceDef();
+ return policyRepository.getServiceDef();
}
@Override
- public List<RangerContextEnricher> getContextEnrichers() {
- RangerPolicyRepository policyRepository = this.policyRepository;
-
- return policyRepository == null ? null : policyRepository.getContextEnrichers();
+ public List<RangerPolicy> getPolicies() {
+ return policyRepository.getPolicies();
}
@Override
- public void setPolicies(ServicePolicies servicePolicies) {
- String serviceName = servicePolicies != null ? servicePolicies.getServiceName() : null;
- RangerServiceDef serviceDef = servicePolicies != null ? servicePolicies.getServiceDef() : null;
- List<RangerPolicy> policies = servicePolicies != null ? servicePolicies.getPolicies() : null;
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl.setPolicies(" + serviceName + ", " + serviceDef + ", policies.count=" + (policies == null ? 0 : policies.size()) + ")");
- }
-
- if (serviceName != null && serviceDef != null && policies != null) {
- RangerPolicyRepository policyRepository = new RangerPolicyRepository(serviceName);
- policyRepository.init(serviceDef, policies);
-
- this.servicePolicies = servicePolicies;
- this.policyRepository = policyRepository;
- } else {
- LOG.error("RangerPolicyEngineImpl.setPolicies ->Invalid arguments: serviceName, serviceDef, or policies is null");
- }
+ public long getPolicyVersion() {
+ return policyRepository.getPolicyVersion();
+ }
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.setPolicies(" + serviceName + ", " + serviceDef + ", policies.count=" + (policies == null ? 0 : policies.size()) + ")");
- }
+ @Override
+ public List<RangerPolicyEvaluator> getPolicyEvaluators() {
+ return policyRepository.getPolicyEvaluators();
}
@Override
- public ServicePolicies getPolicies() {
- return servicePolicies;
+ public List<RangerContextEnricher> getContextEnrichers() {
+ return policyRepository.getContextEnrichers();
}
@Override
@@ -113,9 +105,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
@Override
public RangerAccessResult createAccessResult(RangerAccessRequest request) {
- RangerPolicyRepository policyRepository = this.policyRepository;
-
- return new RangerAccessResult(this.getServiceName(), policyRepository == null ? null : policyRepository.getServiceDef(), request);
+ return new RangerAccessResult(this.getServiceName(), policyRepository.getServiceDef(), request);
}
@Override
@@ -174,17 +164,110 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
return ret;
}
+ @Override
+ public boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + ")");
+ }
+
+ boolean ret = false;
+
+ for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
+ ret = evaluator.isAccessAllowed(resource, user, userGroups, accessType);
+
+ if(ret) {
+ break;
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
+ }
+
+ return ret;
+ }
+
+
+ @Override
+ public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
+ }
+
+ boolean ret = false;
+
+ for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
+ ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType);
+
+ if(ret) {
+ break;
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ @Override
+ public RangerPolicy getExactMatchPolicy(RangerAccessResource resource) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + ")");
+ }
+
+ RangerPolicy ret = null;
+
+ for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
+ if(evaluator.isSingleAndExactMatch(resource)) {
+ ret = evaluator.getPolicy();
+
+ break;
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ @Override
+ public List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String accessType) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyEngineImpl.getAllowedPolicies(" + user + ", " + userGroups + ", " + accessType + ")");
+ }
+
+ List<RangerPolicy> ret = new ArrayList<RangerPolicy>();
+
+ for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
+ RangerPolicy policy = evaluator.getPolicy();
+
+ boolean isAccessAllowed = isAccessAllowed(policy.getResources(), user, userGroups, accessType);
+
+ if(isAccessAllowed) {
+ ret.add(policy);
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.getAllowedPolicies(" + user + ", " + userGroups + ", " + accessType + "): policyCount=" + ret.size());
+ }
+
+ return ret;
+ }
+
protected RangerAccessResult isAccessAllowedNoAudit(RangerAccessRequest request) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + ")");
}
- RangerPolicyRepository policyRepository = this.policyRepository;
-
RangerAccessResult ret = createAccessResult(request);
- if(policyRepository != null && ret != null && request != null) {
- List<RangerPolicyEvaluatorFacade> evaluators = policyRepository.getPolicyEvaluators();
+ if(ret != null && request != null) {
+ List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators();
if(evaluators != null) {
boolean foundInCache = policyRepository.setAuditEnabledFromCache(request, ret);
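Review bot: The new isAccessAllowed(...) and getAllowedPolicies(...) loops treat every evaluator from policyRepository.getPolicyEvaluators() as enforceable; the RangerPolicyDb this commit deletes skipped policies whose getIsEnabled() was false before creating an evaluator, and the new RangerPolicyRepository constructor body is outside the visible hunks, so please confirm that filter survived the move — otherwise a disabled policy could grant access through these paths. getAllowedPolicies() also re-runs the full isAccessAllowed(Map, ...) scan for each policy, which is quadratic in the policy count; acceptable for an admin-side call, but worth `// O(n^2): every policy's resources are re-checked against all evaluators` so nobody calls it on the request path. The `ret != null` test retained in isAccessAllowedNoAudit() is dead now that createAccessResult() unconditionally returns a new RangerAccessResult. isAccessAllowedNoAudit's body continues past the end of this hunk.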
@@ -222,8 +305,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
public StringBuilder toString(StringBuilder sb) {
- RangerPolicyRepository policyRepository = this.policyRepository;
-
sb.append("RangerPolicyEngineImpl={");
sb.append("serviceName={").append(this.getServiceName()).append("} ");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
new file mode 100644
index 0000000..a5c1dfb
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+
+
+public class RangerPolicyEngineOptions {
+ public String evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED;
+ public boolean cacheAuditResults = true;
+ public boolean disableContextEnrichers = false;
+ public boolean disableCustomConditions = false;
+}
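Review bot: RangerPolicyEngineOptions exposes four public mutable fields with no documentation, and two of them — `disableContextEnrichers` and `disableCustomConditions` — appear from their names to switch off parts of policy evaluation; a public flag that relaxes authorization checks needs at least a Javadoc line saying what it disables and that the default keeps enforcement on. Private fields with getters would also stop the instance shared through RangerPolicyEngineCache.setPolicyEngineOptions() from being changed after engines have been built from it; whether those engines retain the reference is not visible here. `evaluatorType` defaults to RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED, so the accepted values should be listed next to it.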
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEvaluatorFacade.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEvaluatorFacade.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEvaluatorFacade.java
deleted file mode 100644
index 862cd1a..0000000
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEvaluatorFacade.java
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.policyengine;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
-import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
-import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
-import org.apache.ranger.plugin.policyevaluator.RangerCachedPolicyEvaluator;
-import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator;
-import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator;
-import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
-
-import java.util.Map;
-import java.util.Set;
-
-public class RangerPolicyEvaluatorFacade implements RangerPolicyEvaluator, Comparable<RangerPolicyEvaluatorFacade> {
- private static final Log LOG = LogFactory.getLog(RangerPolicyEvaluatorFacade.class);
-
- RangerDefaultPolicyEvaluator delegate = null;
- int computedPolicyEvalOrder = 0;
-
- RangerPolicyEvaluatorFacade() {
- super();
-
- String evaluatorType = RangerConfiguration.getInstance().get("ranger.policyengine.evaluator.type", "cached");
-
- if(StringUtils.isEmpty(evaluatorType) || StringUtils.equalsIgnoreCase(evaluatorType, "cached")) {
- delegate = new RangerCachedPolicyEvaluator();
- } else {
- delegate = new RangerOptimizedPolicyEvaluator();
- }
- }
-
- RangerPolicyEvaluator getPolicyEvaluator() {
- return delegate;
- }
-
- @Override
- public void init(RangerPolicy policy, RangerServiceDef serviceDef) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEvaluatorFacade.init()");
- }
-
- delegate.init(policy, serviceDef);
-
- computedPolicyEvalOrder = computePolicyEvalOrder();
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEvaluatorFacade.init()");
- }
- }
-
- @Override
- public RangerPolicy getPolicy() {
- return delegate.getPolicy();
- }
-
- @Override
- public RangerServiceDef getServiceDef() {
- return delegate.getServiceDef();
- }
-
- @Override
- public void evaluate(RangerAccessRequest request, RangerAccessResult result) {
- delegate.evaluate(request, result);
- }
-
- @Override
- public boolean isMatch(RangerAccessResource resource) {
- return delegate.isMatch(resource);
- }
-
- @Override
- public boolean isSingleAndExactMatch(RangerAccessResource resource) {
- return delegate.isSingleAndExactMatch(resource);
- }
-
- @Override
- public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) {
- return delegate.isAccessAllowed(resources, user, userGroups, accessType);
- }
-
- @Override
- public int compareTo(RangerPolicyEvaluatorFacade other) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEvaluatorFacade.compareTo()");
- }
-
- int result;
-
- if (this.getComputedPolicyEvalOrder() == other.getComputedPolicyEvalOrder()) {
- Map<String, RangerConditionEvaluator> myConditionEvaluators = this.delegate.getConditionEvaluators();
- Map<String, RangerConditionEvaluator> otherConditionEvaluators = other.delegate.getConditionEvaluators();
-
- int myConditionEvaluatorCount = myConditionEvaluators == null ? 0 : myConditionEvaluators.size();
- int otherConditionEvaluatorCount = otherConditionEvaluators == null ? 0 : otherConditionEvaluators.size();
-
- result = Integer.compare(myConditionEvaluatorCount, otherConditionEvaluatorCount);
- } else {
- result = Integer.compare(computedPolicyEvalOrder, other.computedPolicyEvalOrder);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEvaluatorFacade.compareTo(), result:" + result);
- }
-
- return result;
- }
-
- private int getComputedPolicyEvalOrder() {
- return computedPolicyEvalOrder;
- }
-
- private int computePolicyEvalOrder() {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEvaluatorFacade.computePolicyEvalOrder()");
- }
-
- int result = delegate.computePolicyEvalOrder();
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<==RangerPolicyEvaluatorFacade.computePolicyEvalOrder(), result:" + result);
- }
-
- return result;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index b1d37ca..8e3d17c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -27,7 +27,11 @@ import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.policyevaluator.RangerCachedPolicyEvaluator;
+import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator;
+import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+import org.apache.ranger.plugin.util.ServicePolicies;
import java.util.ArrayList;
import java.util.Collections;
@@ -37,42 +41,26 @@ import java.util.Map;
public class RangerPolicyRepository {
private static final Log LOG = LogFactory.getLog(RangerPolicyRepository.class);
- private String serviceName = null;
- private List<RangerPolicyEvaluatorFacade> policyEvaluators = null;
- private List<RangerContextEnricher> contextEnrichers = null;
- private RangerServiceDef serviceDef = null;
- // Not used at this time
- private Map<String, Boolean> accessAuditCache = null;
+ private final String serviceName;
+ private final RangerServiceDef serviceDef;
+ private final List<RangerPolicy> policies;
+ private final long policyVersion;
+ private final List<RangerContextEnricher> contextEnrichers;
+ private final List<RangerPolicyEvaluator> policyEvaluators;
+ private final Map<String, Boolean> accessAuditCache;
private static int RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE = 64*1024;
- RangerPolicyRepository(String serviceName) {
+ RangerPolicyRepository(ServicePolicies servicePolicies, RangerPolicyEngineOptions options) {
super();
- this.serviceName = serviceName;
- }
- String getServiceName() {
- return serviceName;
- }
- List<RangerPolicyEvaluatorFacade> getPolicyEvaluators() {
- return policyEvaluators;
- }
- List<RangerContextEnricher> getContextEnrichers() {
- return contextEnrichers;
- }
- RangerServiceDef getServiceDef() {
- return serviceDef;
- }
- void init(RangerServiceDef serviceDef, List<RangerPolicy> policies) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyRepository.init(" + serviceDef + ", policies.count=" + policies.size() + ")");
- }
-
- this.serviceDef = serviceDef;
+ serviceName = servicePolicies.getServiceName();
+ serviceDef = servicePolicies.getServiceDef();
+ policies = Collections.unmodifiableList(servicePolicies.getPolicies());
+ policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion().longValue() : -1;
- contextEnrichers = new ArrayList<RangerContextEnricher>();
-
- if (!CollectionUtils.isEmpty(serviceDef.getContextEnrichers())) {
+ List<RangerContextEnricher> contextEnrichers = new ArrayList<RangerContextEnricher>();
+ if (!options.disableContextEnrichers && !CollectionUtils.isEmpty(serviceDef.getContextEnrichers())) {
for (RangerServiceDef.RangerContextEnricherDef enricherDef : serviceDef.getContextEnrichers()) {
if (enricherDef == null) {
continue;
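Review bot: `policies = Collections.unmodifiableList(servicePolicies.getPolicies());` throws a NullPointerException when the service response carries no policy list, and since unmodifiableList is only a view, a later mutation of the caller's list shows through `getPolicies()` while the evaluators built below were derived from the original contents. A null-guarded defensive copy covers both: `List<RangerPolicy> src = servicePolicies.getPolicies();` followed by `policies = Collections.unmodifiableList(src == null ? new ArrayList<RangerPolicy>() : new ArrayList<RangerPolicy>(src));`. The loop in the next hunk (`for (RangerPolicy policy : servicePolicies.getPolicies())`) could then iterate `policies`, so the null case is handled in one place. The constructor continues past the end of this hunk.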
@@ -80,36 +68,63 @@ public class RangerPolicyRepository {
RangerContextEnricher contextEnricher = buildContextEnricher(enricherDef);
- contextEnrichers.add(contextEnricher);
+ if(contextEnricher != null) {
+ contextEnrichers.add(contextEnricher);
+ }
}
}
+ this.contextEnrichers = Collections.unmodifiableList(contextEnrichers);
- policyEvaluators = new ArrayList<RangerPolicyEvaluatorFacade>();
-
- for (RangerPolicy policy : policies) {
+ List<RangerPolicyEvaluator> policyEvaluators = new ArrayList<RangerPolicyEvaluator>();
+ for (RangerPolicy policy : servicePolicies.getPolicies()) {
if (!policy.getIsEnabled()) {
continue;
}
- RangerPolicyEvaluatorFacade evaluator = buildPolicyEvaluator(policy, serviceDef);
+ RangerPolicyEvaluator evaluator = buildPolicyEvaluator(policy, serviceDef, options);
if (evaluator != null) {
policyEvaluators.add(evaluator);
}
}
Collections.sort(policyEvaluators);
+ this.policyEvaluators = Collections.unmodifiableList(policyEvaluators);
String propertyName = "ranger.plugin." + serviceName + ".policyengine.auditcachesize";
- int auditResultCacheSize = RangerConfiguration.getInstance().getInt(propertyName, RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE);
-
- accessAuditCache = new CacheMap<String, Boolean>(auditResultCacheSize);
+ if(options.cacheAuditResults) {
+ int auditResultCacheSize = RangerConfiguration.getInstance().getInt(propertyName, RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE);
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyRepository.init(" + serviceDef + ", policies.count=" + policies.size() + ")");
+ accessAuditCache = Collections.synchronizedMap(new CacheMap<String, Boolean>(auditResultCacheSize));
+ } else {
+ accessAuditCache = null;
}
}
+ public String getServiceName() {
+ return serviceName;
+ }
+
+ public RangerServiceDef getServiceDef() {
+ return serviceDef;
+ }
+
+ public List<RangerPolicy> getPolicies() {
+ return policies;
+ }
+
+ public long getPolicyVersion() {
+ return policyVersion;
+ }
+
+ public List<RangerContextEnricher> getContextEnrichers() {
+ return contextEnrichers;
+ }
+
+ public List<RangerPolicyEvaluator> getPolicyEvaluators() {
+ return policyEvaluators;
+ }
+
private RangerContextEnricher buildContextEnricher(RangerServiceDef.RangerContextEnricherDef enricherDef) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyRepository.buildContextEnricher(" + enricherDef + ")");
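Review bot: The locals `contextEnrichers` and `policyEvaluators` shadow the final fields of the same name, so the unqualified `contextEnrichers.add(contextEnricher)` and `Collections.sort(policyEvaluators)` read differently from the `this.`-qualified assignments a line or two later; renaming them (e.g. `enrichers`, `evaluators`) removes the ambiguity. The old init() debug lines reporting `policies.count` were dropped with that method, and an equivalent entry/exit log in the constructor would keep policy-load counts visible when diagnosing a refresh. The new public getters return the unmodifiable wrappers, which deserves a one-line Javadoc such as `/** Unmodifiable; sorted by the evaluators' natural order ({@code compareTo}); never null. */` on getPolicyEvaluators() and a similar one on getContextEnrichers() and getPolicies().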
@@ -141,19 +156,29 @@ public class RangerPolicyRepository {
return ret;
}
- private RangerPolicyEvaluatorFacade buildPolicyEvaluator(RangerPolicy policy, RangerServiceDef serviceDef) {
+ private RangerPolicyEvaluator buildPolicyEvaluator(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyRepository.buildPolicyEvaluator(" + policy + "," + serviceDef + ")");
+ LOG.debug("==> RangerPolicyRepository.buildPolicyEvaluator(" + policy + "," + serviceDef + ", " + options + ")");
}
- RangerPolicyEvaluatorFacade ret = null;
+ RangerPolicyEvaluator ret = null;
+
+ if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_DEFAULT)) {
+ ret = new RangerDefaultPolicyEvaluator();
+ } else if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED)) {
+ ret = new RangerOptimizedPolicyEvaluator();
+ } else if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED)) {
+ ret = new RangerCachedPolicyEvaluator();
+ } else {
+ ret = new RangerDefaultPolicyEvaluator();
+ }
- ret = new RangerPolicyEvaluatorFacade();
- ret.init(policy, serviceDef);
+ ret.init(policy, serviceDef, options);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyRepository.buildPolicyEvaluator(" + policy + "," + serviceDef + "): " + ret);
}
+
return ret;
}
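Review bot: An unrecognised `options.evaluatorType` silently falls through to `new RangerDefaultPolicyEvaluator()` in the final else, so a typo in the `...policyengine.option.evaluator.type` property changes which evaluator runs with no trace in the logs. Because this method runs once per policy, a single warning at repository construction would be ideal, but at minimum the fallback branch should carry `LOG.warn("unknown evaluatorType '" + options.evaluatorType + "'; using " + RangerPolicyEvaluator.EVALUATOR_TYPE_DEFAULT);`. The exit debug line still omits `options`, unlike the updated entry line; and `options` itself is dereferenced without a null check, which is fine if the repository constructor is the only caller but worth a `@param options non-null` in a Javadoc.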
@@ -164,7 +189,7 @@ public class RangerPolicyRepository {
Boolean value = null;
- synchronized (accessAuditCache) {
+ if (accessAuditCache != null) {
value = accessAuditCache.get(request.getResource().getAsString(getServiceDef()));
}
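Review bot: Replacing `synchronized (accessAuditCache)` with a null check moves the thread-safety guarantee to the `Collections.synchronizedMap` wrapper created in the constructor, which is not visible from this method; a comment such as `// accessAuditCache is a synchronizedMap (null when audit-result caching is disabled); a single get/put needs no extra locking` would stop the next reader from re-adding a lock here or dropping the wrapper there. The same applies to the put in the following hunk. Both enclosing methods start outside their hunks.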
@@ -189,7 +214,7 @@ public class RangerPolicyRepository {
Boolean value = ret.getIsAudited() ? Boolean.TRUE : Boolean.FALSE;
- synchronized(accessAuditCache) {
+ if (accessAuditCache != null) {
accessAuditCache.put(strResource, value);
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 36273eb..85e69f1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -20,10 +20,14 @@
package org.apache.ranger.plugin.policyevaluator;
+import java.util.Map;
+
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator {
@@ -31,10 +35,11 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
private RangerPolicy policy = null;
private RangerServiceDef serviceDef = null;
+ private int evalOrder = 0;
@Override
- public void init(RangerPolicy policy, RangerServiceDef serviceDef) {
+ public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")");
}
@@ -58,6 +63,40 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
}
@Override
+ public int getEvalOrder() {
+ return evalOrder;
+ }
+
+ @Override
+ public int compareTo(RangerPolicyEvaluator other) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAbstractPolicyEvaluator.compareTo()");
+ }
+
+ int result = Integer.compare(this.getEvalOrder(), other.getEvalOrder());
+
+ if (result == 0) {
+ Map<String, RangerConditionEvaluator> myConditionEvaluators = this.getConditionEvaluators();
+ Map<String, RangerConditionEvaluator> otherConditionEvaluators = other.getConditionEvaluators();
+
+ int myConditionEvaluatorCount = myConditionEvaluators == null ? 0 : myConditionEvaluators.size();
+ int otherConditionEvaluatorCount = otherConditionEvaluators == null ? 0 : otherConditionEvaluators.size();
+
+ result = Integer.compare(myConditionEvaluatorCount, otherConditionEvaluatorCount);
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAbstractPolicyEvaluator.compareTo(), result:" + result);
+ }
+
+ return result;
+ }
+
+ public void setEvalOrder(int evalOrder) {
+ this.evalOrder = evalOrder;
+ }
+
+ @Override
public String toString( ) {
StringBuilder sb = new StringBuilder();
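Review bot: `compareTo` now defines the order every repository sorts its evaluators in, but nothing documents the contract: lower `evalOrder` first, ties broken by fewer condition evaluators, and `evalOrder` stays 0 unless a subclass calls `setEvalOrder` during `init` (the optimized evaluator does; the default evaluator's removed `computePolicyEvalOrder` returned 0, so its instances all tie and keep list order). A Javadoc on `compareTo` stating this, and one on `setEvalOrder` noting it must be called before the evaluator is handed to a repository because the sort happens once in the repository constructor, would make the ordering reviewable. `compareTo` also throws NullPointerException for a null `other`, which the Comparable contract permits but which deserves a `@throws NullPointerException if other is null` line.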
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java
index f4db52b..d67777c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java
@@ -24,6 +24,7 @@ import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
public class RangerCachedPolicyEvaluator extends RangerOptimizedPolicyEvaluator {
private static final Log LOG = LogFactory.getLog(RangerCachedPolicyEvaluator.class);
@@ -31,12 +32,12 @@ public class RangerCachedPolicyEvaluator extends RangerOptimizedPolicyEvaluator
private RangerResourceAccessCache cache = null;
@Override
- public void init(RangerPolicy policy, RangerServiceDef serviceDef) {
+ public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerCachedPolicyEvaluator.init()");
}
- super.init(policy, serviceDef);
+ super.init(policy, serviceDef, options);
cache = RangerResourceAccessCacheImpl.getInstance(serviceDef, policy);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 052bb88..b6c98f7 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -45,6 +45,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
@@ -55,18 +56,18 @@ import com.google.common.collect.Sets;
public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator {
private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyEvaluator.class);
- private Map<String, RangerResourceMatcher> matchers = null;
- private Map<String, RangerConditionEvaluator> conditionEvaluators = null;
+ private Map<String, RangerResourceMatcher> matchers;
+ private Map<String, RangerConditionEvaluator> conditionEvaluators;
@Override
- public void init(RangerPolicy policy, RangerServiceDef serviceDef) {
+ public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.init()");
}
preprocessPolicy(policy, serviceDef);
- super.init(policy, serviceDef);
+ super.init(policy, serviceDef, options);
this.matchers = new HashMap<String, RangerResourceMatcher>();
@@ -86,18 +87,22 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
}
}
-
- conditionEvaluators = initializeConditionEvaluators(policy, serviceDef);
+
+ if(options.disableCustomConditions) {
+ conditionEvaluators = Collections.<String, RangerConditionEvaluator>emptyMap();
+ } else {
+ conditionEvaluators = initializeConditionEvaluators(policy, serviceDef);
+ }
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.init()");
}
}
- public Map<String, RangerConditionEvaluator> getConditionEvaluators() {
- return conditionEvaluators;
+ @Override
+ public Map<String, RangerConditionEvaluator> getConditionEvaluators() {
+ return conditionEvaluators;
}
- public int computePolicyEvalOrder() { return 0;}
/**
* Non-private only for testability.
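Review bot: With `options.disableCustomConditions` set, `conditionEvaluators` becomes an empty map, so policy items that carry custom conditions are evaluated as if they had none; whether that widens or narrows access depends on how `evaluate` treats an item whose condition has no evaluator, which is outside this hunk, but an option that changes authorization semantics from configuration deserves an explicit comment. I would add `// disableCustomConditions: custom conditions on policy items are NOT evaluated; verify that evaluate() treats such items as non-matching rather than ignoring the condition` above the if, and a one-time WARN in init when the option is set and the policy actually defines conditions. Dropping `computePolicyEvalOrder` here is consistent with `setEvalOrder` now living in the abstract base.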
@@ -260,7 +265,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
// Go further to evaluate access only if match or head match was found at this point
if (matchResult || headMatchResult) {
- evaluatePolicyItemsForAccess(request, result);
+ evaluatePolicyItemsForAccess(policy, request, result);
}
}
}
@@ -270,12 +275,12 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
}
- protected void evaluatePolicyItemsForAccess(RangerAccessRequest request, RangerAccessResult result) {
+ protected void evaluatePolicyItemsForAccess(RangerPolicy policy, RangerAccessRequest request, RangerAccessResult result) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItemsForAccess(" + request + ", " + result + ")");
}
- for (RangerPolicy.RangerPolicyItem policyItem : getPolicy().getPolicyItems()) {
+ for (RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
boolean isUserGroupMatch = matchUserGroup(policyItem, request.getUser(), request.getUserGroups());
@@ -288,7 +293,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
if (request.isAccessTypeDelegatedAdmin()) {
if (policyItem.getDelegateAdmin()) {
result.setIsAllowed(true);
- result.setPolicyId(getPolicy().getId());
+ result.setPolicyId(policy.getId());
break;
}
continue;
@@ -430,12 +435,27 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
@Override
+ public boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + ")");
+ }
+
+ boolean ret = isAccessAllowed(user, userGroups, accessType) && isMatch(resource);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ @Override
public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
}
- boolean ret = isAccessAllowedNoCustomConditionEval(user, userGroups, accessType) && isMatch(resources);
+ boolean ret = isAccessAllowed(user, userGroups, accessType) && isMatch(resources);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
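Review bot: The new public `isAccessAllowed(RangerAccessResource, ...)` overload and its `Map` sibling are undocumented, and the helper they delegate to was called `isAccessAllowedNoCustomConditionEval` before the rename in the next hunk; the new name `isAccessAllowed` no longer tells a caller that custom conditions are not consulted, which matters if the result feeds grant/revoke or admin checks. A Javadoc on both public overloads such as `/** Checks user/group and access-type match of this policy's items against the resource; custom conditions are NOT evaluated. */` preserves that information. The enclosing class continues outside the hunk.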
@@ -694,59 +714,63 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return ret;
}
- protected boolean isAccessAllowedNoCustomConditionEval(String user, Set<String> userGroups, String accessType) {
+ protected boolean isAccessAllowed(String user, Set<String> userGroups, String accessType) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowedNoCustomConditionEval(" + user + ", " + userGroups + ", " + accessType + ")");
+ LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + ")");
}
boolean ret = false;
- if (StringUtils.isEmpty(accessType)) {
- accessType = RangerPolicyEngine.ANY_ACCESS;
- }
+ RangerPolicy policy = getPolicy();
+
+ if(policy != null) {
+ if (StringUtils.isEmpty(accessType)) {
+ accessType = RangerPolicyEngine.ANY_ACCESS;
+ }
- boolean isAnyAccess = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS);
- boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS);
+ boolean isAnyAccess = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS);
+ boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS);
- for (RangerPolicy.RangerPolicyItem policyItem : getPolicy().getPolicyItems()) {
- if (isAdminAccess) {
- if(! policyItem.getDelegateAdmin()) {
+ for (RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
+ if (isAdminAccess) {
+ if(! policyItem.getDelegateAdmin()) {
+ continue;
+ }
+ } else if (CollectionUtils.isEmpty(policyItem.getAccesses())) {
continue;
- }
- } else if (CollectionUtils.isEmpty(policyItem.getAccesses())) {
- continue;
- } else if (isAnyAccess) {
- boolean accessAllowed = false;
+ } else if (isAnyAccess) {
+ boolean accessAllowed = false;
- for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) {
- if (access.getIsAllowed()) {
- accessAllowed = true;
- break;
+ for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) {
+ if (access.getIsAllowed()) {
+ accessAllowed = true;
+ break;
+ }
}
- }
- if(! accessAllowed) {
- continue;
+ if(! accessAllowed) {
+ continue;
+ }
+ } else {
+ RangerPolicy.RangerPolicyItemAccess access = getAccess(policyItem, accessType);
+ if (access == null || !access.getIsAllowed()) {
+ continue;
+ }
}
- } else {
- RangerPolicy.RangerPolicyItemAccess access = getAccess(policyItem, accessType);
- if (access == null || !access.getIsAllowed()) {
+
+ boolean isUserGroupMatch = matchUserGroup(policyItem, user, userGroups);
+
+ if (!isUserGroupMatch) {
continue;
}
- }
-
- boolean isUserGroupMatch = matchUserGroup(policyItem, user, userGroups);
- if (!isUserGroupMatch) {
- continue;
+ ret = true;
+ break;
}
-
- ret = true;
- break;
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowedNoCustomConditionEval(" + user + ", " + userGroups + ", " + accessType + "): " + ret);
+ LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + ret);
}
return ret;
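Review bot: `accessType` is reassigned to `RangerPolicyEngine.ANY_ACCESS` when empty, so the exit debug line prints the normalised value rather than what the caller passed and the parameter doubles as a local; a separate `String effectiveAccessType = StringUtils.isEmpty(accessType) ? RangerPolicyEngine.ANY_ACCESS : accessType;` keeps the log faithful and the parameter effectively final. The new `policy != null` guard leaves `ret` false, so a not-yet-initialised evaluator fails closed; a short `// no policy: deny` comment on the guard makes that intent explicit. The method's closing brace is outside this hunk.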
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
index 7ddd155..26d5223 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
@@ -20,6 +20,7 @@
package org.apache.ranger.plugin.policyevaluator;
import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy;
@@ -27,6 +28,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import java.util.*;
import java.lang.Math;
@@ -56,12 +58,12 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
private static final int RANGER_POLICY_EVAL_RESERVED_SLOTS_PER_LEVEL_NUMBER = 1000;
@Override
- public void init(RangerPolicy policy, RangerServiceDef serviceDef) {
+ public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerOptimizedPolicyEvaluator.init()");
}
- super.init(policy, serviceDef);
+ super.init(policy, serviceDef, options);
accessPerms = new HashSet<String>();
groups = new HashSet<String>();
@@ -90,15 +92,17 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
hasPublicGroup = true;
}
}
+
+ setEvalOrder(computeEvalOrder());
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerOptimizedPolicyEvaluator.init()");
}
}
- @Override
- public int computePolicyEvalOrder() {
+ public int computeEvalOrder() {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerOptimizedPolicyEvaluator.computePolicyEvalOrder()");
+ LOG.debug("==> RangerOptimizedPolicyEvaluator.computeEvalOrder()");
}
RangerServiceDef serviceDef = getServiceDef();
RangerPolicy policy = getPolicy();
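Review bot: `computeEvalOrder()` lost its `@Override` and became `public` although its only visible caller is `init` in this class; `protected` would suffice and avoids exposing a value that is only meaningful once `init` has populated `accessPerms`, `users` and `groups`. The new call `setEvalOrder(computeEvalOrder());` depends on that ordering (the method uses `accessPerms.size()` in the next hunk), so a comment `// must run after the permission/user/group sets above are populated` on the call line is worth adding. A Javadoc stating that lower values are evaluated first, matching `compareTo` in the abstract base, would also help.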
@@ -193,13 +197,41 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
priorityLevel -= Math.round(((float)RANGER_POLICY_EVAL_ALL_ACCESS_TYPES_PREMIUM * accessPerms.size()) / serviceDef.getAccessTypes().size());
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerOptimizedPolicyEvaluator.computePolicyEvalOrder(), policyName:" + policy.getName() + ", priority:" + priorityLevel);
+ LOG.debug("<== RangerOptimizedPolicyEvaluator.computeEvalOrder(), policyName:" + policy.getName() + ", priority:" + priorityLevel);
}
return priorityLevel;
}
@Override
- protected void evaluatePolicyItemsForAccess(RangerAccessRequest request, RangerAccessResult result) {
+ protected boolean isAccessAllowed(String user, Set<String> userGroups, String accessType) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + ")");
+ }
+
+ boolean ret = false;
+
+ if (hasPublicGroup || users.contains(user) || CollectionUtils.containsAny(groups, userGroups)) {
+ if (StringUtils.isEmpty(accessType)) {
+ accessType = RangerPolicyEngine.ANY_ACCESS;
+ }
+
+ boolean isAnyAccess = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS);
+ boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS);
+
+ if (isAnyAccess || (isAdminAccess && delegateAdmin) || hasAllPerms || accessPerms.contains(accessType)) {
+ ret = super.isAccessAllowed(user, userGroups, accessType);
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ @Override
+ protected void evaluatePolicyItemsForAccess(RangerPolicy policy, RangerAccessRequest request, RangerAccessResult result) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerOptimizedPolicyEvaluator.evaluatePolicyItemsForAccess()");
}
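Review bot: The pre-screen `hasPublicGroup || users.contains(user) || CollectionUtils.containsAny(groups, userGroups)` relies on `userGroups` being non-null; `CollectionUtils.containsAny` dereferences both collections, so if any caller of the interface method passes `null` for a user with no groups this throws rather than returning false. If that is possible, `(userGroups != null && CollectionUtils.containsAny(groups, userGroups))` keeps the method fail-closed. The access-type pre-check on the `if (isAnyAccess || (isAdminAccess && delegateAdmin) || hasAllPerms || ...)` line duplicates the condition used in `evaluatePolicyItemsForAccess` below (`request.isAccessTypeAny() || ...`); a small private helper taking `(isAnyAccess, isAdminAccess, accessType)` would keep the two in step when the aggregated sets change.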
@@ -209,7 +241,7 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
if (request.isAccessTypeAny() || (request.isAccessTypeDelegatedAdmin() && delegateAdmin) || hasAllPerms || accessPerms.contains(request.getAccessType())) {
// No need to reject based on aggregated access permissions
- super.evaluatePolicyItemsForAccess(request, result);
+ super.evaluatePolicyItemsForAccess(policy, request, result);
}
}
if(LOG.isDebugEnabled()) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 18ec248..9fe523a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -23,25 +23,37 @@ package org.apache.ranger.plugin.policyevaluator;
import java.util.Map;
import java.util.Set;
+import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
-public interface RangerPolicyEvaluator {
- void init(RangerPolicy policy, RangerServiceDef serviceDef);
+public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator> {
+ public static final String EVALUATOR_TYPE_DEFAULT = "default";
+ public static final String EVALUATOR_TYPE_OPTIMIZED = "optimized";
+ public static final String EVALUATOR_TYPE_CACHED = "cached";
+
+ void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options);
RangerPolicy getPolicy();
RangerServiceDef getServiceDef();
+ Map<String, RangerConditionEvaluator> getConditionEvaluators();
+
+ int getEvalOrder();
+
void evaluate(RangerAccessRequest request, RangerAccessResult result);
boolean isMatch(RangerAccessResource resource);
boolean isSingleAndExactMatch(RangerAccessResource resource);
+ boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType);
+
boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType);
}
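Review bot: The `public static final` modifiers on the `EVALUATOR_TYPE_*` constants are redundant on interface fields, which are implicitly public, static and final, and the rest of the file omits `public` on its methods; `String EVALUATOR_TYPE_DEFAULT = "default";` matches the surrounding style. The new members `getEvalOrder()`, `getConditionEvaluators()` and the `isAccessAllowed(RangerAccessResource, ...)` overload have no Javadoc; `getEvalOrder` should state that lower values sort first via `compareTo`, and `getConditionEvaluators` whether it may return null (the abstract evaluator's `compareTo` already guards for that).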
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 5c37c7b..203cf5e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -38,18 +38,22 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.PolicyRefresher;
+import org.apache.ranger.plugin.util.ServicePolicies;
public class RangerBasePlugin {
private static final Log LOG = LogFactory.getLog(RangerBasePlugin.class);
- private String serviceType = null;
- private String appId = null;
- private String serviceName = null;
- private PolicyRefresher refresher = null;
- private RangerPolicyEngine policyEngine = null;
+ private String serviceType = null;
+ private String appId = null;
+ private String serviceName = null;
+ private PolicyRefresher refresher = null;
+ private RangerPolicyEngine policyEngine = null;
+ private RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
public RangerBasePlugin(String serviceType, String appId) {
@@ -82,12 +86,6 @@ public class RangerBasePlugin {
}
public void init() {
- RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl();
-
- init(policyEngine);
- }
-
- public void init(RangerPolicyEngine policyEngine) {
cleanup();
RangerConfiguration.getInstance().addResourcesForServiceType(serviceType);
@@ -99,10 +97,21 @@ public class RangerBasePlugin {
serviceName = RangerConfiguration.getInstance().get(propertyPrefix + ".service.name");
+ policyEngineOptions.evaluatorType = RangerConfiguration.getInstance().get(propertyPrefix + ".policyengine.option.evaluator.type", RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED);
+ policyEngineOptions.cacheAuditResults = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", true);
+ policyEngineOptions.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", false);
+ policyEngineOptions.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", false);
+
+
RangerAdminClient admin = createAdminClient(propertyPrefix);
- refresher = new PolicyRefresher(policyEngine, serviceType, appId, serviceName, admin, pollingIntervalMs, cacheDir);
+ refresher = new PolicyRefresher(this, serviceType, appId, serviceName, admin, pollingIntervalMs, cacheDir);
refresher.startRefresher();
+ }
+
+ public void setPolicies(ServicePolicies policies) {
+ RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(policies, policyEngineOptions);
+
this.policyEngine = policyEngine;
}
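Review bot: `setPolicies` is now the path by which the refresher installs a new engine, and `this.policyEngine = policyEngine;` writes a field declared as plain `private RangerPolicyEngine policyEngine = null;` in the first hunk of this file, while request threads read it via `RangerPolicyEngine policyEngine = this.policyEngine;` in the `isAccessAllowed` methods; unless the refresher calls back on the request threads, the field needs `volatile` so a changed or revoked policy set becomes visible promptly (`private volatile RangerPolicyEngine policyEngine = null;`). A null `policies` argument would also propagate into `RangerPolicyRepository`, whose constructor dereferences `servicePolicies` immediately, so a guard such as `if(policies == null) { LOG.warn("setPolicies: null policies; policy engine left unchanged"); return; }` keeps the refresher thread from dying; whether to keep or clear the previous engine in that case is a design decision that deserves a comment. The doubled blank line after the option reads is stray whitespace.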
@@ -140,7 +149,7 @@ public class RangerBasePlugin {
RangerPolicyEngine policyEngine = this.policyEngine;
if(policyEngine != null) {
- enrichRequest(request);
+ enrichRequest(request, policyEngine);
return policyEngine.isAccessAllowed(request);
}
@@ -153,7 +162,7 @@ public class RangerBasePlugin {
RangerPolicyEngine policyEngine = this.policyEngine;
if(policyEngine != null) {
- enrichRequests(requests);
+ enrichRequests(requests, policyEngine);
return policyEngine.isAccessAllowed(requests);
}
@@ -166,7 +175,7 @@ public class RangerBasePlugin {
RangerPolicyEngine policyEngine = this.policyEngine;
if(policyEngine != null) {
- enrichRequest(request);
+ enrichRequest(request, policyEngine);
return policyEngine.isAccessAllowed(request, auditHandler);
}
@@ -179,7 +188,7 @@ public class RangerBasePlugin {
RangerPolicyEngine policyEngine = this.policyEngine;
if(policyEngine != null) {
- enrichRequests(requests);
+ enrichRequests(requests, policyEngine);
return policyEngine.isAccessAllowed(requests, auditHandler);
}
@@ -290,13 +299,12 @@ public class RangerBasePlugin {
return ret;
}
- private void enrichRequest(RangerAccessRequest request) {
- if(request == null) {
+ private void enrichRequest(RangerAccessRequest request, RangerPolicyEngine policyEngine) {
+ if(request == null || policyEngine == null) {
return;
}
- RangerPolicyEngine policyEngine = this.policyEngine;
- List<RangerContextEnricher> enrichers = policyEngine != null ? policyEngine.getContextEnrichers() : null;
+ List<RangerContextEnricher> enrichers = policyEngine.getContextEnrichers();
if(! CollectionUtils.isEmpty(enrichers)) {
for(RangerContextEnricher enricher : enrichers) {
@@ -305,13 +313,12 @@ public class RangerBasePlugin {
}
}
- private void enrichRequests(Collection<RangerAccessRequest> requests) {
- if(CollectionUtils.isEmpty(requests)) {
+ private void enrichRequests(Collection<RangerAccessRequest> requests, RangerPolicyEngine policyEngine) {
+ if(CollectionUtils.isEmpty(requests) || policyEngine == null) {
return;
}
- RangerPolicyEngine policyEngine = this.policyEngine;
- List<RangerContextEnricher> enrichers = policyEngine != null ? policyEngine.getContextEnrichers() : null;
+ List<RangerContextEnricher> enrichers = policyEngine.getContextEnrichers();
if(! CollectionUtils.isEmpty(enrichers)) {
for(RangerContextEnricher enricher : enrichers) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
index 04bc798..36548e4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
@@ -29,7 +29,7 @@ import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.RangerAdminClient;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
@@ -38,24 +38,24 @@ import com.google.gson.GsonBuilder;
public class PolicyRefresher extends Thread {
private static final Log LOG = LogFactory.getLog(PolicyRefresher.class);
- private RangerPolicyEngine policyEngine = null;
- private String serviceType = null;
- private String serviceName = null;
- private RangerAdminClient rangerAdmin = null;
- private long pollingIntervalMs = 30 * 1000;
- private String cacheFile = null;
+ private final RangerBasePlugin plugIn;
+ private final String serviceType;
+ private final String serviceName;
+ private final RangerAdminClient rangerAdmin;
+ private final String cacheFile;
+ private final Gson gson;
- private long lastKnownVersion = -1;
- private Gson gson = null;
+ private long pollingIntervalMs = 30 * 1000;
+ private long lastKnownVersion = -1;
- public PolicyRefresher(RangerPolicyEngine policyEngine, String serviceType, String appId, String serviceName, RangerAdminClient rangerAdmin, long pollingIntervalMs, String cacheDir) {
+ public PolicyRefresher(RangerBasePlugin plugIn, String serviceType, String appId, String serviceName, RangerAdminClient rangerAdmin, long pollingIntervalMs, String cacheDir) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").PolicyRefresher()");
}
- this.policyEngine = policyEngine;
+ this.plugIn = plugIn;
this.serviceType = serviceType;
this.serviceName = serviceName;
this.rangerAdmin = rangerAdmin;
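Review bot: The constructor stores `plugIn` without validating it, while the two call sites disagree on whether it may be null — loadFromCache() (hunk `@@ -196,9 +198,9 @@`) guards with `if(plugIn != null)` but run() (hunk `@@ -167,7 +169,7 @@`) calls `plugIn.setPolicies(svcPolicies)` unguarded. Now that the field is final and assigned once, a null is a caller bug and is better rejected at construction, e.g. `if(plugIn == null) { throw new IllegalArgumentException("plugIn is null"); }` before `this.plugIn = plugIn;`, after which the null check in loadFromCache() can be dropped.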
@@ -71,11 +71,13 @@ public class PolicyRefresher extends Thread {
this.cacheFile = cacheDir == null ? null : (cacheDir + File.separator + cacheFilename);
- try {
- this.gson = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z").setPrettyPrinting().create();
+ Gson gson = null;
+ try {
+ gson = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z").setPrettyPrinting().create();
} catch(Throwable excp) {
LOG.fatal("PolicyRefresher(): failed to create GsonBuilder object", excp);
}
+ this.gson = gson;
if(LOG.isDebugEnabled()) {
LOG.debug("<== PolicyRefresher(serviceName=" + serviceName + ").PolicyRefresher()");
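Review bot: When GsonBuilder construction throws, the constructor logs at fatal level and then proceeds with `this.gson = null`, so any later cache read or write that uses the field will fail with a NullPointerException far from the cause (those methods are outside this hunk; please confirm). Since the refresher cannot persist or load policies without a serializer, fail in the constructor instead: keep the `LOG.fatal` and follow it with `throw new IllegalStateException("PolicyRefresher(): failed to create Gson object", excp);`, which also removes the need for the `gson` local. Catching `Throwable` here is broader than needed; `RuntimeException` would cover what the builder chain can throw and leave Errors to propagate.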
@@ -83,10 +85,10 @@ public class PolicyRefresher extends Thread {
}
/**
- * @return the policyEngine
+ * @return the plugIn
*/
- public RangerPolicyEngine getPolicyEngine() {
- return policyEngine;
+ public RangerBasePlugin getPlugin() {
+ return plugIn;
}
/**
@@ -167,7 +169,7 @@ public class PolicyRefresher extends Thread {
lastKnownVersion = newVersion;
- policyEngine.setPolicies(svcPolicies);
+ plugIn.setPolicies(svcPolicies);
} else {
if(LOG.isDebugEnabled()) {
LOG.debug("PolicyRefresher(serviceName=" + serviceName + ").run(): no update found. lastKnownVersion=" + lastKnownVersion);
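Review bot: `lastKnownVersion = newVersion` is assigned before `plugIn.setPolicies(svcPolicies)`, so if building the new policy engine throws (for example on a malformed policy set) and the surrounding catch, which is outside this hunk, only logs, the refresher records the new version while the plugin keeps authorizing against the previous policies and will not retry until the admin publishes yet another version. Swap the two statements so the version is advanced only after the engine has been replaced: `plugIn.setPolicies(svcPolicies);` followed by `lastKnownVersion = newVersion;`. The cache path in hunk `@@ -218,7 +220,7 @@` has the same ordering, and there the `catch (Exception excp)` that only logs is visible.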
@@ -196,9 +198,9 @@ public class PolicyRefresher extends Thread {
LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").loadFromCache()");
}
- RangerPolicyEngine policyEngine = this.policyEngine;
+ RangerBasePlugin plugIn = this.plugIn;
- if(policyEngine != null) {
+ if(plugIn != null) {
File cacheFile = StringUtils.isEmpty(this.cacheFile) ? null : new File(this.cacheFile);
if(cacheFile != null && cacheFile.isFile() && cacheFile.canRead()) {
@@ -218,7 +220,7 @@ public class PolicyRefresher extends Thread {
lastKnownVersion = policies.getPolicyVersion() == null ? -1 : policies.getPolicyVersion().longValue();
- policyEngine.setPolicies(policies);
+ plugIn.setPolicies(policies);
}
} catch (Exception excp) {
LOG.error("failed to load policies from cache file " + cacheFile.getAbsolutePath(), excp);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
index 37b8e9c..1e34132 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
@@ -32,6 +32,7 @@ import java.util.Set;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.policyengine.TestPolicyDb.PolicyDbTestCase.TestData;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.junit.AfterClass;
import org.junit.BeforeClass;
@@ -77,13 +78,20 @@ public class TestPolicyDb {
assertTrue("invalid input: " + testName, testCase != null && testCase.servicePolicies != null && testCase.tests != null && testCase.servicePolicies.getPolicies() != null);
- RangerPolicyDb policyDb = new RangerPolicyDb(testCase.servicePolicies);
+ RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
+
+ policyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
+ policyEngineOptions.cacheAuditResults = false;
+ policyEngineOptions.disableContextEnrichers = true;
+ policyEngineOptions.disableCustomConditions = true;
+
+ RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testCase.servicePolicies, policyEngineOptions);
for(TestData test : testCase.tests) {
boolean expected = test.result;
if(test.allowedPolicies != null) {
- List<RangerPolicy> allowedPolicies = policyDb.getAllowedPolicies(test.user, test.userGroups, test.accessType);
+ List<RangerPolicy> allowedPolicies = policyEngine.getAllowedPolicies(test.user, test.userGroups, test.accessType);
assertEquals("allowed-policy count mismatch!", test.allowedPolicies.size(), allowedPolicies.size());
@@ -93,7 +101,7 @@ public class TestPolicyDb {
}
assertEquals("allowed-policy list mismatch!", test.allowedPolicies, allowedPolicyIds);
} else {
- boolean result = policyDb.isAccessAllowed(test.resources, test.user, test.userGroups, test.accessType);
+ boolean result = policyEngine.isAccessAllowed(test.resources, test.user, test.userGroups, test.accessType);
assertEquals("isAccessAllowed mismatched! - " + test.name, expected, result);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 7ebd34e..ed67e8e 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -43,13 +43,12 @@ import com.google.gson.JsonParseException;
public class TestPolicyEngine {
- static RangerPolicyEngineImpl policyEngine = null;
- static Gson gsonBuilder = null;
+ static RangerPolicyEngine policyEngine = null;
+ static Gson gsonBuilder = null;
@BeforeClass
public static void setUpBeforeClass() throws Exception {
- policyEngine = new RangerPolicyEngineImpl();
gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
.setPrettyPrinting()
.registerTypeAdapter(RangerAccessRequest.class, new RangerAccessRequestDeserializer())
@@ -101,7 +100,7 @@ public class TestPolicyEngine {
servicePolicies.setServiceDef(testCase.serviceDef);
servicePolicies.setPolicies(testCase.policies);
- policyEngine.setPolicies(servicePolicies);
+ policyEngine = new RangerPolicyEngineImpl(servicePolicies);
for(TestData test : testCase.tests) {
RangerAccessResult expected = test.result;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a93ac46d/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseFactory.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseFactory.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseFactory.java
index 97e70ec..5b5690f 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseFactory.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseFactory.java
@@ -18,8 +18,6 @@
*/
package org.apache.ranger.authorization.hbase;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
// TODO remove this in favor of Guice DI
@@ -27,7 +25,6 @@ public class HbaseFactory {
static final HbaseUserUtils _UserUtils = new HbaseUserUtilsImpl();
static final HbaseAuthUtils _AuthUtils = new HbaseAuthUtilsImpl();
- static final RangerPolicyEngine _PolicyEngine = new RangerPolicyEngineImpl();
static final HbaseFactory _Factory = new HbaseFactory();
/**
* This is a singleton
@@ -48,10 +45,6 @@ public class HbaseFactory {
return _UserUtils;
}
- RangerPolicyEngine getPolicyEngine() {
- return _PolicyEngine;
- }
-
HbaseAuditHandler getAuditHandler() {
return new HbaseAuditHandlerImpl();
}