Repository: ranger Updated Branches: refs/heads/ranger-0.7 607e48845 -> 2c9e6a60a
RANGER-1493: Policy engine updates to support tag-based datamasking and rowfiltering policies Signed-off-by: Madhan Neethiraj <mad...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/2c9e6a60 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/2c9e6a60 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/2c9e6a60 Branch: refs/heads/ranger-0.7 Commit: 2c9e6a60abec28acc40a1db5bf578e63d91e5698 Parents: 607e488 Author: Abhay Kulkarni <akulka...@hortonworks.com> Authored: Thu Mar 30 23:07:49 2017 -0700 Committer: Abhay Kulkarni <akulka...@hortonworks.com> Committed: Thu Jun 8 10:50:38 2017 -0700 ---------------------------------------------------------------------- .../policyengine/PolicyEvaluatorForTag.java | 46 +++ .../plugin/policyengine/RangerAccessResult.java | 1 - .../plugin/policyengine/RangerPolicyEngine.java | 4 + .../policyengine/RangerPolicyEngineImpl.java | 280 ++++++++++++++++--- .../policyengine/RangerPolicyRepository.java | 64 ++++- 5 files changed, 355 insertions(+), 40 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/2c9e6a60/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEvaluatorForTag.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEvaluatorForTag.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEvaluatorForTag.java new file mode 100644 index 0000000..46f8cb0 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEvaluatorForTag.java @@ -0,0 +1,46 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.policyengine; + +import org.apache.ranger.plugin.contextenricher.RangerTagForEval; +import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; + +public class PolicyEvaluatorForTag implements Comparable<PolicyEvaluatorForTag> { + private final RangerPolicyEvaluator evaluator; + private final RangerTagForEval tag; + + PolicyEvaluatorForTag(RangerPolicyEvaluator evaluator, RangerTagForEval tag) { + this.evaluator = evaluator; + this.tag = tag; + } + + RangerPolicyEvaluator getEvaluator() { + return evaluator; + } + + RangerTagForEval getTag() { + return tag; + } + + @Override + public int compareTo(PolicyEvaluatorForTag other) { + return evaluator.getPolicy().getName().compareTo(other.evaluator.getPolicy().getName()); + } +} http://git-wip-us.apache.org/repos/asf/ranger/blob/2c9e6a60/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java index 501a7d1..4dc80aa 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java @@ -62,7 +62,6 @@ public class RangerAccessResult { this.isAuditedDetermined = other.getIsAuditedDetermined(); this.isAudited = other.getIsAudited(); this.auditPolicyId = other.getAuditPolicyId(); - this.evaluatedPoliciesCount += other.getEvaluatedPoliciesCount(); } /** http://git-wip-us.apache.org/repos/asf/ranger/blob/2c9e6a60/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index 06c7d16..b758d69 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -49,6 +49,10 @@ public interface RangerPolicyEngine { RangerAccessResult createAccessResult(RangerAccessRequest request); + RangerDataMaskResult createDataMaskResult(RangerAccessRequest request); + + RangerRowFilterResult createRowFilterResult(RangerAccessRequest request); + void preProcess(RangerAccessRequest request); void preProcess(Collection<RangerAccessRequest> requests); http://git-wip-us.apache.org/repos/asf/ranger/blob/2c9e6a60/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 255baec..a359d01 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -202,6 +202,38 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } @Override + public RangerDataMaskResult createDataMaskResult(RangerAccessRequest request) { + RangerDataMaskResult ret = new RangerDataMaskResult(this.getServiceName(), policyRepository.getServiceDef(), request); + switch (policyRepository.getAuditModeEnum()) { + case AUDIT_ALL: + ret.setIsAudited(true); + break; + case AUDIT_NONE: + ret.setIsAudited(false); + break; + default: + break; + } + return ret; + } + + @Override + public RangerRowFilterResult createRowFilterResult(RangerAccessRequest request) { + RangerRowFilterResult ret = new RangerRowFilterResult(this.getServiceName(), policyRepository.getServiceDef(), request); + switch (policyRepository.getAuditModeEnum()) { + case AUDIT_ALL: + ret.setIsAudited(true); + break; + case AUDIT_NONE: + ret.setIsAudited(false); + break; + default: + break; + } + return ret; + } + + @Override public void preProcess(RangerAccessRequest request) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.preProcess(" + request + ")"); @@ -326,23 +358,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("==> RangerPolicyEngineImpl.evalDataMaskPolicies(" + request + ")"); } - RangerDataMaskResult ret = new RangerDataMaskResult(getServiceName(), getServiceDef(), request); - - if(request != null) { - List<RangerPolicyEvaluator> evaluators = policyRepository.getDataMaskPolicyEvaluators(request.getResource()); - for (RangerPolicyEvaluator evaluator : evaluators) { - evaluator.evaluate(request, ret); - - if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) { - if(!StringUtils.equalsIgnoreCase(ret.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) { - break; - } else { - ret.setMaskType(null); - ret.setIsAccessDetermined(false); - } - } - } - } + RangerDataMaskResult ret = evalDataMaskPoliciesNoAudit(request); // no need to audit if mask is not enabled if(! ret.isMaskEnabled()) { @@ -368,22 +384,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("==> RangerPolicyEngineImpl.evalRowFilterPolicies(" + request + ")"); } - RangerRowFilterResult ret = new RangerRowFilterResult(getServiceName(), getServiceDef(), request); - - if(request != null) { - List<RangerPolicyEvaluator> evaluators = policyRepository.getRowFilterPolicyEvaluators(request.getResource()); - for (RangerPolicyEvaluator evaluator : evaluators) { - evaluator.evaluate(request, ret); - - if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) { - if(StringUtils.isNotEmpty(ret.getFilterExpr())) { - break; - } else { - ret.setIsAccessDetermined(false); - } - } - } - } + RangerRowFilterResult ret = evalRowFilterPoliciesNoAudit(request); // no need to audit if filter is not enabled if(! ret.isRowFilterEnabled()) { @@ -675,7 +676,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators(tagEvalRequest.getResource()); for (RangerPolicyEvaluator evaluator : evaluators) { - tagEvalResult.incrementEvaluatedPoliciesCount(); + result.incrementEvaluatedPoliciesCount(); evaluator.evaluate(tagEvalRequest, tagEvalResult); @@ -697,8 +698,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } if (tagEvalResult.getIsAudited()) { - result.setIsAudited(true); - result.setAuditPolicyId(tagEvalResult.getAuditPolicyId()); + result.setAuditResultFrom(tagEvalResult); } if (!result.getIsAccessDetermined() && tagEvalResult.getIsAccessDetermined()) { @@ -728,6 +728,214 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } } + RangerDataMaskResult evalDataMaskPoliciesNoAudit(RangerAccessRequest request) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.evalDataMaskPoliciesNoAudit(" + request + ")"); + } + + RangerDataMaskResult ret = createDataMaskResult(request); + + if (ret != null && request != null) { + if (hasTagPolicies()) { + evalDataMaskPoliciesForTagPolicies(request, ret); + + if (LOG.isDebugEnabled()) { + if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) { + LOG.debug("RangerPolicyEngineImpl.evalDataMaskPoliciesNoAudit() - access and audit determined by tag policy. No resource policies will be evaluated, request=" + request + ", result=" + ret); + } + } + } + boolean isEvaluatedByTags = ret.getIsAccessDetermined() && ret.getIsAllowed(); + boolean evaluateResourcePolicies = hasResourcePolicies() && (!isEvaluatedByTags || !ret.getIsAuditedDetermined()); + + if (evaluateResourcePolicies) { + boolean findAuditByResource = !ret.getIsAuditedDetermined(); + boolean foundInCache = findAuditByResource && policyRepository.setAuditEnabledFromCache(request, ret); + List<RangerPolicyEvaluator> evaluators = policyRepository.getDataMaskPolicyEvaluators(request.getResource()); + + for (RangerPolicyEvaluator evaluator : evaluators) { + ret.incrementEvaluatedPoliciesCount(); + evaluator.evaluate(request, ret); + + if(ret.getIsAccessDetermined()) { + if (StringUtils.equalsIgnoreCase(ret.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) { + ret.setMaskType(null); + } + + if (ret.getIsAuditedDetermined()) { + break; + } + } + } + + if (findAuditByResource && !foundInCache) { + policyRepository.storeAuditEnabledInCache(request, ret); + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.evalDataMaskPoliciesNoAudit(" + request + "): " + ret); + } + return ret; + } + + protected void evalDataMaskPoliciesForTagPolicies(final RangerAccessRequest request, RangerDataMaskResult result) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.evalDataMaskPoliciesForTagPolicies(" + request + ", " + result + ")"); + } + + List<RangerPolicyEvaluator> tagEvaluators = tagPolicyRepository == null ? null : tagPolicyRepository.getDataMaskPolicyEvaluators(); + + if (CollectionUtils.isNotEmpty(tagEvaluators)) { + Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext()); + List<PolicyEvaluatorForTag> dataMaskEvaluators = tagPolicyRepository.getDataMaskPolicyEvaluators(tags); + + if (CollectionUtils.isNotEmpty(dataMaskEvaluators)) { + for (PolicyEvaluatorForTag dataMaskEvaluator : dataMaskEvaluators) { + RangerPolicyEvaluator evaluator = dataMaskEvaluator.getEvaluator(); + RangerTagForEval tag = dataMaskEvaluator.getTag(); + RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request); + RangerDataMaskResult tagEvalResult = createDataMaskResult(tagEvalRequest); + + tagEvalResult.setAuditResultFrom(result); + tagEvalResult.setAccessResultFrom(result); + + tagEvalResult.setMaskType(result.getMaskType()); + tagEvalResult.setMaskCondition(result.getMaskCondition()); + tagEvalResult.setMaskedValue(result.getMaskedValue()); + + result.incrementEvaluatedPoliciesCount(); + + evaluator.evaluate(tagEvalRequest, tagEvalResult); + + if (tagEvalResult.getIsAudited()) { + result.setAuditResultFrom(tagEvalResult); + } + + if (tagEvalResult.getIsAccessDetermined()) { + result.setAccessResultFrom(tagEvalResult); + result.setMaskType(tagEvalResult.getMaskType()); + result.setMaskCondition(tagEvalResult.getMaskCondition()); + result.setMaskedValue(tagEvalResult.getMaskedValue()); + + if (StringUtils.equalsIgnoreCase(result.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) { + result.setMaskType(null); + } + } + + if (result.getIsAuditedDetermined() && result.getIsAccessDetermined()) { + if (LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyEngineImpl.evalDataMaskPoliciesForTagPolicies: concluding eval of dataMask policies for tags: tag=" + tag.getType() + " with authorization=" + tagEvalResult.getIsAllowed()); + } + break; // Break out of datamask policy-evaluation loop + } + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.evalDataMaskPoliciesForTagPolicies(" + request + ", " + result + ")"); + } + } + + RangerRowFilterResult evalRowFilterPoliciesNoAudit(RangerAccessRequest request) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.evalRowFilterPoliciesNoAudit(" + request + ")"); + } + + RangerRowFilterResult ret = createRowFilterResult(request); + + if (ret != null && request != null) { + if (hasTagPolicies()) { + evalRowFilterPoliciesForTagPolicies(request, ret); + + if (LOG.isDebugEnabled()) { + if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) { + LOG.debug("RangerPolicyEngineImpl.evalRowFilterPoliciesNoAudit() - access and audit determined by tag policy. No resource policies will be evaluated, request=" + request + ", result=" + ret); + } + } + } + boolean isEvaluatedByTags = ret.getIsAccessDetermined() && ret.getIsAllowed(); + boolean evaluateResourcePolicies = hasResourcePolicies() && (!isEvaluatedByTags || !ret.getIsAuditedDetermined()); + + if (evaluateResourcePolicies) { + boolean findAuditByResource = !ret.getIsAuditedDetermined(); + boolean foundInCache = findAuditByResource && policyRepository.setAuditEnabledFromCache(request, ret); + List<RangerPolicyEvaluator> evaluators = policyRepository.getRowFilterPolicyEvaluators(request.getResource()); + + for (RangerPolicyEvaluator evaluator : evaluators) { + ret.incrementEvaluatedPoliciesCount(); + evaluator.evaluate(request, ret); + + if(ret.getIsAuditedDetermined() && ret.getIsAccessDetermined()) { + break; + } + } + + if (findAuditByResource && !foundInCache) { + policyRepository.storeAuditEnabledInCache(request, ret); + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.evalRowFilterPoliciesNoAudit(" + request + "): " + ret); + } + return ret; + } + + protected void evalRowFilterPoliciesForTagPolicies(final RangerAccessRequest request, RangerRowFilterResult result) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.evalRowFilterPoliciesForTagPolicies(" + request + ", " + result + ")"); + } + + List<RangerPolicyEvaluator> tagEvaluators = tagPolicyRepository == null ? null : tagPolicyRepository.getRowFilterPolicyEvaluators(); + + if (CollectionUtils.isNotEmpty(tagEvaluators)) { + Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext()); + List<PolicyEvaluatorForTag> rowFilterEvaluators = tagPolicyRepository.getRowFilterPolicyEvaluators(tags); + + if (CollectionUtils.isNotEmpty(rowFilterEvaluators)) { + for (PolicyEvaluatorForTag rowFilterEvaluator : rowFilterEvaluators) { + RangerPolicyEvaluator evaluator = rowFilterEvaluator.getEvaluator(); + RangerTagForEval tag = rowFilterEvaluator.getTag(); + RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request); + RangerRowFilterResult tagEvalResult = createRowFilterResult(tagEvalRequest); + + tagEvalResult.setAuditResultFrom(result); + tagEvalResult.setAccessResultFrom(result); + + tagEvalResult.setFilterExpr(result.getFilterExpr()); + + result.incrementEvaluatedPoliciesCount(); + + evaluator.evaluate(tagEvalRequest, tagEvalResult); + + if (tagEvalResult.getIsAudited()) { + result.setAuditResultFrom(tagEvalResult); + } + + if (tagEvalResult.getIsAccessDetermined()) { + result.setAccessResultFrom(tagEvalResult); + result.setFilterExpr(tagEvalResult.getFilterExpr()); + } + + if (result.getIsAuditedDetermined() && result.getIsAccessDetermined()) { + if (LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyEngineImpl.evalRowFilterPoliciesForTagPolicies: concluding eval of rowFilter policies for tags: tag=" + tag.getType() + " with authorization=" + tagEvalResult.getIsAllowed()); + } + break; // Break out of rowFilter policy-evaluation loop + } + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.evalRowFilterPoliciesForTagPolicies(" + request + ", " + result + ")"); + } + } + @Override public void reorderPolicyEvaluators() { if (LOG.isDebugEnabled()) { http://git-wip-us.apache.org/repos/asf/ranger/blob/2c9e6a60/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java index 45bb278..28c152b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java @@ -25,7 +25,9 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; import org.apache.ranger.plugin.contextenricher.RangerContextEnricher; +import org.apache.ranger.plugin.contextenricher.RangerTagForEval; import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyevaluator.RangerCachedPolicyEvaluator; import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator; @@ -230,6 +232,10 @@ class RangerPolicyRepository { return dataMaskResourceTrie == null || StringUtils.isEmpty(resourceStr) ? getDataMaskPolicyEvaluators() : getPolicyEvaluators(dataMaskResourceTrie, resource); } + List<PolicyEvaluatorForTag> getDataMaskPolicyEvaluators(Set<RangerTagForEval> tags) { + return getSortedPolicyEvaluatorsForTags(tags, RangerPolicy.POLICY_TYPE_DATAMASK); + } + List<RangerPolicyEvaluator> getRowFilterPolicyEvaluators() { return rowFilterPolicyEvaluators; } @@ -239,6 +245,11 @@ class RangerPolicyRepository { return rowFilterResourceTrie == null || StringUtils.isEmpty(resourceStr) ? getRowFilterPolicyEvaluators() : getPolicyEvaluators(rowFilterResourceTrie, resource); } + + List<PolicyEvaluatorForTag> getRowFilterPolicyEvaluators(Set<RangerTagForEval> tags) { + return getSortedPolicyEvaluatorsForTags(tags, RangerPolicy.POLICY_TYPE_ROWFILTER); + } + AuditModeEnum getAuditModeEnum() { return auditModeEnum; } private List<RangerPolicyEvaluator> getPolicyEvaluators(Map<String, RangerResourceTrie> resourceTrie, RangerAccessResource resource) { @@ -300,6 +311,36 @@ class RangerPolicyRepository { return ret; } + private List<PolicyEvaluatorForTag> getSortedPolicyEvaluatorsForTags(Set<RangerTagForEval> tags, int policyType) { + List<PolicyEvaluatorForTag> ret = null; + + if (CollectionUtils.isNotEmpty(tags) && getServiceDef() != null + && (policyType == RangerPolicy.POLICY_TYPE_ACCESS || policyType == RangerPolicy.POLICY_TYPE_DATAMASK || policyType == RangerPolicy.POLICY_TYPE_ROWFILTER)) { + ret = new ArrayList<PolicyEvaluatorForTag>(); + + for (RangerTagForEval tag : tags) { + RangerAccessResource resource = new RangerTagResource(tag.getType(), getServiceDef()); + List<RangerPolicyEvaluator> evaluators = null; + if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) { + evaluators = getDataMaskPolicyEvaluators(resource); + } else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) { + evaluators = getRowFilterPolicyEvaluators(resource); + } else { + evaluators = getPolicyEvaluators(resource); + } + if (CollectionUtils.isNotEmpty(evaluators)) { + for (RangerPolicyEvaluator evaluator : evaluators) { + ret.add(new PolicyEvaluatorForTag(evaluator, tag)); + } + } + } + } + if (CollectionUtils.isNotEmpty(ret)) { + Collections.sort(ret); + } + return ret; + } + private RangerServiceDef normalizeAccessTypeDefs(RangerServiceDef serviceDef, final String componentType) { if (serviceDef != null && StringUtils.isNotBlank(componentType)) { @@ -391,7 +432,7 @@ class RangerPolicyRepository { } if(policiesToPrune != null) { - rangerPolicies.removeAll(policiesToPrune); + rangerPolicies.removeAll(policiesToPrune); } } @@ -426,7 +467,7 @@ class RangerPolicyRepository { } if(accessesToPrune != null) { - policyItemAccesses.removeAll(accessesToPrune); + policyItemAccesses.removeAll(accessesToPrune); } if (policyItemAccesses.isEmpty() && !policyItem.getDelegateAdmin()) { @@ -435,12 +476,29 @@ class RangerPolicyRepository { } itemsToPrune.add(policyItem); + + continue; + } + } + + if (policyItem instanceof RangerPolicy.RangerDataMaskPolicyItem) { + RangerPolicyItemDataMaskInfo dataMaskInfo = ((RangerPolicy.RangerDataMaskPolicyItem) policyItem).getDataMaskInfo(); + String maskType = dataMaskInfo.getDataMaskType(); + + if (StringUtils.startsWith(maskType, prefix)) { + dataMaskInfo.setDataMaskType(StringUtils.removeStart(maskType, prefix)); + } else if (maskType.contains(AbstractServiceStore.COMPONENT_ACCESSTYPE_SEPARATOR)) { + if (itemsToPrune == null) { + itemsToPrune = new ArrayList<>(); + } + + itemsToPrune.add(policyItem); } } } if(itemsToPrune != null) { - policyItems.removeAll(itemsToPrune); + policyItems.removeAll(itemsToPrune); } }