Repository: ranger Updated Branches: refs/heads/master c57afe812 -> 796883617
http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index cbad651..8051ec3 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -36,8 +36,6 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem; import org.apache.ranger.plugin.model.RangerServiceDef; @@ -45,10 +43,8 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerAccessResult; -import org.apache.ranger.plugin.policyengine.RangerDataMaskResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo; -import org.apache.ranger.plugin.policyengine.RangerRowFilterResult; import org.apache.ranger.plugin.policyengine.RangerTagAccessRequest; import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; @@ -193,7 +189,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } if (!result.getIsAccessDetermined()) { if (hasMatchablePolicyItem(request)) { - evaluatePolicyItems(request, result, matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT); + evaluatePolicyItems(request, matchType, result); } } } @@ -208,104 +204,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } @Override - public void evaluate(RangerAccessRequest request, RangerDataMaskResult result) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")"); - } - - RangerPerfTracer perf = null; - - if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.evaluate(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + "," + perfTag + ")"); - } - - if (request != null && result != null && CollectionUtils.isNotEmpty(dataMaskEvaluators)) { - - if (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined()) { - RangerPolicyResourceMatcher.MatchType matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE; - - final boolean isMatched; - if (request.isAccessTypeAny()) { - isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE; - } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) { - isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT; - } else { - isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR; - } - - if (isMatched) { - if (!result.getIsAuditedDetermined()) { - if (isAuditEnabled()) { - result.setIsAudited(true); - result.setAuditPolicyId(getPolicy().getId()); - } - } - if (!result.getIsAccessDetermined()) { - if (hasMatchablePolicyItem(request)) { - evaluatePolicyItems(request, result); - } - } - } - } - - } - - RangerPerfTracer.log(perf); - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")"); - } - } - - @Override - public void evaluate(RangerAccessRequest request, RangerRowFilterResult result) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")"); - } - - RangerPerfTracer perf = null; - - if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.evaluate(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + "," + perfTag + ")"); - } - - if (request != null && result != null && CollectionUtils.isNotEmpty(rowFilterEvaluators)) { - if (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined()) { - RangerPolicyResourceMatcher.MatchType matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE; - - final boolean isMatched; - if (request.isAccessTypeAny()) { - isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE; - } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) { - isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT; - } else { - isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR; - } - - if (isMatched) { - if (!result.getIsAuditedDetermined()) { - if (isAuditEnabled()) { - result.setIsAudited(true); - result.setAuditPolicyId(getPolicy().getId()); - } - } - if (!result.getIsAccessDetermined()) { - if (hasMatchablePolicyItem(request)) { - evaluatePolicyItems(request, result); - } - } - } - } - } - - RangerPerfTracer.log(perf); - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")"); - } - } - - @Override public boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + resource + ", " + evalContext + ")"); @@ -463,86 +361,19 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } } - - protected void evaluatePolicyItems(RangerAccessRequest request, RangerAccessResult result, boolean isResourceMatch) { + protected void evaluatePolicyItems(RangerAccessRequest request, RangerPolicyResourceMatcher.MatchType matchType, RangerAccessResult result) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")"); + LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + matchType + ")"); } - RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, denyEvaluators, denyExceptionEvaluators); - - if(matchedPolicyItem == null && !result.getIsAllowed()) { // if not denied, evaluate allowItems only if not already allowed - matchedPolicyItem = getMatchingPolicyItem(request, allowEvaluators, allowExceptionEvaluators); - } + RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, result); if(matchedPolicyItem != null) { - RangerPolicy policy = getPolicy(); - - if(matchedPolicyItem.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) { - if(isResourceMatch) { - result.setIsAllowed(false); - result.setPolicyId(policy.getId()); - result.setReason(matchedPolicyItem.getComments()); - } - } else { - if(! result.getIsAllowed()) { // if access is not yet allowed by another policy - result.setIsAllowed(true); - result.setPolicyId(policy.getId()); - result.setReason(matchedPolicyItem.getComments()); - } - } - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")"); - } - } - - protected void evaluatePolicyItems(RangerAccessRequest request, RangerDataMaskResult result) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ")"); - } - - RangerDataMaskPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, dataMaskEvaluators); - RangerPolicyItemDataMaskInfo dataMaskInfo = matchedPolicyItem != null ? matchedPolicyItem.getDataMaskInfo() : null; - - if(dataMaskInfo != null) { - RangerPolicy policy = getPolicy(); - - result.setIsAllowed(true); - result.setIsAccessDetermined(true); - - result.setMaskType(dataMaskInfo.getDataMaskType()); - result.setMaskCondition(dataMaskInfo.getConditionExpr()); - result.setMaskedValue(dataMaskInfo.getValueExpr()); - result.setPolicyId(policy.getId()); + matchedPolicyItem.updateAccessResult(result, matchType, getPolicy().getId()); } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + ")"); - } - } - - protected void evaluatePolicyItems(RangerAccessRequest request, RangerRowFilterResult result) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ")"); - } - - RangerRowFilterPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, rowFilterEvaluators); - RangerPolicyItemRowFilterInfo rowFilterInfo = matchedPolicyItem != null ? matchedPolicyItem.getRowFilterInfo() : null; - - if(rowFilterInfo != null) { - RangerPolicy policy = getPolicy(); - - result.setIsAllowed(true); - result.setIsAccessDetermined(true); - - result.setFilterExpr(rowFilterInfo.getFilterExpr()); - result.setPolicyId(policy.getId()); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + ")"); + LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + matchType + ")"); } } @@ -851,6 +682,38 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator return ret; } + protected RangerPolicyItemEvaluator getMatchingPolicyItem(RangerAccessRequest request, RangerAccessResult result) { + RangerPolicyItemEvaluator ret = null; + + Integer policyType = getPolicy().getPolicyType(); + if (policyType == null) { + policyType = RangerPolicy.POLICY_TYPE_ACCESS; + } + + switch (policyType) { + case RangerPolicy.POLICY_TYPE_ACCESS: { + ret = getMatchingPolicyItem(request, denyEvaluators, denyExceptionEvaluators); + + if(ret == null && !result.getIsAllowed()) { // if not denied, evaluate allowItems only if not already allowed + ret = getMatchingPolicyItem(request, allowEvaluators, allowExceptionEvaluators); + } + break; + } + case RangerPolicy.POLICY_TYPE_DATAMASK: { + ret = getMatchingPolicyItem(request, dataMaskEvaluators); + break; + } + case RangerPolicy.POLICY_TYPE_ROWFILTER: { + ret = getMatchingPolicyItem(request, rowFilterEvaluators); + break; + } + default: + break; + } + + return ret; + } + protected <T extends RangerPolicyItemEvaluator> T getMatchingPolicyItem(RangerAccessRequest request, List<T> evaluators) { T ret = getMatchingPolicyItem(request, evaluators, null); http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java index c763cb5..9564565 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java @@ -38,8 +38,10 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResource; +import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; +import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; import org.apache.ranger.plugin.util.RangerPerfTracer; @@ -347,6 +349,22 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv return ret; } + @Override + public void updateAccessResult(RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType, Long policyId) { + if(getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) { + if(matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT) { + result.setIsAllowed(false); + result.setPolicyId(policyId); + result.setReason(getComments()); + } + } else { + if(! result.getIsAllowed()) { // if access is not yet allowed by another policy + result.setIsAllowed(true); + result.setPolicyId(policyId); + result.setReason(getComments()); + } + } + } RangerPolicyConditionDef getConditionDef(String conditionName) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyItemEvaluator.getConditionDef(" + conditionName + ")"); http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java index 365661b..cacae5a 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java @@ -23,7 +23,9 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo; import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem; import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; +import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; public class RangerDefaultRowFilterPolicyItemEvaluator extends RangerDefaultPolicyItemEvaluator implements RangerRowFilterPolicyItemEvaluator { @@ -39,4 +41,17 @@ public class RangerDefaultRowFilterPolicyItemEvaluator extends RangerDefaultPoli public RangerPolicyItemRowFilterInfo getRowFilterInfo() { return rowFilterPolicyItem == null ? null : rowFilterPolicyItem.getRowFilterInfo(); } + + @Override + public void updateAccessResult(RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType, Long policyId) { + RangerPolicyItemRowFilterInfo rowFilterInfo = getRowFilterInfo(); + + if (rowFilterInfo != null) { + result.setIsAllowed(true); + result.setIsAccessDetermined(true); + + result.setFilterExpr(rowFilterInfo.getFilterExpr()); + result.setPolicyId(policyId); + } + } } http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java index 7165594..7a890b8 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java @@ -31,10 +31,8 @@ import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResource; -import org.apache.ranger.plugin.policyengine.RangerDataMaskResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo; -import org.apache.ranger.plugin.policyengine.RangerRowFilterResult; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator; @@ -71,10 +69,6 @@ public interface RangerPolicyEvaluator extends RangerPolicyResourceEvaluator { void evaluate(RangerAccessRequest request, RangerAccessResult result); - void evaluate(RangerAccessRequest request, RangerDataMaskResult result); - - void evaluate(RangerAccessRequest request, RangerRowFilterResult result); - boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext); boolean isCompleteMatch(RangerAccessResource resource, Map<String, Object> evalContext); http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java index edbde29..e486403 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java @@ -26,6 +26,8 @@ import java.util.Set; import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyengine.RangerAccessResult; +import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; public interface RangerPolicyItemEvaluator { int POLICY_ITEM_TYPE_ALLOW = 0; @@ -63,4 +65,6 @@ public interface RangerPolicyItemEvaluator { return Integer.compare(me.getEvalOrder(), other.getEvalOrder()); } } + void updateAccessResult(RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType, Long policyId); + } http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 4d3731b..aad7834 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -39,12 +39,10 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; -import org.apache.ranger.plugin.policyengine.RangerDataMaskResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo; -import org.apache.ranger.plugin.policyengine.RangerRowFilterResult; import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.PolicyRefresher; @@ -253,7 +251,7 @@ public class RangerBasePlugin { if(policyEngine != null) { policyEngine.preProcess(request); - return policyEngine.isAccessAllowed(request, resultProcessor); + return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor); } return null; @@ -265,31 +263,31 @@ public class RangerBasePlugin { if(policyEngine != null) { policyEngine.preProcess(requests); - return policyEngine.isAccessAllowed(requests, resultProcessor); + return policyEngine.evaluatePolicies(requests, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor); } return null; } - public RangerDataMaskResult evalDataMaskPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) { + public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) { RangerPolicyEngine policyEngine = this.policyEngine; if(policyEngine != null) { policyEngine.preProcess(request); - return policyEngine.evalDataMaskPolicies(request, resultProcessor); + return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, resultProcessor); } return null; } - public RangerRowFilterResult evalRowFilterPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) { + public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) { RangerPolicyEngine policyEngine = this.policyEngine; if(policyEngine != null) { policyEngine.preProcess(request); - return policyEngine.evalRowFilterPolicies(request, resultProcessor); + return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, resultProcessor); } return null; http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index 9b4e3b9..b476ed7 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java @@ -427,7 +427,7 @@ public class TestPolicyEngine { if(test.result != null) { RangerAccessResult expected = test.result; - RangerAccessResult result = policyEngine.isAccessAllowed(request, auditHandler); + RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler); assertNotNull("result was null! - " + test.name, result); assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed()); @@ -436,8 +436,8 @@ public class TestPolicyEngine { } if(test.dataMaskResult != null) { - RangerDataMaskResult expected = test.dataMaskResult; - RangerDataMaskResult result = policyEngine.evalDataMaskPolicies(request, auditHandler); + RangerAccessResult expected = test.dataMaskResult; + RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler); assertNotNull("result was null! - " + test.name, result); assertEquals("maskType mismatched! - " + test.name, expected.getMaskType(), result.getMaskType()); @@ -447,8 +447,8 @@ public class TestPolicyEngine { } if(test.rowFilterResult != null) { - RangerRowFilterResult expected = test.rowFilterResult; - RangerRowFilterResult result = policyEngine.evalRowFilterPolicies(request, auditHandler); + RangerAccessResult expected = test.rowFilterResult; + RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler); assertNotNull("result was null! - " + test.name, result); assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr()); @@ -480,8 +480,8 @@ public class TestPolicyEngine { public String name; public RangerAccessRequest request; public RangerAccessResult result; - public RangerDataMaskResult dataMaskResult; - public RangerRowFilterResult rowFilterResult; + public RangerAccessResult dataMaskResult; + public RangerAccessResult rowFilterResult; public RangerResourceAccessInfo resourceAccessInfo; } http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json b/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json index d3e0c25..e6dbb4d 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json @@ -131,112 +131,112 @@ "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}}, "accessType":"select","user":"user1","userGroups":[],"requestData":"select ssn from employee.personal;' for user1" }, - "dataMaskResult":{"maskType":"MASK","maskCondition":null,"maskValue":null,"policyId":101} + "dataMaskResult":{"additionalInfo": {"maskType":"MASK","maskCondition":null,"maskValue":null},"policyId":101} }, {"name":"'select ssn from employee.personal;' for user2 - maskType=SHUFFLE", "request":{ "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}}, "accessType":"select","user":"user2","userGroups":[],"requestData":"select ssn from employee.personal;' for user2" }, - "dataMaskResult":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null,"policyId":101} + "dataMaskResult":{"additionalInfo":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null},"policyId":101} }, {"name":"'select ssn from employee.personal;' for user3 - no-mask", "request":{ "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}}, "accessType":"select","user":"user3","userGroups":[],"requestData":"select ssn from employee.personal;' for user3" }, - "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1} + "dataMaskResult":{"additionalInfo":{"maskType":null,"maskCondition":null,"maskValue":null},"policyId":-1} }, {"name":"'select name from employee.personal;' for user1 - no-mask", "request":{ "resource":{"elements":{"database":"employee", "table":"personal", "column":"name"}}, "accessType":"select","user":"user1","userGroups":[],"requestData":"select name from employee.personal;' for user1" }, - "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1} + "dataMaskResult":{"additionalInfo":{"maskType":null,"maskCondition":null,"maskValue":null},"policyId":-1} }, {"name":"'select date_of_birth from hr.employee;' for user1 - maskType=MASK", "request":{ "resource":{"elements":{"database":"hr", "table":"employee", "column":"date_of_birth"}}, "accessType":"select","user":"user1","userGroups":[],"requestData":"select date_of_birth from hr.employee;' for user1" }, - "dataMaskResult":{"maskType":"MASK","maskCondition":null,"maskValue":null,"policyId":102} + "dataMaskResult":{"additionalInfo":{"maskType":"MASK","maskCondition":null,"maskValue":null},"policyId":102} }, {"name":"'select date_of_birth from hr.employee;' for user2 - maskType=SHUFFLE", "request":{ "resource":{"elements":{"database":"hr", "table":"employee", "column":"date_of_birth"}}, "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr.employee2;' for user2" }, - "dataMaskResult":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null,"policyId":102} + "dataMaskResult":{"additionalInfo":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null},"policyId":102} }, {"name":"'select date_of_birth1 from hr.employee;' for user1 - no-mask", "request":{ "resource":{"elements":{"database":"hr", "table":"employee", "column":"date_of_birth1"}}, "accessType":"select","user":"user1","userGroups":[],"requestData":"select date_of_birth1 from hr.employee;' for user1" }, - "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1} + "dataMaskResult":{"additionalInfo":{"maskType":null,"maskCondition":null,"maskValue":null},"policyId":-1} }, {"name":"'select date_of_birth from hr2.employee2;' for user2 - no-mask", "request":{ "resource":{"elements":{"database":"hr2", "table":"employee2", "column":"date_of_birth"}}, "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr2.employee2;' for user2" }, - "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1} + "dataMaskResult":{"additionalInfo":{"maskType":null,"maskCondition":null,"maskValue":null},"policyId":-1} }, {"name":"'select ssn from employee.personal;' for user1 - filterExpr=location='US'", "request":{ "resource":{"elements":{"database":"employee", "table":"personal"}}, "accessType":"select","user":"user1","userGroups":[],"requestData":"select ssn from employee.personal;' for user1" }, - "rowFilterResult":{"filterExpr":"location='US'","policyId":201} + "rowFilterResult":{"additionalInfo":{"filterExpr":"location='US'"},"policyId":201} }, {"name":"'select ssn from employee.personal;' for user2 - filterExpr=location='CA'", "request":{ "resource":{"elements":{"database":"employee", "table":"personal"}}, "accessType":"select","user":"user2","userGroups":[],"requestData":"select ssn from employee.personal;' for user2" }, - "rowFilterResult":{"filterExpr":"location='CA'","policyId":201} + "rowFilterResult":{"additionalInfo":{"filterExpr":"location='CA'"},"policyId":201} }, {"name":"'select ssn from employee.personal;' for user3 - no-filter", "request":{ "resource":{"elements":{"database":"employee", "table":"personal"}}, "accessType":"select","user":"user3","userGroups":[],"requestData":"select ssn from employee.personal;' for user3" }, - "rowFilterResult":{"filterExpr":null,"policyId":-1} + "rowFilterResult":{"additionalInfo":{"filterExpr":null},"policyId":-1} }, {"name":"'select name from employee.personal;' for group3 - no-filter", "request":{ "resource":{"elements":{"database":"employee", "table":"personal"}}, "accessType":"select","user":"user5","userGroups":["group3"],"requestData":"select name from employee.personal;' for user5/group3" }, - "rowFilterResult":{"filterExpr":null,"policyId":-1} + "rowFilterResult":{"additionalInfo":{"filterExpr":null},"policyId":-1} }, {"name":"'select date_of_birth from hr.employee;' for user1 - filterExpr=dept='production'", "request":{ "resource":{"elements":{"database":"hr", "table":"employee"}}, "accessType":"select","user":"user1","userGroups":[],"requestData":"select date_of_birth from hr.employee;' for user1" }, - "rowFilterResult":{"filterExpr":"dept='production'","policyId":202} + "rowFilterResult":{"additionalInfo":{"filterExpr":"dept='production'"},"policyId":202} }, {"name":"'select date_of_birth from hr.employee;' for user2 - filterExpr=dept='purchase'", "request":{ "resource":{"elements":{"database":"hr", "table":"employee"}}, "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr.employee2;' for user2" }, - "rowFilterResult":{"filterExpr":"dept='purchase'","policyId":202} + "rowFilterResult":{"additionalInfo":{"filterExpr":"dept='purchase'"},"policyId":202} }, {"name":"'select date_of_birth from hr.employee;' for user3 - no-filter", "request":{ "resource":{"elements":{"database":"hr", "table":"employee"}}, "accessType":"select","user":"user3","userGroups":[],"requestData":"select date_of_birth from hr.employee;' for user3" }, - "rowFilterResult":{"filterExpr":null,"policyId":-1} + "rowFilterResult":{"additionalInfo":{"filterExpr":null},"policyId":-1} }, {"name":"'select date_of_birth from hr2.employee2;' for user2 - no-mask", "request":{ "resource":{"elements":{"database":"hr2", "table":"employee2"}}, "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr2.employee2;' for user2" }, - "rowFilterResult":{"filterExpr":null,"policyId":-1} + "rowFilterResult":{"additionalInfo":{"filterExpr":null},"policyId":-1} } ] } http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json index 6b2863a..73fe540 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json @@ -283,7 +283,7 @@ }, "result":{"isAudited":true,"isAllowed":true,"policyId":2} }, - {"name":"ALLOW 'desc default.table1;' for hive using PII, PII-FINAL tags", + {"name":"DENY 'desc default.table1;' for hive using PII, PII-FINAL tags", "request":{ "resource":{"elements":{"database":"default", "table":"table1"}}, "accessType":"","user":"hive","userGroups":[],"requestData":"desc default.table1;' for hive" http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java index 89bc0d8..ac35d77 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java @@ -28,8 +28,6 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerAccessResult; -import org.apache.ranger.plugin.policyengine.RangerDataMaskResult; -import org.apache.ranger.plugin.policyengine.RangerRowFilterResult; import com.google.common.collect.Lists; @@ -68,25 +66,21 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler { } AuthzAuditEvent createAuditEvent(RangerAccessResult result) { + + AuthzAuditEvent ret = null; + RangerAccessRequest request = result.getAccessRequest(); RangerAccessResource resource = request.getResource(); String resourcePath = resource != null ? resource.getAsString() : null; + int policyType = result.getPolicyType(); - String accessType = null; - - if(result instanceof RangerDataMaskResult) { - accessType = ((RangerDataMaskResult)result).getMaskType(); - - if(StringUtils.equals(accessType, RangerPolicy.MASK_TYPE_NONE)) { - return null; - } - - return createAuditEvent(result, accessType, resourcePath); - } else if(result instanceof RangerRowFilterResult) { - accessType = ACCESS_TYPE_ROWFILTER; - - return createAuditEvent(result, accessType, resourcePath); + if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK && result.isMaskEnabled()) { + ret = createAuditEvent(result, result.getMaskType(), resourcePath); + } else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) { + ret = createAuditEvent(result, ACCESS_TYPE_ROWFILTER, resourcePath); } else { + String accessType = null; + if (request instanceof RangerHiveAccessRequest) { RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest) request; @@ -97,8 +91,10 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler { accessType = request.getAccessType(); } - return createAuditEvent(result, accessType, resourcePath); + ret = createAuditEvent(result, accessType, resourcePath); } + + return ret; } List<AuthzAuditEvent> createAuditEvents(Collection<RangerAccessResult> results) { http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java index c131f02..fa84b13 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java @@ -66,8 +66,6 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef.RangerDataMaskTypeDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResult; -import org.apache.ranger.plugin.policyengine.RangerDataMaskResult; -import org.apache.ranger.plugin.policyengine.RangerRowFilterResult; import org.apache.ranger.plugin.service.RangerBasePlugin; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.RangerAccessRequestUtil; @@ -393,11 +391,11 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { request.setHiveAccessType(HiveAccessType.SELECT); // filtering/masking policies are defined only for SELECT request.setResource(tblResource); - RangerRowFilterResult rowFilterResult = getRowFilterResult(request); + RangerAccessResult rowFilterResult = getRowFilterResult(request); if (isRowFilterEnabled(rowFilterResult)) { if(result == null) { - result = new RangerAccessResult(rowFilterResult.getServiceName(), rowFilterResult.getServiceDef(), request); + result = new RangerAccessResult(RangerPolicy.POLICY_TYPE_ACCESS, rowFilterResult.getServiceName(), rowFilterResult.getServiceDef(), request); } result.setIsAllowed(false); @@ -407,16 +405,16 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { // check if masking is enabled for any column in the table/view request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS); - RangerDataMaskResult dataMaskResult = getDataMaskResult(request); + RangerAccessResult dataMaskResult = getDataMaskResult(request); if (isDataMaskEnabled(dataMaskResult)) { if(result == null) { - result = new RangerAccessResult(dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(), request); + result = new RangerAccessResult(RangerPolicy.POLICY_TYPE_ACCESS, dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(), request); } result.setIsAllowed(false); result.setPolicyId(dataMaskResult.getPolicyId()); - result.setReason("User does not have acces to unmasked column values"); + result.setReason("User does not have access to unmasked column values"); } } @@ -622,12 +620,12 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { return true; // TODO: derive from the policies } - private RangerDataMaskResult getDataMaskResult(RangerHiveAccessRequest request) { + private RangerAccessResult getDataMaskResult(RangerHiveAccessRequest request) { if(LOG.isDebugEnabled()) { LOG.debug("==> getDataMaskResult(request=" + request + ")"); } - RangerDataMaskResult ret = hivePlugin.evalDataMaskPolicies(request, null); + RangerAccessResult ret = hivePlugin.evalDataMaskPolicies(request, null); if(LOG.isDebugEnabled()) { LOG.debug("<== getDataMaskResult(request=" + request + "): ret=" + ret); @@ -636,12 +634,12 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { return ret; } - private RangerRowFilterResult getRowFilterResult(RangerHiveAccessRequest request) { + private RangerAccessResult getRowFilterResult(RangerHiveAccessRequest request) { if(LOG.isDebugEnabled()) { LOG.debug("==> getRowFilterResult(request=" + request + ")"); } - RangerRowFilterResult ret = hivePlugin.evalRowFilterPolicies(request, null); + RangerAccessResult ret = hivePlugin.evalRowFilterPolicies(request, null); if(LOG.isDebugEnabled()) { LOG.debug("<== getRowFilterResult(request=" + request + "): ret=" + ret); @@ -650,11 +648,11 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { return ret; } - private boolean isDataMaskEnabled(RangerDataMaskResult result) { - return result != null && result.isMaskEnabled() && !StringUtils.equalsIgnoreCase(result.getMaskType(), RangerPolicy.MASK_TYPE_NONE); + private boolean isDataMaskEnabled(RangerAccessResult result) { + return result != null && result.isMaskEnabled(); } - private boolean isRowFilterEnabled(RangerRowFilterResult result) { + private boolean isRowFilterEnabled(RangerAccessResult result) { return result != null && result.isRowFilterEnabled() && StringUtils.isNotEmpty(result.getFilterExpr()); } @@ -682,7 +680,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName); RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext, clusterName); - RangerRowFilterResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler); + RangerAccessResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler); if(isRowFilterEnabled(result)) { ret = result.getFilterExpr(); @@ -723,7 +721,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName, columnName); RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext, clusterName); - RangerDataMaskResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler); + RangerAccessResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler); ret = isDataMaskEnabled(result); http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java ---------------------------------------------------------------------- diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java index 8d89794..590c1e7 100644 --- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java +++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java @@ -23,6 +23,7 @@ import com.google.gson.Gson; import com.google.gson.GsonBuilder; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.policyengine.*; import org.apache.ranger.plugin.util.ServicePolicies; @@ -115,7 +116,7 @@ public class PerfTestEngine { policyEvaluationEngine.preProcess(request); - ret = policyEvaluationEngine.isAccessAllowed(request, null); + ret = policyEvaluationEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, null); if (LOG.isDebugEnabled()) { LOG.debug("Executed request = {" + request + "}, result={" + ret + "}"); http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java ---------------------------------------------------------------------- diff --git a/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java b/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java index 6b3fa06..11af0a8 100644 --- a/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java +++ b/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java @@ -32,7 +32,9 @@ import java.util.Set; import java.util.concurrent.CountDownLatch; import org.apache.commons.lang.text.StrSubstitutor; +import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl; import org.apache.ranger.plugin.util.PerfDataRecorder; import org.apache.ranger.plugin.util.PerfDataRecorder.PerfStatistic; @@ -149,7 +151,7 @@ public class RangerPolicyEnginePerformanceTest { for (int iterations = 0; iterations < WARM_UP__ITERATIONS; iterations++) { // using return value of 'isAccessAllowed' with a cheap operation: System#identityHashCode so JIT wont remove it as dead code - System.identityHashCode(rangerPolicyEngine.isAccessAllowed(requests.get(iterations % concurrency), null)); + System.identityHashCode(rangerPolicyEngine.evaluatePolicies(requests.get(iterations % concurrency), RangerPolicy.POLICY_TYPE_ACCESS, null)); PerfDataRecorder.clearStatistics(); } @@ -159,7 +161,7 @@ public class RangerPolicyEnginePerformanceTest { new Thread(new Runnable() { @Override public void run() { - System.identityHashCode(rangerPolicyEngine.isAccessAllowed(rangerAccessRequest, null)); + System.identityHashCode(rangerPolicyEngine.evaluatePolicies(rangerAccessRequest, RangerPolicy.POLICY_TYPE_ACCESS, null)); latch.countDown(); } }, String.format("Client #%s", i)).start(); http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 9d8f5d2..7aee433 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -2353,14 +2353,11 @@ public class ServiceDBStore extends AbstractServiceStore { String policyTypeStr = filter.getParam(SearchFilter.POLICY_TYPE); - List<Integer> policyTypes = new ArrayList<>(); + int[] policyTypes = RangerPolicy.POLICY_TYPES; if (StringUtils.isNotBlank(policyTypeStr)) { - policyTypes.add(Integer.parseInt(policyTypeStr)); - } else { - policyTypes.add(RangerPolicy.POLICY_TYPE_ACCESS); - policyTypes.add(RangerPolicy.POLICY_TYPE_DATAMASK); - policyTypes.add(RangerPolicy.POLICY_TYPE_ROWFILTER); + policyTypes = new int[1]; + policyTypes[0] = Integer.parseInt(policyTypeStr); } for (Integer policyType : policyTypes) {
