Repository: ranger Updated Branches: refs/heads/master aca4c3b54 -> 69f4d32da
RANGER-2009: Improve delegate-admin processing for Ranger policies
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/69f4d32d
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/69f4d32d
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/69f4d32d
Branch: refs/heads/master
Commit: 69f4d32da7c1dc2754147cb673aae0eb044e7779
Parents: aca4c3b
Author: Abhay Kulkarni <akulka...@hortonworks.com>
Authored: Thu Mar 8 11:11:24 2018 -0800
Committer: Abhay Kulkarni <akulka...@hortonworks.com>
Committed: Thu Mar 8 11:11:24 2018 -0800
----------------------------------------------------------------------
.../plugin/policyengine/RangerPolicyEngine.java | 2 +
.../policyengine/RangerPolicyEngineImpl.java | 48 +++++++++++++++++---
.../RangerDefaultPolicyEvaluator.java | 38 +++++++++++++++-
.../policyevaluator/RangerPolicyEvaluator.java | 2 +
.../org/apache/ranger/rest/ServiceREST.java | 29 ++++++------
5 files changed, 96 insertions(+), 23 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/69f4d32d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 189dc2c..313a8a9 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -67,6 +67,8 @@ public interface RangerPolicyEngine {
boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType);
+ boolean isAccessAllowed(RangerPolicy policy, String user, Set<String> userGroups, String accessType);
+
List<RangerPolicy> getExactMatchPolicies(RangerAccessResource resource, Map<String, Object> evalContext);
List<RangerPolicy> getExactMatchPolicies(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext);
http://git-wip-us.apache.org/repos/asf/ranger/blob/69f4d32d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 29ecfa8..5510f6e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -450,13 +450,13 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
/*
- * This API is used by ranger-admin
- */
+ * This API is used by ranger-admin
+ */
@Override
- public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) {
+ public boolean isAccessAllowed(RangerPolicy policy, String user, Set<String> userGroups, String accessType) {
if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
+ LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + policy.getId() + ", " + user + ", " + userGroups + ", " + accessType + ")");
}
boolean ret = false;
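Review bot: The new `isAccessAllowed(RangerPolicy policy, ...)` declaration carries no Javadoc, and its semantics are not the obvious ones: in this commit's RangerDefaultPolicyEvaluator a policy is treated as matching an evaluator when its id equals the evaluator's policy id, independently of the resources it carries, and only otherwise by a resource match. Suggest a Javadoc on the declaration such as `/** Returns true if a policy in this engine grants {@code accessType} to {@code user}/{@code userGroups} and that policy either is {@code policy} itself (same id) or has resources matching {@code policy}'s resources. Used by ranger-admin for delegated-admin checks. */`. The same applies to the parallel declaration added to RangerPolicyEvaluator further down in this commit.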
@@ -468,7 +468,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
- ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType);
+ ret = evaluator.isAccessAllowed(policy, user, userGroups, accessType);
if (ret) {
break;
@@ -478,12 +478,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + policy.getId() + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
}
return ret;
}
-
/*
* This API is used by ranger-admin
*/
@@ -646,6 +645,41 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
/*
+ * This API is used by test-code
+ */
+
+ @Override
+ public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
+ }
+
+ boolean ret = false;
+
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + "," + userGroups + ",accessType=" + accessType + ")");
+ }
+
+ for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
+ ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType);
+
+ if (ret) {
+ break;
+ }
+ }
+
+ RangerPerfTracer.log(perf);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ /*
* This API is used only by test-code
*/
http://git-wip-us.apache.org/repos/asf/ranger/blob/69f4d32d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index ffeea26..55938b1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
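Review bot: The re-added resource-based `isAccessAllowed` is a line-for-line copy of the policy-based overload earlier in this file except for the `evaluator.isAccessAllowed(...)` call, so the perf-tracer setup, the evaluator loop and the entry/exit logging now exist twice and will drift. Both tracers also register under the identical label `"RangerPolicyEngine.isAccessAllowed(user=" + user + ...`, which makes the two overloads indistinguishable in perf logs. Consider moving the shared scaffolding into one private method that each overload calls with its own per-evaluator check, or at least give this tracer a distinct label such as `"RangerPolicyEngine.isAccessAllowed(resources,user=" + user + ...`. The header comment `This API is used by test-code` would also read better aligned with the `only by test-code` wording on the block that follows it.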
@@ -315,6 +315,10 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return ret;
}
+ /*
+ * This is used only by test code
+ */
+
@Override
public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) {
if(LOG.isDebugEnabled()) {
@@ -325,7 +329,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
RangerAccessRequestUtil.setCurrentUserInContext(evalContext, user);
boolean ret = isAccessAllowed(user, userGroups, accessType) && isMatch(resources, evalContext);
-
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
}
@@ -334,6 +338,24 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
@Override
+ public boolean isAccessAllowed(RangerPolicy policy, String user, Set<String> userGroups, String accessType) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + policy.getId() + ", " + user + ", " + userGroups + ", " + accessType + ")");
+ }
+
+ Map<String, Object> evalContext = new HashMap<>();
+ RangerAccessRequestUtil.setCurrentUserInContext(evalContext, user);
+
+ boolean ret = isAccessAllowed(user, userGroups, accessType) && isMatch(policy, evalContext);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + policy.getId() + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ @Override
public void getResourceAccessInfo(RangerAccessRequest request, RangerResourceAccessInfo result) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + request + ", " + result + ")");
@@ -460,6 +482,20 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
}
+ protected boolean isMatch(RangerPolicy policy, Map<String, Object> evalContext) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + policy.getId() + ", " + evalContext + ")");
+ }
+
+ boolean ret = policy.getId() == getId() || isMatch(policy.getResources(), evalContext);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(" + policy.getId() + ", " + evalContext + "): " + ret);
+ }
+
+ return ret;
+ }
+
protected boolean isMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + resources + ", " + evalContext + ")");
http://git-wip-us.apache.org/repos/asf/ranger/blob/69f4d32d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 60b350e..613a001 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
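Review bot: `policy.getId() == getId()` in the new `isMatch(RangerPolicy, ...)` is fragile whichever way the evaluator's `getId()` is typed: if both sides are boxed `Long` (as `RangerPolicy.getId()` appears to be, given it is used unguarded in string concatenation above) this is a reference comparison that only holds for values in the small-integer cache, so for larger ids the shortcut silently never fires; if `getId()` is a primitive `long`, the comparison unboxes `policy.getId()` and throws a NullPointerException for a policy that has no id yet, which is presumably the state of the policy on the createPolicy path. `Objects.equals(policy.getId(), getId())` is null-safe and value-based in both cases. A one-line comment on that line, e.g. `// a policy is matched by its own evaluator regardless of the resources it currently carries`, would also help, since that shortcut is the behavioural change this commit introduces.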
@@ -85,6 +85,8 @@ public interface RangerPolicyEvaluator extends RangerPolicyResourceEvaluator {
boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType);
+ boolean isAccessAllowed(RangerPolicy policy, String user, Set<String> userGroups, String accessType);
+
void getResourceAccessInfo(RangerAccessRequest request, RangerResourceAccessInfo result);
class PolicyEvalOrderComparator implements Comparator<RangerPolicyEvaluator>, Serializable {
http://git-wip-us.apache.org/repos/asf/ranger/blob/69f4d32d/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index cb7ca52..229863e 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1476,7 +1476,7 @@ public class ServiceREST {
RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
validator.validate(policy, Action.CREATE, bizUtil.isAdmin());
- ensureAdminAccess(policy.getService(), policy.getResources());
+ ensureAdminAccess(policy);
ret = svcStore.createPolicy(policy);
}
@@ -1564,7 +1564,7 @@ public class ServiceREST {
RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
validator.validate(policy, Action.UPDATE, bizUtil.isAdmin());
- ensureAdminAccess(policy.getService(), policy.getResources());
+ ensureAdminAccess(policy);
ret = svcStore.updatePolicy(policy);
} catch(WebApplicationException excp) {
@@ -1603,7 +1603,7 @@ public class ServiceREST {
RangerPolicy policy = svcStore.getPolicy(id);
- ensureAdminAccess(policy.getService(), policy.getResources());
+ ensureAdminAccess(policy);
svcStore.deletePolicy(id);
} catch(WebApplicationException excp) {
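Review bot: In the updatePolicy hunk (`@@ -1564`), `ensureAdminAccess(policy)` is now handed the policy exactly as the client submitted it, with its new resources, but the delegated-admin engine's evaluator for the stored policy of that id matches on id alone before it looks at resources (`policy.getId() == getId() || isMatch(policy.getResources(), evalContext)` in RangerDefaultPolicyEvaluator), so the resource-scope check that the previous `ensureAdminAccess(policy.getService(), policy.getResources())` applied to updates no longer constrains which resources an update may set. If a delegated admin of a policy is meant to be able to re-point it at resources outside their delegated scope, that deserves a comment at this call site; if not, the update path should still verify the submitted resources, e.g. by additionally running the resource-based check on `policy.getResources()`, unless `validator.validate(policy, Action.UPDATE, ...)` already restricts resource changes for non-admins, which is not visible from this diff. The createPolicy hunk is presumably unaffected, as a freshly submitted policy has no stored counterpart to match by id.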
@@ -1639,7 +1639,7 @@ public class ServiceREST {
ret = svcStore.getPolicy(id);
if(ret != null) {
- ensureAdminAccess(ret.getService(), ret.getResources());
+ ensureAdminAccess(ret);
}
} catch(WebApplicationException excp) {
throw excp;
@@ -2299,7 +2299,7 @@ public class ServiceREST {
if (rangerPolicy != null) {
try {
validator.validate(rangerPolicy.getId(), Action.DELETE);
- ensureAdminAccess(rangerPolicy.getService(), rangerPolicy.getResources());
+ ensureAdminAccess(rangerPolicy);
svcStore.deletePolicy(rangerPolicy);
totalDeletedPilicies = totalDeletedPilicies + 1;
if (LOG.isDebugEnabled()) {
@@ -2848,7 +2848,7 @@ public class ServiceREST {
try {
policy = svcStore.getPolicyFromEventTime(eventTimeStr, policyId);
if(policy != null) {
- ensureAdminAccess(policy.getService(), policy.getResources());
+ ensureAdminAccess(policy);
}
} catch(WebApplicationException excp) {
throw excp;
@@ -3035,7 +3035,7 @@ public class ServiceREST {
}
for (RangerPolicy policy : listToFilter) {
- if (policyEngine.isAccessAllowed(policy.getResources(), userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS)) {
+ if (policyEngine.isAccessAllowed(policy, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS)) {
ret.add(policy);
}
}
@@ -3050,7 +3050,7 @@ public class ServiceREST {
return ret;
}
- void ensureAdminAccess(String serviceName, Map<String, RangerPolicyResource> resources) {
+ void ensureAdminAccess(RangerPolicy policy) {
boolean isAdmin = bizUtil.isAdmin();
boolean isKeyAdmin = bizUtil.isKeyAdmin();
String userName = bizUtil.getCurrentUserLoginId();
@@ -3058,12 +3058,12 @@ public class ServiceREST {
if(!isAdmin && !isKeyAdmin) {
boolean isAllowed = false;
- RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
+ RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService());
if (policyEngine != null) {
Set<String> userGroups = userMgr.getGroupsForUser(userName);
- isAllowed = hasAdminAccess(serviceName, userName, userGroups, resources);
+ isAllowed = hasAdminAccess(policy, userName, userGroups);
}
if (!isAllowed) {
@@ -3072,7 +3072,7 @@ public class ServiceREST {
}
} else {
- XXService xService = daoManager.getXXService().findByName(serviceName);
+ XXService xService = daoManager.getXXService().findByName(policy.getService());
XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
if (isAdmin) {
@@ -3119,18 +3119,17 @@ public class ServiceREST {
return opts;
}
- private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups, Map<String, RangerPolicyResource> resources) {
+ private boolean hasAdminAccess(RangerPolicy policy, String userName, Set<String> userGroups) {
boolean isAllowed = false;
- RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
+ RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService());
if(policyEngine != null) {
- isAllowed = policyEngine.isAccessAllowed(resources, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
+ isAllowed = policyEngine.isAccessAllowed(policy, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
}
return isAllowed;
}
-
private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups, RangerAccessResource resource) {
boolean isAllowed = false;