This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 3fca183 RANGER-2652: refactor policy-engine - #2 (renames and whitespace updates) 3fca183 is described below commit 3fca183e7bd2212489513ced5fa550fe7259e140 Author: Madhan Neethiraj <mad...@apache.org> AuthorDate: Fri Nov 22 09:03:23 2019 -0800 RANGER-2652: refactor policy-engine - #2 (renames and whitespace updates) --- .../ranger/plugin/policyengine/PolicyEngine.java | 244 ++++++++++++--------- .../policyengine/RangerAccessRequestProcessor.java | 2 - .../policyengine/RangerPolicyEngineImpl.java | 123 ++++++----- .../policyengine/RangerPolicyRepository.java | 198 +++++++++-------- .../RangerAbstractPolicyEvaluator.java | 24 +- .../ranger/plugin/service/RangerAuthContext.java | 19 +- .../ranger/plugin/service/RangerBasePlugin.java | 42 ++-- .../apache/ranger/plugin/util/RangerRolesUtil.java | 36 +-- .../ranger/plugin/policyengine/TestPolicyACLs.java | 4 +- ...ngineCache.java => RangerPolicyAdminCache.java} | 94 ++++---- ...=> RangerPolicyAdminCacheForEngineOptions.java} | 33 +-- .../apache/ranger/biz/RangerPolicyAdminImpl.java | 2 +- .../java/org/apache/ranger/rest/ServiceREST.java | 66 +++--- .../java/org/apache/ranger/biz/TestPolicyDb.java | 7 +- .../org/apache/ranger/rest/TestServiceREST.java | 4 +- 15 files changed, 489 insertions(+), 409 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index b24d37c..f7ca5e8 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -50,39 +50,46 @@ import org.apache.ranger.plugin.util.RangerRoles; import org.apache.ranger.plugin.util.ServicePolicies; public class PolicyEngine { - private static final Log LOG = LogFactory.getLog(PolicyEngine.class); private static final Log PERF_POLICYENGINE_INIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.init"); private static final Log PERF_POLICYENGINE_REBALANCE_LOG = RangerPerfTracer.getPerfLogger("policyengine.rebalance"); - private boolean useForwardedIPAddress; - private String[] trustedProxyAddresses; - - private final RangerPolicyRepository policyRepository; - private final RangerPolicyRepository tagPolicyRepository; - + private final RangerPolicyRepository policyRepository; + private final RangerPolicyRepository tagPolicyRepository; + private final List<RangerContextEnricher> allContextEnrichers; + private final RangerPluginContext pluginContext; private final Map<String, RangerPolicyRepository> zonePolicyRepositories = new HashMap<>(); + private final Map<String, RangerResourceTrie> resourceZoneTrie = new HashMap<>(); + private final Map<String, String> zoneTagServiceMap = new HashMap<>(); + private boolean useForwardedIPAddress; + private String[] trustedProxyAddresses; + private boolean isPreCleaned = false; - private final List<RangerContextEnricher> allContextEnrichers; - - private final Map<String, RangerResourceTrie> resourceZoneTrie = new HashMap<>(); - private final Map<String, String> zoneTagServiceMap = new HashMap<>(); - private final RangerPluginContext pluginContext; - - private boolean isPreCleaned = false; public boolean getUseForwardedIPAddress() { return useForwardedIPAddress; } + public void setUseForwardedIPAddress(boolean useForwardedIPAddress) { + this.useForwardedIPAddress = useForwardedIPAddress; + } + public String[] getTrustedProxyAddresses() { return trustedProxyAddresses; } - public long getRoleVersion() { return this.pluginContext.getAuthContext().getRoleVersion(); } + public void 
setTrustedProxyAddresses(String[] trustedProxyAddresses) { + this.trustedProxyAddresses = trustedProxyAddresses; + } - public void setRangerRoles(RangerRoles rangerRoles) { this.pluginContext.getAuthContext().setRangerRoles(rangerRoles); } + public long getRoleVersion() { return this.pluginContext.getAuthContext().getRoleVersion(); } + + public void setRangerRoles(RangerRoles rangerRoles) { this.pluginContext.getAuthContext().setRangerRoles(rangerRoles); } + + public String getServiceName() { + return policyRepository.getServiceName(); + } public RangerServiceDef getServiceDef() { return policyRepository.getServiceDef(); 
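Review bot: setTrustedProxyAddresses stores the caller's array as-is and getTrustedProxyAddresses returns that same array, so whoever holds either reference can alter the proxy list after the engine has been configured — by its name this list decides which forwarded client addresses are trusted, which makes it worth protecting. Since the commit already relocates both accessors, copying at both ends is a small addition: `this.trustedProxyAddresses = trustedProxyAddresses == null ? null : trustedProxyAddresses.clone();` in the setter and `return trustedProxyAddresses == null ? null : trustedProxyAddresses.clone();` in the getter. Where the array is consumed is outside this hunk, so I cannot confirm whether any caller currently relies on identity.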
@@ -100,34 +107,52 @@ public class PolicyEngine { return tagPolicyRepository; } + public Map<String, RangerPolicyRepository> getZonePolicyRepositories() { return zonePolicyRepositories; } + public List<RangerContextEnricher> getAllContextEnrichers() { return allContextEnrichers; } public RangerPluginContext getPluginContext() { return pluginContext; } @Override - public String toString( ) { - StringBuilder sb = new StringBuilder(); - - sb.append("PolicyEngine={"); - - sb.append("serviceName={").append(this.getServiceName()).append("} "); - sb.append(policyRepository); - - sb.append("}"); - - return sb.toString(); + public String toString() { + return toString(new StringBuilder()).toString(); } @Override protected void finalize() throws Throwable { try { cleanup(); - } - finally { + } finally { super.finalize(); } } + public StringBuilder toString(StringBuilder sb) { + if (sb == null) { + sb = new StringBuilder(); + } + + sb.append("PolicyEngine={"); + + sb.append("serviceName={").append(this.getServiceName()).append("} "); + + sb.append("policyRepository={"); + if (policyRepository != null) { + policyRepository.toString(sb); + } + sb.append("} "); + + sb.append("tagPolicyRepository={"); + if (tagPolicyRepository != null) { + tagPolicyRepository.toString(sb); + } + sb.append("} "); + + sb.append("}"); + + return sb; + } + public boolean compare(PolicyEngine other) { boolean ret; @@ -147,9 +172,11 @@ public class PolicyEngine { if (ret) { ret = Objects.equals(resourceZoneTrie.keySet(), other.resourceZoneTrie.keySet()); + if (ret) { for (Map.Entry<String, RangerResourceTrie> entry : resourceZoneTrie.entrySet()) { ret = entry.getValue().compareSubtree(other.resourceZoneTrie.get(entry.getKey())); + if (!ret) { break; } @@ -163,6 +190,7 @@ public class PolicyEngine { if (ret) { for (Map.Entry<String, RangerPolicyRepository> entry : zonePolicyRepositories.entrySet()) { ret = entry.getValue().compare(other.zonePolicyRepositories.get(entry.getKey())); + if (!ret) { break; } 
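Review bot: The new toString(StringBuilder) calls `this.getServiceName()` before the `if (policyRepository != null)` guard, and getServiceName() (defined in the previous hunk) is `return policyRepository.getServiceName();` — so the null case the guard anticipates would already have thrown an NPE on the serviceName line. Either the guard is unnecessary because policyRepository is always set, or the serviceName append should match it: `sb.append("serviceName={").append(policyRepository != null ? policyRepository.getServiceName() : null).append("} ");`. Separately, the reformatted `finalize()` still drives `cleanup()` from a finalizer; that predates this commit, but a `// TODO: finalize() is deprecated; callers should invoke cleanup() explicitly` would mark it for follow-up.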
@@ -173,49 +201,47 @@ public class PolicyEngine { return ret; } - public void setUseForwardedIPAddress(boolean useForwardedIPAddress) { - this.useForwardedIPAddress = useForwardedIPAddress; - } - - public void setTrustedProxyAddresses(String[] trustedProxyAddresses) { - this.trustedProxyAddresses = trustedProxyAddresses; - } - public List<RangerPolicy> getResourcePolicies(String zoneName) { RangerPolicyRepository zoneResourceRepository = zonePolicyRepositories.get(zoneName); + return zoneResourceRepository == null ? ListUtils.EMPTY_LIST : zoneResourceRepository.getPolicies(); } public RangerAccessResult createAccessResult(RangerAccessRequest request, int policyType) { RangerAccessResult ret = new RangerAccessResult(policyType, getServiceName(), getPolicyRepository().getServiceDef(), request); + switch (getPolicyRepository().getAuditModeEnum()) { case AUDIT_ALL: ret.setIsAudited(true); break; + case AUDIT_NONE: ret.setIsAudited(false); break; + default: if (CollectionUtils.isEmpty(getPolicyRepository().getPolicies()) && getTagPolicyRepository() == null) { ret.setIsAudited(true); } + break; } return ret; } - public PolicyEngine(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext rangerPluginContext, RangerRoles rangerRoles) { - + public PolicyEngine(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext pluginContext, RangerRoles roles) { if (LOG.isDebugEnabled()) { - LOG.debug("==> PolicyEngine(" + appId + ", " + servicePolicies + ", " + options + ", " + rangerPluginContext + ")"); + LOG.debug("==> PolicyEngine(" + appId + ", " + servicePolicies + ", " + options + ", " + pluginContext + ")"); } RangerPerfTracer perf = null; if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.init(appId=" + appId + ",hashCode=" + Integer.toHexString(System.identityHashCode(this)) + 
")"); - long freeMemory = Runtime.getRuntime().freeMemory(); + + long freeMemory = Runtime.getRuntime().freeMemory(); long totalMemory = Runtime.getRuntime().totalMemory(); + PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (totalMemory - freeMemory) + ", Free memory:" + freeMemory); } @@ -223,11 +249,9 @@ public class PolicyEngine { options = new RangerPolicyEngineOptions(); } - this.pluginContext = rangerPluginContext; + this.pluginContext = pluginContext; - RangerAuthContext authContext = new RangerAuthContext(null); - authContext.setRangerRoles(rangerRoles); - this.pluginContext.setAuthContext(authContext); + this.pluginContext.setAuthContext(new RangerAuthContext(null, roles)); if(StringUtils.isBlank(options.evaluatorType) || StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO)) { options.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED; 
@@ -242,21 +266,21 @@ public class PolicyEngine { && !StringUtils.isEmpty(tagPolicies.getServiceName()) && tagPolicies.getServiceDef() != null && !CollectionUtils.isEmpty(tagPolicies.getPolicies())) { - if (LOG.isDebugEnabled()) { LOG.debug("PolicyEngine : Building tag-policy-repository for tag-service " + tagPolicies.getServiceName()); } + tagPolicyRepository = new RangerPolicyRepository(appId, tagPolicies, options, this.pluginContext, servicePolicies.getServiceDef(), servicePolicies.getServiceName()); } else { if (LOG.isDebugEnabled()) { LOG.debug("PolicyEngine : No tag-policy-repository for service " + servicePolicies.getServiceName()); } + tagPolicyRepository = null; } List<RangerContextEnricher> tmpList; - - List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers(); + List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers(); List<RangerContextEnricher> resourceContextEnrichers = policyRepository.getContextEnrichers(); if (CollectionUtils.isEmpty(tagContextEnrichers)) { @@ -265,6 +289,7 @@ public class PolicyEngine { tmpList = tagContextEnrichers; } else { tmpList = new ArrayList<>(tagContextEnrichers); + tmpList.addAll(resourceContextEnrichers); } @@ -272,8 +297,10 @@ public class PolicyEngine { if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) { buildZoneTrie(servicePolicies); + for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> zone : servicePolicies.getSecurityZones().entrySet()) { RangerPolicyRepository policyRepository = new RangerPolicyRepository(appId, servicePolicies, options, this.pluginContext, zone.getKey()); + zonePolicyRepositories.put(zone.getKey(), policyRepository); } } 
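Review bot: The re-aligned line `List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers();` keeps the missing space after the colon; for a whitespace-normalisation commit it should read `... ? null : tagPolicyRepository.getContextEnrichers();`. The same line is re-emitted unchanged in the private copy-constructor hunk (`@@ -704,8 +735,7`) further down. The enclosing constructor starts and ends outside this hunk.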
@@ -281,8 +308,9 @@ public class PolicyEngine { RangerPerfTracer.log(perf); if (PERF_POLICYENGINE_INIT_LOG.isDebugEnabled()) { - long freeMemory = Runtime.getRuntime().freeMemory(); + long freeMemory = Runtime.getRuntime().freeMemory(); long totalMemory = Runtime.getRuntime().totalMemory(); + PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (totalMemory - freeMemory) + ", Free memory:" + freeMemory); } @@ -295,18 +323,17 @@ public class PolicyEngine { if (LOG.isDebugEnabled()) { LOG.debug("==> cloneWithDelta(" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + ", " + servicePolicies.getPolicyVersion() + ")"); } - final PolicyEngine ret; - RangerPerfTracer perf = null; + final PolicyEngine ret; + RangerPerfTracer perf = null; if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.cloneWithDelta()"); } - RangerServiceDef serviceDef = this.getServiceDef(); - String serviceType = (serviceDef != null) ? serviceDef.getName() : ""; - - boolean isValidDeltas = false; + RangerServiceDef serviceDef = this.getServiceDef(); + String serviceType = (serviceDef != null) ? serviceDef.getName() : ""; + boolean isValidDeltas = false; if (CollectionUtils.isNotEmpty(servicePolicies.getPolicyDeltas()) || MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) { isValidDeltas = CollectionUtils.isEmpty(servicePolicies.getPolicyDeltas()) || RangerPolicyDeltaUtil.isValidDeltas(servicePolicies.getPolicyDeltas(), serviceType); @@ -318,6 +345,7 @@ public class PolicyEngine { if (LOG.isDebugEnabled()) { LOG.debug("Invalid policy-deltas for security zone:[" + entry.getKey() + "]"); } + isValidDeltas = false; break; } 
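Review bot: In the cloneWithDelta hunk the entry debug line calls `servicePolicies.getPolicyDeltas().toArray()` unguarded, while the logic a few lines below treats the same value as nullable via `CollectionUtils.isNotEmpty(servicePolicies.getPolicyDeltas())` — with debug logging on, a null delta list would NPE before the null-safe path is reached. Passing the list directly, `LOG.debug("==> cloneWithDelta(" + servicePolicies.getPolicyDeltas() + ", " + servicePolicies.getPolicyVersion() + ")");`, prints the same bracketed form for the usual List implementations and tolerates null. cloneWithDelta's signature is above this hunk and its body continues below it.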
@@ -340,20 +368,13 @@ public class PolicyEngine { return ret; } - public String getServiceName() { - return policyRepository.getServiceName(); - } - - public Map<String, RangerPolicyRepository> getZonePolicyRepositories() { return zonePolicyRepositories; } - public RangerPolicyRepository getRepositoryForMatchedZone(RangerAccessResource resource) { if (LOG.isDebugEnabled()) { LOG.debug("==> PolicyEngine.getRepositoryForMatchedZone(" + resource + ")"); } - String zoneName = getMatchedZoneName(resource); - - final RangerPolicyRepository ret = getRepositoryForZone(zoneName); + String zoneName = getMatchedZoneName(resource); + final RangerPolicyRepository ret = getRepositoryForZone(zoneName); if (LOG.isDebugEnabled()) { LOG.debug("<== PolicyEngine.getRepositoryForMatchedZone(" + resource + ")"); @@ -367,9 +388,8 @@ public class PolicyEngine { LOG.debug("==> PolicyEngine.getRepositoryForMatchedZone(" + policy + ")"); } - String zoneName = policy.getZoneName(); - - final RangerPolicyRepository ret = getRepositoryForZone(zoneName); + String zoneName = policy.getZoneName(); + final RangerPolicyRepository ret = getRepositoryForZone(zoneName); if (LOG.isDebugEnabled()) { LOG.debug("<== PolicyEngine.getRepositoryForMatchedZone(" + policy + ")"); 
@@ -410,28 +430,30 @@ public class PolicyEngine { public boolean isResourceZoneAssociatedWithTagService(String resourceZoneName) { final boolean ret; + if (StringUtils.isNotEmpty(resourceZoneName) && tagPolicyRepository != null && zoneTagServiceMap.get(resourceZoneName) != null) { if (LOG.isDebugEnabled()) { LOG.debug("Accessed resource is in a zone:[" + resourceZoneName + "] which is associated with the tag-service:[" + tagPolicyRepository.getServiceName() + "]"); } + ret = true; } else { ret = false; } + return ret; } public void preCleanup() { - if (LOG.isDebugEnabled()) { LOG.debug("==> PolicyEngine.preCleanup()"); } if (!isPreCleaned) { - if (policyRepository != null) { policyRepository.preCleanup(); } + if (tagPolicyRepository != null) { tagPolicyRepository.preCleanup(); } @@ -441,6 +463,7 @@ public class PolicyEngine { entry.getValue().preCleanup(); } } + isPreCleaned = true; } else { if (LOG.isDebugEnabled()) { @@ -453,10 +476,6 @@ public class PolicyEngine { } } - List<RangerPolicy> getResourcePolicies() { return policyRepository == null ? ListUtils.EMPTY_LIST : policyRepository.getPolicies(); } - - List<RangerPolicy> getTagPolicies() { return tagPolicyRepository == null ? ListUtils.EMPTY_LIST : tagPolicyRepository.getPolicies(); } - private String getMatchedZoneName(Map<String, ?> resource, RangerAccessResource accessResource) { if (LOG.isDebugEnabled()) { LOG.debug("==> PolicyEngine.getMatchedZoneName(" + resource + ", " + accessResource + ")"); 
@@ -465,28 +484,28 @@ public class PolicyEngine { String ret = null; if (MapUtils.isNotEmpty(this.resourceZoneTrie)) { - List<List<RangerZoneResourceMatcher>> zoneMatchersList = null; List<RangerZoneResourceMatcher> smallestList = null; for (Map.Entry<String, ?> entry : resource.entrySet()) { - String resourceDefName = entry.getKey(); - Object resourceValues = entry.getValue(); - - RangerResourceTrie<RangerZoneResourceMatcher> trie = resourceZoneTrie.get(resourceDefName); + String resourceDefName = entry.getKey(); + Object resourceValues = entry.getValue(); + RangerResourceTrie<RangerZoneResourceMatcher> trie = resourceZoneTrie.get(resourceDefName); if (trie == null) { continue; } - List<RangerZoneResourceMatcher> matchedZones = trie.getEvaluatorsForResource(resourceValues); + List<RangerZoneResourceMatcher> matchedZones = trie.getEvaluatorsForResource(resourceValues); if (LOG.isDebugEnabled()) { LOG.debug("ResourceDefName:[" + resourceDefName + "], values:[" + resourceValues + "], matched-zones:[" + matchedZones + "]"); } + if (CollectionUtils.isEmpty(matchedZones)) { // no policies for this resource, bail out zoneMatchersList = null; smallestList = null; + break; } @@ -495,8 +514,10 @@ public class PolicyEngine { } else { if (zoneMatchersList == null) { zoneMatchersList = new ArrayList<>(); + zoneMatchersList.add(smallestList); } + zoneMatchersList.add(matchedZones); if (smallestList.size() > matchedZones.size()) { @@ -505,15 +526,16 @@ public class PolicyEngine { } } if (smallestList != null) { - final List<RangerZoneResourceMatcher> intersection; if (zoneMatchersList != null) { intersection = new ArrayList<>(smallestList); + for (List<RangerZoneResourceMatcher> zoneMatchers : zoneMatchersList) { if (zoneMatchers != smallestList) { // remove zones from intersection that are not in zoneMatchers intersection.retainAll(zoneMatchers); + if (CollectionUtils.isEmpty(intersection)) { // if no zoneMatcher exists, bail out and return empty list break; } 
@@ -534,11 +556,13 @@ public class PolicyEngine { if (LOG.isDebugEnabled()) { LOG.debug("Trying to match resource:[" + accessResource + "] using zoneMatcher:[" + zoneMatcher + "]"); } + // These are potential matches. Try to really match them if (zoneMatcher.getPolicyResourceMatcher().isMatch(accessResource, RangerPolicyResourceMatcher.MatchScope.ANY, null)) { if (LOG.isDebugEnabled()) { LOG.debug("Matched resource:[" + accessResource + "] using zoneMatcher:[" + zoneMatcher + "]"); } + // Actual match happened matchedZoneNames.add(zoneMatcher.getSecurityZoneName()); } else { @@ -547,11 +571,16 @@ public class PolicyEngine { } } } - LOG.info("The following zone-names matched resource:[" + accessResource + "]: " + matchedZoneNames); + + if (LOG.isDebugEnabled()) { + LOG.debug("The following zone-names matched resource:[" + accessResource + "]: " + matchedZoneNames); + } if (matchedZoneNames.size() == 1) { String[] zones = new String[1]; + matchedZoneNames.toArray(zones); + ret = zones[0]; } else { LOG.error("Internal error, multiple zone-names are matched. The following zone-names matched resource:[" + resource + "]: " + matchedZoneNames); @@ -559,14 +588,15 @@ public class PolicyEngine { } } } + if (LOG.isDebugEnabled()) { LOG.debug("<== PolicyEngine.getMatchedZoneName(" + resource + ", " + accessResource + ") : " + ret); } + return ret; } private RangerAccessResource convertToAccessResource(Map<String, ?> resource) { - RangerAccessResourceImpl ret = new RangerAccessResourceImpl(); ret.setServiceDef(getServiceDef()); @@ -579,7 +609,6 @@ public class PolicyEngine { } private RangerPolicyRepository getRepositoryForZone(String zoneName) { - final RangerPolicyRepository ret; if (LOG.isDebugEnabled()) { 
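Review bot: When more than one zone matches, the `else` branch logs "Internal error" but leaves `ret` null, and getRepositoryForMatchedZone (hunk `@@ -340,20`) hands that null to getRepositoryForZone — so an ambiguously zoned resource appears to be evaluated as if it belonged to no zone rather than being rejected; what getRepositoryForZone does with a null zoneName is only partly visible here. For an authorisation decision that silent fallback deserves either a comment stating that it is intended or a fail-closed result, since the caller currently cannot distinguish "no zone" from "ambiguous zone". As a minor style point, the single-match case `String[] zones = new String[1]; matchedZoneNames.toArray(zones); ret = zones[0];` can be `ret = matchedZoneNames.iterator().next();`. getMatchedZoneName begins in the previous hunk.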
@@ -595,29 +624,25 @@ public class PolicyEngine { if (ret == null) { LOG.error("policyRepository for zoneName:[" + zoneName + "], serviceName:[" + getServiceName() + "], policyVersion:[" + getPolicyVersion() + "] is null!! ERROR!"); } + return ret; } private PolicyEngine(final PolicyEngine other, ServicePolicies servicePolicies) { - - long policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion() : -1L; - this.useForwardedIPAddress = other.useForwardedIPAddress; this.trustedProxyAddresses = other.trustedProxyAddresses; + this.pluginContext = other.pluginContext; - this.pluginContext = other.pluginContext; - - List<RangerPolicyDelta> defaultZoneDeltas = new ArrayList<>(); + long policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion() : -1L; + List<RangerPolicyDelta> defaultZoneDeltas = new ArrayList<>(); List<RangerPolicyDelta> defaultZoneDeltasForTagPolicies = new ArrayList<>(); if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) { - buildZoneTrie(servicePolicies); Map<String, List<RangerPolicyDelta>> zoneDeltasMap = new HashMap<>(); for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> zone : servicePolicies.getSecurityZones().entrySet()) { - List<RangerPolicyDelta> deltas = zone.getValue().getPolicyDeltas(); for (RangerPolicyDelta delta : deltas) { @@ -625,10 +650,12 @@ public class PolicyEngine { if (StringUtils.isNotEmpty(zoneName)) { List<RangerPolicyDelta> zoneDeltas = zoneDeltasMap.get(zoneName); + if (zoneDeltas == null) { zoneDeltas = new ArrayList<>(); zoneDeltasMap.put(zoneName, zoneDeltas); } + zoneDeltas.add(delta); } else { LOG.warn("policyDelta : [" + delta + "] does not belong to any zone. Should not have come here."); 
@@ -637,15 +664,15 @@ public class PolicyEngine { } for (Map.Entry<String, List<RangerPolicyDelta>> entry : zoneDeltasMap.entrySet()) { - final String zoneName = entry.getKey(); - List<RangerPolicyDelta> zoneDeltas = entry.getValue(); - - RangerPolicyRepository otherRepository = other.zonePolicyRepositories.get(zoneName); - final RangerPolicyRepository policyRepository; + final String zoneName = entry.getKey(); + final List<RangerPolicyDelta> zoneDeltas = entry.getValue(); + final RangerPolicyRepository otherRepository = other.zonePolicyRepositories.get(zoneName); + final RangerPolicyRepository policyRepository; if (CollectionUtils.isNotEmpty(zoneDeltas)) { if (otherRepository == null) { List<RangerPolicy> policies = new ArrayList<>(); + for (RangerPolicyDelta delta : zoneDeltas) { if (delta.getChangeType() == RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE) { policies.add(delta.getPolicy()); @@ -653,6 +680,7 @@ public class PolicyEngine { LOG.warn("Expected changeType:[" + RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE + "], found policy-change-delta:[" + delta +"]"); } } + servicePolicies.getSecurityZones().get(zoneName).setPolicies(policies); policyRepository = new RangerPolicyRepository(other.policyRepository.getAppId(), servicePolicies, other.policyRepository.getOptions(), this.pluginContext, zoneName); @@ -687,6 +715,7 @@ public class PolicyEngine { if (other.tagPolicyRepository == null) { // Only creates are expected List<RangerPolicy> tagPolicies = new ArrayList<>(); + for (RangerPolicyDelta delta : defaultZoneDeltasForTagPolicies) { if (delta.getChangeType() == RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE) { tagPolicies.add(delta.getPolicy()); 
@@ -694,7 +723,9 @@ public class PolicyEngine { LOG.warn("Expected changeType:[" + RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE + "], found policy-change-delta:[" + delta + "]"); } } + servicePolicies.getTagPolicies().setPolicies(tagPolicies); + this.tagPolicyRepository = new RangerPolicyRepository(other.policyRepository.getAppId(), servicePolicies.getTagPolicies(), other.policyRepository.getOptions(), this.pluginContext, servicePolicies.getServiceDef(), servicePolicies.getServiceName()); } else { this.tagPolicyRepository = new RangerPolicyRepository(other.tagPolicyRepository, defaultZoneDeltasForTagPolicies, policyVersion); @@ -704,8 +735,7 @@ public class PolicyEngine { } List<RangerContextEnricher> tmpList; - - List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers(); + List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers(); List<RangerContextEnricher> resourceContextEnrichers = policyRepository.getContextEnrichers(); if (CollectionUtils.isEmpty(tagContextEnrichers)) { @@ -714,12 +744,13 @@ public class PolicyEngine { tmpList = tagContextEnrichers; } else { tmpList = new ArrayList<>(tagContextEnrichers); + tmpList.addAll(resourceContextEnrichers); } + this.allContextEnrichers = tmpList; reorderPolicyEvaluators(); - } private void buildZoneTrie(ServicePolicies servicePolicies) { @@ -742,7 +773,6 @@ public class PolicyEngine { } for (Map<String, List<String>> resource : zoneDetails.getResources()) { - if (LOG.isDebugEnabled()) { LOG.debug("Building matcher for resource:[" + resource + "] in zone:[" + zoneName +"]"); } 
@@ -750,10 +780,9 @@ public class PolicyEngine { Map<String, RangerPolicy.RangerPolicyResource> policyResources = new HashMap<>(); for (Map.Entry<String, List<String>> entry : resource.entrySet()) { - String resourceDefName = entry.getKey(); - List<String> resourceValues = entry.getValue(); - - RangerPolicy.RangerPolicyResource policyResource = new RangerPolicy.RangerPolicyResource(); + String resourceDefName = entry.getKey(); + List<String> resourceValues = entry.getValue(); + RangerPolicy.RangerPolicyResource policyResource = new RangerPolicy.RangerPolicyResource(); policyResource.setIsExcludes(false); policyResource.setIsRecursive(StringUtils.equals(serviceDef.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HDFS_NAME)); @@ -784,7 +813,6 @@ public class PolicyEngine { for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) { resourceZoneTrie.put(resourceDef.getName(), new RangerResourceTrie<>(resourceDef, matchers)); } - } if (LOG.isDebugEnabled()) { @@ -796,12 +824,14 @@ public class PolicyEngine { if (other != null) { other.setShared(); } + return other; } private void reorderPolicyEvaluators() { if (LOG.isDebugEnabled()) { LOG.debug("==> reorderEvaluators()"); } + RangerPerfTracer perf = null; if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REBALANCE_LOG)) { @@ -823,7 +853,6 @@ public class PolicyEngine { } private void cleanup() { - if (LOG.isDebugEnabled()) { LOG.debug("==> PolicyEngine.cleanup()"); } @@ -833,11 +862,13 @@ public class PolicyEngine { if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.cleanUp(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + ")"); } + preCleanup(); if (policyRepository != null) { policyRepository.cleanup(); } + if (tagPolicyRepository != null) { tagPolicyRepository.cleanup(); } 
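Review bot: The re-aligned `policyResource.setIsRecursive(StringUtils.equals(serviceDef.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HDFS_NAME));` special-cases one service type with no explanation, and the reason is not recoverable from this hunk. A why-comment on that line — e.g. `// zone resources are treated as recursive only for HDFS; <state the reason>` — would spare the next reader from guessing; I cannot confirm the reason here, so it is for the author to fill in. buildZoneTrie begins before this hunk.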
@@ -854,6 +885,5 @@ public class PolicyEngine { LOG.debug("<== PolicyEngine.cleanup()"); } } - }
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestProcessor.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestProcessor.java
index a683699..a213b36 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestProcessor.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestProcessor.java
@@ -20,9 +20,7 @@ package org.apache.ranger.plugin.policyengine; public interface RangerAccessRequestProcessor { - void preProcess(RangerAccessRequest request); default void enrich(RangerAccessRequest request) {} - }
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index afe6683..5709fd8 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -20,6 +20,7 @@ package org.apache.ranger.plugin.policyengine;
 import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.ListUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -57,22 +58,27 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { private final PolicyEngine policyEngine; private final RangerAccessRequestProcessor requestProcessor; + static public RangerPolicyEngine getPolicyEngine(final RangerPolicyEngineImpl other, final ServicePolicies servicePolicies) { RangerPolicyEngine ret = null; if (other != null && servicePolicies != null) { PolicyEngine policyEngine = other.policyEngine.cloneWithDelta(servicePolicies); + if (policyEngine != null) { ret = new RangerPolicyEngineImpl(policyEngine); } } + return ret; } - public RangerPolicyEngineImpl(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext rangerPluginContext, RangerRoles rangerRoles) { - policyEngine = new PolicyEngine(appId, servicePolicies, options, rangerPluginContext, rangerRoles); - policyEngine.getPluginContext().getAuthContext().setRangerRoles(rangerRoles); - this.requestProcessor = new RangerDefaultRequestProcessor(policyEngine); + public RangerPolicyEngineImpl(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext pluginContext, RangerRoles roles) { + policyEngine = new PolicyEngine(appId, servicePolicies, options, pluginContext, roles); + + policyEngine.getPluginContext().getAuthContext().setRangerRoles(roles); + + requestProcessor = new RangerDefaultRequestProcessor(policyEngine); } @Override 
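Review bot: In the new constructor, `policyEngine.getPluginContext().getAuthContext().setRangerRoles(roles);` appears redundant: the PolicyEngine constructor in this same commit now does `this.pluginContext.setAuthContext(new RangerAuthContext(null, roles));`, so the roles are already installed when control returns — assuming the new two-argument RangerAuthContext constructor stores them (RangerAuthContext.java is in the diffstat but not in this chunk). If the repeat is deliberate it should say why; otherwise drop it. On style, the context line `static public RangerPolicyEngine getPolicyEngine(...)` uses a non-canonical modifier order; `public static` is the order the JLS recommends.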
@@ -85,22 +91,27 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.evaluatePolicies(" + request + ", policyType=" + policyType + ")"); } + RangerPerfTracer perf = null; if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) { String requestHashCode = Integer.toHexString(System.identityHashCode(request)) + "_" + policyType; + perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.evaluatePolicies(requestHashCode=" + requestHashCode + ")"); + LOG.info("RangerPolicyEngineImpl.evaluatePolicies(" + requestHashCode + ", " + request + ")"); } + requestProcessor.preProcess(request); RangerAccessResult ret = zoneAwareAccessEvaluationWithNoAudit(request, policyType); if (resultProcessor != null) { - RangerPerfTracer perfAuditTracer = null; + if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_AUDIT_LOG)) { String requestHashCode = Integer.toHexString(System.identityHashCode(request)) + "_" + policyType; + perfAuditTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_AUDIT_LOG, "RangerPolicyEngine.processAudit(requestHashCode=" + requestHashCode + ")"); } @@ -154,7 +165,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } RangerResourceACLs ret = new RangerResourceACLs(); - RangerPerfTracer perf = null; if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_GET_ACLS_LOG)) { 
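Review bot: The commit demotes the matched-zone message in getMatchedZoneName from LOG.info to LOG.debug but leaves the context line `LOG.info("RangerPolicyEngineImpl.evaluatePolicies(" + requestHashCode + ", " + request + ")");` in evaluatePolicies, which prints the full request on every evaluation whenever perf tracing is enabled. For consistency and log volume it would fit better as `LOG.debug(...)` under the same perf-tracer guard, or on the perf logger itself, since it exists only to correlate with the tracer's requestHashCode. evaluatePolicies begins before this hunk and continues past it.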
@@ -180,13 +190,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { if (matchedRepository == null) { LOG.error("policyRepository for zoneName:[" + zoneName + "], serviceName:[" + policyEngine.getPolicyRepository().getServiceName() + "], policyVersion:[" + getPolicyVersion() + "] is null!! ERROR!"); } else { - - List<RangerPolicyEvaluator> allEvaluators = new ArrayList<>(); - Map<Long, RangerPolicyResourceMatcher.MatchType> tagMatchTypeMap = null; - Set<Long> policyIdForTemporalTags = null; - - Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext()); - List<PolicyEvaluatorForTag> tagPolicyEvaluators = policyEngine.getTagPolicyRepository() == null ? null : policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(tags, RangerPolicy.POLICY_TYPE_ACCESS, null); + List<RangerPolicyEvaluator> allEvaluators = new ArrayList<>(); + Map<Long, RangerPolicyResourceMatcher.MatchType> tagMatchTypeMap = null; + Set<Long> policyIdForTemporalTags = null; + Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext()); + List<PolicyEvaluatorForTag> tagPolicyEvaluators = policyEngine.getTagPolicyRepository() == null ? null : policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(tags, RangerPolicy.POLICY_TYPE_ACCESS, null); if (CollectionUtils.isNotEmpty(tagPolicyEvaluators)) { tagMatchTypeMap = new HashMap<>(); 
@@ -194,13 +202,15 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { final boolean useTagPoliciesFromDefaultZone = !policyEngine.isResourceZoneAssociatedWithTagService(zoneName); for (PolicyEvaluatorForTag tagEvaluator : tagPolicyEvaluators) { - RangerPolicyEvaluator evaluator = tagEvaluator.getEvaluator(); - String policyZoneName = evaluator.getPolicy().getZoneName(); + RangerPolicyEvaluator evaluator = tagEvaluator.getEvaluator(); + String policyZoneName = evaluator.getPolicy().getZoneName(); + if (useTagPoliciesFromDefaultZone) { if (StringUtils.isNotEmpty(policyZoneName)) { if (LOG.isDebugEnabled()) { LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to default zone. Not evaluating this policy:[" + evaluator.getPolicy() + "]"); } + continue; } } else { @@ -208,9 +218,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { if (LOG.isDebugEnabled()) { LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to the zone:[" + zoneName + "] of the accessed resource. Not evaluating this policy:[" + evaluator.getPolicy() + "]"); } + continue; } } + RangerTagForEval tag = tagEvaluator.getTag(); allEvaluators.add(evaluator); @@ -267,10 +279,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary(); if (aclSummary != null) { - boolean isConditional = (policyIdForTemporalTags != null && policyIdForTemporalTags.contains(evaluator.getId())) || evaluator.getValidityScheduleEvaluatorsCount() != 0; - Integer accessResult; + for (Map.Entry<String, Map<String, PolicyACLSummary.AccessResult>> userAccessInfo : aclSummary.getUsersAccessInfo().entrySet()) { final String userName = userAccessInfo.getKey(); 
@@ -279,11 +290,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { accessResult = ACCESS_CONDITIONAL; } else { accessResult = accessInfo.getValue().getResult(); + if (accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) { accessResult = RangerPolicyEvaluator.ACCESS_DENIED; } } + RangerPolicy policy = evaluator.getPolicy(); + ret.setUserAccessInfo(userName, accessInfo.getKey(), accessResult, policy); } } @@ -296,11 +310,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { accessResult = ACCESS_CONDITIONAL; } else { accessResult = accessInfo.getValue().getResult(); + if (accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) { accessResult = RangerPolicyEvaluator.ACCESS_DENIED; } } + RangerPolicy policy = evaluator.getPolicy(); + ret.setGroupAccessInfo(groupName, accessInfo.getKey(), accessResult, policy); } } @@ -313,11 +330,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { accessResult = ACCESS_CONDITIONAL; } else { accessResult = accessInfo.getValue().getResult(); + if (accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) { accessResult = RangerPolicyEvaluator.ACCESS_DENIED; } } + RangerPolicy policy = evaluator.getPolicy(); + ret.setRoleAccessInfo(roleName, accessInfo.getKey(), accessResult, policy); } } @@ -346,9 +366,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { requestProcessor.preProcess(request); - RangerResourceAccessInfo ret = new RangerResourceAccessInfo(request); - - String zoneName = policyEngine.getMatchedZoneName(request.getResource()); + RangerResourceAccessInfo ret = new RangerResourceAccessInfo(request); + String zoneName = policyEngine.getMatchedZoneName(request.getResource()); if (LOG.isDebugEnabled()) { LOG.debug("zoneName:[" + zoneName + "]"); 
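Review bot: The three blocks that map `ACCESS_UNDETERMINED` to `ACCESS_DENIED` for users, groups and roles are byte-identical copies, and the fail-closed rule they encode should live in exactly one place so it cannot drift in one of the three. A private helper that derives the effective result from the conditional flag and the per-access `AccessResult` would leave the loops differing only in which `ret.set*AccessInfo` they call (the condition preceding each `else` is outside the hunk; I assume it is `isConditional`). The enclosing getResourceACLs method starts before and ends after these hunks.
```java
// Effective ACL outcome for one (principal, access) pair: conditional policies stay
// conditional, and an undetermined result is never surfaced as anything but a denial.
private static Integer toEffectiveResult(boolean isConditional, PolicyACLSummary.AccessResult accessInfo) {
    if (isConditional) {
        return ACCESS_CONDITIONAL;
    }

    Integer accessResult = accessInfo.getResult();

    return accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED) ? RangerPolicyEvaluator.ACCESS_DENIED : accessResult;
}

// … unchanged: user/group/role loops, each now calling e.g.
//     ret.setUserAccessInfo(userName, accessInfo.getKey(), toEffectiveResult(isConditional, accessInfo.getValue()), policy); …
```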
@@ -365,29 +384,27 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { if (matchedRepository == null) { LOG.error("policyRepository for zoneName:[" + zoneName + "], serviceName:[" + policyEngine.getPolicyRepository().getServiceName() + "], policyVersion:[" + getPolicyVersion() + "] is null!! ERROR!"); } else { - List<RangerPolicyEvaluator> tagPolicyEvaluators = policyEngine.getTagPolicyRepository() == null ? null : policyEngine.getTagPolicyRepository().getPolicyEvaluators(); if (CollectionUtils.isNotEmpty(tagPolicyEvaluators)) { - Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext()); if (CollectionUtils.isNotEmpty(tags)) { - final boolean useTagPoliciesFromDefaultZone = !policyEngine.isResourceZoneAssociatedWithTagService(zoneName); for (RangerTagForEval tag : tags) { - RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, policyEngine.getTagPolicyRepository().getServiceDef(), request); - - List<RangerPolicyEvaluator> evaluators = policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(tagEvalRequest.getResource(), RangerPolicy.POLICY_TYPE_ACCESS); + RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, policyEngine.getTagPolicyRepository().getServiceDef(), request); + List<RangerPolicyEvaluator> evaluators = policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(tagEvalRequest.getResource(), RangerPolicy.POLICY_TYPE_ACCESS); for (RangerPolicyEvaluator evaluator : evaluators) { String policyZoneName = evaluator.getPolicy().getZoneName(); + if (useTagPoliciesFromDefaultZone) { if (StringUtils.isNotEmpty(policyZoneName)) { if (LOG.isDebugEnabled()) { LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to default zone. Not evaluating this policy:[" + evaluator.getPolicy() + "]"); } + continue; } } else { 
@@ -395,9 +412,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { if (LOG.isDebugEnabled()) { LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to the zone:[" + zoneName + "] of the accessed resource. Not evaluating this policy:[" + evaluator.getPolicy() + "]"); } + continue; } } + evaluator.getResourceAccessInfo(tagEvalRequest, ret); } } @@ -478,19 +497,25 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { @Override public List<RangerPolicy> getResourcePolicies() { - return policyEngine.getResourcePolicies(); + RangerPolicyRepository policyRepository = policyEngine.getPolicyRepository(); + + return policyRepository == null ? ListUtils.EMPTY_LIST : policyRepository.getPolicies(); } @Override public List<RangerPolicy> getTagPolicies() { - return policyEngine.getTagPolicies(); + RangerPolicyRepository tagPolicyRepository = policyEngine.getTagPolicyRepository(); + + return tagPolicyRepository == null ? ListUtils.EMPTY_LIST : tagPolicyRepository.getPolicies(); } public void releaseResources() { if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.releaseResources()"); } + PolicyEngine policyEngine = this.policyEngine; + if (policyEngine != null) { policyEngine.preCleanup(); } else { @@ -498,6 +523,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("Cannot preCleanup policy-engine as it is null!"); } } + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl.releaseResources()"); } @@ -508,7 +534,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } private RangerPolicyEngineImpl(final PolicyEngine policyEngine) { - this.policyEngine = policyEngine; + this.policyEngine = policyEngine; this.requestProcessor = new RangerDefaultRequestProcessor(policyEngine); } 
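Review bot: `getResourcePolicies` and `getTagPolicies` now return the raw `ListUtils.EMPTY_LIST`, an unparameterised `List` that only compiles through an unchecked conversion to `List<RangerPolicy>`; `Collections.emptyList()` yields the same immutable empty list with the element type inferred and is a JDK name, so it adds no dependency (a one-line `java.util.Collections` import if the file lacks it). In the non-null branch both methods hand out `policyRepository.getPolicies()` directly, so a caller can mutate the engine's live policy list unless `getPolicies()` already wraps it — worth confirming in RangerPolicyRepository, which this hunk does not show.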
@@ -517,13 +543,10 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("==> RangerPolicyEngineImpl.zoneAwareAccessEvaluationWithNoAudit(" + request + ", policyType =" + policyType + ")"); } - RangerAccessResult ret = null; - - RangerPolicyRepository policyRepository = policyEngine.getPolicyRepository(); + RangerAccessResult ret = null; + RangerPolicyRepository policyRepository = policyEngine.getPolicyRepository(); RangerPolicyRepository tagPolicyRepository = policyEngine.getTagPolicyRepository(); - - // Evaluate zone-name from request - String zoneName = policyEngine.getMatchedZoneName(request.getResource()); + String zoneName = policyEngine.getMatchedZoneName(request.getResource()); // Evaluate zone-name from request if (LOG.isDebugEnabled()) { LOG.debug("zoneName:[" + zoneName + "]"); @@ -536,15 +559,17 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.error("policyRepository for zoneName:[" + zoneName + "], serviceName:[" + policyEngine.getPolicyRepository().getServiceName() + "], policyVersion:[" + getPolicyVersion() + "] is null!! ERROR!"); } } + if (policyRepository != null) { ret = evaluatePoliciesNoAudit(request, policyType, zoneName, policyRepository, tagPolicyRepository); + ret.setZoneName(zoneName); } - if (LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl.zoneAwareAccessEvaluationWithNoAudit(" + request + ", policyType =" + policyType + "): " + ret); } + return ret; } 
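Review bot: When the resource resolves to a zone whose repository lookup yields null, the method logs an error and returns `ret == null` instead of a decision, so nothing is audited for that request and every caller has to remember that null means deny; how `evaluatePolicies` treats a null result before handing it to `resultProcessor` is not visible here. Authorization paths should fail closed explicitly rather than through a null. In that branch build `ret = policyEngine.createAccessResult(request, policyType)` and mark it denied with a reason (assuming RangerAccessResult exposes the setters), so a missing zone repository produces a denied, auditable result.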
@@ -553,9 +578,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("==> RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ")"); } - Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date(); - RangerAccessResult ret = policyEngine.createAccessResult(request, policyType); - + Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date(); + RangerAccessResult ret = policyEngine.createAccessResult(request, policyType); evaluateTagPolicies(request, policyType, zoneName, tagPolicyRepository, ret); @@ -575,7 +599,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { if (evaluateResourcePolicies) { boolean findAuditByResource = !ret.getIsAuditedDetermined(); - boolean foundInCache = findAuditByResource && policyRepository.setAuditEnabledFromCache(request, ret); + boolean foundInCache = findAuditByResource && policyRepository.setAuditEnabledFromCache(request, ret); ret.setIsAccessDetermined(false); // discard result by tag-policies, to evaluate resource policies for possible override 
@@ -640,24 +664,23 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("==> RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ", " + result + ")"); } - Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date(); - - Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext()); - + Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date(); + Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext()); List<PolicyEvaluatorForTag> policyEvaluators = tagPolicyRepository == null ? null : tagPolicyRepository.getLikelyMatchPolicyEvaluators(tags, policyType, accessTime); if (CollectionUtils.isNotEmpty(policyEvaluators)) { final boolean useTagPoliciesFromDefaultZone = !policyEngine.isResourceZoneAssociatedWithTagService(zoneName); for (PolicyEvaluatorForTag policyEvaluator : policyEvaluators) { - RangerPolicyEvaluator evaluator = policyEvaluator.getEvaluator(); + RangerPolicyEvaluator evaluator = policyEvaluator.getEvaluator(); + String policyZoneName = evaluator.getPolicy().getZoneName(); - String policyZoneName = evaluator.getPolicy().getZoneName(); if (useTagPoliciesFromDefaultZone) { if (StringUtils.isNotEmpty(policyZoneName)) { if (LOG.isDebugEnabled()) { LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to default zone. Not evaluating this policy:[" + evaluator.getPolicy() + "]"); } + continue; } } else { 
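Review bot: The zone-applicability test for tag policies — `useTagPoliciesFromDefaultZone` versus `policyZoneName`, `continue` on mismatch — is now written out in full in three places (getResourceACLs, getResourceAccessInfo and here in evaluateTagPolicies). This check decides whether a tag policy from another security zone may influence an access decision, so the copies must never diverge; one private predicate keeps the rule reviewable in a single spot. The `else` condition is split across the hunk boundary, so I have assumed it compares `policyZoneName` with `zoneName`; the evaluateTagPolicies body continues past this hunk.
```java
// True when a tag policy belongs to the zone the accessed resource resolved to:
// default-zone lookups accept only zone-less policies, zoned lookups only an exact match.
private static boolean isTagPolicyInZone(RangerPolicyEvaluator evaluator, String zoneName, boolean useTagPoliciesFromDefaultZone) {
    String policyZoneName = evaluator.getPolicy().getZoneName();

    return useTagPoliciesFromDefaultZone ? StringUtils.isEmpty(policyZoneName) : StringUtils.equals(policyZoneName, zoneName);
}

// … in the loop over policyEvaluators, replacing the nested if/else …
if (!isTagPolicyInZone(evaluator, zoneName, useTagPoliciesFromDefaultZone)) {
    continue; // unchanged: debug log explaining the skip
}
```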
@@ -665,14 +688,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { if (LOG.isDebugEnabled()) { LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to the zone:[" + zoneName + "] of the accessed resource. Not evaluating this policy:[" + evaluator.getPolicy() + "]"); } + continue; } } - RangerTagForEval tag = policyEvaluator.getTag(); - + RangerTagForEval tag = policyEvaluator.getTag(); RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request); - RangerAccessResult tagEvalResult = policyEngine.createAccessResult(tagEvalRequest, policyType); + RangerAccessResult tagEvalResult = policyEngine.createAccessResult(tagEvalRequest, policyType); if (LOG.isDebugEnabled()) { LOG.debug("RangerPolicyEngineImpl.evaluateTagPolicies: Evaluating policies for tag (" + tag.getType() + ")"); @@ -710,6 +733,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } } } + if (result.getIsAllowed()) { result.setIsAccessDetermined(true); } @@ -718,5 +742,4 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("<== RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ", " + result + ")"); } } - } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java index 28b441a..e583fa1 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 
@@ -56,7 +56,7 @@ public class RangerPolicyRepository { private static final Log LOG = LogFactory.getLog(RangerPolicyRepository.class); private static final Log PERF_CONTEXTENRICHER_INIT_LOG = RangerPerfTracer.getPerfLogger("contextenricher.init"); - private static final Log PERF_TRIE_OP_LOG = RangerPerfTracer.getPerfLogger("resourcetrie.retrieval"); + private static final Log PERF_TRIE_OP_LOG = RangerPerfTracer.getPerfLogger("resourcetrie.retrieval"); enum AuditModeEnum { AUDIT_ALL, AUDIT_NONE, AUDIT_DEFAULT 
@@ -78,50 +78,48 @@ public class RangerPolicyRepository { } } - private final String serviceName; - private final String zoneName; - private final String appId; - private final RangerPolicyEngineOptions options; - private final RangerPluginContext pluginContext; - private final RangerServiceDef serviceDef; - private final List<RangerPolicy> policies; - private final long policyVersion; - private final List<RangerContextEnricher> contextEnrichers; - private List<RangerPolicyEvaluator> policyEvaluators; - private List<RangerPolicyEvaluator> dataMaskPolicyEvaluators; - private List<RangerPolicyEvaluator> rowFilterPolicyEvaluators; - private Map<Long, RangerPolicyEvaluator> policyEvaluatorsMap; - private final AuditModeEnum auditModeEnum; - private final Map<String, AuditInfo> accessAuditCache; - - private final String componentServiceName; - private final RangerServiceDef componentServiceDef; + private final String serviceName; + private final String zoneName; + private final String appId; + private final RangerPolicyEngineOptions options; + private final RangerPluginContext pluginContext; + private final RangerServiceDef serviceDef; + private final List<RangerPolicy> policies; + private final long policyVersion; + private final List<RangerContextEnricher> contextEnrichers; + private final AuditModeEnum auditModeEnum; + private final Map<String, AuditInfo> accessAuditCache; + private final String componentServiceName; + private final RangerServiceDef componentServiceDef; private final Map<String, RangerResourceTrie> policyResourceTrie; private final Map<String, RangerResourceTrie> dataMaskResourceTrie; private final Map<String, RangerResourceTrie> rowFilterResourceTrie; - - private boolean isContextEnrichersShared = false; - private boolean isPreCleaned = false; + private List<RangerPolicyEvaluator> policyEvaluators; + private List<RangerPolicyEvaluator> dataMaskPolicyEvaluators; + private List<RangerPolicyEvaluator> rowFilterPolicyEvaluators; + private Map<Long, 
RangerPolicyEvaluator> policyEvaluatorsMap; + private boolean isContextEnrichersShared = false; + private boolean isPreCleaned = false; RangerPolicyRepository(final RangerPolicyRepository other, final List<RangerPolicyDelta> deltas, long policyVersion) { - - this.serviceName = other.serviceName; - this.zoneName = other.zoneName; - this.appId = other.appId; - this.options = other.options; - this.pluginContext = other.pluginContext; - this.serviceDef = other.serviceDef; - this.policies = new ArrayList<>(other.policies); - this.policyEvaluators = new ArrayList<>(other.policyEvaluators); - this.dataMaskPolicyEvaluators = new ArrayList<>(other.dataMaskPolicyEvaluators); + this.serviceName = other.serviceName; + this.zoneName = other.zoneName; + this.appId = other.appId; + this.options = other.options; + this.pluginContext = other.pluginContext; + this.serviceDef = other.serviceDef; + this.policies = new ArrayList<>(other.policies); + this.policyEvaluators = new ArrayList<>(other.policyEvaluators); + this.dataMaskPolicyEvaluators = new ArrayList<>(other.dataMaskPolicyEvaluators); this.rowFilterPolicyEvaluators = new ArrayList<>(other.rowFilterPolicyEvaluators); - this.auditModeEnum = other.auditModeEnum; - this.componentServiceName = other.componentServiceName; - this.componentServiceDef = other.componentServiceDef; - this.policyEvaluatorsMap = new HashMap<>(other.policyEvaluatorsMap); + this.auditModeEnum = other.auditModeEnum; + this.componentServiceName = other.componentServiceName; + this.componentServiceDef = other.componentServiceDef; + this.policyEvaluatorsMap = new HashMap<>(other.policyEvaluatorsMap); if (other.policyResourceTrie != null) { this.policyResourceTrie = new HashMap<>(); + for (Map.Entry<String, RangerResourceTrie> entry : other.policyResourceTrie.entrySet()) { policyResourceTrie.put(entry.getKey(), new RangerResourceTrie(entry.getValue())); } 
@@ -131,6 +129,7 @@ public class RangerPolicyRepository { if (other.dataMaskResourceTrie != null) { this.dataMaskResourceTrie = new HashMap<>(); + for (Map.Entry<String, RangerResourceTrie> entry : other.dataMaskResourceTrie.entrySet()) { dataMaskResourceTrie.put(entry.getKey(), new RangerResourceTrie(entry.getValue())); } @@ -140,6 +139,7 @@ public class RangerPolicyRepository { if (other.rowFilterResourceTrie != null) { this.rowFilterResourceTrie = new HashMap<>(); + for (Map.Entry<String, RangerResourceTrie> entry : other.rowFilterResourceTrie.entrySet()) { rowFilterResourceTrie.put(entry.getKey(), new RangerResourceTrie(entry.getValue())); } @@ -149,6 +149,7 @@ public class RangerPolicyRepository { if (other.accessAuditCache != null) { int auditResultCacheSize = other.accessAuditCache.size(); + this.accessAuditCache = Collections.synchronizedMap(new CacheMap<String, AuditInfo>(auditResultCacheSize)); } else { this.accessAuditCache = null; @@ -157,7 +158,6 @@ public class RangerPolicyRepository { boolean[] flags = new boolean[RangerPolicy.POLICY_TYPES.length]; for (RangerPolicyDelta delta : deltas) { - final Integer changeType = delta.getChangeType(); final String serviceType = delta.getServiceType(); final Long policyId = delta.getPolicyId(); @@ -175,17 +175,21 @@ public class RangerPolicyRepository { if (LOG.isDebugEnabled()) { LOG.debug("Could not find policy for policy-id:[" + policyId + "]"); } + continue; } break; + case RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE: evaluator = getPolicyEvaluator(policyId); + if (evaluator == null) { if (LOG.isDebugEnabled()) { LOG.debug("Could not find evaluator for policy-id:[" + policyId + "]"); } } break; + case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE: evaluator = getPolicyEvaluator(policyId); if (evaluator == null) { @@ -194,6 +198,7 @@ public class RangerPolicyRepository { } } break; + default: LOG.error("Unknown changeType:[" + changeType + "], Ignoring"); break; 
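Review bot: In the delta constructor the replacement audit cache is sized from `other.accessAuditCache.size()`, i.e. however many entries the previous repository happened to hold at the moment of the refresh, not from the configured capacity. If `CacheMap`'s constructor argument is a capacity bound (the class is not shown here; verify), a refresh that lands while the cache is sparsely populated leaves a cache that can hold only that many audit decisions from then on, and successive deltas would ratchet it towards zero. Carry the configured size through instead — keep it in a field of the repository or have `CacheMap` expose its capacity — rather than reading `size()`.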
@@ -206,12 +211,15 @@ public class RangerPolicyRepository { case RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE: policyEvaluatorsMap.put(policyId, evaluator); break; + case RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE: policyEvaluatorsMap.put(policyId, evaluator); break; + case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE: policyEvaluatorsMap.remove(policyId); break; + default: break; } @@ -221,7 +229,6 @@ public class RangerPolicyRepository { } for (int policyType = 0; policyType < flags.length; policyType++) { - if (flags[policyType]) { Map<String, RangerResourceTrie> trie = getTrie(policyType); 
@@ -392,6 +399,63 @@ public class RangerPolicyRepository { return sb.toString(); } + public StringBuilder toString(StringBuilder sb) { + if (sb == null) { + sb = new StringBuilder(); + } + + sb.append("RangerPolicyRepository={"); + + sb.append("serviceName={").append(serviceName).append("} "); + sb.append("zoneName={").append(zoneName).append("} "); + sb.append("serviceDef={").append(serviceDef).append("} "); + sb.append("appId={").append(appId).append("} "); + + sb.append("policyEvaluators={"); + if (policyEvaluators != null) { + for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) { + if (policyEvaluator != null) { + sb.append(policyEvaluator).append(" "); + } + } + } + sb.append("} "); + + sb.append("dataMaskPolicyEvaluators={"); + if (this.dataMaskPolicyEvaluators != null) { + for (RangerPolicyEvaluator policyEvaluator : dataMaskPolicyEvaluators) { + if (policyEvaluator != null) { + sb.append(policyEvaluator).append(" "); + } + } + } + sb.append("} "); + + sb.append("rowFilterPolicyEvaluators={"); + if (this.rowFilterPolicyEvaluators != null) { + for (RangerPolicyEvaluator policyEvaluator : rowFilterPolicyEvaluators) { + if (policyEvaluator != null) { + sb.append(policyEvaluator).append(" "); + } + } + } + sb.append("} "); + + sb.append("contextEnrichers={"); + if (contextEnrichers != null) { + for (RangerContextEnricher contextEnricher : contextEnrichers) { + if (contextEnricher != null) { + sb.append(contextEnricher).append(" "); + } + } + } + sb.append("} "); + + sb.append("} "); + + return sb; + } + List<RangerContextEnricher> shareWith(RangerPolicyRepository other) { if (other != null && other.contextEnrichers != null) { other.setShared(); 
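Review bot: The now-public `toString(StringBuilder)` repeats the same null-guarded append loop four times for the three evaluator lists and the enrichers; a small generic helper would cut it to a handful of lines. Because the method is public and includes the full `serviceDef` plus every evaluator, any caller that logs a repository emits the complete policy set at whatever level it logs at, so a one-line Javadoc such as `/** Full dump of this repository, including every policy; intended for debug output only. */` would set expectations.
```java
// Appends "label={item item …} ", skipping nulls; shared by the evaluator and enricher dumps.
private static void appendAll(StringBuilder sb, String label, Iterable<?> items) {
    sb.append(label).append("={");

    if (items != null) {
        for (Object item : items) {
            if (item != null) {
                sb.append(item).append(" ");
            }
        }
    }

    sb.append("} ");
}

// … unchanged: serviceName/zoneName/serviceDef/appId appends, then
//     appendAll(sb, "policyEvaluators", policyEvaluators); … appendAll(sb, "contextEnrichers", contextEnrichers); …
```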
@@ -1383,62 +1447,4 @@ public class RangerPolicyRepository { return ret; } - - private StringBuilder toString(StringBuilder sb) { - - sb.append("RangerPolicyRepository={"); - - sb.append("serviceName={").append(serviceName).append("} "); - sb.append("zoneName={").append(zoneName).append("} "); - sb.append("serviceDef={").append(serviceDef).append("} "); - sb.append("appId={").append(appId).append("} "); - - sb.append("policyEvaluators={"); - if (policyEvaluators != null) { - for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) { - if (policyEvaluator != null) { - sb.append(policyEvaluator).append(" "); - } - } - } - sb.append("} "); - - sb.append("dataMaskPolicyEvaluators={"); - - if (this.dataMaskPolicyEvaluators != null) { - for (RangerPolicyEvaluator policyEvaluator : dataMaskPolicyEvaluators) { - if (policyEvaluator != null) { - sb.append(policyEvaluator).append(" "); - } - } - } - sb.append("} "); - - sb.append("rowFilterPolicyEvaluators={"); - - if (this.rowFilterPolicyEvaluators != null) { - for (RangerPolicyEvaluator policyEvaluator : rowFilterPolicyEvaluators) { - if (policyEvaluator != null) { - sb.append(policyEvaluator).append(" "); - } - } - } - sb.append("} "); - - sb.append("contextEnrichers={"); - - if (contextEnrichers != null) { - for (RangerContextEnricher contextEnricher : contextEnrichers) { - if (contextEnricher != null) { - sb.append(contextEnricher).append(" "); - } - } - } - sb.append("} "); - - sb.append("} "); - - return sb; - } - } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java index 11c1eeb..99ae598 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java 
@@ -26,6 +26,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerPluginContext; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; @@ -36,10 +37,10 @@ import java.util.Map; public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator { private static final Log LOG = LogFactory.getLog(RangerAbstractPolicyEvaluator.class); - private RangerPolicy policy; - private RangerServiceDef serviceDef; - private RangerServiceDef.RangerResourceDef leafResourceDef; - private int evalOrder; + private RangerPolicy policy; + private RangerServiceDef serviceDef; + private RangerResourceDef leafResourceDef; + private int evalOrder; protected RangerPluginContext pluginContext = null; @@ -53,9 +54,9 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")"); } - this.policy = policy; - this.serviceDef = serviceDef; - this.leafResourceDef = ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource()); + this.policy = policy; + this.serviceDef = serviceDef; + this.leafResourceDef = ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource()); if(LOG.isDebugEnabled()) { LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")"); @@ -88,7 +89,7 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu } @Override - public boolean isAncestorOf(RangerServiceDef.RangerResourceDef resourceDef) { + public boolean isAncestorOf(RangerResourceDef resourceDef) { return ServiceDefUtil.isAncestorOf(serviceDef, leafResourceDef, resourceDef); } 
@@ -132,8 +133,11 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu public StringBuilder toString(StringBuilder sb) { sb.append("RangerAbstractPolicyEvaluator={"); - sb.append("policy={").append(policy).append("} "); - sb.append("serviceDef={").append(serviceDef).append("} "); + sb.append("policy={"); + if (policy != null) { + policy.toString(sb); + } + sb.append("} "); sb.append("}"); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java index b9dff76..eed6432 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java @@ -36,7 +36,6 @@ import java.util.Set; import java.util.concurrent.ConcurrentHashMap; public class RangerAuthContext { - private final Map<RangerContextEnricher, Object> requestContextEnrichers; private RangerRolesUtil rangerRolesUtil; @@ -44,6 +43,12 @@ public class RangerAuthContext { this.requestContextEnrichers = requestContextEnrichers != null ? requestContextEnrichers : new ConcurrentHashMap<>(); } + public RangerAuthContext(Map<RangerContextEnricher, Object> requestContextEnrichers, RangerRoles roles) { + this.requestContextEnrichers = requestContextEnrichers != null ? requestContextEnrichers : new ConcurrentHashMap<>(); + + setRangerRoles(roles); + } + public Map<RangerContextEnricher, Object> getRequestContextEnrichers() { return requestContextEnrichers; } 
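Review bot: The rewritten `toString` no longer appends `serviceDef`, so evaluator dumps in debug logs lose the service definition that the removed line `sb.append("serviceDef={").append(serviceDef).append("} ");` used to include — a behavioural change that the commit message ("renames and whitespace updates") does not mention. If the omission is deliberate (service defs are large and repeated for every evaluator), say so in the message or a short comment; if not, re-add the line after the policy block.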
@@ -63,15 +68,14 @@ public class RangerAuthContext { } public Set<String> getRolesForUserAndGroups(String user, Set<String> groups) { - RangerRolesUtil rangerRolesUtil = this.rangerRolesUtil; - + RangerRolesUtil rangerRolesUtil = this.rangerRolesUtil; Map<String, Set<String>> userRoleMapping = rangerRolesUtil.getUserRoleMapping(); Map<String, Set<String>> groupRoleMapping = rangerRolesUtil.getGroupRoleMapping(); - - Set<String> allRoles = new HashSet<>(); + Set<String> allRoles = new HashSet<>(); if (MapUtils.isNotEmpty(userRoleMapping) && StringUtils.isNotEmpty(user)) { Set<String> userRoles = userRoleMapping.get(user); + if (CollectionUtils.isNotEmpty(userRoles)) { allRoles.addAll(userRoles); } @@ -81,12 +85,15 @@ public class RangerAuthContext { if (CollectionUtils.isNotEmpty(groups)) { for (String group : groups) { Set<String> groupRoles = groupRoleMapping.get(group); + if (CollectionUtils.isNotEmpty(groupRoles)) { allRoles.addAll(groupRoles); } } } + Set<String> publicGroupRoles = groupRoleMapping.get(RangerPolicyEngine.GROUP_PUBLIC); + if (CollectionUtils.isNotEmpty(publicGroupRoles)) { allRoles.addAll(publicGroupRoles); } @@ -101,8 +108,10 @@ public class RangerAuthContext { public RangerResourceACLs getResourceACLs(RangerAccessRequest request) { // Invoke getResourceACLs on the first service in this plugin Collection<RangerBasePlugin> plugins = RangerBasePlugin.getServicePluginMap().values(); + if (plugins.size() > 0) { RangerBasePlugin[] array = plugins.toArray(new RangerBasePlugin[0]); + return array[0].getResourceACLs(request); } else { return null; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index a0808f9..186cf19 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 
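Review bot: `getRolesForUserAndGroups` copies `this.rangerRolesUtil` to a local and then dereferences it unconditionally, so a context built with the one-argument constructor (which, per the previous hunk, never sets `rangerRolesUtil`) throws NullPointerException on the first authorization request instead of yielding an empty role set. The snapshot-to-local idiom suggests the field is swapped concurrently by `setRangerRoles`, which makes a transient null at startup even more plausible. Add `if (rangerRolesUtil == null) { return allRoles; }` right after the local is taken (no roles — fail closed), or initialise the field in the constructor.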
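Review bot: `getResourceACLs` answers from `plugins.toArray(new RangerBasePlugin[0])[0]`, the first value of a `ConcurrentHashMap`, whose iteration order is unspecified; in a JVM hosting more than one plugin the ACLs returned for a request can therefore come from an arbitrary service, and the comment "first service in this plugin" obscures that. If the map is expected to hold exactly one entry per process, assert or document it with a comment such as `// assumes a single registered plugin; map order is unspecified`; otherwise the caller should select the plugin by service name or type.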
@@ -65,30 +65,28 @@ public class RangerBasePlugin { private static Map<String, RangerBasePlugin> servicePluginMap = new ConcurrentHashMap<>(); - private final String serviceType; - private final String appId; - private final RangerPluginConfig config; - private String serviceName; - private String clusterName; - private PolicyRefresher refresher; - private RangerPolicyEngine policyEngine; - private RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions(); - private RangerPluginContext rangerPluginContext; - private RangerAuthContext currentAuthContext; - private RangerAccessResultProcessor resultProcessor; - private boolean useForwardedIPAddress; - private String[] trustedProxyAddresses; - private Timer policyDownloadTimer; - private Timer policyEngineRefreshTimer; - private RangerAuthContextListener authContextListener; - private AuditProviderFactory auditProviderFactory; - private RangerRoles rangerRoles; - + private final String serviceType; + private final String appId; + private final RangerPluginConfig config; + private final RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions(); private final BlockingQueue<DownloadTrigger> policyDownloadQueue = new LinkedBlockingQueue<>(); private final DownloadTrigger accessTrigger = new DownloadTrigger(); - - Map<String, LogHistory> logHistoryList = new Hashtable<String, RangerBasePlugin.LogHistory>(); - int logInterval = 30000; // 30 seconds + private final Map<String, LogHistory> logHistoryList = new Hashtable<String, RangerBasePlugin.LogHistory>(); + private final int logInterval = 30000; // 30 seconds + private String serviceName; + private String clusterName; + private PolicyRefresher refresher; + private RangerPolicyEngine policyEngine; + private RangerPluginContext rangerPluginContext; + private RangerAuthContext currentAuthContext; + private RangerAccessResultProcessor resultProcessor; + private boolean useForwardedIPAddress; + private String[] trustedProxyAddresses; 
+ private Timer policyDownloadTimer; + private Timer policyEngineRefreshTimer; + private RangerAuthContextListener authContextListener; + private AuditProviderFactory auditProviderFactory; + private RangerRoles rangerRoles; public static Map<String, RangerBasePlugin> getServicePluginMap() { return servicePluginMap; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java index 81c278a..aa2cda6 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java @@ -30,26 +30,18 @@ import java.util.Map; import java.util.Set; public class RangerRolesUtil { - - private final long roleVersion; - private Map<String, Set<String>> userRoleMapping = new HashMap<>(); - private Map<String, Set<String>> groupRoleMapping = new HashMap<>(); - - public long getRoleVersion() { return roleVersion; } - public Map<String, Set<String>> getUserRoleMapping() { - return this.userRoleMapping; - } - - public Map<String, Set<String>> getGroupRoleMapping() { - return this.groupRoleMapping; - } + private final long roleVersion; + private final Map<String, Set<String>> userRoleMapping = new HashMap<>(); + private final Map<String, Set<String>> groupRoleMapping = new HashMap<>(); public RangerRolesUtil(RangerRoles rangerRoles) { if (rangerRoles != null) { roleVersion = rangerRoles.getRoleVersion(); + if (CollectionUtils.isNotEmpty(rangerRoles.getRangerRoles())) { for (RangerRole role : rangerRoles.getRangerRoles()) { Set<RangerRole> containedRoles = getAllContainedRoles(rangerRoles.getRangerRoles(), role); + buildMap(userRoleMapping, role, containedRoles, true); buildMap(groupRoleMapping, role, containedRoles, false); } 
@@ -59,17 +51,31 @@ public class RangerRolesUtil { } } + public long getRoleVersion() { return roleVersion; } + + public Map<String, Set<String>> getUserRoleMapping() { + return this.userRoleMapping; + } + + public Map<String, Set<String>> getGroupRoleMapping() { + return this.groupRoleMapping; + } + private Set<RangerRole> getAllContainedRoles(Set<RangerRole> rangerRoles, RangerRole role) { Set<RangerRole> allRoles = new HashSet<>(); + allRoles.add(role); addContainedRoles(allRoles, rangerRoles, role); + return allRoles; } private void addContainedRoles(Set<RangerRole> allRoles, Set<RangerRole> rangerRoles, RangerRole role) { List<RangerRole.RoleMember> roleMembers = role.getRoles(); + for (RangerRole.RoleMember roleMember : roleMembers) { RangerRole containedRole = getContainedRole(rangerRoles, roleMember.getName()); + if (containedRole!= null && !allRoles.contains(containedRole)) { allRoles.add(containedRole); addContainedRoles(allRoles, rangerRoles, containedRole); @@ -79,6 +85,7 @@ public class RangerRolesUtil { private void buildMap(Map<String, Set<String>> map, RangerRole role, Set<RangerRole> containedRoles, boolean isUser) { buildMap(map, role, role.getName(), isUser); + for (RangerRole containedRole : containedRoles) { buildMap(map, containedRole, role.getName(), isUser); } @@ -88,10 +95,13 @@ public class RangerRolesUtil { for (RangerRole.RoleMember userOrGroup : isUser ? role.getUsers() : role.getGroups()) { if (StringUtils.isNotEmpty(userOrGroup.getName())) { Set<String> roleNames = map.get(userOrGroup.getName()); + if (roleNames == null) { roleNames = new HashSet<>(); + map.put(userOrGroup.getName(), roleNames); } + roleNames.add(roleName); } } diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java index bfe767e..1109bdd 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java 
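Review bot: `getUserRoleMapping()` and `getGroupRoleMapping()`, moved in this hunk, hand out the internal `HashMap` instances, so any caller can alter the user-to-roles and group-to-roles tables that authorization decisions are built from. With both fields now `final` and populated only in the constructor, returning a read-only view closes that off: `return Collections.unmodifiableMap(this.userRoleMapping);` and the same for the group map, importing `java.util.Collections` if the file does not already. A caller that currently mutates these maps would then get an UnsupportedOperationException, so check the callers before making the change.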
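Review bot: The get, null-check, `new HashSet<>()`, put sequence in `buildMap` in the last hunk of this file is exactly `computeIfAbsent`: `map.computeIfAbsent(userOrGroup.getName(), k -> new HashSet<>()).add(roleName);` replaces the five lines from `Set<String> roleNames = map.get(userOrGroup.getName());` through `roleNames.add(roleName);`. The enclosing method's signature is outside the hunk.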
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java @@ -91,8 +91,8 @@ public class TestPolicyACLs { for(PolicyACLsTests.TestCase testCase : testCases.testCases) { RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions(); - RangerPluginContext pluginContext = new RangerPluginContext("hive", "cl1", "on-prem"); - RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies, policyEngineOptions, pluginContext, null); + RangerPluginContext pluginContext = new RangerPluginContext("hive", "cl1", "on-prem"); + RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies, policyEngineOptions, pluginContext, null); for(PolicyACLsTests.TestCase.OneTest oneTest : testCase.tests) { if(oneTest == null) { diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCache.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java similarity index 74% rename from security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCache.java rename to security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java index a86f003..5cbb1b2 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCache.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java 
@@ -42,31 +42,32 @@ import org.apache.ranger.plugin.store.ServiceStore; import org.apache.ranger.plugin.util.RangerRoles; import org.apache.ranger.plugin.util.ServicePolicies; -public class RangerPolicyEngineCache { - private static final Log LOG = LogFactory.getLog(RangerPolicyEngineCache.class); +public class RangerPolicyAdminCache { + private static final Log LOG = LogFactory.getLog(RangerPolicyAdminCache.class); - private final Map<String, RangerPolicyAdmin> policyEngineCache = Collections.synchronizedMap(new HashMap<>()); + private final Map<String, RangerPolicyAdmin> policyAdminCache = Collections.synchronizedMap(new HashMap<>()); final RangerPolicyAdmin getServicePoliciesAdmin(String serviceName, ServiceStore svcStore, RoleStore roleStore, SecurityZoneStore zoneStore, RangerPolicyEngineOptions options) { RangerPolicyAdmin ret = null; if (serviceName == null || svcStore == null || roleStore == null || zoneStore == null) { - LOG.warn("Cannot get policy-engine for null serviceName or serviceStore or roleStore or zoneStore"); + LOG.warn("Cannot get policy-admin for null serviceName or serviceStore or roleStore or zoneStore"); + return ret; } - ret = policyEngineCache.get(serviceName); + ret = policyAdminCache.get(serviceName); - long policyVersion; - long roleVersion; + long policyVersion; + long roleVersion; RangerRoles rangerRoles; - boolean isRolesUpdated = true; + boolean isRolesUpdated = true; try { if (ret == null) { policyVersion = -1L; - roleVersion = -1L; - rangerRoles = roleStore.getRangerRoles(serviceName, roleVersion); + roleVersion = -1L; + rangerRoles = roleStore.getRangerRoles(serviceName, roleVersion); if (rangerRoles == null) { if (LOG.isDebugEnabled()) { 
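Review bot: The warning in front of the newly added `return ret;` does not say which of the four arguments was null, so an operator who finds it in the admin log cannot tell a bad service name from a store that failed to initialise; logging the values makes it actionable, e.g. `LOG.warn("Cannot get policy-admin: serviceName=" + serviceName + ", svcStore-null=" + (svcStore == null) + ", roleStore-null=" + (roleStore == null) + ", zoneStore-null=" + (zoneStore == null));`. At that point `return null;` also reads more directly than returning the `ret` that was initialised to null a few lines above.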
@@ -75,102 +76,105 @@ public class RangerPolicyEngineCache { } } else { policyVersion = ret.getPolicyVersion(); - roleVersion = ret.getRoleVersion(); - rangerRoles = roleStore.getRangerRoles(serviceName, roleVersion); + roleVersion = ret.getRoleVersion(); + rangerRoles = roleStore.getRangerRoles(serviceName, roleVersion); if (rangerRoles == null) { // No changes to roles - rangerRoles = roleStore.getRangerRoles(serviceName, -1L); + rangerRoles = roleStore.getRangerRoles(serviceName, -1L); isRolesUpdated = false; } } + ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, policyVersion, false); if (policies != null) { if (policies.getPolicyVersion() != null && !policies.getPolicyVersion().equals(policyVersion)) { ServicePolicies updatedServicePolicies = getUpdatedServicePolicies(serviceName, policies, svcStore, zoneStore); - ret = addOrUpdatePolicyEngine(ret, updatedServicePolicies, rangerRoles, options); + ret = addOrUpdatePolicyAdmin(ret, updatedServicePolicies, rangerRoles, options); } else { - LOG.error("policies object is null or its version is null for getPolicyEngine(" + serviceName + ") !!"); - LOG.error("Returning old policy engine"); + LOG.error("policies object is null or its version is null for getPolicyAdmin(" + serviceName + ") !!"); + LOG.error("Returning old policy admin"); } } else { if (ret == null) { - LOG.error("getPolicyEngine(" + serviceName + "): failed to get any policies from service-store"); + LOG.error("getPolicyAdmin(" + serviceName + "): failed to get any policies from service-store"); } else { if (isRolesUpdated) { ret.setRangerRoles(rangerRoles); } } } - } catch (Exception excp) { - LOG.error("getPolicyEngine(" + serviceName + "): failed to get latest policies from service-store", excp); + LOG.error("getPolicyAdmin(" + serviceName + "): failed to get latest policies from service-store", excp); } return ret; } - private RangerPolicyAdmin addOrUpdatePolicyEngine(RangerPolicyAdmin policyEngine, ServicePolicies 
policies, RangerRoles rangerRoles, RangerPolicyEngineOptions options) { + private RangerPolicyAdmin addOrUpdatePolicyAdmin(RangerPolicyAdmin policyAdmin, ServicePolicies policies, RangerRoles rangerRoles, RangerPolicyEngineOptions options) { final RangerPolicyAdmin ret; - - RangerPolicyAdminImpl oldPolicyEngine = (RangerPolicyAdminImpl) policyEngine; + RangerPolicyAdminImpl oldPolicyAdmin = (RangerPolicyAdminImpl) policyAdmin; synchronized(this) { - if (oldPolicyEngine == null || CollectionUtils.isEmpty(policies.getPolicyDeltas())) { - ret = addPolicyEngine(policies, rangerRoles, options); + if (oldPolicyAdmin == null || CollectionUtils.isEmpty(policies.getPolicyDeltas())) { + ret = addPolicyAdmin(policies, rangerRoles, options); } else { - RangerPolicyAdmin updatedEngine = RangerPolicyAdminImpl.getPolicyEngine(oldPolicyEngine, policies); + RangerPolicyAdmin updatedPolicyAdmin = RangerPolicyAdminImpl.getPolicyAdmin(oldPolicyAdmin, policies); - if (updatedEngine != null) { - updatedEngine.setRangerRoles(rangerRoles); - policyEngineCache.put(policies.getServiceName(), updatedEngine); + if (updatedPolicyAdmin != null) { + updatedPolicyAdmin.setRangerRoles(rangerRoles); + policyAdminCache.put(policies.getServiceName(), updatedPolicyAdmin); - ret = updatedEngine; + ret = updatedPolicyAdmin; } else { - ret = addPolicyEngine(policies, rangerRoles, options); + ret = addPolicyAdmin(policies, rangerRoles, options); } } - if (oldPolicyEngine != null) { - oldPolicyEngine.releaseResources(); + + if (oldPolicyAdmin != null) { + oldPolicyAdmin.releaseResources(); } } return ret; } - private RangerPolicyAdmin addPolicyEngine(ServicePolicies policies, RangerRoles rangerRoles, RangerPolicyEngineOptions options) { - RangerServiceDef serviceDef = policies.getServiceDef(); - String serviceType = (serviceDef != null) ? 
serviceDef.getName() : ""; - + private RangerPolicyAdmin addPolicyAdmin(ServicePolicies policies, RangerRoles rangerRoles, RangerPolicyEngineOptions options) { + RangerServiceDef serviceDef = policies.getServiceDef(); + String serviceType = (serviceDef != null) ? serviceDef.getName() : ""; RangerPluginContext rangerPluginContext = new RangerPluginContext(serviceType); - RangerPolicyAdmin ret = new RangerPolicyAdminImpl("ranger-admin", policies, options, rangerPluginContext, rangerRoles); + RangerPolicyAdmin ret = new RangerPolicyAdminImpl("ranger-admin", policies, options, rangerPluginContext, rangerRoles); - policyEngineCache.put(policies.getServiceName(), ret); + policyAdminCache.put(policies.getServiceName(), ret); return ret; } private ServicePolicies getUpdatedServicePolicies(String serviceName, ServicePolicies policies, ServiceStore svcStore, SecurityZoneStore zoneStore) throws Exception{ ServicePolicies ret = policies; + if (ret == null) { ret = svcStore.getServicePoliciesIfUpdated(serviceName, -1L, false); } + if (zoneStore != null) { Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = zoneStore.getSecurityZonesForService(serviceName); + if (MapUtils.isNotEmpty(securityZones)) { ret = getUpdatedServicePoliciesForZones(ret, securityZones); } } + return ret; } public static ServicePolicies getUpdatedServicePoliciesForZones(ServicePolicies servicePolicies, Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones) { - final ServicePolicies ret; if (MapUtils.isNotEmpty(securityZones)) { ret = new ServicePolicies(); + ret.setServiceDef(servicePolicies.getServiceDef()); ret.setServiceId(servicePolicies.getServiceId()); ret.setServiceName(servicePolicies.getServiceName()); 
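Review bot: `getServicePoliciesAdmin` reads `ret = policyAdminCache.get(serviceName)` outside any lock and only `addOrUpdatePolicyAdmin` synchronizes, so two concurrent callers for the same service can both observe the same old admin; the first caches a replacement and calls `oldPolicyAdmin.releaseResources()`, and the second then passes that already-released instance to `RangerPolicyAdminImpl.getPolicyAdmin(oldPolicyAdmin, policies)`, releases it again, and overwrites the first caller's fresh entry. Whether that is harmful depends on what `releaseResources()` tears down, which is not visible here, but the check-then-act is closed by re-reading `policyAdminCache.get(policies.getServiceName())` inside the `synchronized(this)` block and using that as `oldPolicyAdmin` when it differs from the caller's snapshot. Separately, the `catch (Exception excp)` path returns whatever `ret` held, which may be an admin built from an older policy version; the ServiceREST callers treat a null admin as fail-closed, but a stale one is indistinguishable from a current one, so a comment such as `// on failure, return the previously cached admin (possibly stale) or null` would record that choice.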
@@ -181,11 +185,9 @@ public class RangerPolicyEngineCache { Map<String, ServicePolicies.SecurityZoneInfo> securityZonesInfo = new HashMap<>(); if (CollectionUtils.isEmpty(servicePolicies.getPolicyDeltas())) { - List<RangerPolicy> allPolicies = new ArrayList<>(servicePolicies.getPolicies()); for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet()) { - List<RangerPolicy> zonePolicies = extractZonePolicies(allPolicies, entry.getKey()); if (CollectionUtils.isNotEmpty(zonePolicies)) { @@ -193,12 +195,11 @@ public class RangerPolicyEngineCache { } ServicePolicies.SecurityZoneInfo securityZoneInfo = new ServicePolicies.SecurityZoneInfo(); + securityZoneInfo.setZoneName(entry.getKey()); securityZoneInfo.setPolicies(zonePolicies); securityZoneInfo.setResources(entry.getValue().getResources()); - securityZoneInfo.setContainsAssociatedTagService(false); - securityZonesInfo.put(entry.getKey(), securityZoneInfo); } @@ -208,7 +209,6 @@ public class RangerPolicyEngineCache { List<RangerPolicyDelta> allPolicyDeltas = new ArrayList<>(servicePolicies.getPolicyDeltas()); for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet()) { - List<RangerPolicyDelta> zonePolicyDeltas = extractZonePolicyDeltas(allPolicyDeltas, entry.getKey()); if (CollectionUtils.isNotEmpty(zonePolicyDeltas)) { @@ -216,17 +216,17 @@ public class RangerPolicyEngineCache { } ServicePolicies.SecurityZoneInfo securityZoneInfo = new ServicePolicies.SecurityZoneInfo(); + securityZoneInfo.setZoneName(entry.getKey()); securityZoneInfo.setPolicyDeltas(zonePolicyDeltas); securityZoneInfo.setResources(entry.getValue().getResources()); - securityZoneInfo.setContainsAssociatedTagService(false); - securityZonesInfo.put(entry.getKey(), securityZoneInfo); } ret.setPolicyDeltas(allPolicyDeltas); } + ret.setSecurityZones(securityZonesInfo); } else { ret = servicePolicies; 
@@ -236,7 +236,6 @@ public class RangerPolicyEngineCache { } private static List<RangerPolicy> extractZonePolicies(final List<RangerPolicy> allPolicies, final String zoneName) { - final List<RangerPolicy> ret = new ArrayList<>(); for (RangerPolicy policy : allPolicies) { @@ -249,7 +248,6 @@ public class RangerPolicyEngineCache { } private static List<RangerPolicyDelta> extractZonePolicyDeltas(final List<RangerPolicyDelta> allPolicyDeltas, final String zoneName) { - final List<RangerPolicyDelta> ret = new ArrayList<>(); for (RangerPolicyDelta delta : allPolicyDeltas) { diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCacheForEngineOptions.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCacheForEngineOptions.java similarity index 63% rename from security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCacheForEngineOptions.java rename to security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCacheForEngineOptions.java index 151143a..b6a1862 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCacheForEngineOptions.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCacheForEngineOptions.java 
@@ -28,23 +28,25 @@ import java.util.Collections; import java.util.HashMap; import java.util.Map; -public class RangerPolicyEngineCacheForEngineOptions { +public class RangerPolicyAdminCacheForEngineOptions { + private static volatile RangerPolicyAdminCacheForEngineOptions sInstance = null; - private static volatile RangerPolicyEngineCacheForEngineOptions sInstance = null; + private final Map<RangerPolicyEngineOptions, RangerPolicyAdminCache> policyAdminCacheForEngineOptions = Collections.synchronizedMap(new HashMap<>()); - private final Map<RangerPolicyEngineOptions, RangerPolicyEngineCache> policyEngineCacheForEngineOptions = Collections.synchronizedMap(new HashMap<>()); + public static RangerPolicyAdminCacheForEngineOptions getInstance() { + RangerPolicyAdminCacheForEngineOptions ret = sInstance; - public static RangerPolicyEngineCacheForEngineOptions getInstance() { - RangerPolicyEngineCacheForEngineOptions ret = sInstance; if (ret == null) { - synchronized (RangerPolicyEngineCacheForEngineOptions.class) { + synchronized (RangerPolicyAdminCacheForEngineOptions.class) { ret = sInstance; + if (ret == null) { - sInstance = new RangerPolicyEngineCacheForEngineOptions(); - ret = sInstance; + sInstance = new RangerPolicyAdminCacheForEngineOptions(); + ret = sInstance; } } } + return ret; } 
@@ -53,16 +55,19 @@ public class RangerPolicyEngineCacheForEngineOptions { } public final RangerPolicyAdmin getServicePoliciesAdmin(String serviceName, ServiceStore svcStore, RoleStore roleStore, SecurityZoneStore zoneStore, RangerPolicyEngineOptions options) { - RangerPolicyEngineCache policyEngineCache; + RangerPolicyAdminCache policyAdminCache; synchronized (this) { - policyEngineCache = policyEngineCacheForEngineOptions.get(options); - if (policyEngineCache == null) { - policyEngineCache = new RangerPolicyEngineCache(); - policyEngineCacheForEngineOptions.put(options, policyEngineCache); + policyAdminCache = policyAdminCacheForEngineOptions.get(options); + + if (policyAdminCache == null) { + policyAdminCache = new RangerPolicyAdminCache(); + + policyAdminCacheForEngineOptions.put(options, policyAdminCache); } } - return policyEngineCache.getServicePoliciesAdmin(serviceName, svcStore, roleStore, zoneStore, options); + + return policyAdminCache.getServicePoliciesAdmin(serviceName, svcStore, roleStore, zoneStore, options); } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java index ac1d961..390187b 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java @@ -56,7 +56,7 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin { private final PolicyEngine policyEngine; private final RangerAccessRequestProcessor requestProcessor; - static public RangerPolicyAdmin getPolicyEngine(final RangerPolicyAdminImpl other, final ServicePolicies servicePolicies) { + static public RangerPolicyAdmin getPolicyAdmin(final RangerPolicyAdminImpl other, final ServicePolicies servicePolicies) { RangerPolicyAdmin ret = null; if (other != null && servicePolicies != null) { 
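Review bot: `getServicePoliciesAdmin` already guards the get-then-put on `policyAdminCacheForEngineOptions` with `synchronized (this)`, so the `Collections.synchronizedMap` wrapper on that field in the previous hunk adds nothing; a `ConcurrentHashMap` with `policyAdminCache = policyAdminCacheForEngineOptions.computeIfAbsent(options, k -> new RangerPolicyAdminCache());` would replace the whole synchronized block. The map is keyed on `RangerPolicyEngineOptions`, so it relies on that class defining `equals`/`hashCode` by value; otherwise every distinct options instance silently gets its own cache. That class is not part of this diff, so this is worth confirming.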
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 43c109d..2a2aa22 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -108,8 +108,8 @@ import org.apache.ranger.plugin.model.validation.RangerValidator.Action; import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; -import org.apache.ranger.biz.RangerPolicyEngineCache; -import org.apache.ranger.biz.RangerPolicyEngineCacheForEngineOptions; +import org.apache.ranger.biz.RangerPolicyAdminCache; +import org.apache.ranger.biz.RangerPolicyAdminCacheForEngineOptions; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.service.ResourceLookupContext; import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; @@ -593,18 +593,18 @@ public class ServiceREST { LOG.debug("getServicePolicies with service-name=" + service.getName()); } - RangerPolicyAdmin engine = null; + RangerPolicyAdmin policyAdmin = null; try { - engine = getPolicySearchPolicyEngine(service.getName()); + policyAdmin = getPolicyAdminForSearch(service.getName()); } catch (Exception e) { LOG.error("Cannot initialize Policy-Engine", e); throw restErrorUtil.createRESTException("Cannot initialize Policy Engine", MessageEnums.ERROR_SYSTEM); } - if (engine != null) { - ret = engine.getMatchingPolicies(new RangerAccessResourceImpl(resource)); + if (policyAdmin != null) { + ret = policyAdmin.getMatchingPolicies(new RangerAccessResourceImpl(resource)); } } 
@@ -3086,7 +3086,7 @@ public class ServiceREST {
 Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = zoneStore.getSecurityZonesForService(serviceName);
 ServicePolicies updatedServicePolicies = servicePolicies;
 if (MapUtils.isNotEmpty(securityZones)) {
- updatedServicePolicies = RangerPolicyEngineCache.getUpdatedServicePoliciesForZones(servicePolicies, securityZones);
+ updatedServicePolicies = RangerPolicyAdminCache.getUpdatedServicePoliciesForZones(servicePolicies, securityZones);
 patchAssociatedTagServiceInSecurityZoneInfos(updatedServicePolicies);
 }
 downloadedVersion = updatedServicePolicies.getPolicyVersion();
@@ -3208,7 +3208,7 @@ public class ServiceREST {
 Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = zoneStore.getSecurityZonesForService(serviceName);
 ServicePolicies updatedServicePolicies = servicePolicies;
 if (MapUtils.isNotEmpty(securityZones)) {
- updatedServicePolicies = RangerPolicyEngineCache.getUpdatedServicePoliciesForZones(servicePolicies, securityZones);
+ updatedServicePolicies = RangerPolicyAdminCache.getUpdatedServicePoliciesForZones(servicePolicies, securityZones);
 patchAssociatedTagServiceInSecurityZoneInfos(updatedServicePolicies);
 }
 downloadedVersion = updatedServicePolicies.getPolicyVersion();
@@ -3290,10 +3290,9 @@ public class ServiceREST { LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resource + ", " + user + ")"); } - RangerPolicy ret = null; - RangerPolicyAdmin policyEngine = getPolicyEngine(serviceName); - - List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(resource, null) : null; + RangerPolicy ret = null; + RangerPolicyAdmin policyAdmin = getPolicyAdmin(serviceName); + List<RangerPolicy> policies = policyAdmin != null ? policyAdmin.getExactMatchPolicies(resource, null) : null; if(CollectionUtils.isNotEmpty(policies)) { // at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store @@ -3312,10 +3311,9 @@ public class ServiceREST { LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + policy + ", " + user + ")"); } - RangerPolicy ret = null; - RangerPolicyAdmin policyEngine = getPolicyEngine(policy.getService()); - - List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(policy, null) : null; + RangerPolicy ret = null; + RangerPolicyAdmin policyAdmin = getPolicyAdmin(policy.getService()); + List<RangerPolicy> policies = policyAdmin != null ? policyAdmin.getExactMatchPolicies(policy, null) : null; if(CollectionUtils.isNotEmpty(policies)) { // at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store 
@@ -3599,16 +3597,16 @@ public class ServiceREST { continue; } - RangerPolicyAdmin policyEngine = getDelegatedAdminPolicyEngine(serviceName); + RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(serviceName); - if (policyEngine != null) { + if (policyAdmin != null) { if(userGroups == null) { userGroups = daoManager.getXXGroupUser().findGroupNamesByUserName(userName); } - Set<String> roles = policyEngine.getRolesFromUserAndGroups(userName, userGroups); + Set<String> roles = policyAdmin.getRolesFromUserAndGroups(userName, userGroups); for (RangerPolicy policy : listToFilter) { - if (policyEngine.isAccessAllowed(policy, userName, userGroups, roles, RangerPolicyEngine.ADMIN_ACCESS) + if (policyAdmin.isAccessAllowed(policy, userName, userGroups, roles, RangerPolicyEngine.ADMIN_ACCESS) || (!StringUtils.isEmpty(policy.getZoneName()) && (serviceMgr.isZoneAdmin(policy.getZoneName()) || serviceMgr.isZoneAuditor(policy.getZoneName()))) || isServiceAdminUser) { ret.add(policy); @@ -3699,13 +3697,13 @@ public class ServiceREST { } private boolean hasAdminAccess(RangerPolicy policy, String userName, Set<String> userGroups) { - boolean isAllowed = false; + boolean isAllowed = false; + RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(policy.getService()); - RangerPolicyAdmin policyEngine = getDelegatedAdminPolicyEngine(policy.getService()); + if(policyAdmin != null) { + Set<String> roles = policyAdmin.getRolesFromUserAndGroups(userName, userGroups); - if(policyEngine != null) { - Set<String> roles = policyEngine.getRolesFromUserAndGroups(userName, userGroups); - isAllowed = policyEngine.isAccessAllowed(policy, userName, userGroups, roles, RangerPolicyEngine.ADMIN_ACCESS); + isAllowed = policyAdmin.isAccessAllowed(policy, userName, userGroups, roles, RangerPolicyEngine.ADMIN_ACCESS); } return isAllowed; 
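Review bot: In `hasAdminAccess` in the second hunk, `policyAdmin == null` falls through to `isAllowed = false`, which is the right fail-closed default, but nothing here records that the denial came from an unavailable policy admin rather than from policy; the overload in the next hunk and the `if (policyAdmin != null)` filter in the first hunk have the same silent skip. The cache logs its own failure, so a debug-level line such as `LOG.debug("hasAdminAccess(" + policy.getService() + "): no policy-admin available, denying");` in the implicit else would let the two cases be told apart when tracing a rejected grant or revoke.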
@@ -3713,25 +3711,25 @@ public class ServiceREST { private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups, RangerAccessResource resource) { boolean isAllowed = false; - RangerPolicyAdmin policyEngine = getDelegatedAdminPolicyEngine(serviceName); + RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(serviceName); - if(policyEngine != null) { - isAllowed = policyEngine.isAccessAllowed(resource, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS); + if(policyAdmin != null) { + isAllowed = policyAdmin.isAccessAllowed(resource, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS); } return isAllowed; } - public RangerPolicyAdmin getDelegatedAdminPolicyEngine(String serviceName) { - return RangerPolicyEngineCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, delegateAdminOptions); + public RangerPolicyAdmin getPolicyAdminForDelegatedAdmin(String serviceName) { + return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, delegateAdminOptions); } - private RangerPolicyAdmin getPolicySearchPolicyEngine(String serviceName) throws Exception { - return RangerPolicyEngineCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, policySearchAdminOptions); + private RangerPolicyAdmin getPolicyAdminForSearch(String serviceName) { + return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, policySearchAdminOptions); } - private RangerPolicyAdmin getPolicyEngine(String serviceName) throws Exception { - return RangerPolicyEngineCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, defaultAdminOptions); + private RangerPolicyAdmin getPolicyAdmin(String serviceName) { + return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, 
defaultAdminOptions); } @GET diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java b/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java index 5118322..9ac7f24 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java @@ -117,14 +117,15 @@ public class TestPolicyDb { policyEngineOptions.cacheAuditResults = false; policyEngineOptions.disableContextEnrichers = true; policyEngineOptions.disableCustomConditions = true; + RangerPluginContext pluginContext = new RangerPluginContext("hive", "cl1", "on-prem"); - RangerPolicyAdmin policyEngine = new RangerPolicyAdminImpl("test-policydb", testCase.servicePolicies, policyEngineOptions, pluginContext, null); + RangerPolicyAdmin policyAdmin = new RangerPolicyAdminImpl("test-policydb", testCase.servicePolicies, policyEngineOptions, pluginContext, null); for(TestData test : testCase.tests) { boolean expected = test.result; if(test.allowedPolicies != null) { - List<RangerPolicy> allowedPolicies = policyEngine.getAllowedUnzonedPolicies(test.user, test.userGroups, test.accessType); + List<RangerPolicy> allowedPolicies = policyAdmin.getAllowedUnzonedPolicies(test.user, test.userGroups, test.accessType); assertEquals("allowed-policy count mismatch!", test.allowedPolicies.size(), allowedPolicies.size()); @@ -134,7 +135,7 @@ public class TestPolicyDb { } assertEquals("allowed-policy list mismatch!", test.allowedPolicies, allowedPolicyIds); } else { - boolean result = policyEngine.isAccessAllowedByUnzonedPolicies(test.resources, test.user, test.userGroups, test.accessType); + boolean result = policyAdmin.isAccessAllowedByUnzonedPolicies(test.resources, test.user, test.userGroups, test.accessType); assertEquals("isAccessAllowed mismatched! - " + test.name, expected, result); } 
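Review bot: `getPolicyAdminForDelegatedAdmin`, `getPolicyAdminForSearch` and `getPolicyAdmin` are the same cache call differing only in the options object, so a single private helper taking the options keeps the three in step the next time the lookup changes, as it did in this commit. Dropping `throws Exception` from the two private ones is consistent with `RangerPolicyAdminCacheForEngineOptions.getServicePoliciesAdmin` not declaring it. The public one must keep its name and signature, since TestServiceREST stubs it by name.
```java
public RangerPolicyAdmin getPolicyAdminForDelegatedAdmin(String serviceName) {
    return getPolicyAdmin(serviceName, delegateAdminOptions);
}

private RangerPolicyAdmin getPolicyAdminForSearch(String serviceName) {
    return getPolicyAdmin(serviceName, policySearchAdminOptions);
}

private RangerPolicyAdmin getPolicyAdmin(String serviceName) {
    return getPolicyAdmin(serviceName, defaultAdminOptions);
}

// single cache lookup shared by the three accessors above
private RangerPolicyAdmin getPolicyAdmin(String serviceName, RangerPolicyEngineOptions options) {
    return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, options);
}
```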
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java index 75e93d9..b67656e 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java @@ -230,7 +230,7 @@ public class TestServiceREST { RangerPolicyEngineImpl rpImpl; @Mock - RangerPolicyAdmin policyEngine; + RangerPolicyAdmin policyAdmin; @Mock RangerTransactionService rangerTransactionService; @@ -1093,7 +1093,7 @@ public class TestServiceREST { /*here we are setting serviceAdminRole, so we will get the required policy with serviceAdmi role*/ Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGroupDao); Mockito.when(svcStore.isServiceAdminUser(rPol.getService(), null)).thenReturn(true); - Mockito.doReturn(policyEngine).when(spySVCRest).getDelegatedAdminPolicyEngine("HDFS_1-1-20150316062453"); + Mockito.doReturn(policyAdmin).when(spySVCRest).getPolicyAdminForDelegatedAdmin("HDFS_1-1-20150316062453"); RangerPolicyList dbRangerPolicy = spySVCRest.getPolicies(request); Assert.assertNotNull(dbRangerPolicy); Assert.assertEquals(dbRangerPolicy.getListSize(), 1);