This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 3fca183 RANGER-2652: refactor policy-engine - #2 (renames and
whitespace updates)
3fca183 is described below
commit 3fca183e7bd2212489513ced5fa550fe7259e140
Author: Madhan Neethiraj <mad...@apache.org>
AuthorDate: Fri Nov 22 09:03:23 2019 -0800
RANGER-2652: refactor policy-engine - #2 (renames and whitespace updates)
---
.../ranger/plugin/policyengine/PolicyEngine.java | 244 ++++++++++++---------
.../policyengine/RangerAccessRequestProcessor.java | 2 -
.../policyengine/RangerPolicyEngineImpl.java | 123 ++++++-----
.../policyengine/RangerPolicyRepository.java | 198 +++++++++--------
.../RangerAbstractPolicyEvaluator.java | 24 +-
.../ranger/plugin/service/RangerAuthContext.java | 19 +-
.../ranger/plugin/service/RangerBasePlugin.java | 42 ++--
.../apache/ranger/plugin/util/RangerRolesUtil.java | 36 +--
.../ranger/plugin/policyengine/TestPolicyACLs.java | 4 +-
...ngineCache.java => RangerPolicyAdminCache.java} | 94 ++++----
...=> RangerPolicyAdminCacheForEngineOptions.java} | 33 +--
.../apache/ranger/biz/RangerPolicyAdminImpl.java | 2 +-
.../java/org/apache/ranger/rest/ServiceREST.java | 66 +++---
.../java/org/apache/ranger/biz/TestPolicyDb.java | 7 +-
.../org/apache/ranger/rest/TestServiceREST.java | 4 +-
15 files changed, 489 insertions(+), 409 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index b24d37c..f7ca5e8 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -50,39 +50,46 @@ import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.ServicePolicies;
public class PolicyEngine {
-
private static final Log LOG = LogFactory.getLog(PolicyEngine.class);
private static final Log PERF_POLICYENGINE_INIT_LOG =
RangerPerfTracer.getPerfLogger("policyengine.init");
private static final Log PERF_POLICYENGINE_REBALANCE_LOG =
RangerPerfTracer.getPerfLogger("policyengine.rebalance");
- private boolean useForwardedIPAddress;
- private String[] trustedProxyAddresses;
-
- private final RangerPolicyRepository policyRepository;
- private final RangerPolicyRepository tagPolicyRepository;
-
+ private final RangerPolicyRepository policyRepository;
+ private final RangerPolicyRepository tagPolicyRepository;
+ private final List<RangerContextEnricher> allContextEnrichers;
+ private final RangerPluginContext pluginContext;
private final Map<String, RangerPolicyRepository> zonePolicyRepositories =
new HashMap<>();
+ private final Map<String, RangerResourceTrie> resourceZoneTrie = new
HashMap<>();
+ private final Map<String, String> zoneTagServiceMap = new
HashMap<>();
+ private boolean useForwardedIPAddress;
+ private String[] trustedProxyAddresses;
+ private boolean isPreCleaned = false;
- private final List<RangerContextEnricher> allContextEnrichers;
-
- private final Map<String, RangerResourceTrie> resourceZoneTrie = new
HashMap<>();
- private final Map<String, String> zoneTagServiceMap = new
HashMap<>();
- private final RangerPluginContext pluginContext;
-
- private boolean isPreCleaned = false;
public boolean getUseForwardedIPAddress() {
return useForwardedIPAddress;
}
+ public void setUseForwardedIPAddress(boolean useForwardedIPAddress) {
+ this.useForwardedIPAddress = useForwardedIPAddress;
+ }
+
public String[] getTrustedProxyAddresses() {
return trustedProxyAddresses;
}
- public long getRoleVersion() { return
this.pluginContext.getAuthContext().getRoleVersion(); }
+ public void setTrustedProxyAddresses(String[] trustedProxyAddresses) {
+ this.trustedProxyAddresses = trustedProxyAddresses;
+ }
- public void setRangerRoles(RangerRoles rangerRoles) {
this.pluginContext.getAuthContext().setRangerRoles(rangerRoles); }
+ public long getRoleVersion() { return
this.pluginContext.getAuthContext().getRoleVersion(); }
+
+ public void setRangerRoles(RangerRoles rangerRoles) {
this.pluginContext.getAuthContext().setRangerRoles(rangerRoles); }
+
+ public String getServiceName() {
+ return policyRepository.getServiceName();
+ }
public RangerServiceDef getServiceDef() {
return policyRepository.getServiceDef();
@@ -100,34 +107,52 @@ public class PolicyEngine {
return tagPolicyRepository;
}
+ public Map<String, RangerPolicyRepository> getZonePolicyRepositories() {
return zonePolicyRepositories; }
+
public List<RangerContextEnricher> getAllContextEnrichers() { return
allContextEnrichers; }
public RangerPluginContext getPluginContext() { return pluginContext; }
@Override
- public String toString( ) {
- StringBuilder sb = new StringBuilder();
-
- sb.append("PolicyEngine={");
-
- sb.append("serviceName={").append(this.getServiceName()).append("} ");
- sb.append(policyRepository);
-
- sb.append("}");
-
- return sb.toString();
+ public String toString() {
+ return toString(new StringBuilder()).toString();
}
@Override
protected void finalize() throws Throwable {
try {
cleanup();
- }
- finally {
+ } finally {
super.finalize();
}
}
+ public StringBuilder toString(StringBuilder sb) {
+ if (sb == null) {
+ sb = new StringBuilder();
+ }
+
+ sb.append("PolicyEngine={");
+
+ sb.append("serviceName={").append(this.getServiceName()).append("} ");
+
+ sb.append("policyRepository={");
+ if (policyRepository != null) {
+ policyRepository.toString(sb);
+ }
+ sb.append("} ");
+
+ sb.append("tagPolicyRepository={");
+ if (tagPolicyRepository != null) {
+ tagPolicyRepository.toString(sb);
+ }
+ sb.append("} ");
+
+ sb.append("}");
+
+ return sb;
+ }
+
public boolean compare(PolicyEngine other) {
boolean ret;
@@ -147,9 +172,11 @@ public class PolicyEngine {
if (ret) {
ret = Objects.equals(resourceZoneTrie.keySet(),
other.resourceZoneTrie.keySet());
+
if (ret) {
for (Map.Entry<String, RangerResourceTrie> entry :
resourceZoneTrie.entrySet()) {
ret =
entry.getValue().compareSubtree(other.resourceZoneTrie.get(entry.getKey()));
+
if (!ret) {
break;
}
@@ -163,6 +190,7 @@ public class PolicyEngine {
if (ret) {
for (Map.Entry<String, RangerPolicyRepository> entry :
zonePolicyRepositories.entrySet()) {
ret =
entry.getValue().compare(other.zonePolicyRepositories.get(entry.getKey()));
+
if (!ret) {
break;
}
@@ -173,49 +201,47 @@ public class PolicyEngine {
return ret;
}
- public void setUseForwardedIPAddress(boolean useForwardedIPAddress) {
- this.useForwardedIPAddress = useForwardedIPAddress;
- }
-
- public void setTrustedProxyAddresses(String[] trustedProxyAddresses) {
- this.trustedProxyAddresses = trustedProxyAddresses;
- }
-
public List<RangerPolicy> getResourcePolicies(String zoneName) {
RangerPolicyRepository zoneResourceRepository =
zonePolicyRepositories.get(zoneName);
+
return zoneResourceRepository == null ? ListUtils.EMPTY_LIST :
zoneResourceRepository.getPolicies();
}
public RangerAccessResult createAccessResult(RangerAccessRequest request,
int policyType) {
RangerAccessResult ret = new RangerAccessResult(policyType,
getServiceName(), getPolicyRepository().getServiceDef(), request);
+
switch (getPolicyRepository().getAuditModeEnum()) {
case AUDIT_ALL:
ret.setIsAudited(true);
break;
+
case AUDIT_NONE:
ret.setIsAudited(false);
break;
+
default:
if
(CollectionUtils.isEmpty(getPolicyRepository().getPolicies()) &&
getTagPolicyRepository() == null) {
ret.setIsAudited(true);
}
+
break;
}
return ret;
}
- public PolicyEngine(String appId, ServicePolicies servicePolicies,
RangerPolicyEngineOptions options, RangerPluginContext rangerPluginContext,
RangerRoles rangerRoles) {
-
+ public PolicyEngine(String appId, ServicePolicies servicePolicies,
RangerPolicyEngineOptions options, RangerPluginContext pluginContext,
RangerRoles roles) {
if (LOG.isDebugEnabled()) {
- LOG.debug("==> PolicyEngine(" + appId + ", " + servicePolicies +
", " + options + ", " + rangerPluginContext + ")");
+ LOG.debug("==> PolicyEngine(" + appId + ", " + servicePolicies +
", " + options + ", " + pluginContext + ")");
}
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG,
"RangerPolicyEngine.init(appId=" + appId + ",hashCode=" +
Integer.toHexString(System.identityHashCode(this)) + ")");
- long freeMemory = Runtime.getRuntime().freeMemory();
+
+ long freeMemory = Runtime.getRuntime().freeMemory();
long totalMemory = Runtime.getRuntime().totalMemory();
+
PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (totalMemory
- freeMemory) + ", Free memory:" + freeMemory);
}
@@ -223,11 +249,9 @@ public class PolicyEngine {
options = new RangerPolicyEngineOptions();
}
- this.pluginContext = rangerPluginContext;
+ this.pluginContext = pluginContext;
- RangerAuthContext authContext = new RangerAuthContext(null);
- authContext.setRangerRoles(rangerRoles);
- this.pluginContext.setAuthContext(authContext);
+ this.pluginContext.setAuthContext(new RangerAuthContext(null, roles));
if(StringUtils.isBlank(options.evaluatorType) ||
StringUtils.equalsIgnoreCase(options.evaluatorType,
RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO)) {
options.evaluatorType =
RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
@@ -242,21 +266,21 @@ public class PolicyEngine {
&& !StringUtils.isEmpty(tagPolicies.getServiceName())
&& tagPolicies.getServiceDef() != null
&& !CollectionUtils.isEmpty(tagPolicies.getPolicies())) {
-
if (LOG.isDebugEnabled()) {
LOG.debug("PolicyEngine : Building tag-policy-repository for
tag-service " + tagPolicies.getServiceName());
}
+
tagPolicyRepository = new RangerPolicyRepository(appId,
tagPolicies, options, this.pluginContext, servicePolicies.getServiceDef(),
servicePolicies.getServiceName());
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("PolicyEngine : No tag-policy-repository for service
" + servicePolicies.getServiceName());
}
+
tagPolicyRepository = null;
}
List<RangerContextEnricher> tmpList;
-
- List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository
== null ? null :tagPolicyRepository.getContextEnrichers();
+ List<RangerContextEnricher> tagContextEnrichers =
tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers();
List<RangerContextEnricher> resourceContextEnrichers =
policyRepository.getContextEnrichers();
if (CollectionUtils.isEmpty(tagContextEnrichers)) {
@@ -265,6 +289,7 @@ public class PolicyEngine {
tmpList = tagContextEnrichers;
} else {
tmpList = new ArrayList<>(tagContextEnrichers);
+
tmpList.addAll(resourceContextEnrichers);
}
@@ -272,8 +297,10 @@ public class PolicyEngine {
if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
buildZoneTrie(servicePolicies);
+
for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> zone :
servicePolicies.getSecurityZones().entrySet()) {
RangerPolicyRepository policyRepository = new
RangerPolicyRepository(appId, servicePolicies, options, this.pluginContext,
zone.getKey());
+
zonePolicyRepositories.put(zone.getKey(), policyRepository);
}
}
@@ -281,8 +308,9 @@ public class PolicyEngine {
RangerPerfTracer.log(perf);
if (PERF_POLICYENGINE_INIT_LOG.isDebugEnabled()) {
- long freeMemory = Runtime.getRuntime().freeMemory();
+ long freeMemory = Runtime.getRuntime().freeMemory();
long totalMemory = Runtime.getRuntime().totalMemory();
+
PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (totalMemory
- freeMemory) + ", Free memory:" + freeMemory);
}
@@ -295,18 +323,17 @@ public class PolicyEngine {
if (LOG.isDebugEnabled()) {
LOG.debug("==> cloneWithDelta(" +
Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + ", " +
servicePolicies.getPolicyVersion() + ")");
}
- final PolicyEngine ret;
- RangerPerfTracer perf = null;
+ final PolicyEngine ret;
+ RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG,
"RangerPolicyEngine.cloneWithDelta()");
}
- RangerServiceDef serviceDef = this.getServiceDef();
- String serviceType = (serviceDef != null) ? serviceDef.getName() : "";
-
- boolean isValidDeltas = false;
+ RangerServiceDef serviceDef = this.getServiceDef();
+ String serviceType = (serviceDef != null) ?
serviceDef.getName() : "";
+ boolean isValidDeltas = false;
if (CollectionUtils.isNotEmpty(servicePolicies.getPolicyDeltas()) ||
MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
isValidDeltas =
CollectionUtils.isEmpty(servicePolicies.getPolicyDeltas()) ||
RangerPolicyDeltaUtil.isValidDeltas(servicePolicies.getPolicyDeltas(),
serviceType);
@@ -318,6 +345,7 @@ public class PolicyEngine {
if (LOG.isDebugEnabled()) {
LOG.debug("Invalid policy-deltas for security
zone:[" + entry.getKey() + "]");
}
+
isValidDeltas = false;
break;
}
@@ -340,20 +368,13 @@ public class PolicyEngine {
return ret;
}
- public String getServiceName() {
- return policyRepository.getServiceName();
- }
-
- public Map<String, RangerPolicyRepository> getZonePolicyRepositories() {
return zonePolicyRepositories; }
-
public RangerPolicyRepository
getRepositoryForMatchedZone(RangerAccessResource resource) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyEngine.getRepositoryForMatchedZone(" +
resource + ")");
}
- String zoneName = getMatchedZoneName(resource);
-
- final RangerPolicyRepository ret = getRepositoryForZone(zoneName);
+ String zoneName = getMatchedZoneName(resource);
+ final RangerPolicyRepository ret = getRepositoryForZone(zoneName);
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyEngine.getRepositoryForMatchedZone(" +
resource + ")");
@@ -367,9 +388,8 @@ public class PolicyEngine {
LOG.debug("==> PolicyEngine.getRepositoryForMatchedZone(" + policy
+ ")");
}
- String zoneName = policy.getZoneName();
-
- final RangerPolicyRepository ret = getRepositoryForZone(zoneName);
+ String zoneName = policy.getZoneName();
+ final RangerPolicyRepository ret = getRepositoryForZone(zoneName);
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyEngine.getRepositoryForMatchedZone(" + policy
+ ")");
@@ -410,28 +430,30 @@ public class PolicyEngine {
public boolean isResourceZoneAssociatedWithTagService(String
resourceZoneName) {
final boolean ret;
+
if (StringUtils.isNotEmpty(resourceZoneName) && tagPolicyRepository !=
null && zoneTagServiceMap.get(resourceZoneName) != null) {
if (LOG.isDebugEnabled()) {
LOG.debug("Accessed resource is in a zone:[" +
resourceZoneName + "] which is associated with the tag-service:[" +
tagPolicyRepository.getServiceName() + "]");
}
+
ret = true;
} else {
ret = false;
}
+
return ret;
}
public void preCleanup() {
-
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyEngine.preCleanup()");
}
if (!isPreCleaned) {
-
if (policyRepository != null) {
policyRepository.preCleanup();
}
+
if (tagPolicyRepository != null) {
tagPolicyRepository.preCleanup();
}
@@ -441,6 +463,7 @@ public class PolicyEngine {
entry.getValue().preCleanup();
}
}
+
isPreCleaned = true;
} else {
if (LOG.isDebugEnabled()) {
@@ -453,10 +476,6 @@ public class PolicyEngine {
}
}
- List<RangerPolicy> getResourcePolicies() { return policyRepository == null
? ListUtils.EMPTY_LIST : policyRepository.getPolicies(); }
-
- List<RangerPolicy> getTagPolicies() { return tagPolicyRepository == null ?
ListUtils.EMPTY_LIST : tagPolicyRepository.getPolicies(); }
-
private String getMatchedZoneName(Map<String, ?> resource,
RangerAccessResource accessResource) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyEngine.getMatchedZoneName(" + resource + ", "
+ accessResource + ")");
@@ -465,28 +484,28 @@ public class PolicyEngine {
String ret = null;
if (MapUtils.isNotEmpty(this.resourceZoneTrie)) {
-
List<List<RangerZoneResourceMatcher>> zoneMatchersList = null;
List<RangerZoneResourceMatcher> smallestList = null;
for (Map.Entry<String, ?> entry : resource.entrySet()) {
- String resourceDefName = entry.getKey();
- Object resourceValues = entry.getValue();
-
- RangerResourceTrie<RangerZoneResourceMatcher> trie =
resourceZoneTrie.get(resourceDefName);
+ String resourceDefName
= entry.getKey();
+ Object resourceValues
= entry.getValue();
+ RangerResourceTrie<RangerZoneResourceMatcher> trie
= resourceZoneTrie.get(resourceDefName);
if (trie == null) {
continue;
}
- List<RangerZoneResourceMatcher> matchedZones =
trie.getEvaluatorsForResource(resourceValues);
+ List<RangerZoneResourceMatcher> matchedZones =
trie.getEvaluatorsForResource(resourceValues);
if (LOG.isDebugEnabled()) {
LOG.debug("ResourceDefName:[" + resourceDefName + "],
values:[" + resourceValues + "], matched-zones:[" + matchedZones + "]");
}
+
if (CollectionUtils.isEmpty(matchedZones)) { // no policies
for this resource, bail out
zoneMatchersList = null;
smallestList = null;
+
break;
}
@@ -495,8 +514,10 @@ public class PolicyEngine {
} else {
if (zoneMatchersList == null) {
zoneMatchersList = new ArrayList<>();
+
zoneMatchersList.add(smallestList);
}
+
zoneMatchersList.add(matchedZones);
if (smallestList.size() > matchedZones.size()) {
@@ -505,15 +526,16 @@ public class PolicyEngine {
}
}
if (smallestList != null) {
-
final List<RangerZoneResourceMatcher> intersection;
if (zoneMatchersList != null) {
intersection = new ArrayList<>(smallestList);
+
for (List<RangerZoneResourceMatcher> zoneMatchers :
zoneMatchersList) {
if (zoneMatchers != smallestList) {
// remove zones from intersection that are not in
zoneMatchers
intersection.retainAll(zoneMatchers);
+
if (CollectionUtils.isEmpty(intersection)) { // if
no zoneMatcher exists, bail out and return empty list
break;
}
@@ -534,11 +556,13 @@ public class PolicyEngine {
if (LOG.isDebugEnabled()) {
LOG.debug("Trying to match resource:[" +
accessResource + "] using zoneMatcher:[" + zoneMatcher + "]");
}
+
// These are potential matches. Try to really match
them
if
(zoneMatcher.getPolicyResourceMatcher().isMatch(accessResource,
RangerPolicyResourceMatcher.MatchScope.ANY, null)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Matched resource:[" +
accessResource + "] using zoneMatcher:[" + zoneMatcher + "]");
}
+
// Actual match happened
matchedZoneNames.add(zoneMatcher.getSecurityZoneName());
} else {
@@ -547,11 +571,16 @@ public class PolicyEngine {
}
}
}
- LOG.info("The following zone-names matched resource:[" +
accessResource + "]: " + matchedZoneNames);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("The following zone-names matched
resource:[" + accessResource + "]: " + matchedZoneNames);
+ }
if (matchedZoneNames.size() == 1) {
String[] zones = new String[1];
+
matchedZoneNames.toArray(zones);
+
ret = zones[0];
} else {
LOG.error("Internal error, multiple zone-names are
matched. The following zone-names matched resource:[" + resource + "]: " +
matchedZoneNames);
@@ -559,14 +588,15 @@ public class PolicyEngine {
}
}
}
+
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyEngine.getMatchedZoneName(" + resource + ", "
+ accessResource + ") : " + ret);
}
+
return ret;
}
private RangerAccessResource convertToAccessResource(Map<String, ?>
resource) {
-
RangerAccessResourceImpl ret = new RangerAccessResourceImpl();
ret.setServiceDef(getServiceDef());
@@ -579,7 +609,6 @@ public class PolicyEngine {
}
private RangerPolicyRepository getRepositoryForZone(String zoneName) {
-
final RangerPolicyRepository ret;
if (LOG.isDebugEnabled()) {
@@ -595,29 +624,25 @@ public class PolicyEngine {
if (ret == null) {
LOG.error("policyRepository for zoneName:[" + zoneName + "],
serviceName:[" + getServiceName() + "], policyVersion:[" + getPolicyVersion() +
"] is null!! ERROR!");
}
+
return ret;
}
private PolicyEngine(final PolicyEngine other, ServicePolicies
servicePolicies) {
-
- long policyVersion = servicePolicies.getPolicyVersion() !=
null ? servicePolicies.getPolicyVersion() : -1L;
-
this.useForwardedIPAddress = other.useForwardedIPAddress;
this.trustedProxyAddresses = other.trustedProxyAddresses;
+ this.pluginContext = other.pluginContext;
- this.pluginContext = other.pluginContext;
-
- List<RangerPolicyDelta> defaultZoneDeltas = new ArrayList<>();
+ long policyVersion =
servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion()
: -1L;
+ List<RangerPolicyDelta> defaultZoneDeltas = new
ArrayList<>();
List<RangerPolicyDelta> defaultZoneDeltasForTagPolicies = new
ArrayList<>();
if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
-
buildZoneTrie(servicePolicies);
Map<String, List<RangerPolicyDelta>> zoneDeltasMap = new
HashMap<>();
for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> zone :
servicePolicies.getSecurityZones().entrySet()) {
-
List<RangerPolicyDelta> deltas =
zone.getValue().getPolicyDeltas();
for (RangerPolicyDelta delta : deltas) {
@@ -625,10 +650,12 @@ public class PolicyEngine {
if (StringUtils.isNotEmpty(zoneName)) {
List<RangerPolicyDelta> zoneDeltas =
zoneDeltasMap.get(zoneName);
+
if (zoneDeltas == null) {
zoneDeltas = new ArrayList<>();
zoneDeltasMap.put(zoneName, zoneDeltas);
}
+
zoneDeltas.add(delta);
} else {
LOG.warn("policyDelta : [" + delta + "] does not
belong to any zone. Should not have come here.");
@@ -637,15 +664,15 @@ public class PolicyEngine {
}
for (Map.Entry<String, List<RangerPolicyDelta>> entry :
zoneDeltasMap.entrySet()) {
- final String zoneName = entry.getKey();
- List<RangerPolicyDelta> zoneDeltas = entry.getValue();
-
- RangerPolicyRepository otherRepository =
other.zonePolicyRepositories.get(zoneName);
- final RangerPolicyRepository policyRepository;
+ final String zoneName = entry.getKey();
+ final List<RangerPolicyDelta> zoneDeltas =
entry.getValue();
+ final RangerPolicyRepository otherRepository =
other.zonePolicyRepositories.get(zoneName);
+ final RangerPolicyRepository policyRepository;
if (CollectionUtils.isNotEmpty(zoneDeltas)) {
if (otherRepository == null) {
List<RangerPolicy> policies = new ArrayList<>();
+
for (RangerPolicyDelta delta : zoneDeltas) {
if (delta.getChangeType() ==
RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE) {
policies.add(delta.getPolicy());
@@ -653,6 +680,7 @@ public class PolicyEngine {
LOG.warn("Expected changeType:[" +
RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE + "], found policy-change-delta:["
+ delta +"]");
}
}
+
servicePolicies.getSecurityZones().get(zoneName).setPolicies(policies);
policyRepository = new
RangerPolicyRepository(other.policyRepository.getAppId(), servicePolicies,
other.policyRepository.getOptions(), this.pluginContext, zoneName);
@@ -687,6 +715,7 @@ public class PolicyEngine {
if (other.tagPolicyRepository == null) {
// Only creates are expected
List<RangerPolicy> tagPolicies = new ArrayList<>();
+
for (RangerPolicyDelta delta :
defaultZoneDeltasForTagPolicies) {
if (delta.getChangeType() ==
RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE) {
tagPolicies.add(delta.getPolicy());
@@ -694,7 +723,9 @@ public class PolicyEngine {
LOG.warn("Expected changeType:[" +
RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE + "], found policy-change-delta:["
+ delta + "]");
}
}
+
servicePolicies.getTagPolicies().setPolicies(tagPolicies);
+
this.tagPolicyRepository = new
RangerPolicyRepository(other.policyRepository.getAppId(),
servicePolicies.getTagPolicies(), other.policyRepository.getOptions(),
this.pluginContext, servicePolicies.getServiceDef(),
servicePolicies.getServiceName());
} else {
this.tagPolicyRepository = new
RangerPolicyRepository(other.tagPolicyRepository,
defaultZoneDeltasForTagPolicies, policyVersion);
@@ -704,8 +735,7 @@ public class PolicyEngine {
}
List<RangerContextEnricher> tmpList;
-
- List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository
== null ? null :tagPolicyRepository.getContextEnrichers();
+ List<RangerContextEnricher> tagContextEnrichers =
tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers();
List<RangerContextEnricher> resourceContextEnrichers =
policyRepository.getContextEnrichers();
if (CollectionUtils.isEmpty(tagContextEnrichers)) {
@@ -714,12 +744,13 @@ public class PolicyEngine {
tmpList = tagContextEnrichers;
} else {
tmpList = new ArrayList<>(tagContextEnrichers);
+
tmpList.addAll(resourceContextEnrichers);
}
+
this.allContextEnrichers = tmpList;
reorderPolicyEvaluators();
-
}
private void buildZoneTrie(ServicePolicies servicePolicies) {
@@ -742,7 +773,6 @@ public class PolicyEngine {
}
for (Map<String, List<String>> resource :
zoneDetails.getResources()) {
-
if (LOG.isDebugEnabled()) {
LOG.debug("Building matcher for resource:[" + resource
+ "] in zone:[" + zoneName +"]");
}
@@ -750,10 +780,9 @@ public class PolicyEngine {
Map<String, RangerPolicy.RangerPolicyResource>
policyResources = new HashMap<>();
for (Map.Entry<String, List<String>> entry :
resource.entrySet()) {
- String resourceDefName = entry.getKey();
- List<String> resourceValues = entry.getValue();
-
- RangerPolicy.RangerPolicyResource policyResource = new
RangerPolicy.RangerPolicyResource();
+ String resourceDefName =
entry.getKey();
+ List<String> resourceValues =
entry.getValue();
+ RangerPolicy.RangerPolicyResource policyResource =
new RangerPolicy.RangerPolicyResource();
policyResource.setIsExcludes(false);
policyResource.setIsRecursive(StringUtils.equals(serviceDef.getName(),
EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HDFS_NAME));
@@ -784,7 +813,6 @@ public class PolicyEngine {
for (RangerServiceDef.RangerResourceDef resourceDef :
serviceDef.getResources()) {
resourceZoneTrie.put(resourceDef.getName(), new
RangerResourceTrie<>(resourceDef, matchers));
}
-
}
if (LOG.isDebugEnabled()) {
@@ -796,12 +824,14 @@ public class PolicyEngine {
if (other != null) {
other.setShared();
}
+
return other;
}
private void reorderPolicyEvaluators() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> reorderEvaluators()");
}
+
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REBALANCE_LOG)) {
@@ -823,7 +853,6 @@ public class PolicyEngine {
}
private void cleanup() {
-
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyEngine.cleanup()");
}
@@ -833,11 +862,13 @@ public class PolicyEngine {
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG,
"RangerPolicyEngine.cleanUp(hashCode=" +
Integer.toHexString(System.identityHashCode(this)) + ")");
}
+
preCleanup();
if (policyRepository != null) {
policyRepository.cleanup();
}
+
if (tagPolicyRepository != null) {
tagPolicyRepository.cleanup();
}
@@ -854,6 +885,5 @@ public class PolicyEngine {
LOG.debug("<== PolicyEngine.cleanup()");
}
}
-
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestProcessor.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestProcessor.java
index a683699..a213b36 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestProcessor.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestProcessor.java
@@ -20,9 +20,7 @@
package org.apache.ranger.plugin.policyengine;
public interface RangerAccessRequestProcessor {
-
void preProcess(RangerAccessRequest request);
default void enrich(RangerAccessRequest request) {}
-
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index afe6683..5709fd8 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -20,6 +20,7 @@
package org.apache.ranger.plugin.policyengine;
import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.ListUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -57,22 +58,27 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
private final PolicyEngine policyEngine;
private final RangerAccessRequestProcessor requestProcessor;
+
static public RangerPolicyEngine getPolicyEngine(final
RangerPolicyEngineImpl other, final ServicePolicies servicePolicies) {
RangerPolicyEngine ret = null;
if (other != null && servicePolicies != null) {
PolicyEngine policyEngine =
other.policyEngine.cloneWithDelta(servicePolicies);
+
if (policyEngine != null) {
ret = new RangerPolicyEngineImpl(policyEngine);
}
}
+
return ret;
}
- public RangerPolicyEngineImpl(String appId, ServicePolicies
servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext
rangerPluginContext, RangerRoles rangerRoles) {
- policyEngine = new PolicyEngine(appId, servicePolicies,
options, rangerPluginContext, rangerRoles);
-
policyEngine.getPluginContext().getAuthContext().setRangerRoles(rangerRoles);
- this.requestProcessor = new
RangerDefaultRequestProcessor(policyEngine);
+ public RangerPolicyEngineImpl(String appId, ServicePolicies
servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext
pluginContext, RangerRoles roles) {
+ policyEngine = new PolicyEngine(appId, servicePolicies,
options, pluginContext, roles);
+
+
policyEngine.getPluginContext().getAuthContext().setRangerRoles(roles);
+
+ requestProcessor = new
RangerDefaultRequestProcessor(policyEngine);
}
@Override
@@ -85,22 +91,27 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
if (LOG.isDebugEnabled()) {
LOG.debug("==>
RangerPolicyEngineImpl.evaluatePolicies(" + request + ", policyType=" +
policyType + ")");
}
+
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
String requestHashCode =
Integer.toHexString(System.identityHashCode(request)) + "_" + policyType;
+
perf =
RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG,
"RangerPolicyEngine.evaluatePolicies(requestHashCode=" + requestHashCode + ")");
+
LOG.info("RangerPolicyEngineImpl.evaluatePolicies(" +
requestHashCode + ", " + request + ")");
}
+
requestProcessor.preProcess(request);
RangerAccessResult ret =
zoneAwareAccessEvaluationWithNoAudit(request, policyType);
if (resultProcessor != null) {
-
RangerPerfTracer perfAuditTracer = null;
+
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_AUDIT_LOG)) {
String requestHashCode =
Integer.toHexString(System.identityHashCode(request)) + "_" + policyType;
+
perfAuditTracer =
RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_AUDIT_LOG,
"RangerPolicyEngine.processAudit(requestHashCode=" + requestHashCode + ")");
}
@@ -154,7 +165,6 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
RangerResourceACLs ret = new RangerResourceACLs();
-
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_GET_ACLS_LOG)) {
@@ -180,13 +190,11 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
if (matchedRepository == null) {
LOG.error("policyRepository for zoneName:[" + zoneName
+ "], serviceName:[" + policyEngine.getPolicyRepository().getServiceName() +
"], policyVersion:[" + getPolicyVersion() + "] is null!! ERROR!");
} else {
-
- List<RangerPolicyEvaluator> allEvaluators = new
ArrayList<>();
- Map<Long, RangerPolicyResourceMatcher.MatchType>
tagMatchTypeMap = null;
- Set<Long> policyIdForTemporalTags = null;
-
- Set<RangerTagForEval> tags =
RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
- List<PolicyEvaluatorForTag> tagPolicyEvaluators =
policyEngine.getTagPolicyRepository() == null ? null :
policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(tags,
RangerPolicy.POLICY_TYPE_ACCESS, null);
+ List<RangerPolicyEvaluator>
allEvaluators = new ArrayList<>();
+ Map<Long, RangerPolicyResourceMatcher.MatchType>
tagMatchTypeMap = null;
+ Set<Long>
policyIdForTemporalTags = null;
+ Set<RangerTagForEval> tags
=
RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
+ List<PolicyEvaluatorForTag>
tagPolicyEvaluators = policyEngine.getTagPolicyRepository() == null ? null
: policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(tags,
RangerPolicy.POLICY_TYPE_ACCESS, null);
if (CollectionUtils.isNotEmpty(tagPolicyEvaluators)) {
tagMatchTypeMap = new HashMap<>();
@@ -194,13 +202,15 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
final boolean useTagPoliciesFromDefaultZone =
!policyEngine.isResourceZoneAssociatedWithTagService(zoneName);
for (PolicyEvaluatorForTag tagEvaluator :
tagPolicyEvaluators) {
- RangerPolicyEvaluator evaluator =
tagEvaluator.getEvaluator();
- String policyZoneName =
evaluator.getPolicy().getZoneName();
+ RangerPolicyEvaluator evaluator =
tagEvaluator.getEvaluator();
+ String policyZoneName =
evaluator.getPolicy().getZoneName();
+
if (useTagPoliciesFromDefaultZone) {
if
(StringUtils.isNotEmpty(policyZoneName)) {
if
(LOG.isDebugEnabled()) {
LOG.debug("Tag
policy [zone:" + policyZoneName + "] does not belong to default zone. Not
evaluating this policy:[" + evaluator.getPolicy() + "]");
}
+
continue;
}
} else {
@@ -208,9 +218,11 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
if
(LOG.isDebugEnabled()) {
LOG.debug("Tag
policy [zone:" + policyZoneName + "] does not belong to the zone:[" + zoneName
+ "] of the accessed resource. Not evaluating this policy:[" +
evaluator.getPolicy() + "]");
}
+
continue;
}
}
+
RangerTagForEval tag =
tagEvaluator.getTag();
allEvaluators.add(evaluator);
@@ -267,10 +279,9 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
PolicyACLSummary aclSummary =
evaluator.getPolicyACLSummary();
if (aclSummary != null) {
-
boolean isConditional =
(policyIdForTemporalTags != null &&
policyIdForTemporalTags.contains(evaluator.getId())) ||
evaluator.getValidityScheduleEvaluatorsCount() != 0;
-
Integer accessResult;
+
for (Map.Entry<String,
Map<String, PolicyACLSummary.AccessResult>> userAccessInfo :
aclSummary.getUsersAccessInfo().entrySet()) {
final String userName =
userAccessInfo.getKey();
@@ -279,11 +290,14 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
accessResult = ACCESS_CONDITIONAL;
} else {
accessResult = accessInfo.getValue().getResult();
+
if
(accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
accessResult = RangerPolicyEvaluator.ACCESS_DENIED;
}
}
+
RangerPolicy
policy = evaluator.getPolicy();
+
ret.setUserAccessInfo(userName, accessInfo.getKey(), accessResult, policy);
}
}
@@ -296,11 +310,14 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
accessResult = ACCESS_CONDITIONAL;
} else {
accessResult = accessInfo.getValue().getResult();
+
if
(accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
accessResult = RangerPolicyEvaluator.ACCESS_DENIED;
}
}
+
RangerPolicy
policy = evaluator.getPolicy();
+
ret.setGroupAccessInfo(groupName, accessInfo.getKey(), accessResult, policy);
}
}
@@ -313,11 +330,14 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
accessResult = ACCESS_CONDITIONAL;
} else {
accessResult = accessInfo.getValue().getResult();
+
if
(accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
accessResult = RangerPolicyEvaluator.ACCESS_DENIED;
}
}
+
RangerPolicy
policy = evaluator.getPolicy();
+
ret.setRoleAccessInfo(roleName, accessInfo.getKey(), accessResult, policy);
}
}
@@ -346,9 +366,8 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
requestProcessor.preProcess(request);
- RangerResourceAccessInfo ret = new
RangerResourceAccessInfo(request);
-
- String zoneName =
policyEngine.getMatchedZoneName(request.getResource());
+ RangerResourceAccessInfo ret = new
RangerResourceAccessInfo(request);
+ String zoneName =
policyEngine.getMatchedZoneName(request.getResource());
if (LOG.isDebugEnabled()) {
LOG.debug("zoneName:[" + zoneName + "]");
@@ -365,29 +384,27 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
if (matchedRepository == null) {
LOG.error("policyRepository for zoneName:[" + zoneName
+ "], serviceName:[" + policyEngine.getPolicyRepository().getServiceName() +
"], policyVersion:[" + getPolicyVersion() + "] is null!! ERROR!");
} else {
-
List<RangerPolicyEvaluator> tagPolicyEvaluators =
policyEngine.getTagPolicyRepository() == null ? null :
policyEngine.getTagPolicyRepository().getPolicyEvaluators();
if (CollectionUtils.isNotEmpty(tagPolicyEvaluators)) {
-
Set<RangerTagForEval> tags =
RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
if (CollectionUtils.isNotEmpty(tags)) {
-
final boolean
useTagPoliciesFromDefaultZone =
!policyEngine.isResourceZoneAssociatedWithTagService(zoneName);
for (RangerTagForEval tag : tags) {
- RangerAccessRequest
tagEvalRequest = new RangerTagAccessRequest(tag,
policyEngine.getTagPolicyRepository().getServiceDef(), request);
-
- List<RangerPolicyEvaluator>
evaluators =
policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(tagEvalRequest.getResource(),
RangerPolicy.POLICY_TYPE_ACCESS);
+ RangerAccessRequest
tagEvalRequest = new RangerTagAccessRequest(tag,
policyEngine.getTagPolicyRepository().getServiceDef(), request);
+ List<RangerPolicyEvaluator>
evaluators =
policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(tagEvalRequest.getResource(),
RangerPolicy.POLICY_TYPE_ACCESS);
for (RangerPolicyEvaluator
evaluator : evaluators) {
String policyZoneName =
evaluator.getPolicy().getZoneName();
+
if
(useTagPoliciesFromDefaultZone) {
if
(StringUtils.isNotEmpty(policyZoneName)) {
if
(LOG.isDebugEnabled()) {
LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to default
zone. Not evaluating this policy:[" + evaluator.getPolicy() + "]");
}
+
continue;
}
} else {
@@ -395,9 +412,11 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
if
(LOG.isDebugEnabled()) {
LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to the
zone:[" + zoneName + "] of the accessed resource. Not evaluating this policy:["
+ evaluator.getPolicy() + "]");
}
+
continue;
}
}
+
evaluator.getResourceAccessInfo(tagEvalRequest, ret);
}
}
@@ -478,19 +497,25 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
@Override
public List<RangerPolicy> getResourcePolicies() {
- return policyEngine.getResourcePolicies();
+ RangerPolicyRepository policyRepository =
policyEngine.getPolicyRepository();
+
+ return policyRepository == null ? ListUtils.EMPTY_LIST :
policyRepository.getPolicies();
}
@Override
public List<RangerPolicy> getTagPolicies() {
- return policyEngine.getTagPolicies();
+ RangerPolicyRepository tagPolicyRepository =
policyEngine.getTagPolicyRepository();
+
+ return tagPolicyRepository == null ? ListUtils.EMPTY_LIST :
tagPolicyRepository.getPolicies();
}
public void releaseResources() {
if (LOG.isDebugEnabled()) {
LOG.debug("==>
RangerPolicyEngineImpl.releaseResources()");
}
+
PolicyEngine policyEngine = this.policyEngine;
+
if (policyEngine != null) {
policyEngine.preCleanup();
} else {
@@ -498,6 +523,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
LOG.debug("Cannot preCleanup policy-engine as
it is null!");
}
}
+
if (LOG.isDebugEnabled()) {
LOG.debug("<==
RangerPolicyEngineImpl.releaseResources()");
}
@@ -508,7 +534,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
private RangerPolicyEngineImpl(final PolicyEngine policyEngine) {
- this.policyEngine = policyEngine;
+ this.policyEngine = policyEngine;
this.requestProcessor = new
RangerDefaultRequestProcessor(policyEngine);
}
@@ -517,13 +543,10 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
LOG.debug("==>
RangerPolicyEngineImpl.zoneAwareAccessEvaluationWithNoAudit(" + request + ",
policyType =" + policyType + ")");
}
- RangerAccessResult ret = null;
-
- RangerPolicyRepository policyRepository =
policyEngine.getPolicyRepository();
+ RangerAccessResult ret = null;
+ RangerPolicyRepository policyRepository =
policyEngine.getPolicyRepository();
RangerPolicyRepository tagPolicyRepository =
policyEngine.getTagPolicyRepository();
-
- // Evaluate zone-name from request
- String zoneName =
policyEngine.getMatchedZoneName(request.getResource());
+ String zoneName =
policyEngine.getMatchedZoneName(request.getResource()); // Evaluate zone-name
from request
if (LOG.isDebugEnabled()) {
LOG.debug("zoneName:[" + zoneName + "]");
@@ -536,15 +559,17 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
LOG.error("policyRepository for zoneName:[" +
zoneName + "], serviceName:[" +
policyEngine.getPolicyRepository().getServiceName() + "], policyVersion:[" +
getPolicyVersion() + "] is null!! ERROR!");
}
}
+
if (policyRepository != null) {
ret = evaluatePoliciesNoAudit(request, policyType,
zoneName, policyRepository, tagPolicyRepository);
+
ret.setZoneName(zoneName);
}
-
if (LOG.isDebugEnabled()) {
LOG.debug("<==
RangerPolicyEngineImpl.zoneAwareAccessEvaluationWithNoAudit(" + request + ",
policyType =" + policyType + "): " + ret);
}
+
return ret;
}
@@ -553,9 +578,8 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
LOG.debug("==>
RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" +
policyType + ", zoneName=" + zoneName + ")");
}
- Date accessTime = request.getAccessTime() != null ?
request.getAccessTime() : new Date();
- RangerAccessResult ret =
policyEngine.createAccessResult(request, policyType);
-
+ Date accessTime = request.getAccessTime() != null
? request.getAccessTime() : new Date();
+ RangerAccessResult ret =
policyEngine.createAccessResult(request, policyType);
evaluateTagPolicies(request, policyType, zoneName,
tagPolicyRepository, ret);
@@ -575,7 +599,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
if (evaluateResourcePolicies) {
boolean findAuditByResource =
!ret.getIsAuditedDetermined();
- boolean foundInCache = findAuditByResource &&
policyRepository.setAuditEnabledFromCache(request, ret);
+ boolean foundInCache = findAuditByResource &&
policyRepository.setAuditEnabledFromCache(request, ret);
ret.setIsAccessDetermined(false); // discard result by
tag-policies, to evaluate resource policies for possible override
@@ -640,24 +664,23 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
LOG.debug("==>
RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" +
policyType + ", zoneName=" + zoneName + ", " + result + ")");
}
- Date accessTime = request.getAccessTime() != null ?
request.getAccessTime() : new Date();
-
- Set<RangerTagForEval> tags =
RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
-
+ Date accessTime =
request.getAccessTime() != null ? request.getAccessTime() : new Date();
+ Set<RangerTagForEval> tags =
RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
List<PolicyEvaluatorForTag> policyEvaluators =
tagPolicyRepository == null ? null :
tagPolicyRepository.getLikelyMatchPolicyEvaluators(tags, policyType,
accessTime);
if (CollectionUtils.isNotEmpty(policyEvaluators)) {
final boolean useTagPoliciesFromDefaultZone =
!policyEngine.isResourceZoneAssociatedWithTagService(zoneName);
for (PolicyEvaluatorForTag policyEvaluator :
policyEvaluators) {
- RangerPolicyEvaluator evaluator =
policyEvaluator.getEvaluator();
+ RangerPolicyEvaluator evaluator =
policyEvaluator.getEvaluator();
+ String policyZoneName =
evaluator.getPolicy().getZoneName();
- String policyZoneName =
evaluator.getPolicy().getZoneName();
if (useTagPoliciesFromDefaultZone) {
if
(StringUtils.isNotEmpty(policyZoneName)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Tag policy
[zone:" + policyZoneName + "] does not belong to default zone. Not evaluating
this policy:[" + evaluator.getPolicy() + "]");
}
+
continue;
}
} else {
@@ -665,14 +688,14 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
if (LOG.isDebugEnabled()) {
LOG.debug("Tag policy
[zone:" + policyZoneName + "] does not belong to the zone:[" + zoneName + "] of
the accessed resource. Not evaluating this policy:[" + evaluator.getPolicy() +
"]");
}
+
continue;
}
}
- RangerTagForEval tag = policyEvaluator.getTag();
-
+ RangerTagForEval tag =
policyEvaluator.getTag();
RangerAccessRequest tagEvalRequest = new
RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
- RangerAccessResult tagEvalResult =
policyEngine.createAccessResult(tagEvalRequest, policyType);
+ RangerAccessResult tagEvalResult =
policyEngine.createAccessResult(tagEvalRequest, policyType);
if (LOG.isDebugEnabled()) {
LOG.debug("RangerPolicyEngineImpl.evaluateTagPolicies: Evaluating policies for
tag (" + tag.getType() + ")");
@@ -710,6 +733,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
}
}
+
if (result.getIsAllowed()) {
result.setIsAccessDetermined(true);
}
@@ -718,5 +742,4 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
LOG.debug("<==
RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" +
policyType + ", zoneName=" + zoneName + ", " + result + ")");
}
}
-
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 28b441a..e583fa1 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -56,7 +56,7 @@ public class RangerPolicyRepository {
private static final Log LOG =
LogFactory.getLog(RangerPolicyRepository.class);
private static final Log PERF_CONTEXTENRICHER_INIT_LOG =
RangerPerfTracer.getPerfLogger("contextenricher.init");
- private static final Log PERF_TRIE_OP_LOG =
RangerPerfTracer.getPerfLogger("resourcetrie.retrieval");
+ private static final Log PERF_TRIE_OP_LOG =
RangerPerfTracer.getPerfLogger("resourcetrie.retrieval");
enum AuditModeEnum {
AUDIT_ALL, AUDIT_NONE, AUDIT_DEFAULT
@@ -78,50 +78,48 @@ public class RangerPolicyRepository {
}
}
- private final String serviceName;
- private final String zoneName;
- private final String appId;
- private final RangerPolicyEngineOptions options;
- private final RangerPluginContext pluginContext;
- private final RangerServiceDef serviceDef;
- private final List<RangerPolicy> policies;
- private final long policyVersion;
- private final List<RangerContextEnricher> contextEnrichers;
- private List<RangerPolicyEvaluator> policyEvaluators;
- private List<RangerPolicyEvaluator> dataMaskPolicyEvaluators;
- private List<RangerPolicyEvaluator> rowFilterPolicyEvaluators;
- private Map<Long, RangerPolicyEvaluator> policyEvaluatorsMap;
- private final AuditModeEnum auditModeEnum;
- private final Map<String, AuditInfo> accessAuditCache;
-
- private final String componentServiceName;
- private final RangerServiceDef componentServiceDef;
+ private final String serviceName;
+ private final String zoneName;
+ private final String appId;
+ private final RangerPolicyEngineOptions options;
+ private final RangerPluginContext pluginContext;
+ private final RangerServiceDef serviceDef;
+ private final List<RangerPolicy> policies;
+ private final long policyVersion;
+ private final List<RangerContextEnricher> contextEnrichers;
+ private final AuditModeEnum auditModeEnum;
+ private final Map<String, AuditInfo> accessAuditCache;
+ private final String componentServiceName;
+ private final RangerServiceDef componentServiceDef;
private final Map<String, RangerResourceTrie> policyResourceTrie;
private final Map<String, RangerResourceTrie> dataMaskResourceTrie;
private final Map<String, RangerResourceTrie> rowFilterResourceTrie;
-
- private boolean isContextEnrichersShared = false;
- private boolean isPreCleaned = false;
+ private List<RangerPolicyEvaluator> policyEvaluators;
+ private List<RangerPolicyEvaluator> dataMaskPolicyEvaluators;
+ private List<RangerPolicyEvaluator> rowFilterPolicyEvaluators;
+ private Map<Long, RangerPolicyEvaluator> policyEvaluatorsMap;
+ private boolean isContextEnrichersShared =
false;
+ private boolean isPreCleaned = false;
RangerPolicyRepository(final RangerPolicyRepository other, final
List<RangerPolicyDelta> deltas, long policyVersion) {
-
- this.serviceName = other.serviceName;
- this.zoneName = other.zoneName;
- this.appId = other.appId;
- this.options = other.options;
- this.pluginContext = other.pluginContext;
- this.serviceDef = other.serviceDef;
- this.policies = new ArrayList<>(other.policies);
- this.policyEvaluators = new ArrayList<>(other.policyEvaluators);
- this.dataMaskPolicyEvaluators = new
ArrayList<>(other.dataMaskPolicyEvaluators);
+ this.serviceName = other.serviceName;
+ this.zoneName = other.zoneName;
+ this.appId = other.appId;
+ this.options = other.options;
+ this.pluginContext = other.pluginContext;
+ this.serviceDef = other.serviceDef;
+ this.policies = new ArrayList<>(other.policies);
+ this.policyEvaluators = new
ArrayList<>(other.policyEvaluators);
+ this.dataMaskPolicyEvaluators = new
ArrayList<>(other.dataMaskPolicyEvaluators);
this.rowFilterPolicyEvaluators = new
ArrayList<>(other.rowFilterPolicyEvaluators);
- this.auditModeEnum = other.auditModeEnum;
- this.componentServiceName = other.componentServiceName;
- this.componentServiceDef = other.componentServiceDef;
- this.policyEvaluatorsMap = new HashMap<>(other.policyEvaluatorsMap);
+ this.auditModeEnum = other.auditModeEnum;
+ this.componentServiceName = other.componentServiceName;
+ this.componentServiceDef = other.componentServiceDef;
+ this.policyEvaluatorsMap = new
HashMap<>(other.policyEvaluatorsMap);
if (other.policyResourceTrie != null) {
this.policyResourceTrie = new HashMap<>();
+
for (Map.Entry<String, RangerResourceTrie> entry :
other.policyResourceTrie.entrySet()) {
policyResourceTrie.put(entry.getKey(), new
RangerResourceTrie(entry.getValue()));
}
@@ -131,6 +129,7 @@ public class RangerPolicyRepository {
if (other.dataMaskResourceTrie != null) {
this.dataMaskResourceTrie = new HashMap<>();
+
for (Map.Entry<String, RangerResourceTrie> entry :
other.dataMaskResourceTrie.entrySet()) {
dataMaskResourceTrie.put(entry.getKey(), new
RangerResourceTrie(entry.getValue()));
}
@@ -140,6 +139,7 @@ public class RangerPolicyRepository {
if (other.rowFilterResourceTrie != null) {
this.rowFilterResourceTrie = new HashMap<>();
+
for (Map.Entry<String, RangerResourceTrie> entry :
other.rowFilterResourceTrie.entrySet()) {
rowFilterResourceTrie.put(entry.getKey(), new
RangerResourceTrie(entry.getValue()));
}
@@ -149,6 +149,7 @@ public class RangerPolicyRepository {
if (other.accessAuditCache != null) {
int auditResultCacheSize = other.accessAuditCache.size();
+
this.accessAuditCache = Collections.synchronizedMap(new
CacheMap<String, AuditInfo>(auditResultCacheSize));
} else {
this.accessAuditCache = null;
@@ -157,7 +158,6 @@ public class RangerPolicyRepository {
boolean[] flags = new boolean[RangerPolicy.POLICY_TYPES.length];
for (RangerPolicyDelta delta : deltas) {
-
final Integer changeType = delta.getChangeType();
final String serviceType = delta.getServiceType();
final Long policyId = delta.getPolicyId();
@@ -175,17 +175,21 @@ public class RangerPolicyRepository {
if (LOG.isDebugEnabled()) {
LOG.debug("Could not find policy for policy-id:["
+ policyId + "]");
}
+
continue;
}
break;
+
case RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE:
evaluator = getPolicyEvaluator(policyId);
+
if (evaluator == null) {
if (LOG.isDebugEnabled()) {
LOG.debug("Could not find evaluator for
policy-id:[" + policyId + "]");
}
}
break;
+
case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE:
evaluator = getPolicyEvaluator(policyId);
if (evaluator == null) {
@@ -194,6 +198,7 @@ public class RangerPolicyRepository {
}
}
break;
+
default:
LOG.error("Unknown changeType:[" + changeType + "],
Ignoring");
break;
@@ -206,12 +211,15 @@ public class RangerPolicyRepository {
case RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE:
policyEvaluatorsMap.put(policyId, evaluator);
break;
+
case RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE:
policyEvaluatorsMap.put(policyId, evaluator);
break;
+
case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE:
policyEvaluatorsMap.remove(policyId);
break;
+
default:
break;
}
@@ -221,7 +229,6 @@ public class RangerPolicyRepository {
}
for (int policyType = 0; policyType < flags.length; policyType++) {
-
if (flags[policyType]) {
Map<String, RangerResourceTrie> trie = getTrie(policyType);
@@ -392,6 +399,63 @@ public class RangerPolicyRepository {
return sb.toString();
}
+ public StringBuilder toString(StringBuilder sb) {
+ if (sb == null) {
+ sb = new StringBuilder();
+ }
+
+ sb.append("RangerPolicyRepository={");
+
+ sb.append("serviceName={").append(serviceName).append("} ");
+ sb.append("zoneName={").append(zoneName).append("} ");
+ sb.append("serviceDef={").append(serviceDef).append("} ");
+ sb.append("appId={").append(appId).append("} ");
+
+ sb.append("policyEvaluators={");
+ if (policyEvaluators != null) {
+ for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
+ if (policyEvaluator != null) {
+ sb.append(policyEvaluator).append(" ");
+ }
+ }
+ }
+ sb.append("} ");
+
+ sb.append("dataMaskPolicyEvaluators={");
+ if (this.dataMaskPolicyEvaluators != null) {
+ for (RangerPolicyEvaluator policyEvaluator :
dataMaskPolicyEvaluators) {
+ if (policyEvaluator != null) {
+ sb.append(policyEvaluator).append(" ");
+ }
+ }
+ }
+ sb.append("} ");
+
+ sb.append("rowFilterPolicyEvaluators={");
+ if (this.rowFilterPolicyEvaluators != null) {
+ for (RangerPolicyEvaluator policyEvaluator :
rowFilterPolicyEvaluators) {
+ if (policyEvaluator != null) {
+ sb.append(policyEvaluator).append(" ");
+ }
+ }
+ }
+ sb.append("} ");
+
+ sb.append("contextEnrichers={");
+ if (contextEnrichers != null) {
+ for (RangerContextEnricher contextEnricher : contextEnrichers) {
+ if (contextEnricher != null) {
+ sb.append(contextEnricher).append(" ");
+ }
+ }
+ }
+ sb.append("} ");
+
+ sb.append("} ");
+
+ return sb;
+ }
+
List<RangerContextEnricher> shareWith(RangerPolicyRepository other) {
if (other != null && other.contextEnrichers != null) {
other.setShared();
@@ -1383,62 +1447,4 @@ public class RangerPolicyRepository {
return ret;
}
-
- private StringBuilder toString(StringBuilder sb) {
-
- sb.append("RangerPolicyRepository={");
-
- sb.append("serviceName={").append(serviceName).append("} ");
- sb.append("zoneName={").append(zoneName).append("} ");
- sb.append("serviceDef={").append(serviceDef).append("} ");
- sb.append("appId={").append(appId).append("} ");
-
- sb.append("policyEvaluators={");
- if (policyEvaluators != null) {
- for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
- if (policyEvaluator != null) {
- sb.append(policyEvaluator).append(" ");
- }
- }
- }
- sb.append("} ");
-
- sb.append("dataMaskPolicyEvaluators={");
-
- if (this.dataMaskPolicyEvaluators != null) {
- for (RangerPolicyEvaluator policyEvaluator :
dataMaskPolicyEvaluators) {
- if (policyEvaluator != null) {
- sb.append(policyEvaluator).append(" ");
- }
- }
- }
- sb.append("} ");
-
- sb.append("rowFilterPolicyEvaluators={");
-
- if (this.rowFilterPolicyEvaluators != null) {
- for (RangerPolicyEvaluator policyEvaluator :
rowFilterPolicyEvaluators) {
- if (policyEvaluator != null) {
- sb.append(policyEvaluator).append(" ");
- }
- }
- }
- sb.append("} ");
-
- sb.append("contextEnrichers={");
-
- if (contextEnrichers != null) {
- for (RangerContextEnricher contextEnricher : contextEnrichers) {
- if (contextEnricher != null) {
- sb.append(contextEnricher).append(" ");
- }
- }
- }
- sb.append("} ");
-
- sb.append("} ");
-
- return sb;
- }
-
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 11c1eeb..99ae598 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -26,6 +26,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
@@ -36,10 +37,10 @@ import java.util.Map;
public abstract class RangerAbstractPolicyEvaluator implements
RangerPolicyEvaluator {
private static final Log LOG =
LogFactory.getLog(RangerAbstractPolicyEvaluator.class);
- private RangerPolicy policy;
- private RangerServiceDef serviceDef;
- private RangerServiceDef.RangerResourceDef leafResourceDef;
- private int evalOrder;
+ private RangerPolicy policy;
+ private RangerServiceDef serviceDef;
+ private RangerResourceDef leafResourceDef;
+ private int evalOrder;
protected RangerPluginContext pluginContext = null;
@@ -53,9 +54,9 @@ public abstract class RangerAbstractPolicyEvaluator
implements RangerPolicyEvalu
LOG.debug("==> RangerAbstractPolicyEvaluator.init(" +
policy + ", " + serviceDef + ")");
}
- this.policy = policy;
- this.serviceDef = serviceDef;
- this.leafResourceDef =
ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource());
+ this.policy = policy;
+ this.serviceDef = serviceDef;
+ this.leafResourceDef =
ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource());
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerAbstractPolicyEvaluator.init(" +
policy + ", " + serviceDef + ")");
@@ -88,7 +89,7 @@ public abstract class RangerAbstractPolicyEvaluator
implements RangerPolicyEvalu
}
@Override
- public boolean isAncestorOf(RangerServiceDef.RangerResourceDef
resourceDef) {
+ public boolean isAncestorOf(RangerResourceDef resourceDef) {
return ServiceDefUtil.isAncestorOf(serviceDef, leafResourceDef,
resourceDef);
}
@@ -132,8 +133,11 @@ public abstract class RangerAbstractPolicyEvaluator
implements RangerPolicyEvalu
public StringBuilder toString(StringBuilder sb) {
sb.append("RangerAbstractPolicyEvaluator={");
- sb.append("policy={").append(policy).append("} ");
- sb.append("serviceDef={").append(serviceDef).append("} ");
+ sb.append("policy={");
+ if (policy != null) {
+ policy.toString(sb);
+ }
+ sb.append("} ");
sb.append("}");
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
index b9dff76..eed6432 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
@@ -36,7 +36,6 @@ import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
public class RangerAuthContext {
-
private final Map<RangerContextEnricher, Object> requestContextEnrichers;
private RangerRolesUtil rangerRolesUtil;
@@ -44,6 +43,12 @@ public class RangerAuthContext {
this.requestContextEnrichers = requestContextEnrichers != null ?
requestContextEnrichers : new ConcurrentHashMap<>();
}
+ public RangerAuthContext(Map<RangerContextEnricher, Object>
requestContextEnrichers, RangerRoles roles) {
+ this.requestContextEnrichers = requestContextEnrichers != null ?
requestContextEnrichers : new ConcurrentHashMap<>();
+
+ setRangerRoles(roles);
+ }
+
public Map<RangerContextEnricher, Object> getRequestContextEnrichers() {
return requestContextEnrichers;
}
@@ -63,15 +68,14 @@ public class RangerAuthContext {
}
public Set<String> getRolesForUserAndGroups(String user, Set<String>
groups) {
- RangerRolesUtil rangerRolesUtil = this.rangerRolesUtil;
-
+ RangerRolesUtil rangerRolesUtil = this.rangerRolesUtil;
Map<String, Set<String>> userRoleMapping =
rangerRolesUtil.getUserRoleMapping();
Map<String, Set<String>> groupRoleMapping =
rangerRolesUtil.getGroupRoleMapping();
-
- Set<String> allRoles = new HashSet<>();
+ Set<String> allRoles = new HashSet<>();
if (MapUtils.isNotEmpty(userRoleMapping) &&
StringUtils.isNotEmpty(user)) {
Set<String> userRoles = userRoleMapping.get(user);
+
if (CollectionUtils.isNotEmpty(userRoles)) {
allRoles.addAll(userRoles);
}
@@ -81,12 +85,15 @@ public class RangerAuthContext {
if (CollectionUtils.isNotEmpty(groups)) {
for (String group : groups) {
Set<String> groupRoles = groupRoleMapping.get(group);
+
if (CollectionUtils.isNotEmpty(groupRoles)) {
allRoles.addAll(groupRoles);
}
}
}
+
Set<String> publicGroupRoles =
groupRoleMapping.get(RangerPolicyEngine.GROUP_PUBLIC);
+
if (CollectionUtils.isNotEmpty(publicGroupRoles)) {
allRoles.addAll(publicGroupRoles);
}
@@ -101,8 +108,10 @@ public class RangerAuthContext {
public RangerResourceACLs getResourceACLs(RangerAccessRequest request) {
// Invoke getResourceACLs on the first service in this plugin
Collection<RangerBasePlugin> plugins =
RangerBasePlugin.getServicePluginMap().values();
+
if (plugins.size() > 0) {
RangerBasePlugin[] array = plugins.toArray(new
RangerBasePlugin[0]);
+
return array[0].getResourceACLs(request);
} else {
return null;
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index a0808f9..186cf19 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -65,30 +65,28 @@ public class RangerBasePlugin {
private static Map<String, RangerBasePlugin> servicePluginMap = new
ConcurrentHashMap<>();
- private final String serviceType;
- private final String appId;
- private final RangerPluginConfig config;
- private String serviceName;
- private String clusterName;
- private PolicyRefresher refresher;
- private RangerPolicyEngine policyEngine;
- private RangerPolicyEngineOptions policyEngineOptions = new
RangerPolicyEngineOptions();
- private RangerPluginContext rangerPluginContext;
- private RangerAuthContext currentAuthContext;
- private RangerAccessResultProcessor resultProcessor;
- private boolean useForwardedIPAddress;
- private String[] trustedProxyAddresses;
- private Timer policyDownloadTimer;
- private Timer policyEngineRefreshTimer;
- private RangerAuthContextListener authContextListener;
- private AuditProviderFactory auditProviderFactory;
- private RangerRoles rangerRoles;
-
+ private final String serviceType;
+ private final String appId;
+ private final RangerPluginConfig config;
+ private final RangerPolicyEngineOptions policyEngineOptions = new
RangerPolicyEngineOptions();
private final BlockingQueue<DownloadTrigger> policyDownloadQueue = new
LinkedBlockingQueue<>();
private final DownloadTrigger accessTrigger = new
DownloadTrigger();
-
- Map<String, LogHistory> logHistoryList = new Hashtable<String,
RangerBasePlugin.LogHistory>();
- int logInterval = 30000; // 30 seconds
+ private final Map<String, LogHistory> logHistoryList = new
Hashtable<String, RangerBasePlugin.LogHistory>();
+ private final int logInterval =
30000; // 30 seconds
+ private String serviceName;
+ private String clusterName;
+ private PolicyRefresher refresher;
+ private RangerPolicyEngine policyEngine;
+ private RangerPluginContext rangerPluginContext;
+ private RangerAuthContext currentAuthContext;
+ private RangerAccessResultProcessor resultProcessor;
+ private boolean useForwardedIPAddress;
+ private String[] trustedProxyAddresses;
+ private Timer policyDownloadTimer;
+ private Timer policyEngineRefreshTimer;
+ private RangerAuthContextListener authContextListener;
+ private AuditProviderFactory auditProviderFactory;
+ private RangerRoles rangerRoles;
public static Map<String, RangerBasePlugin> getServicePluginMap() {
return servicePluginMap;
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
index 81c278a..aa2cda6 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
@@ -30,26 +30,18 @@ import java.util.Map;
import java.util.Set;
public class RangerRolesUtil {
-
- private final long roleVersion;
- private Map<String, Set<String>> userRoleMapping = new HashMap<>();
- private Map<String, Set<String>> groupRoleMapping = new HashMap<>();
-
- public long getRoleVersion() { return roleVersion; }
- public Map<String, Set<String>> getUserRoleMapping() {
- return this.userRoleMapping;
- }
-
- public Map<String, Set<String>> getGroupRoleMapping() {
- return this.groupRoleMapping;
- }
+ private final long roleVersion;
+ private final Map<String, Set<String>> userRoleMapping = new HashMap<>();
+ private final Map<String, Set<String>> groupRoleMapping = new HashMap<>();
public RangerRolesUtil(RangerRoles rangerRoles) {
if (rangerRoles != null) {
roleVersion = rangerRoles.getRoleVersion();
+
if (CollectionUtils.isNotEmpty(rangerRoles.getRangerRoles())) {
for (RangerRole role : rangerRoles.getRangerRoles()) {
Set<RangerRole> containedRoles =
getAllContainedRoles(rangerRoles.getRangerRoles(), role);
+
buildMap(userRoleMapping, role, containedRoles, true);
buildMap(groupRoleMapping, role, containedRoles, false);
}
@@ -59,17 +51,31 @@ public class RangerRolesUtil {
}
}
+ public long getRoleVersion() { return roleVersion; }
+
+ public Map<String, Set<String>> getUserRoleMapping() {
+ return this.userRoleMapping;
+ }
+
+ public Map<String, Set<String>> getGroupRoleMapping() {
+ return this.groupRoleMapping;
+ }
+
private Set<RangerRole> getAllContainedRoles(Set<RangerRole> rangerRoles,
RangerRole role) {
Set<RangerRole> allRoles = new HashSet<>();
+
allRoles.add(role);
addContainedRoles(allRoles, rangerRoles, role);
+
return allRoles;
}
private void addContainedRoles(Set<RangerRole> allRoles, Set<RangerRole>
rangerRoles, RangerRole role) {
List<RangerRole.RoleMember> roleMembers = role.getRoles();
+
for (RangerRole.RoleMember roleMember : roleMembers) {
RangerRole containedRole = getContainedRole(rangerRoles,
roleMember.getName());
+
if (containedRole!= null && !allRoles.contains(containedRole)) {
allRoles.add(containedRole);
addContainedRoles(allRoles, rangerRoles, containedRole);
@@ -79,6 +85,7 @@ public class RangerRolesUtil {
private void buildMap(Map<String, Set<String>> map, RangerRole role,
Set<RangerRole> containedRoles, boolean isUser) {
buildMap(map, role, role.getName(), isUser);
+
for (RangerRole containedRole : containedRoles) {
buildMap(map, containedRole, role.getName(), isUser);
}
@@ -88,10 +95,13 @@ public class RangerRolesUtil {
for (RangerRole.RoleMember userOrGroup : isUser ? role.getUsers() :
role.getGroups()) {
if (StringUtils.isNotEmpty(userOrGroup.getName())) {
Set<String> roleNames = map.get(userOrGroup.getName());
+
if (roleNames == null) {
roleNames = new HashSet<>();
+
map.put(userOrGroup.getName(), roleNames);
}
+
roleNames.add(roleName);
}
}
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
index bfe767e..1109bdd 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
@@ -91,8 +91,8 @@ public class TestPolicyACLs {
for(PolicyACLsTests.TestCase testCase : testCases.testCases) {
RangerPolicyEngineOptions policyEngineOptions = new
RangerPolicyEngineOptions();
- RangerPluginContext pluginContext = new
RangerPluginContext("hive", "cl1", "on-prem");
- RangerPolicyEngine policyEngine = new
RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies,
policyEngineOptions, pluginContext, null);
+ RangerPluginContext pluginContext = new
RangerPluginContext("hive", "cl1", "on-prem");
+ RangerPolicyEngine policyEngine = new
RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies,
policyEngineOptions, pluginContext, null);
for(PolicyACLsTests.TestCase.OneTest oneTest :
testCase.tests) {
if(oneTest == null) {
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCache.java
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
similarity index 74%
rename from
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCache.java
rename to
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
index a86f003..5cbb1b2 100644
---
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCache.java
+++
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
@@ -42,31 +42,32 @@ import org.apache.ranger.plugin.store.ServiceStore;
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.ServicePolicies;
-public class RangerPolicyEngineCache {
- private static final Log LOG =
LogFactory.getLog(RangerPolicyEngineCache.class);
+public class RangerPolicyAdminCache {
+ private static final Log LOG =
LogFactory.getLog(RangerPolicyAdminCache.class);
- private final Map<String, RangerPolicyAdmin> policyEngineCache =
Collections.synchronizedMap(new HashMap<>());
+ private final Map<String, RangerPolicyAdmin> policyAdminCache =
Collections.synchronizedMap(new HashMap<>());
final RangerPolicyAdmin getServicePoliciesAdmin(String serviceName,
ServiceStore svcStore, RoleStore roleStore, SecurityZoneStore zoneStore,
RangerPolicyEngineOptions options) {
RangerPolicyAdmin ret = null;
if (serviceName == null || svcStore == null || roleStore ==
null || zoneStore == null) {
- LOG.warn("Cannot get policy-engine for null serviceName
or serviceStore or roleStore or zoneStore");
+ LOG.warn("Cannot get policy-admin for null serviceName
or serviceStore or roleStore or zoneStore");
+
return ret;
}
- ret = policyEngineCache.get(serviceName);
+ ret = policyAdminCache.get(serviceName);
- long policyVersion;
- long roleVersion;
+ long policyVersion;
+ long roleVersion;
RangerRoles rangerRoles;
- boolean isRolesUpdated = true;
+ boolean isRolesUpdated = true;
try {
if (ret == null) {
policyVersion = -1L;
- roleVersion = -1L;
- rangerRoles =
roleStore.getRangerRoles(serviceName, roleVersion);
+ roleVersion = -1L;
+ rangerRoles =
roleStore.getRangerRoles(serviceName, roleVersion);
if (rangerRoles == null) {
if (LOG.isDebugEnabled()) {
@@ -75,102 +76,105 @@ public class RangerPolicyEngineCache {
}
} else {
policyVersion = ret.getPolicyVersion();
- roleVersion = ret.getRoleVersion();
- rangerRoles =
roleStore.getRangerRoles(serviceName, roleVersion);
+ roleVersion = ret.getRoleVersion();
+ rangerRoles =
roleStore.getRangerRoles(serviceName, roleVersion);
if (rangerRoles == null) { // No changes to
roles
- rangerRoles =
roleStore.getRangerRoles(serviceName, -1L);
+ rangerRoles =
roleStore.getRangerRoles(serviceName, -1L);
isRolesUpdated = false;
}
}
+
ServicePolicies policies =
svcStore.getServicePoliciesIfUpdated(serviceName, policyVersion, false);
if (policies != null) {
if (policies.getPolicyVersion() != null &&
!policies.getPolicyVersion().equals(policyVersion)) {
ServicePolicies updatedServicePolicies
= getUpdatedServicePolicies(serviceName, policies, svcStore, zoneStore);
- ret = addOrUpdatePolicyEngine(ret,
updatedServicePolicies, rangerRoles, options);
+ ret = addOrUpdatePolicyAdmin(ret,
updatedServicePolicies, rangerRoles, options);
} else {
- LOG.error("policies object is null or
its version is null for getPolicyEngine(" + serviceName + ") !!");
- LOG.error("Returning old policy
engine");
+ LOG.error("policies object is null or
its version is null for getPolicyAdmin(" + serviceName + ") !!");
+ LOG.error("Returning old policy admin");
}
} else {
if (ret == null) {
- LOG.error("getPolicyEngine(" +
serviceName + "): failed to get any policies from service-store");
+ LOG.error("getPolicyAdmin(" +
serviceName + "): failed to get any policies from service-store");
} else {
if (isRolesUpdated) {
ret.setRangerRoles(rangerRoles);
}
}
}
-
} catch (Exception excp) {
- LOG.error("getPolicyEngine(" + serviceName + "): failed
to get latest policies from service-store", excp);
+ LOG.error("getPolicyAdmin(" + serviceName + "): failed
to get latest policies from service-store", excp);
}
return ret;
}
- private RangerPolicyAdmin addOrUpdatePolicyEngine(RangerPolicyAdmin
policyEngine, ServicePolicies policies, RangerRoles rangerRoles,
RangerPolicyEngineOptions options) {
+ private RangerPolicyAdmin addOrUpdatePolicyAdmin(RangerPolicyAdmin
policyAdmin, ServicePolicies policies, RangerRoles rangerRoles,
RangerPolicyEngineOptions options) {
final RangerPolicyAdmin ret;
-
- RangerPolicyAdminImpl oldPolicyEngine = (RangerPolicyAdminImpl)
policyEngine;
+ RangerPolicyAdminImpl oldPolicyAdmin =
(RangerPolicyAdminImpl) policyAdmin;
synchronized(this) {
- if (oldPolicyEngine == null ||
CollectionUtils.isEmpty(policies.getPolicyDeltas())) {
- ret = addPolicyEngine(policies, rangerRoles,
options);
+ if (oldPolicyAdmin == null ||
CollectionUtils.isEmpty(policies.getPolicyDeltas())) {
+ ret = addPolicyAdmin(policies, rangerRoles,
options);
} else {
- RangerPolicyAdmin updatedEngine =
RangerPolicyAdminImpl.getPolicyEngine(oldPolicyEngine, policies);
+ RangerPolicyAdmin updatedPolicyAdmin =
RangerPolicyAdminImpl.getPolicyAdmin(oldPolicyAdmin, policies);
- if (updatedEngine != null) {
-
updatedEngine.setRangerRoles(rangerRoles);
-
policyEngineCache.put(policies.getServiceName(), updatedEngine);
+ if (updatedPolicyAdmin != null) {
+
updatedPolicyAdmin.setRangerRoles(rangerRoles);
+
policyAdminCache.put(policies.getServiceName(), updatedPolicyAdmin);
- ret = updatedEngine;
+ ret = updatedPolicyAdmin;
} else {
- ret = addPolicyEngine(policies,
rangerRoles, options);
+ ret = addPolicyAdmin(policies,
rangerRoles, options);
}
}
- if (oldPolicyEngine != null) {
- oldPolicyEngine.releaseResources();
+
+ if (oldPolicyAdmin != null) {
+ oldPolicyAdmin.releaseResources();
}
}
return ret;
}
- private RangerPolicyAdmin addPolicyEngine(ServicePolicies policies,
RangerRoles rangerRoles, RangerPolicyEngineOptions options) {
- RangerServiceDef serviceDef = policies.getServiceDef();
- String serviceType = (serviceDef != null) ?
serviceDef.getName() : "";
-
+ private RangerPolicyAdmin addPolicyAdmin(ServicePolicies policies,
RangerRoles rangerRoles, RangerPolicyEngineOptions options) {
+ RangerServiceDef serviceDef =
policies.getServiceDef();
+ String serviceType = (serviceDef != null)
? serviceDef.getName() : "";
RangerPluginContext rangerPluginContext = new
RangerPluginContext(serviceType);
- RangerPolicyAdmin ret = new
RangerPolicyAdminImpl("ranger-admin", policies, options, rangerPluginContext,
rangerRoles);
+ RangerPolicyAdmin ret = new
RangerPolicyAdminImpl("ranger-admin", policies, options, rangerPluginContext,
rangerRoles);
- policyEngineCache.put(policies.getServiceName(), ret);
+ policyAdminCache.put(policies.getServiceName(), ret);
return ret;
}
private ServicePolicies getUpdatedServicePolicies(String serviceName,
ServicePolicies policies, ServiceStore svcStore, SecurityZoneStore zoneStore)
throws Exception{
ServicePolicies ret = policies;
+
if (ret == null) {
ret = svcStore.getServicePoliciesIfUpdated(serviceName,
-1L, false);
}
+
if (zoneStore != null) {
Map<String,
RangerSecurityZone.RangerSecurityZoneService> securityZones =
zoneStore.getSecurityZonesForService(serviceName);
+
if (MapUtils.isNotEmpty(securityZones)) {
ret = getUpdatedServicePoliciesForZones(ret,
securityZones);
}
}
+
return ret;
}
public static ServicePolicies
getUpdatedServicePoliciesForZones(ServicePolicies servicePolicies, Map<String,
RangerSecurityZone.RangerSecurityZoneService> securityZones) {
-
final ServicePolicies ret;
if (MapUtils.isNotEmpty(securityZones)) {
ret = new ServicePolicies();
+
ret.setServiceDef(servicePolicies.getServiceDef());
ret.setServiceId(servicePolicies.getServiceId());
ret.setServiceName(servicePolicies.getServiceName());
@@ -181,11 +185,9 @@ public class RangerPolicyEngineCache {
Map<String, ServicePolicies.SecurityZoneInfo>
securityZonesInfo = new HashMap<>();
if
(CollectionUtils.isEmpty(servicePolicies.getPolicyDeltas())) {
-
List<RangerPolicy> allPolicies = new
ArrayList<>(servicePolicies.getPolicies());
for (Map.Entry<String,
RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet())
{
-
List<RangerPolicy> zonePolicies =
extractZonePolicies(allPolicies, entry.getKey());
if
(CollectionUtils.isNotEmpty(zonePolicies)) {
@@ -193,12 +195,11 @@ public class RangerPolicyEngineCache {
}
ServicePolicies.SecurityZoneInfo
securityZoneInfo = new ServicePolicies.SecurityZoneInfo();
+
securityZoneInfo.setZoneName(entry.getKey());
securityZoneInfo.setPolicies(zonePolicies);
securityZoneInfo.setResources(entry.getValue().getResources());
-
securityZoneInfo.setContainsAssociatedTagService(false);
-
securityZonesInfo.put(entry.getKey(),
securityZoneInfo);
}
@@ -208,7 +209,6 @@ public class RangerPolicyEngineCache {
List<RangerPolicyDelta> allPolicyDeltas = new
ArrayList<>(servicePolicies.getPolicyDeltas());
for (Map.Entry<String,
RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet())
{
-
List<RangerPolicyDelta>
zonePolicyDeltas = extractZonePolicyDeltas(allPolicyDeltas, entry.getKey());
if
(CollectionUtils.isNotEmpty(zonePolicyDeltas)) {
@@ -216,17 +216,17 @@ public class RangerPolicyEngineCache {
}
ServicePolicies.SecurityZoneInfo
securityZoneInfo = new ServicePolicies.SecurityZoneInfo();
+
securityZoneInfo.setZoneName(entry.getKey());
securityZoneInfo.setPolicyDeltas(zonePolicyDeltas);
securityZoneInfo.setResources(entry.getValue().getResources());
-
securityZoneInfo.setContainsAssociatedTagService(false);
-
securityZonesInfo.put(entry.getKey(),
securityZoneInfo);
}
ret.setPolicyDeltas(allPolicyDeltas);
}
+
ret.setSecurityZones(securityZonesInfo);
} else {
ret = servicePolicies;
@@ -236,7 +236,6 @@ public class RangerPolicyEngineCache {
}
private static List<RangerPolicy> extractZonePolicies(final
List<RangerPolicy> allPolicies, final String zoneName) {
-
final List<RangerPolicy> ret = new ArrayList<>();
for (RangerPolicy policy : allPolicies) {
@@ -249,7 +248,6 @@ public class RangerPolicyEngineCache {
}
private static List<RangerPolicyDelta> extractZonePolicyDeltas(final
List<RangerPolicyDelta> allPolicyDeltas, final String zoneName) {
-
final List<RangerPolicyDelta> ret = new ArrayList<>();
for (RangerPolicyDelta delta : allPolicyDeltas) {
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCacheForEngineOptions.java
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCacheForEngineOptions.java
similarity index 63%
rename from
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCacheForEngineOptions.java
rename to
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCacheForEngineOptions.java
index 151143a..b6a1862 100644
---
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCacheForEngineOptions.java
+++
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCacheForEngineOptions.java
@@ -28,23 +28,25 @@ import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
-public class RangerPolicyEngineCacheForEngineOptions {
+public class RangerPolicyAdminCacheForEngineOptions {
+ private static volatile RangerPolicyAdminCacheForEngineOptions sInstance =
null;
- private static volatile RangerPolicyEngineCacheForEngineOptions sInstance
= null;
+ private final Map<RangerPolicyEngineOptions, RangerPolicyAdminCache>
policyAdminCacheForEngineOptions = Collections.synchronizedMap(new HashMap<>());
- private final Map<RangerPolicyEngineOptions, RangerPolicyEngineCache>
policyEngineCacheForEngineOptions = Collections.synchronizedMap(new
HashMap<>());
+ public static RangerPolicyAdminCacheForEngineOptions getInstance() {
+ RangerPolicyAdminCacheForEngineOptions ret = sInstance;
- public static RangerPolicyEngineCacheForEngineOptions getInstance() {
- RangerPolicyEngineCacheForEngineOptions ret = sInstance;
if (ret == null) {
- synchronized (RangerPolicyEngineCacheForEngineOptions.class) {
+ synchronized (RangerPolicyAdminCacheForEngineOptions.class) {
ret = sInstance;
+
if (ret == null) {
- sInstance = new RangerPolicyEngineCacheForEngineOptions();
- ret = sInstance;
+ sInstance = new RangerPolicyAdminCacheForEngineOptions();
+ ret = sInstance;
}
}
}
+
return ret;
}
@@ -53,16 +55,19 @@ public class RangerPolicyEngineCacheForEngineOptions {
}
public final RangerPolicyAdmin getServicePoliciesAdmin(String serviceName,
ServiceStore svcStore, RoleStore roleStore, SecurityZoneStore zoneStore,
RangerPolicyEngineOptions options) {
- RangerPolicyEngineCache policyEngineCache;
+ RangerPolicyAdminCache policyAdminCache;
synchronized (this) {
- policyEngineCache = policyEngineCacheForEngineOptions.get(options);
- if (policyEngineCache == null) {
- policyEngineCache = new RangerPolicyEngineCache();
- policyEngineCacheForEngineOptions.put(options,
policyEngineCache);
+ policyAdminCache = policyAdminCacheForEngineOptions.get(options);
+
+ if (policyAdminCache == null) {
+ policyAdminCache = new RangerPolicyAdminCache();
+
+ policyAdminCacheForEngineOptions.put(options,
policyAdminCache);
}
}
- return policyEngineCache.getServicePoliciesAdmin(serviceName,
svcStore, roleStore, zoneStore, options);
+
+ return policyAdminCache.getServicePoliciesAdmin(serviceName, svcStore,
roleStore, zoneStore, options);
}
}
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index ac1d961..390187b 100644
---
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -56,7 +56,7 @@ public class RangerPolicyAdminImpl implements
RangerPolicyAdmin {
private final PolicyEngine policyEngine;
private final RangerAccessRequestProcessor requestProcessor;
- static public RangerPolicyAdmin getPolicyEngine(final
RangerPolicyAdminImpl other, final ServicePolicies servicePolicies) {
+ static public RangerPolicyAdmin getPolicyAdmin(final RangerPolicyAdminImpl
other, final ServicePolicies servicePolicies) {
RangerPolicyAdmin ret = null;
if (other != null && servicePolicies != null) {
diff --git
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 43c109d..2a2aa22 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -108,8 +108,8 @@ import
org.apache.ranger.plugin.model.validation.RangerValidator.Action;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
-import org.apache.ranger.biz.RangerPolicyEngineCache;
-import org.apache.ranger.biz.RangerPolicyEngineCacheForEngineOptions;
+import org.apache.ranger.biz.RangerPolicyAdminCache;
+import org.apache.ranger.biz.RangerPolicyAdminCacheForEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
@@ -593,18 +593,18 @@ public class ServiceREST {
LOG.debug("getServicePolicies with
service-name=" + service.getName());
}
- RangerPolicyAdmin engine = null;
+ RangerPolicyAdmin policyAdmin = null;
try {
- engine =
getPolicySearchPolicyEngine(service.getName());
+ policyAdmin =
getPolicyAdminForSearch(service.getName());
} catch (Exception e) {
LOG.error("Cannot initialize Policy-Engine", e);
throw restErrorUtil.createRESTException("Cannot
initialize Policy Engine",
MessageEnums.ERROR_SYSTEM);
}
- if (engine != null) {
- ret = engine.getMatchingPolicies(new
RangerAccessResourceImpl(resource));
+ if (policyAdmin != null) {
+ ret = policyAdmin.getMatchingPolicies(new
RangerAccessResourceImpl(resource));
}
}
@@ -3086,7 +3086,7 @@ public class ServiceREST {
Map<String,
RangerSecurityZone.RangerSecurityZoneService> securityZones =
zoneStore.getSecurityZonesForService(serviceName);
ServicePolicies updatedServicePolicies
= servicePolicies;
if (MapUtils.isNotEmpty(securityZones))
{
- updatedServicePolicies =
RangerPolicyEngineCache.getUpdatedServicePoliciesForZones(servicePolicies,
securityZones);
+ updatedServicePolicies =
RangerPolicyAdminCache.getUpdatedServicePoliciesForZones(servicePolicies,
securityZones);
patchAssociatedTagServiceInSecurityZoneInfos(updatedServicePolicies);
}
downloadedVersion =
updatedServicePolicies.getPolicyVersion();
@@ -3208,7 +3208,7 @@ public class ServiceREST {
Map<String,
RangerSecurityZone.RangerSecurityZoneService> securityZones =
zoneStore.getSecurityZonesForService(serviceName);
ServicePolicies
updatedServicePolicies = servicePolicies;
if
(MapUtils.isNotEmpty(securityZones)) {
- updatedServicePolicies
= RangerPolicyEngineCache.getUpdatedServicePoliciesForZones(servicePolicies,
securityZones);
+ updatedServicePolicies
= RangerPolicyAdminCache.getUpdatedServicePoliciesForZones(servicePolicies,
securityZones);
patchAssociatedTagServiceInSecurityZoneInfos(updatedServicePolicies);
}
downloadedVersion =
updatedServicePolicies.getPolicyVersion();
@@ -3290,10 +3290,9 @@ public class ServiceREST {
LOG.debug("==>
ServiceREST.getExactMatchPolicyForResource(" + resource + ", " + user + ")");
}
- RangerPolicy ret = null;
- RangerPolicyAdmin policyEngine = getPolicyEngine(serviceName);
-
- List<RangerPolicy> policies = policyEngine != null ?
policyEngine.getExactMatchPolicies(resource, null) : null;
+ RangerPolicy ret = null;
+ RangerPolicyAdmin policyAdmin = getPolicyAdmin(serviceName);
+ List<RangerPolicy> policies = policyAdmin != null ?
policyAdmin.getExactMatchPolicies(resource, null) : null;
if(CollectionUtils.isNotEmpty(policies)) {
// at this point, ret is a policy in policy-engine; the
caller might update the policy (for grant/revoke); so get a copy from the store
@@ -3312,10 +3311,9 @@ public class ServiceREST {
LOG.debug("==>
ServiceREST.getExactMatchPolicyForResource(" + policy + ", " + user + ")");
}
- RangerPolicy ret = null;
- RangerPolicyAdmin policyEngine =
getPolicyEngine(policy.getService());
-
- List<RangerPolicy> policies = policyEngine != null ?
policyEngine.getExactMatchPolicies(policy, null) : null;
+ RangerPolicy ret = null;
+ RangerPolicyAdmin policyAdmin =
getPolicyAdmin(policy.getService());
+ List<RangerPolicy> policies = policyAdmin != null ?
policyAdmin.getExactMatchPolicies(policy, null) : null;
if(CollectionUtils.isNotEmpty(policies)) {
// at this point, ret is a policy in policy-engine; the
caller might update the policy (for grant/revoke); so get a copy from the store
@@ -3599,16 +3597,16 @@ public class ServiceREST {
continue;
}
- RangerPolicyAdmin policyEngine =
getDelegatedAdminPolicyEngine(serviceName);
+ RangerPolicyAdmin policyAdmin =
getPolicyAdminForDelegatedAdmin(serviceName);
- if (policyEngine != null) {
+ if (policyAdmin != null) {
if(userGroups == null) {
userGroups =
daoManager.getXXGroupUser().findGroupNamesByUserName(userName);
}
- Set<String> roles =
policyEngine.getRolesFromUserAndGroups(userName, userGroups);
+ Set<String> roles =
policyAdmin.getRolesFromUserAndGroups(userName, userGroups);
for (RangerPolicy policy :
listToFilter) {
- if
(policyEngine.isAccessAllowed(policy, userName, userGroups, roles,
RangerPolicyEngine.ADMIN_ACCESS)
+ if
(policyAdmin.isAccessAllowed(policy, userName, userGroups, roles,
RangerPolicyEngine.ADMIN_ACCESS)
||
(!StringUtils.isEmpty(policy.getZoneName()) &&
(serviceMgr.isZoneAdmin(policy.getZoneName()) ||
serviceMgr.isZoneAuditor(policy.getZoneName())))
||
isServiceAdminUser) {
ret.add(policy);
@@ -3699,13 +3697,13 @@ public class ServiceREST {
}
private boolean hasAdminAccess(RangerPolicy policy, String userName,
Set<String> userGroups) {
- boolean isAllowed = false;
+ boolean isAllowed = false;
+ RangerPolicyAdmin policyAdmin =
getPolicyAdminForDelegatedAdmin(policy.getService());
- RangerPolicyAdmin policyEngine =
getDelegatedAdminPolicyEngine(policy.getService());
+ if(policyAdmin != null) {
+ Set<String> roles =
policyAdmin.getRolesFromUserAndGroups(userName, userGroups);
- if(policyEngine != null) {
- Set<String> roles =
policyEngine.getRolesFromUserAndGroups(userName, userGroups);
- isAllowed = policyEngine.isAccessAllowed(policy,
userName, userGroups, roles, RangerPolicyEngine.ADMIN_ACCESS);
+ isAllowed = policyAdmin.isAccessAllowed(policy,
userName, userGroups, roles, RangerPolicyEngine.ADMIN_ACCESS);
}
return isAllowed;
@@ -3713,25 +3711,25 @@ public class ServiceREST {
private boolean hasAdminAccess(String serviceName, String userName,
Set<String> userGroups, RangerAccessResource resource) {
boolean isAllowed = false;
- RangerPolicyAdmin policyEngine =
getDelegatedAdminPolicyEngine(serviceName);
+ RangerPolicyAdmin policyAdmin =
getPolicyAdminForDelegatedAdmin(serviceName);
- if(policyEngine != null) {
- isAllowed = policyEngine.isAccessAllowed(resource,
userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
+ if(policyAdmin != null) {
+ isAllowed = policyAdmin.isAccessAllowed(resource,
userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
}
return isAllowed;
}
- public RangerPolicyAdmin getDelegatedAdminPolicyEngine(String
serviceName) {
- return
RangerPolicyEngineCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName,
svcStore, roleDBStore, delegateAdminOptions);
+ public RangerPolicyAdmin getPolicyAdminForDelegatedAdmin(String
serviceName) {
+ return
RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName,
svcStore, roleDBStore, delegateAdminOptions);
}
- private RangerPolicyAdmin getPolicySearchPolicyEngine(String
serviceName) throws Exception {
- return
RangerPolicyEngineCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName,
svcStore, roleDBStore, policySearchAdminOptions);
+ private RangerPolicyAdmin getPolicyAdminForSearch(String serviceName) {
+ return
RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName,
svcStore, roleDBStore, policySearchAdminOptions);
}
- private RangerPolicyAdmin getPolicyEngine(String serviceName) throws
Exception {
- return
RangerPolicyEngineCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName,
svcStore, roleDBStore, defaultAdminOptions);
+ private RangerPolicyAdmin getPolicyAdmin(String serviceName) {
+ return
RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName,
svcStore, roleDBStore, defaultAdminOptions);
}
@GET
diff --git
a/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
b/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
index 5118322..9ac7f24 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
@@ -117,14 +117,15 @@ public class TestPolicyDb {
policyEngineOptions.cacheAuditResults = false;
policyEngineOptions.disableContextEnrichers = true;
policyEngineOptions.disableCustomConditions = true;
+
RangerPluginContext pluginContext = new
RangerPluginContext("hive", "cl1", "on-prem");
- RangerPolicyAdmin policyEngine = new
RangerPolicyAdminImpl("test-policydb", testCase.servicePolicies,
policyEngineOptions, pluginContext, null);
+ RangerPolicyAdmin policyAdmin = new
RangerPolicyAdminImpl("test-policydb", testCase.servicePolicies,
policyEngineOptions, pluginContext, null);
for(TestData test : testCase.tests) {
boolean expected = test.result;
if(test.allowedPolicies != null) {
- List<RangerPolicy> allowedPolicies =
policyEngine.getAllowedUnzonedPolicies(test.user, test.userGroups,
test.accessType);
+ List<RangerPolicy> allowedPolicies =
policyAdmin.getAllowedUnzonedPolicies(test.user, test.userGroups,
test.accessType);
assertEquals("allowed-policy count mismatch!",
test.allowedPolicies.size(), allowedPolicies.size());
@@ -134,7 +135,7 @@ public class TestPolicyDb {
}
assertEquals("allowed-policy list mismatch!",
test.allowedPolicies, allowedPolicyIds);
} else {
- boolean result =
policyEngine.isAccessAllowedByUnzonedPolicies(test.resources, test.user,
test.userGroups, test.accessType);
+ boolean result =
policyAdmin.isAccessAllowedByUnzonedPolicies(test.resources, test.user,
test.userGroups, test.accessType);
assertEquals("isAccessAllowed mismatched! - " +
test.name, expected, result);
}
diff --git
a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index 75e93d9..b67656e 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -230,7 +230,7 @@ public class TestServiceREST {
RangerPolicyEngineImpl rpImpl;
@Mock
- RangerPolicyAdmin policyEngine;
+ RangerPolicyAdmin policyAdmin;
@Mock
RangerTransactionService rangerTransactionService;
@@ -1093,7 +1093,7 @@ public class TestServiceREST {
/*here we are setting serviceAdminRole, so we will get the
required policy with serviceAdmi role*/
Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGroupDao);
Mockito.when(svcStore.isServiceAdminUser(rPol.getService(),
null)).thenReturn(true);
-
Mockito.doReturn(policyEngine).when(spySVCRest).getDelegatedAdminPolicyEngine("HDFS_1-1-20150316062453");
+
Mockito.doReturn(policyAdmin).when(spySVCRest).getPolicyAdminForDelegatedAdmin("HDFS_1-1-20150316062453");
RangerPolicyList dbRangerPolicy =
spySVCRest.getPolicies(request);
Assert.assertNotNull(dbRangerPolicy);
Assert.assertEquals(dbRangerPolicy.getListSize(), 1);
