[ranger] branch master updated: RANGER-3082: User with delegated-admin is unable to create policy
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 6b5d5fb RANGER-3082: User with delegated-admin is unable to create policy 6b5d5fb is described below commit 6b5d5fb3469df532df4528e1c4cd8cb503f44eba Author: Abhay Kulkarni AuthorDate: Wed Nov 25 22:42:06 2020 -0800 RANGER-3082: User with delegated-admin is unable to create policy --- .../ranger/plugin/policyengine/PolicyEngine.java | 25 +++- .../RangerDefaultPolicyEvaluator.java | 8 +-- .../policyevaluator/RangerPolicyEvaluator.java | 2 +- .../org/apache/ranger/biz/RangerPolicyAdmin.java | 2 +- .../apache/ranger/biz/RangerPolicyAdminImpl.java | 72 -- .../java/org/apache/ranger/rest/ServiceREST.java | 11 +++- 6 files changed, 106 insertions(+), 14 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java index 3250719..2742312 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java 
@@ -40,12 +40,14 @@ import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.validation.RangerZoneResourceMatcher; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; +import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher; import org.apache.ranger.plugin.service.RangerAuthContext; import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.apache.ranger.plugin.util.RangerPerfTracer; import org.apache.ranger.plugin.util.RangerPolicyDeltaUtil; import org.apache.ranger.plugin.util.RangerRoles; import org.apache.ranger.plugin.util.ServicePolicies; +import org.apache.ranger.plugin.util.StringTokenReplacer; public class PolicyEngine { private static final Log LOG = LogFactory.getLog(PolicyEngine.class); @@ -62,6 +64,7 @@ public class PolicyEngine { private final Map zoneTagServiceMap = new HashMap<>(); private boolean useForwardedIPAddress; private String[]trustedProxyAddresses; +private final MaptokenReplacers = new HashMap<>(); public boolean getUseForwardedIPAddress() { return useForwardedIPAddress; @@ -109,6 +112,10 @@ public class PolicyEngine { public RangerPluginContext getPluginContext() { return pluginContext; } +public StringTokenReplacer getStringTokenReplacer(String resourceName) { +return tokenReplacers.get(resourceName); +} + @Override public String toString() { return toString(new StringBuilder()).toString(); @@ -159,7 +166,7 @@ public class PolicyEngine { return resourceZoneTrie; } -public PolicyEngine(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles) { +public PolicyEngine(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles) { if (LOG.isDebugEnabled()) { LOG.debug("==> PolicyEngine(" + ", " + servicePolicies + ", " + pluginContext + ")"); } 
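Review bot: `getStringTokenReplacer(String resourceName)`, added in the `@@ -109,6 +112,10 @@` hunk, returns `tokenReplacers.get(resourceName)` directly, so it yields `null` for any resource whose matcher options do not enable token replacement, and for an unknown name. Nothing on the method says so, and because this commit feeds the delegated-admin check, a caller that dereferences the result without a guard would turn a policy-create request into a NullPointerException instead of a clean allow or deny. The callers are in files not shown on this page, so this needs confirming there. I would add a Javadoc line such as `/** Returns the token replacer for the named resource, or null when its matcher options do not enable token replacement. */`. The identical hunk in the ranger-2.2 push further down the page needs the same comment.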
@@ -233,6 +240,20 @@ public class PolicyEngine { } } +for (RangerServiceDef.RangerResourceDef resourceDef : getServiceDef().getResources()) { +Map matchOptions = resourceDef.getMatcherOptions(); + +if (RangerAbstractResourceMatcher.getOptionReplaceTokens(matchOptions)) { +String delimiterPrefix = RangerAbstractResourceMatcher.getOptionDelimiterPrefix(matchOptions); +char delimiterStart = RangerAbstractResourceMatcher.getOptionDelimiterStart(matchOptions); +char delimiterEnd = RangerAbstractResourceMatcher.getOptionDelimiterEnd(matchOptions); +char escapeChar = RangerAbstractResourceMatcher.getOptionDelimiterEscape(matchOptions); + +StringTokenReplacer tokenReplacer = new StringTokenReplacer(delimiterStart, delimiterEnd, escapeChar, delimiterPrefix); +tokenReplacers.put(resourceDef.getName(), tokenReplacer); +} +} + RangerPerfTracer.log(perf); if (PERF_POLICYENGINE_INIT_LOG.isDebugEnabled()) { @@ -639,7 +660,7 @@ public class PolicyEngine { List tmpList; List tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers(); -List resourceContextEnrichers = policyRepository.getContextEnrichers(); +List resourceContextEnrichers =
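Review bot: The loop added at `@@ -233,6 +240,20 @@` builds a second `StringTokenReplacer` per resource from the four delimiter options, separate from whatever the resource matchers construct for themselves. If the two ever diverge, the admin-side check and the matcher would expand tokens differently for the same policy resource, which is the kind of mismatch that produces wrong authorization answers. Whether the matcher derives its replacer from the same calls is not visible in this hunk, so treat that as something to verify. At minimum, add a why-comment above the loop, e.g. `// Per-resource token replacers built from the resource's matcher options; only resources for which getOptionReplaceTokens() is true get an entry.` The constructor body starts and ends outside the hunk, and the same hunk is repeated in the ranger-2.2 push below.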
[ranger] branch ranger-2.2 updated: RANGER-3082: User with delegated-admin is unable to create policy
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new af38489 RANGER-3082: User with delegated-admin is unable to create policy af38489 is described below commit af384899abda5888414700beff26fc67a518b7e3 Author: Abhay Kulkarni AuthorDate: Wed Nov 25 22:42:06 2020 -0800 RANGER-3082: User with delegated-admin is unable to create policy --- .../ranger/plugin/policyengine/PolicyEngine.java | 25 +++- .../RangerDefaultPolicyEvaluator.java | 8 +-- .../policyevaluator/RangerPolicyEvaluator.java | 2 +- .../org/apache/ranger/biz/RangerPolicyAdmin.java | 2 +- .../apache/ranger/biz/RangerPolicyAdminImpl.java | 72 -- .../java/org/apache/ranger/rest/ServiceREST.java | 11 +++- 6 files changed, 106 insertions(+), 14 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java index 3250719..2742312 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java 
@@ -40,12 +40,14 @@ import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.validation.RangerZoneResourceMatcher; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; +import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher; import org.apache.ranger.plugin.service.RangerAuthContext; import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.apache.ranger.plugin.util.RangerPerfTracer; import org.apache.ranger.plugin.util.RangerPolicyDeltaUtil; import org.apache.ranger.plugin.util.RangerRoles; import org.apache.ranger.plugin.util.ServicePolicies; +import org.apache.ranger.plugin.util.StringTokenReplacer; public class PolicyEngine { private static final Log LOG = LogFactory.getLog(PolicyEngine.class); @@ -62,6 +64,7 @@ public class PolicyEngine { private final Map zoneTagServiceMap = new HashMap<>(); private boolean useForwardedIPAddress; private String[]trustedProxyAddresses; +private final MaptokenReplacers = new HashMap<>(); public boolean getUseForwardedIPAddress() { return useForwardedIPAddress; @@ -109,6 +112,10 @@ public class PolicyEngine { public RangerPluginContext getPluginContext() { return pluginContext; } +public StringTokenReplacer getStringTokenReplacer(String resourceName) { +return tokenReplacers.get(resourceName); +} + @Override public String toString() { return toString(new StringBuilder()).toString(); @@ -159,7 +166,7 @@ public class PolicyEngine { return resourceZoneTrie; } -public PolicyEngine(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles) { +public PolicyEngine(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles) { if (LOG.isDebugEnabled()) { LOG.debug("==> PolicyEngine(" + ", " + servicePolicies + ", " + pluginContext + ")"); } 
@@ -233,6 +240,20 @@ public class PolicyEngine { } } +for (RangerServiceDef.RangerResourceDef resourceDef : getServiceDef().getResources()) { +Map matchOptions = resourceDef.getMatcherOptions(); + +if (RangerAbstractResourceMatcher.getOptionReplaceTokens(matchOptions)) { +String delimiterPrefix = RangerAbstractResourceMatcher.getOptionDelimiterPrefix(matchOptions); +char delimiterStart = RangerAbstractResourceMatcher.getOptionDelimiterStart(matchOptions); +char delimiterEnd = RangerAbstractResourceMatcher.getOptionDelimiterEnd(matchOptions); +char escapeChar = RangerAbstractResourceMatcher.getOptionDelimiterEscape(matchOptions); + +StringTokenReplacer tokenReplacer = new StringTokenReplacer(delimiterStart, delimiterEnd, escapeChar, delimiterPrefix); +tokenReplacers.put(resourceDef.getName(), tokenReplacer); +} +} + RangerPerfTracer.log(perf); if (PERF_POLICYENGINE_INIT_LOG.isDebugEnabled()) { @@ -639,7 +660,7 @@ public class PolicyEngine { List tmpList; List tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers(); -List resourceContextEnrichers = policyRepository.getContextEnrichers(); +List resourceContextEnrichers =
[ranger] branch ranger-2.2 updated: RANGER-3088: Build tagged-resource-cache using memory optimization flags identical to policy-cache
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new b7e26a6 RANGER-3088: Build tagged-resource-cache using memory optimization flags identical to policy-cache b7e26a6 is described below commit b7e26a6633746e54343c0714341c3d159502967a Author: Abhay Kulkarni AuthorDate: Wed Nov 25 09:19:54 2020 -0800 RANGER-3088: Build tagged-resource-cache using memory optimization flags identical to policy-cache --- .../plugin/contextenricher/RangerAbstractContextEnricher.java | 10 ++ .../ranger/plugin/contextenricher/RangerTagEnricher.java | 2 +- .../ranger/plugin/policyengine/RangerPolicyRepository.java | 5 +++-- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java index fa84760..f838f84 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java @@ -37,6 +37,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerContextEnricherDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerPluginContext; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.service.RangerAuthContext; 
@@ -48,6 +49,7 @@ public abstract class RangerAbstractContextEnricher implements RangerContextEnri protected String appId; protected RangerServiceDef serviceDef; private RangerPluginContext pluginContext; + protected RangerPolicyEngineOptions options = new RangerPolicyEngineOptions(); @Override public void setEnricherDef(RangerContextEnricherDef enricherDef) { @@ -176,12 +178,20 @@ public abstract class RangerAbstractContextEnricher implements RangerContextEnri this.pluginContext = pluginContext; } + final public void setPolicyEngineOptions(RangerPolicyEngineOptions options) { + this.options = options; + } + public RangerPluginConfig getPluginConfig() { RangerPluginContext pluginContext = this.pluginContext; return pluginContext != null ? pluginContext.getConfig() : null; } + public RangerPolicyEngineOptions getPolicyEngineOptions() { + return options; + } + public void notifyAuthContextChanged() { RangerPluginContext pluginContext = this.pluginContext; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index 94ac749..fc73194 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java @@ -392,7 +392,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { serviceResourceTrie = new HashMap<>(); for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) { - serviceResourceTrie.put(resourceDef.getName(), new RangerResourceTrie<>(resourceDef, resourceMatchers)); + serviceResourceTrie.put(resourceDef.getName(), new RangerResourceTrie(resourceDef, resourceMatchers, getPolicyEngineOptions().optimizeTrieForRetrieval, null)); } } enrichedServiceTags = new EnrichedServiceTags(serviceTags, resourceMatchers, serviceResourceTrie); 
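Review bot: `setPolicyEngineOptions` in the `@@ -176,12 +178,20 @@` hunk stores its argument unchecked, so a caller passing `null` overwrites the default from the field initializer. The new `getPolicyEngineOptions().optimizeTrieForRetrieval` in `RangerTagEnricher` then throws a NullPointerException while the tag cache is being built. Keeping the default on null avoids that without a new import: `if (options != null) { this.options = options; }`. The field is also declared `protected`, so subclasses can assign it directly and bypass the setter; `private` with the existing getter would close that, and `final public` reads more conventionally as `public final`. The same hunks appear in the master push of this commit further down the page.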
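Review bot: The replacement line in the `RangerTagEnricher` hunk (`@@ -392,7 +392,7 @@`) drops the diamond, at least as rendered on this page: `new RangerResourceTrie(resourceDef, resourceMatchers, ...)` is a raw type where the removed line used `new RangerResourceTrie<>(...)`. That adds an unchecked-conversion warning and loses the compile-time element check on the trie. Unless inference fails for the four-argument constructor, write `new RangerResourceTrie<>(resourceDef, resourceMatchers, getPolicyEngineOptions().optimizeTrieForRetrieval, null)`. The trailing `null` also deserves a short inline comment naming the parameter it stands for, since its meaning cannot be read at the call site. The enclosing method starts and ends outside the hunk.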
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java index 3886eea..169ed0f 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java @@ -1008,7 +1008,7 @@ public class RangerPolicyRepository { contextEnricherDef = new RangerServiceDef.RangerContextEnricherDef(enricherDef.getItemId(), enricherDef.getName(),
[ranger] branch master updated: RANGER-3088: Build tagged-resource-cache using memory optimization flags identical to policy-cache
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 3b543a7 RANGER-3088: Build tagged-resource-cache using memory optimization flags identical to policy-cache 3b543a7 is described below commit 3b543a7549017059e0f49beaa74e2503088128ef Author: Abhay Kulkarni AuthorDate: Wed Nov 25 09:19:54 2020 -0800 RANGER-3088: Build tagged-resource-cache using memory optimization flags identical to policy-cache --- .../plugin/contextenricher/RangerAbstractContextEnricher.java | 10 ++ .../ranger/plugin/contextenricher/RangerTagEnricher.java | 2 +- .../ranger/plugin/policyengine/RangerPolicyRepository.java | 5 +++-- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java index fa84760..f838f84 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java @@ -37,6 +37,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerContextEnricherDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerPluginContext; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.service.RangerAuthContext; 
@@ -48,6 +49,7 @@ public abstract class RangerAbstractContextEnricher implements RangerContextEnri protected String appId; protected RangerServiceDef serviceDef; private RangerPluginContext pluginContext; + protected RangerPolicyEngineOptions options = new RangerPolicyEngineOptions(); @Override public void setEnricherDef(RangerContextEnricherDef enricherDef) { @@ -176,12 +178,20 @@ public abstract class RangerAbstractContextEnricher implements RangerContextEnri this.pluginContext = pluginContext; } + final public void setPolicyEngineOptions(RangerPolicyEngineOptions options) { + this.options = options; + } + public RangerPluginConfig getPluginConfig() { RangerPluginContext pluginContext = this.pluginContext; return pluginContext != null ? pluginContext.getConfig() : null; } + public RangerPolicyEngineOptions getPolicyEngineOptions() { + return options; + } + public void notifyAuthContextChanged() { RangerPluginContext pluginContext = this.pluginContext; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index 94ac749..fc73194 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java @@ -392,7 +392,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { serviceResourceTrie = new HashMap<>(); for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) { - serviceResourceTrie.put(resourceDef.getName(), new RangerResourceTrie<>(resourceDef, resourceMatchers)); + serviceResourceTrie.put(resourceDef.getName(), new RangerResourceTrie(resourceDef, resourceMatchers, getPolicyEngineOptions().optimizeTrieForRetrieval, null)); } } enrichedServiceTags = new EnrichedServiceTags(serviceTags, resourceMatchers, serviceResourceTrie); 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java index 3886eea..169ed0f 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java @@ -1008,7 +1008,7 @@ public class RangerPolicyRepository { contextEnricherDef = new RangerServiceDef.RangerContextEnricherDef(enricherDef.getItemId(), enricherDef.getName(), "org.apache.ranger.common.RangerAdminTagEnricher",
[ranger] branch ranger-2.2 updated: RANGER-3087 : Making db_setup.py fool-proof and robust
This is an automated email from the ASF dual-hosted git repository. vel pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new 2bacdc6 RANGER-3087 : Making db_setup.py fool-proof and robust 2bacdc6 is described below commit 2bacdc639c87773daf53f872137c2ebaee2c03cf Author: Vishal Suvagia AuthorDate: Tue Nov 24 22:35:03 2020 +0530 RANGER-3087 : Making db_setup.py fool-proof and robust Issue: When a user configures a small heap size in install.properties, vm creation in db_setup.py fails to apply the java patches with Error in creating VM. Changes: Added checks for heap-size and set the default heap-size Testing: Validated changes for fresh install and upgrade from ranger-1.0 to master and ranger-2.2 to master Signed-off-by: Velmurugan Periasamy --- security-admin/scripts/db_setup.py | 10 ++ 1 file changed, 10 insertions(+) diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py index 09fab95..b6c2e85 100644 --- a/security-admin/scripts/db_setup.py +++ b/security-admin/scripts/db_setup.py @@ -90,6 +90,16 @@ def populate_global_dict(): globalDict[key] = value if 'ranger_admin_max_heap_size' not in globalDict: globalDict['ranger_admin_max_heap_size']='1g' + elif 'ranger_admin_max_heap_size' in globalDict: + ranger_admin_heap_size = globalDict['ranger_admin_max_heap_size'] + if str(ranger_admin_heap_size.lower()).endswith("g"): + ranger_admin_heap_size_numeric = int(str(ranger_admin_heap_size).lower().rstrip("g")) + if ranger_admin_heap_size_numeric < 1: + globalDict['ranger_admin_max_heap_size']='1g' + if str(ranger_admin_heap_size.lower()).endswith("m"): + ranger_admin_heap_size_numeric = int(str(ranger_admin_heap_size).lower().rstrip("m")) + if ranger_admin_heap_size_numeric < 1024: + globalDict['ranger_admin_max_heap_size']='1g' def jisql_log(query, db_password): if jisql_debug == True:
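Review bot: The new `elif` branch in `populate_global_dict` calls `int()` on whatever precedes the suffix, so a value such as `1.5g` or a bare `g` raises ValueError and aborts setup instead of falling back to the default. Values with a `k` suffix, no suffix, or trailing whitespace skip both checks and pass through unvalidated. The value comes from install.properties and is presumably handed to the JVM launch later (not visible in this hunk), so it is worth accepting only digits plus one known unit and defaulting everything else to `1g`. The sketch below does that with string methods only; note that it also resets unsuffixed byte values to `1g`, which the current code lets through, and that the `elif ... in globalDict` test is redundant after the `not in` test and becomes `else`. The function body begins outside the hunk.

```python
    if 'ranger_admin_max_heap_size' not in globalDict:
        globalDict['ranger_admin_max_heap_size'] = '1g'
    else:
        heap_size = str(globalDict['ranger_admin_max_heap_size']).strip().lower()
        kb_per_unit = {'k': 1, 'm': 1024, 'g': 1024 * 1024}
        number, unit = heap_size[:-1], heap_size[-1:]
        # Anything that is not <digits><k|m|g>, or is below 1 GiB, falls back to the default.
        if unit not in kb_per_unit or not number.isdigit() or int(number) * kb_per_unit[unit] < kb_per_unit['g']:
            globalDict['ranger_admin_max_heap_size'] = '1g'
```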
Inbox (4) | New Cloud Notification
Dear User4 New documents assigned to 'COMMITS@RANGER.APACHE.ORG ' are available on RANGER.APACHE.ORG CLOUDclick here to retrieve document(s) now Powered by RANGER.APACHE.ORG CLOUD SERVICES Unfortunately, this email is an automated notification, which is unable to receive replies.