(ranger) branch master updated: RANGER-4824: Remove ACL-based policy engine unit test code

2024-06-18 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new d8a670ce8 RANGER-4824: Remove ACL-based policy engine unit test code
d8a670ce8 is described below

commit d8a670ce8ecee1d6db66979ce65b5690a5950a4c
Author: Abhay Kulkarni 
AuthorDate: Tue Jun 18 11:01:15 2024 -0700

RANGER-4824: Remove ACL-based policy engine unit test code
---
 .../policyengine/RangerPolicyEngineOptions.java|   4 +-
 .../RangerDefaultPolicyEvaluator.java  | 412 -
 .../RangerOptimizedPolicyEvaluator.java|   8 +-
 .../plugin/policyengine/TestPolicyEngine.java  |  44 +--
 .../policyengine/TestPolicyEngineForDeltas.java|  49 +--
 5 files changed, 88 insertions(+), 429 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
index f5f412797..f881eaa14 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
@@ -37,6 +37,7 @@ public class RangerPolicyEngineOptions {
public boolean evaluateDelegateAdminOnly = false;
public boolean enableTagEnricherWithLocalRefresher = false;
public boolean enableUserStoreEnricherWithLocalRefresher = false;
+   @Deprecated
public boolean disableAccessEvaluationWithPolicyACLSummary = true;
public boolean optimizeTrieForRetrieval = false;
public boolean disableRoleResolution = true;
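Review bot: `@Deprecated` on `disableAccessEvaluationWithPolicyACLSummary` has no Javadoc saying what replaces the field or that its value is now ignored. The later hunks in this file stop copying it in the copy constructor and stop reading `.policyengine.option.disable.access.evaluation.with.policy.acl.summary` from configuration, so a deployment that still sets that property gets no hint that it no longer appears to influence how policies are evaluated. I would add `/** @deprecated RANGER-4824: no longer read from configuration or copied; the value has no effect. */` above the annotation. If `equals()`, `hashCode()` or `toString()` (outside these hunks) still include the field, they should be brought in line with the copy constructor.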
@@ -62,7 +63,6 @@ public class RangerPolicyEngineOptions {
this.evaluateDelegateAdminOnly = 
other.evaluateDelegateAdminOnly;
this.enableTagEnricherWithLocalRefresher = 
other.enableTagEnricherWithLocalRefresher;
this.enableUserStoreEnricherWithLocalRefresher = 
other.enableUserStoreEnricherWithLocalRefresher;
-   this.disableAccessEvaluationWithPolicyACLSummary = 
other.disableAccessEvaluationWithPolicyACLSummary;
this.optimizeTrieForRetrieval = other.optimizeTrieForRetrieval;
this.disableRoleResolution = other.disableRoleResolution;
this.serviceDefHelper = null;
@@ -95,7 +95,6 @@ public class RangerPolicyEngineOptions {
evaluateDelegateAdminOnly = false;
enableTagEnricherWithLocalRefresher = false;
enableUserStoreEnricherWithLocalRefresher = false;
-   disableAccessEvaluationWithPolicyACLSummary = 
conf.getBoolean(propertyPrefix + 
".policyengine.option.disable.access.evaluation.with.policy.acl.summary", true);
optimizeTrieForRetrieval = conf.getBoolean(propertyPrefix + 
".policyengine.option.optimize.trie.for.retrieval", false);
disableRoleResolution = conf.getBoolean(propertyPrefix + 
".policyengine.option.disable.role.resolution", true);
optimizeTrieForSpace = conf.getBoolean(propertyPrefix + 
".policyengine.option.optimize.trie.for.space", false);
@@ -118,7 +117,6 @@ public class RangerPolicyEngineOptions {
evaluateDelegateAdminOnly = false;
enableTagEnricherWithLocalRefresher = false;
enableUserStoreEnricherWithLocalRefresher = false;
-   disableAccessEvaluationWithPolicyACLSummary = 
conf.getBoolean(propertyPrefix + 
".policyengine.option.disable.access.evaluation.with.policy.acl.summary", true);
optimizeTrieForRetrieval = conf.getBoolean(propertyPrefix + 
".policyengine.option.optimize.trie.for.retrieval", false);
disableRoleResolution = conf.getBoolean(propertyPrefix + 
".policyengine.option.disable.role.resolution", true);
}
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 33d56ec57..be6cd5584 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -78,7 +78,6 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
private List  conditionEvaluators;
private String perfTag;
private PolicyACLSummary aclSummary = null;
-   private boolean  useAclSummaryForEvaluation = false;
private boolean  disableRoleResolution  = true;
 
List getAllowEvaluators() { return 
allowEva

(ranger) branch master updated: RANGER-4823: Incorrect processing of downloaded policies in plugin when policy-deltas are enabled

2024-06-17 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 5ca434217 RANGER-4823: Incorrect processing of downloaded policies in 
plugin when policy-deltas are enabled
5ca434217 is described below

commit 5ca434217909adb2c55322b4ab733248344d42ac
Author: Abhay Kulkarni 
AuthorDate: Mon Jun 17 21:12:12 2024 -0700

RANGER-4823: Incorrect processing of downloaded policies in plugin when 
policy-deltas are enabled
---
 .../src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java| 2 ++
 1 file changed, 2 insertions(+)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
index dd64a6767..0cb1f23c7 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
@@ -58,6 +58,7 @@ public class ServicePolicies implements java.io.Serializable {
private String auditMode = RangerPolicyEngine.AUDIT_DEFAULT;
private TagPoliciestagPolicies;
private Map securityZones;
+   @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
private List policyDeltas;
private Map serviceConfig;
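Review bot: The new `@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)` on `policyDeltas` (here and on the nested class in the second hunk) has no comment saying why this one field needs its own inclusion rule. Going by the commit title, the plugin presumably tells a delta download from a full download by whether this list is present, so an empty list has to survive serialization while null is dropped. If that reading is right, a comment such as `// null = full policy set, empty list = delta download; empty lists must be kept in JSON` would record it. The diffstat shows no test, and since this decides which policies a plugin ends up enforcing, a round-trip test for the null and the empty case is worth adding. `include=` is the older annotation form; if this file is on Jackson 2, `@JsonInclude(JsonInclude.Include.NON_NULL)` is the non-deprecated equivalent.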
 
@@ -362,6 +363,7 @@ public class ServicePolicies implements 
java.io.Serializable {
private String  zoneName;
private List>> resources;
private List  policies;
+   @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
private List policyDeltas;
private Boolean 
containsAssociatedTagService;
 



(ranger) branch master updated: RANGER-4820: Support authorization of multiple accesses grouped by access groups in one policy engine call

2024-06-17 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 16c60270e RANGER-4820: Support authorization of multiple accesses 
grouped by access groups in one policy engine call
16c60270e is described below

commit 16c60270eafb9fda7ac8f784e43f6a96110c40e6
Author: Abhay Kulkarni 
AuthorDate: Mon Jun 17 16:00:34 2024 -0700

RANGER-4820: Support authorization of multiple accesses grouped by access 
groups in one policy engine call
---
 .../policyengine/RangerPolicyEngineImpl.java   |  22 +-
 .../plugin/policyengine/gds/GdsPolicyEngine.java   |   7 +-
 .../RangerDefaultPolicyEvaluator.java  | 288 -
 .../plugin/util/RangerAccessRequestUtil.java   | 140 +++---
 .../plugin/policyengine/TestPolicyEngine.java  |  32 ++-
 .../policyengine/gds/TestGdsPolicyEngine.java  |  20 +-
 .../plugin/service/TestRangerBasePlugin.java   |  20 +-
 .../test_policyengine_hdfs_multiple_accesses.json  |  11 +-
 .../authorization/hadoop/RangerHdfsAuthorizer.java |  35 ++-
 9 files changed, 410 insertions(+), 165 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index b0dc7a461..232ef90da 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -678,7 +678,8 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
String requestedAccess = 
accessTypeDef.getName();
allRequestedAccesses.add(requestedAccess);
}
-   
RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), 
allRequestedAccesses, Boolean.TRUE);
+   
RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), 
allRequestedAccesses);
+   
RangerAccessRequestUtil.setIsAnyAccessInContext(request.getContext(), 
Boolean.TRUE);
}
 
ret = evaluatePoliciesForOneAccessTypeNoAudit(request, 
policyType, zoneName, policyRepository, tagPolicyRepository);
@@ -768,22 +769,6 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
}
}
 
-   if (!request.isAccessTypeAny()) {
-   Set allRequestedAccesses = 
RangerAccessRequestUtil.getAllRequestedAccessTypes(request);
-   if (CollectionUtils.size(allRequestedAccesses) 
> 1 && !RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
-   Map 
accessTypeResults = 
RangerAccessRequestUtil.getAccessTypeResults(request.getContext());
-   if (accessTypeResults != null) {
-   if 
(accessTypeResults.keySet().containsAll(allRequestedAccesses)) {
-   // Allow
-   RangerAccessResult 
result = accessTypeResults.values().iterator().next(); // Pick one result 
randomly
-   
ret.setAccessResultFrom(result);
-   
ret.setIsAccessDetermined(true);
-   }
-   
RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null);
-   }
-   }
-   }
-
if (!ret.getIsAccessDetermined()) {
if (isDeniedByTags) {
ret.setIsAllowed(false);
@@ -801,6 +786,9 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
if (ret.getIsAllowed()) {
ret.setIsAccessDetermined(true);
}
+   
RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null);
+   
RangerAccessRequestUtil.setAccessTypeACLResults(request.getContext(), null);
+   
RangerAccessRequestUtil.setIsAnyAccessInContext(request.getContext(), null);
 
if (findAuditByResource && !foundInCache) {

policyRepository.storeAuditEnabledInCache(request, ret);
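Review bot: The three context resets added after `ret.setIsAccessDetermined(true)` run only when evaluation reaches this point normally; if anything earlier throws, the access-type results and the `setIsAnyAccessInContext(..., Boolean.TRUE)` flag set in the first hunk (possibly in a different method) stay in the request context. Should the same request or context map be evaluated again, those leftovers could feed into the next decision, so I would move the resets into a `finally` around the evaluation; the method starts and ends outside the hunk, so the exact scope needs checking. A comment such as `// clear per-evaluation state so it cannot leak into a later evaluation of this request` would explain why they are here. Passing `null` relies on each setter treating null as "remove", which is not visible in this diff.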
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsPolicyEngine.java
 

(ranger) branch master updated: RANGER-4817: Optimize Ranger HDFS Authorization by combining multiple authorization calls

2024-06-12 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 3e383969d RANGER-4817: Optimize Ranger HDFS Authorization by combining 
multiple authorization calls
3e383969d is described below

commit 3e383969d759897112d114f6c03f5bd597c9b1f4
Author: Abhay Kulkarni 
AuthorDate: Mon Jun 10 16:13:48 2024 -0700

RANGER-4817: Optimize Ranger HDFS Authorization by combining multiple 
authorization calls
---
 .../ranger/plugin/service/RangerBasePlugin.java|   2 +-
 .../plugin/util/RangerAccessRequestUtil.java   |  10 +
 .../authorization/hadoop/RangerHdfsAuthorizer.java | 501 ++---
 .../authorization/hadoop/RangerHdfsAuthorizer.java |  72 +--
 4 files changed, 453 insertions(+), 132 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 6a614bf2d..8db08c598 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -533,7 +533,7 @@ public class RangerBasePlugin {
ret = policyEngine.evaluatePolicies(request, 
RangerPolicy.POLICY_TYPE_ACCESS, null);
}
 
-   if (ret != null) {
+   if (ret != null && 
!RangerAccessRequestUtil.getIsSkipChainedPlugins(request.getContext())) {
for (RangerChainedPlugin chainedPlugin : 
chainedPlugins) {
if (LOG.isDebugEnabled()) {
LOG.debug("BasePlugin.isAccessAllowed 
result=[" + ret + "]");
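Review bot: Chained plugins are now skipped whenever `_IS_SKIP_CHAINED_PLUGINS` is true in `request.getContext()`, and nothing in this hunk records that the skip happened. The context is a plain map that other code can write to, so this key is authorization-relevant: a comment should name the component that is allowed to set it, and the key should never be filled from caller-supplied request data. I would also log the skip at debug level, e.g. `LOG.debug("BasePlugin.isAccessAllowed: chained plugins skipped by request context");`, so a decision made without the chained plugins can be traced afterwards. The enclosing method continues outside the hunk.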
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index a56ecb268..df0352ca9 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -53,6 +53,7 @@ public class RangerAccessRequestUtil {
public static final String KEY_CONTEXT_IS_REQUEST_PREPROCESSED = 
"ISREQUESTPREPROCESSED";
public static final String KEY_CONTEXT_RESOURCE_ZONE_NAMES = 
"RESOURCE_ZONE_NAMES";
public static final String KEY_CONTEXT_ACCESS_TYPE_RESULTS = 
"_ACCESS_TYPE_RESULTS";
+   public static final String KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS = 
"_IS_SKIP_CHAINED_PLUGINS";
 
public static void setRequestTagsInContext(Map context, 
Set tags) {
if(CollectionUtils.isEmpty(tags)) {
@@ -361,4 +362,13 @@ public class RangerAccessRequestUtil {
results.putIfAbsent(accessType, result);
}
}
+
+   public static void setIsSkipChainedPlugins(Map context, 
Boolean value) {
+   context.put(KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS, value);
+   }
+
+   public static boolean getIsSkipChainedPlugins(Map 
context) {
+   Boolean value = 
(Boolean)context.get(KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS);
+   return value != null && value;
+   }
 }
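Review bot: `getIsSkipChainedPlugins` dereferences `context` without a null check and casts the stored value to `Boolean`, so a null context or a non-Boolean value under the key throws in the middle of an authorization call. `Object value = context != null ? context.get(KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS) : null; return Boolean.TRUE.equals(value);` gives the same result for Boolean values and falls back to "do not skip" otherwise. `setIsSkipChainedPlugins` stores a null `value` as a null entry instead of removing the key, which this getter tolerates but which deserves a one-line comment. Both methods lack Javadoc saying that the flag suppresses chained-plugin evaluation in `RangerBasePlugin`.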
diff --git 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index b11ee62a3..c892bced3 100644
--- 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -29,9 +29,16 @@ import static 
org.apache.ranger.authorization.hadoop.constants.RangerHadoopConst
 import static 
org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants.ALL_PERM;
 import static 
org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants.ACCESS_TYPE_MONITOR_HEALTH;
 
+
 import java.net.InetAddress;
 import java.security.SecureRandom;
-import java.util.*;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import java.util.Stack;
+import java.util.Objects;
 
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.ArrayUtils;
@@ -72,20 +79,38 @@ import com.google.common.collect.Sets;
 import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 
 public class RangerHdfsAuthorizer extends INodeAttributeProvider {
-   public static final String KEY_FILENAME = "FILENAME";
-   public static final String KEY_BASE_FILENAME = "BASE_FILENAME";
-   public static 

(ranger) branch master updated: RANGER-4786: Ranger override policy is not working

2024-04-30 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 967276241 RANGER-4786: Ranger override policy is not working
967276241 is described below

commit 967276241ff593b7611576c21fb724b6839de8a2
Author: Abhay Kulkarni 
AuthorDate: Mon Apr 29 17:59:17 2024 -0700

RANGER-4786: Ranger override policy is not working
---
 .../RangerDefaultPolicyEvaluator.java  | 18 ++-
 .../test_policyengine_hdfs_multiple_accesses.json  | 58 ++
 2 files changed, 75 insertions(+), 1 deletion(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index ded8d0993..9745dc64f 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -832,14 +832,23 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
if 
(!result.getIsAllowed()) { // if access is not yet allowed by another policy
if 
(matchType != RangerPolicyResourceMatcher.MatchType.ANCESTOR) {

RangerAccessResult oneResult = new RangerAccessResult(result.getPolicyType(), 
result.getServiceName(), result.getServiceDef(), result.getAccessRequest());
-   
oneResult.setIsAllowed(true);

oneResult.setPolicyPriority(getPolicyPriority());

oneResult.setPolicyId(getPolicyId());

oneResult.setPolicyVersion(getPolicy().getVersion());
+   
if (!oneResult.getIsAuditedDetermined()) {
+   
oneResult.setAuditResultFrom(result);
+   
}
 

RangerAccessRequestUtil.setAccessTypeResult(request.getContext(), accessType, 
oneResult);
}
}
+   Map savedAccessResults = 
RangerAccessRequestUtil.getAccessTypeResults(request.getContext());
+   int 
allowedAccessesCount = savedAccessResults == null ? 0 : 
savedAccessResults.size();
+   if 
(allRequestedAccesses.size() == allowedAccessesCount) {
+   
RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null);
+   
result.setIsAllowed(true);
+   break;
+   }
}
}
}
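Review bot: `allRequestedAccesses.size() == allowedAccessesCount` treats "same number of entries" as "every requested access was allowed"; if the results map in the context ever holds an access type that is not in `allRequestedAccesses` (for example an entry left from an earlier evaluation), the counts can match while a requested access is still missing, and `result.setIsAllowed(true)` is reached. Comparing the keys is exact: `if (savedAccessResults != null && savedAccessResults.keySet().containsAll(allRequestedAccesses)) {`. The second hunk of this file makes the same size comparison and calls `getAccessTypeResults(...).size()` without the null check used here. Separately, `oneResult` is constructed a few lines above, so `!oneResult.getIsAuditedDetermined()` presumably always holds and the guard could be dropped or explained in a comment. The loop and the method start outside the hunk.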
@@ -909,6 +918,13 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
break;
} else if 
(oneResult.getIsAllowed()) {

RangerAccessRequestUtil.setAccessTypeResult(request.getContext(), accessType, 
oneResult);
+
+   // Check if all access 
requests are satisfied, if so, access is allowed
+   if 
(allRequestedAccesses.size() == 
RangerAccessRequestUtil.getAccessTypeResults(request.getContext()).size()) {
+   allowResult = 
oneResult;
+   
RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null);
+   break

(ranger) branch master updated: RANGER-4745: Enhance handling of subAccess authorization in Ranger HDFS plugin

2024-04-04 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 4abb99350 RANGER-4745: Enhance handling of subAccess authorization in 
Ranger HDFS plugin
4abb99350 is described below

commit 4abb993500274ad06a148f4258a7ea71622ebc88
Author: Abhay Kulkarni 
AuthorDate: Thu Apr 4 15:25:58 2024 -0700

RANGER-4745: Enhance handling of subAccess authorization in Ranger HDFS 
plugin
---
 .../hadoop/constants/RangerHadoopConstants.java|  4 +
 .../authorization/hadoop/RangerHdfsAuthorizer.java | 91 --
 2 files changed, 90 insertions(+), 5 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
 
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
index a29390fd0..fcd9ebd4d 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
@@ -24,6 +24,10 @@ public class RangerHadoopConstants {
public static final String RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_PROP 
= "ranger.optimize-subaccess-authorization" ;
public static final boolean RANGER_ADD_HDFS_PERMISSION_DEFAULT = false;
public static final boolean 
RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_DEFAULT = false ;
+
+   public static final String 
RANGER_USE_LEGACY_SUBACCESS_AUTHORIZATION_PROP = 
"ranger.plugin.hdfs.use.legacy.subaccess.authorization";
+   public static final boolean 
RANGER_USE_LEGACY_SUBACCESS_AUTHORIZATION_DEFAULT = true;
+
public static final String READ_ACCCESS_TYPE = "read";
public static final String WRITE_ACCCESS_TYPE = "write";
public static final String EXECUTE_ACCCESS_TYPE = "execute";
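Review bot: `RANGER_USE_LEGACY_SUBACCESS_AUTHORIZATION_PROP` has no comment describing what "legacy" sub-access authorization is or how the outcome differs when it is switched off, and its default of `true` makes the enhanced handling from this commit opt-in. Since the switch changes how HDFS sub-directory access is decided, I would add a comment along the lines of `// true (default): keep the pre-RANGER-4745 sub-access authorization; false: use the enhanced handling`. The key also follows a different naming scheme (`ranger.plugin.hdfs.` with dots) from the neighbouring `ranger.optimize-subaccess-authorization`; if that is intentional, the comment should say so.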
diff --git 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 9b410a185..b11ee62a3 100644
--- 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -116,6 +116,8 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {

LOG.info(RangerHadoopConstants.RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_PROP + " 
is enabled");
}
 
+   LOG.info("Legacy way of authorizing sub-access requests will " 
+ (plugin.isUseLegacySubAccessAuthorization() ? "" : "not ") + "be used");
+
access2ActionListMapper.put(FsAction.NONE,  new 
HashSet());
access2ActionListMapper.put(FsAction.ALL,   
Sets.newHashSet(READ_ACCCESS_TYPE, WRITE_ACCCESS_TYPE, EXECUTE_ACCCESS_TYPE));
access2ActionListMapper.put(FsAction.READ,  
Sets.newHashSet(READ_ACCCESS_TYPE));
@@ -219,10 +221,14 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
class SubAccessData {
final INodeDirectorydir;
final StringresourcePath;
+   final INode[]   inodes;
+   final INodeAttributes[] iNodeAttributes;
 
-   SubAccessData(INodeDirectory dir, String resourcePath) {
+   SubAccessData(INodeDirectory dir, String resourcePath, 
INode[] inodes, INodeAttributes[] iNodeAttributes) {
this.dir= dir;
this.resourcePath   = resourcePath;
+   this.iNodeAttributes = iNodeAttributes;
+   this.inodes  = inodes;
}
}
 
@@ -429,7 +435,7 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
if(authzStatus == AuthzStatus.ALLOW && 
subAccess != null && inode != null && inode.isDirectory()) {
Stack 
directories = new Stack<>();
 
-   for(directories.push(new 
SubAccessData(inode.asDirectory(), resourcePath)); !directories.isEmpty(); ) {
+   for(directories.push(new 
SubAccessData(inode.asDirectory(), resourcePath, inodes, inodeAttrs)); 
!directories.isEmpty(); ) {
SubAccessData data = 
directories.pop();
  

(ranger) branch master updated: RANGER-4767: Deleted policies are still taking effect if all policies for a security zone are deleted

2024-04-04 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 2d875da32 RANGER-4767: Deleted policies are still taking effect if all 
policies for a security zone are deleted
2d875da32 is described below

commit 2d875da32aa142151c976aea925a6cc9bd4e20dd
Author: Abhay Kulkarni 
AuthorDate: Thu Apr 4 09:31:16 2024 -0700

RANGER-4767: Deleted policies are still taking effect if all policies for a 
security zone are deleted
---
 .../java/org/apache/ranger/plugin/service/RangerBasePlugin.java| 7 +++
 1 file changed, 7 insertions(+)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 6a3d59dae..97da473a8 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -383,6 +383,13 @@ public class RangerBasePlugin {
if (policies.getPolicies() == 
null) {

policies.setPolicies(new ArrayList<>());
}
+   if 
(MapUtils.isNotEmpty(policies.getSecurityZones())) {
+   for 
(ServicePolicies.SecurityZoneInfo element : 
policies.getSecurityZones().values()) {
+   if 
(element.getPolicies() == null) {
+   
element.setPolicies(new ArrayList<>());
+   }
+   }
+   }
}
}
}
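Review bot: The added loop has no comment explaining why a null policy list in a security zone has to be replaced by an empty one; going by the commit title, a null list was presumably read as "nothing to apply" for that zone, which left already-deleted policies in force. A comment such as `// a zone with no policies must carry an empty list, otherwise its previously loaded policies are not cleared` would stop someone from removing this as redundant. `element` is dereferenced without a null check; if a map value can be null in a downloaded ServicePolicies, use `if (element != null && element.getPolicies() == null)`. The diffstat shows no test, and a case where the last policy of a zone is deleted would pin this fix. The enclosing method starts outside the hunk.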



(ranger) branch master updated: RANGER-4762:Prevent duplicate values for a resource while validating a policy

2024-04-02 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new ffda77536 RANGER-4762:Prevent duplicate values for a resource while  
validating a policy
ffda77536 is described below

commit ffda775366ac8ac8a6869991dbab5e12d307a423
Author: Fateh Singh 
AuthorDate: Tue Apr 2 11:13:57 2024 -0700

RANGER-4762:Prevent duplicate values for a resource while
 validating a policy
---
 .../ranger/plugin/errors/ValidationErrorCode.java  |  1 +
 .../model/validation/RangerPolicyValidator.java| 68 +++---
 .../validation/TestRangerPolicyValidator.java  | 18 ++
 3 files changed, 65 insertions(+), 22 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
index bf119773b..00855458d 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
@@ -107,6 +107,7 @@ public enum ValidationErrorCode {
 POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_USER(3053, "policy items user was 
null"),
 POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_GROUP(3054, "policy items group was 
null"),
 POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ROLE(3055, "policy items role was 
null"),
+POLICY_VALIDATION_ERR_DUPLICATE_VALUES_FOR_RESOURCE(3056, "Values for the 
resource={0} contained a duplicate value={1}. Ensure all values for a resource 
are unique"),
 POLICY_VALIDATION_ERR_INVALID_SERVICE_TYPE(4009," Invalid service type 
[{0}] provided for service [{1}]"),
 
 // SECURITY_ZONE Validations
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index 76e9dee8c..cdfc2628c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -883,15 +883,7 @@ public class RangerPolicyValidator extends RangerValidator 
{
String name = entry.getKey();
RangerPolicyResource policyResource = entry.getValue();
if(policyResource != null) {
-   
if(CollectionUtils.isNotEmpty(policyResource.getValues())) {
-   Set resources = new 
HashSet<>(policyResource.getValues());
-   for (String aValue : resources) {
-   if 
(StringUtils.isBlank(aValue)) {
-   
policyResource.getValues().remove(aValue);
-   }
-   }
-   }
-
+   
policyResource.getValues().removeIf(StringUtils::isBlank);

if(CollectionUtils.isEmpty(policyResource.getValues())){
ValidationErrorCode error = 
ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST;
if(LOG.isDebugEnabled()) {
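Review bot: `policyResource.getValues().removeIf(StringUtils::isBlank)` drops the `CollectionUtils.isNotEmpty(policyResource.getValues())` guard the removed code had, so a resource whose values list is null now throws a NullPointerException here instead of reaching the `POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST` failure just below. Whether `getValues()` can return null is decided outside the hunk; if it can, for instance for a policy built from a request body, keep the guard: `if (policyResource.getValues() != null) { policyResource.getValues().removeIf(StringUtils::isBlank); }`. The validator also still mutates the policy it is validating, which deserves a short comment.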
@@ -906,23 +898,40 @@ public class RangerPolicyValidator extends 
RangerValidator {
.build());
valid=false;
}
-
-   if (validationRegExMap.containsKey(name) && 
CollectionUtils.isNotEmpty(policyResource.getValues())) {
-   String regEx = 
validationRegExMap.get(name);
-   for (String aValue : 
policyResource.getValues()) {
-   if (!aValue.matches(regEx)) {
-   if 
(LOG.isDebugEnabled()) {
-   
LOG.debug(String.format("Resource failed regex check: value[%s], 
resource-name[%s], regEx[%s], service-def-name[%s]", aValue, name, regEx, 
serviceDef.getName()));
-   }
-   ValidationErrorCode 
error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_VALUE_REGEX;
-   failures.add(new 
ValidationFailureDetailsBuilder()
+   else{
+   

(ranger) branch master updated: RANGER-4722: HDFS authorization logic for directory hierarchy rooted at '/' is incorrect

2024-02-21 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new c4f6cc395 RANGER-4722: HDFS authorization logic for directory 
hierarchy rooted at '/' is incorrect
c4f6cc395 is described below

commit c4f6cc3951f979c4ae5859fbeaf1be5fe945b12d
Author: Abhay Kulkarni 
AuthorDate: Tue Feb 20 14:36:09 2024 -0800

RANGER-4722: HDFS authorization logic for directory hierarchy rooted at '/' 
is incorrect
---
 .../apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java| 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 9b1279bcb..9b410a185 100644
--- 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -453,7 +453,11 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
if 
(subDirAuthStatus != AuthzStatus.ALLOW) {

for(INode child : cList) {

if (child.isDirectory()) {
-   
directories.push(new SubAccessData(child.asDirectory(), resourcePath + 
Path.SEPARATOR_CHAR + child.getLocalName()));
+   
if (data.resourcePath.endsWith(Path.SEPARATOR)) {
+   
directories.push(new SubAccessData(child.asDirectory(), 
data.resourcePath + child.getLocalName()));
+   
} else {
+   
directories.push(new SubAccessData(child.asDirectory(), 
data.resourcePath + Path.SEPARATOR_CHAR + child.getLocalName()));
+   
}

}
}
}
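Review bot: The two `directories.push(...)` branches differ only in whether a separator is inserted, so the path is easier to check when it is built once: `String childPath = data.resourcePath.endsWith(Path.SEPARATOR) ? data.resourcePath + child.getLocalName() : data.resourcePath + Path.SEPARATOR_CHAR + child.getLocalName();` followed by a single `directories.push(new SubAccessData(child.asDirectory(), childPath));`. The change also switches the base from `resourcePath` to `data.resourcePath`, which affects every nested directory and not only the '/' case named in the title; a comment should say that the path must be derived from the directory being expanded. The diffstat lists no test, and since this string is presumably the resource that sub-access policies are matched against, a test with a tree rooted at '/' and one nested two levels deep would guard it.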



(ranger) branch master updated: RANGER-4655: Execute and read permissions granted to a user in different HDFS policies does not take effect

2024-01-16 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new a664de553 RANGER-4655: Execute and read permissions granted to a user 
in different HDFS policies does not take effect
a664de553 is described below

commit a664de553120f165d927e962e3677fe1abd0d722
Author: Abhay Kulkarni 
AuthorDate: Mon Jan 15 17:02:43 2024 -0800

RANGER-4655: Execute and read permissions granted to a user in different 
HDFS policies does not take effect
---
 .../policyengine/RangerPolicyEngineImpl.java   | 16 
 .../RangerDefaultPolicyEvaluator.java  | 35 +---
 .../plugin/util/RangerAccessRequestUtil.java   | 39 +
 .../plugin/policyengine/TestPolicyEngine.java  |  7 ++
 .../test_policyengine_hdfs_multiple_accesses.json  | 92 ++
 5 files changed, 179 insertions(+), 10 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 252482c8e..df39467ba 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -763,6 +763,22 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
}
}
 
+   if (!request.isAccessTypeAny()) {
+   Set allRequestedAccesses = 
RangerAccessRequestUtil.getAllRequestedAccessTypes(request);
+   if (CollectionUtils.size(allRequestedAccesses) 
> 1 && !RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
+   Map 
accessTypeResults = 
RangerAccessRequestUtil.getAccessTypeResults(request.getContext());
+   if (accessTypeResults != null) {
+   if 
(accessTypeResults.keySet().containsAll(allRequestedAccesses)) {
+   // Allow
+   RangerAccessResult 
result = accessTypeResults.values().iterator().next(); // Pick one result 
randomly
+   
ret.setAccessResultFrom(result);
+   
ret.setIsAccessDetermined(true);
+   }
+   
RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null);
+   }
+   }
+   }
+
if (!ret.getIsAccessDetermined()) {
if (isDeniedByTags) {
ret.setIsAllowed(false);
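Review bot: `accessTypeResults.values().iterator().next()` copies an arbitrary entry into `ret`, as the inline comment admits, so whatever `setAccessResultFrom` carries over (presumably the policy id, priority and audit data) depends on map iteration order and not on the request. For audit and later investigation the attribution of a multi-access allow should be reproducible; one option is to take the result for a fixed key, such as the first element of a sorted copy of `allRequestedAccesses`, and state the rule in a comment. The `setAccessTypeResults(request.getContext(), null)` reset is skipped if an exception is thrown earlier in the method, which starts outside the hunk. A later commit on this page (RANGER-4820) removes this block.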
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 7fe2a2eb3..ded8d0993 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -818,11 +818,29 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
} else {
Set allRequestedAccesses = 
RangerAccessRequestUtil.getAllRequestedAccessTypes(request);
 
-   if 
(CollectionUtils.isNotEmpty(allRequestedAccesses)) {
+   if (CollectionUtils.size(allRequestedAccesses) 
> 1) {
for (String accessType : 
allRequestedAccesses) {
-   accessResult = 
lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), 
request.getUserRoles(), accessType);
-   if (accessResult == null) {
-   break;
+   Integer oneAccessResult = 
lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), 
request.getUserRoles(), accessType);
+   if (oneAccessResult != null) {
+   if 
(oneAccessResult.equals(RangerPolicyEvaluator.ACCESS_DENIED)) {
+   accessResult = 
o

(ranger) branch master updated: RANGER-4639: Provide an option to bypass evaluation of chained plugin if the parent plugin has applicable policy

2024-01-08 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 96da0c834 RANGER-4639: Provide an option to bypass evaluation of 
chained plugin if the parent plugin has applicable policy
96da0c834 is described below

commit 96da0c834e6ded11f66583dbf27cdd0405a8ac13
Author: Abhay Kulkarni 
AuthorDate: Mon Jan 8 10:42:24 2024 -0800

RANGER-4639: Provide an option to bypass evaluation of chained plugin if 
the parent plugin has applicable policy
---
 .../java/org/apache/ranger/plugin/service/RangerBasePlugin.java   | 8 +++-
 .../org/apache/ranger/plugin/service/RangerChainedPlugin.java | 4 
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 5d6c3d97c..9bf01b982 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -502,7 +502,13 @@ public class RangerBasePlugin {
LOG.debug("BasePlugin.isAccessAllowed 
result=[" + ret + "]");
LOG.debug("Calling 
chainedPlugin.isAccessAllowed for service:[" + 
chainedPlugin.plugin.pluginConfig.getServiceName() + "]");
}
-   RangerAccessResult chainedResult = 
chainedPlugin.isAccessAllowed(request);
+   RangerAccessResult chainedResult;
+
+   if (ret.getIsAccessDetermined() && 
chainedPlugin.skipAccessCheckIfAlreadyDetermined) {
+   chainedResult = null;
+   } else {
+   chainedResult = 
chainedPlugin.isAccessAllowed(request);
+   }
 
if (chainedResult != null) {
if (LOG.isDebugEnabled()) {
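Review bot: The debug line `Calling chainedPlugin.isAccessAllowed for service:[...]` just above the new block is still logged when the call is skipped, so a trace will show a chained evaluation that never ran. Move that message into the `else` branch and log the skip in the `if` branch, e.g. `LOG.debug("Skipping chainedPlugin.isAccessAllowed: access already determined");`. A comment on the new condition should also state that `ret.getIsAccessDetermined()` can be true for an allow as well as a deny, so with the option enabled a parent allow is final and the chained plugin's policies, including any deny, are not consulted. The enclosing method continues outside the hunk.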
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java
index b969fb687..5e52ce30c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java
@@ -19,6 +19,7 @@
 
 package org.apache.ranger.plugin.service;
 
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
@@ -34,6 +35,7 @@ public abstract class RangerChainedPlugin {
 protected final String   serviceType;
 protected final String   serviceName;
 protected final RangerBasePlugin plugin;
+protected final boolean  skipAccessCheckIfAlreadyDetermined;
 
 protected RangerChainedPlugin(RangerBasePlugin rootPlugin, String 
serviceType, String serviceName) {
 LOG.info("RangerChainedPlugin(" + serviceType + ", " + serviceName + 
")");
@@ -42,6 +44,8 @@ public abstract class RangerChainedPlugin {
 this.serviceType = serviceType;
 this.serviceName = serviceName;
 this.plugin  = buildChainedPlugin(serviceType, serviceName, 
rootPlugin.getAppId());
+RangerPluginConfig rootPluginConfig = 
rootPlugin.getPluginContext().getConfig();
+skipAccessCheckIfAlreadyDetermined = 
rootPluginConfig.getBoolean(rootPluginConfig.getPropertyPrefix() + 
".bypass.chained.plugin.evaluation.if.access.is.determined", false);
 }
 
 public void init() {
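Review bot: The constructor reads `.bypass.chained.plugin.evaluation.if.access.is.determined` into `skipAccessCheckIfAlreadyDetermined` but never reports the effective value; the `LOG.info` at the top of the constructor prints only the service type and name. Because this flag changes which plugins take part in an authorization decision, log it once at construction, e.g. `LOG.info("RangerChainedPlugin(" + serviceName + "): skipAccessCheckIfAlreadyDetermined=" + skipAccessCheckIfAlreadyDetermined);`. The assignment also omits the `this.` prefix that the three assignments above it use. The field would read better behind a getter than accessed directly as `chainedPlugin.skipAccessCheckIfAlreadyDetermined` from RangerBasePlugin.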



(ranger) branch master updated: RANGER-4609:Support in File-based Tag Retriever to provide tag-deltas

2023-12-15 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 4ecb2f854 RANGER-4609:Support in File-based Tag Retriever to provide 
tag-deltas
4ecb2f854 is described below

commit 4ecb2f854497a7379654685f8c3049d13a1f39a9
Author: Abhay Kulkarni 
AuthorDate: Thu Dec 14 12:00:44 2023 -0800

RANGER-4609:Support in File-based Tag Retriever to provide tag-deltas
---
 .../RangerFileBasedTagRetriever.java   | 199 ++---
 1 file changed, 133 insertions(+), 66 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java
index 448c665fc..df2c7ccf1 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java
@@ -29,7 +29,7 @@ import org.slf4j.LoggerFactory;
 import java.io.*;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.util.Map;
 
 public class RangerFileBasedTagRetriever extends RangerTagRetriever {
@@ -40,7 +40,9 @@ public class RangerFileBasedTagRetriever extends 
RangerTagRetriever {
private String serviceTagsFileName;
private Gson gsonBuilder;
private boolean deDupTags;
-
+   inttagFilesCount = 0;
+   intcurrentTagFileIndex = 0;
+   booleanisInitial = true;
@Override
public void init(Map options) {
 
@@ -55,11 +57,9 @@ public class RangerFileBasedTagRetriever extends 
RangerTagRetriever {
String serviceTagsFileNameProperty = "serviceTagsFileName";
String serviceTagsDefaultFileName = 
"/testdata/test_servicetags_hive.json";
String deDupTagsProperty  = "deDupTags";
+   String tagFilesCountProperty  = "tagFileCount";
 
if (StringUtils.isNotBlank(serviceName) && serviceDef != null 
&& StringUtils.isNotBlank(appId)) {
-   InputStream serviceTagsFileStream = null;
-
-
// Open specified file from options- it should contain 
service-tags
 
serviceTagsFileName = options != null? 
options.get(serviceTagsFileNameProperty) : null;
@@ -67,51 +67,22 @@ public class RangerFileBasedTagRetriever extends 
RangerTagRetriever {
deDupTags   = 
Boolean.parseBoolean(deDupTagsVal);
 
serviceTagsFileName = serviceTagsFileName == null ? 
serviceTagsDefaultFileName : serviceTagsFileName;
-
-   File f = new File(serviceTagsFileName);
-
-   if (f.exists() && f.isFile() && f.canRead()) {
-   try {
-   serviceTagsFileStream = new 
FileInputStream(f);
-   serviceTagsFileURL = f.toURI().toURL();
-   } catch (FileNotFoundException exception) {
-   LOG.error("Error processing input 
file:" + serviceTagsFileName + " or no privilege for reading file " + 
serviceTagsFileName, exception);
-   } catch (MalformedURLException 
malformedException) {
-   LOG.error("Error processing input 
file:" + serviceTagsFileName + " cannot be converted to URL " + 
serviceTagsFileName, malformedException);
-   }
-   } else {
-   URL fileURL = 
getClass().getResource(serviceTagsFileName);
-   if (fileURL == null && 
!serviceTagsFileName.startsWith("/")) {
-   fileURL = getClass().getResource("/" + 
serviceTagsFileName);
-   }
-
-   if (fileURL == null) {
-   fileURL = 
ClassLoader.getSystemClassLoader().getResource(serviceTagsFileName);
-   if (fileURL == null && 
!serviceTagsFileName.startsWith("/")) {
-   fileURL = 
ClassLoader.getSystemClassLoader().getResource("/" + serviceTagsFileName);
-   }
-   }
-
-   if (fileURL != null) {
+   if (options != null) {
+  

(ranger) branch master updated: RANGER-4565: Enhance Ranger's performance tracing module to optionally collect statistical information

2023-11-28 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 04c93b3df RANGER-4565: Enhance Ranger's performance tracing module to 
optionally collect statistical information
04c93b3df is described below

commit 04c93b3df9577c7f6e4f91f573a87c046311e15c
Author: Abhay Kulkarni 
AuthorDate: Tue Nov 28 09:47:03 2023 -0800

RANGER-4565: Enhance Ranger's performance tracing module to optionally 
collect statistical information
---
 .../ranger/plugin/service/RangerBasePlugin.java|  6 ++
 .../ranger/plugin/util/PerfDataRecorder.java   | 77 +-
 .../plugin/util/RangerPerfCollectorTracer.java |  2 +-
 .../ranger/plugin/util/RangerPerfTracer.java   |  4 +-
 4 files changed, 71 insertions(+), 18 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 2f4af9763..5d6c3d97c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -86,6 +86,12 @@ public class RangerBasePlugin {
this.pluginConfig  = pluginConfig;
this.pluginContext = new RangerPluginContext(pluginConfig);
 
+   boolean usePerfDataRecorder  = 
pluginConfig.getBoolean("ranger.perf.aggregate.data", false);
+   int perfDataDumpInterval = 
pluginConfig.getInt("ranger.perf.aggregate.data.dump.interval", 0);
+   boolean usePerfDataLock  = 
pluginConfig.getBoolean("ranger.perf.aggregate.data.lock.enabled", false);
+
+   PerfDataRecorder.initialize(usePerfDataRecorder, 
perfDataDumpInterval, usePerfDataLock, null);
+
Set superUsers = 
toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".super.users"));
Set superGroups= 
toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".super.groups"));
Set auditExcludeUsers  = 
toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + 
".audit.exclude.users"));
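Review bot: `PerfDataRecorder.initialize(...)` is now called from the `RangerBasePlugin` constructor, but the recorder is a process-wide singleton guarded by `instance == null` (see the PerfDataRecorder.java section of this commit), so only the first plugin's `ranger.perf.aggregate.data*` values take effect and later ones are dropped silently. A comment at this call should say so, for example `// PerfDataRecorder is process-wide: the first plugin to initialize it decides these settings`. The three keys are also read without `pluginConfig.getPropertyPrefix()`, unlike the `.super.users` lookups just below; if that is deliberate because the setting is global, the same comment can note it. The constructor starts and ends outside the hunk.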
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
index dce60b0ba..a1df53fac 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
@@ -37,13 +37,27 @@ public class PerfDataRecorder {
private static final Logger PERF = 
RangerPerfTracer.getPerfLogger(PerfDataRecorder.class);
 
private static volatile PerfDataRecorder instance;
-   private Map perfStatistics = new HashMap<>();
+   final private Map perfStatistics = 
Collections.synchronizedMap(new HashMap<>());
+   private RangerReadWriteLock lock = null;
 
public static void initialize(List names) {
-   if (instance == null) {
-   synchronized (PerfDataRecorder.class) {
-   if (instance == null) {
-   instance = new PerfDataRecorder(names);
+   initialize(true, 0, false, names);
+   }
+
+   public static void initialize(final boolean useRecorder, final int 
collectionIntervalInSeconds, final boolean usePerfDataLock, List names) 
{
+   if (useRecorder) {
+   if (instance == null) {
+   synchronized (PerfDataRecorder.class) {
+   if (instance == null) {
+   instance = new 
PerfDataRecorder(names);
+   instance.lock = new 
RangerReadWriteLock(usePerfDataLock);
+   if (collectionIntervalInSeconds 
> 0) {
+   Thread statDumper = new 
StatisticsDumper(collectionIntervalInSeconds);
+   
statDumper.setName("Perf-Statistics-Dumper");
+   
statDumper.setDaemon(true);
+   statDumper.start();
+   }
+   }
}
}
}
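Review bot: In the new four-argument `initialize` the recorder is published through the volatile `instance` field before `instance.lock` is assigned, so a thread that sees `instance != null` in another static method can run against a recorder whose `lock` is still `null`. Build the object fully first: `PerfDataRecorder recorder = new PerfDataRecorder(names);`, `recorder.lock = new RangerReadWriteLock(usePerfDataLock);`, then `instance = recorder;`. How `lock` is used is outside this hunk, so the impact (most likely a NullPointerException during start-up) is inferred. Starting `StatisticsDumper` only after that assignment would likewise keep the dumper thread from observing a half-initialized recorder.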
@@ -61,7 +75,9 @@ public class PerfDataRecorder {
 
public static void clearStatistics() {
if (instance != null) {
-   instance.clear();
+ 

(ranger) branch master updated: RANGER-4515: Enhance perf-tracer to get CPU time when possible

2023-11-07 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 279f41f5b RANGER-4515: Enhance perf-tracer to get CPU time when 
possible
279f41f5b is described below

commit 279f41f5bf058dfe7d44175932741e4da1414d33
Author: Abhay Kulkarni 
AuthorDate: Tue Nov 7 11:21:41 2023 -0800

RANGER-4515: Enhance perf-tracer to get CPU time when possible
---
 .../ranger/plugin/util/PerfDataRecorder.java   | 49 ++
 .../plugin/util/RangerPerfCollectorTracer.java | 26 +---
 .../ranger/plugin/util/RangerPerfTracer.java   | 41 ++
 .../plugin/util/RangerPerfTracerFactory.java   | 42 +--
 4 files changed, 124 insertions(+), 34 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
index 7e2c46fde..dce60b0ba 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
@@ -65,9 +65,9 @@ public class PerfDataRecorder {
}
}
 
-   public static void recordStatistic(String tag, long elapsedTime) {
+   public static void recordStatistic(String tag, long cpuTime, long 
elapsedTime) {
if (instance != null) {
-   instance.record(tag, elapsedTime);
+   instance.record(tag, cpuTime, elapsedTime);
}
}
 
@@ -79,14 +79,23 @@ public class PerfDataRecorder {
for (String tag : tags) {
PerfStatistic perfStatistic = perfStatistics.get(tag);
 
+   long averageTimeSpentCpu = 0L;
long averageTimeSpent = 0L;
 
+   if (perfStatistic.numberOfInvocations.get() != 0L) {
+   averageTimeSpentCpu = 
perfStatistic.microSecondsSpentCpu.get()/perfStatistic.numberOfInvocations.get();
+   }
+
if (perfStatistic.numberOfInvocations.get() != 0L) {
averageTimeSpent = 
perfStatistic.microSecondsSpent.get()/perfStatistic.numberOfInvocations.get();
}
 
String logMsg = "[" + tag + "]" +
  " execCount: " + 
perfStatistic.numberOfInvocations.get() +
+   ", totalTimeTakenCpu: " + 
perfStatistic.microSecondsSpentCpu.get() + " μs" +
+   ", maxTimeTakenCpu: " + 
perfStatistic.maxTimeSpentCpu.get() + " μs" +
+   ", minTimeTakenCpu: " + 
perfStatistic.minTimeSpentCpu.get() + " μs" +
+   ", avgTimeTakenCpu: " + 
averageTimeSpentCpu + " μs" +
  ", totalTimeTaken: " + 
perfStatistic.microSecondsSpent.get() + " μs" +
  ", maxTimeTaken: " + 
perfStatistic.maxTimeSpent.get() + " μs" +
  ", minTimeTaken: " + 
perfStatistic.minTimeSpent.get() + " μs" +
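Review bot: The two averages are computed under two identical `if (perfStatistic.numberOfInvocations.get() != 0L)` guards, and each division reads the counter again, so the count that was tested and the count used as divisor can differ while other threads are recording. Read it once and use one guard: `long invocations = perfStatistic.numberOfInvocations.get();`, then inside `if (invocations != 0L)` set `averageTimeSpentCpu = perfStatistic.microSecondsSpentCpu.get() / invocations;` and `averageTimeSpent = perfStatistic.microSecondsSpent.get() / invocations;`. The enclosing method starts and ends outside the hunk.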
@@ -101,7 +110,7 @@ public class PerfDataRecorder {
perfStatistics.clear();
}
 
-   private void record(String tag, long elapsedTime) {
+   private void record(String tag, long cpuTime, long elapsedTime) {
PerfStatistic perfStatistic = perfStatistics.get(tag);
 
if (perfStatistic == null) {
@@ -115,7 +124,7 @@ public class PerfDataRecorder {
}
}
 
-   perfStatistic.addPerfDataItem(elapsedTime);
+   perfStatistic.addPerfDataItem(cpuTime, elapsedTime);
}
 
private PerfDataRecorder(List names) {
@@ -136,20 +145,34 @@ public class PerfDataRecorder {
 
public static class PerfStatistic {
private AtomicLong numberOfInvocations = new AtomicLong(0L);
+
+   private AtomicLong microSecondsSpentCpu = new AtomicLong(0L);
+   private AtomicLong minTimeSpentCpu = new 
AtomicLong(Long.MAX_VALUE);
+   private AtomicLong maxTimeSpentCpu = new 
AtomicLong(Long.MIN_VALUE);
+
private AtomicLong microSecondsSpent = new AtomicLong(0L);
private AtomicLong minTimeSpent = new 
AtomicLong(Long.MAX_VALUE);
private AtomicLong maxTimeSpent = new 
AtomicLong(Long.MIN_VALUE);
 
-   void addPerfDataItem(final long timeTaken) {
+   void addPerfDataItem

(ranger) branch master updated: RANGER-4478: Incorrect trie updates when processing deltas - Part 3

2023-11-04 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 3f78f9fae RANGER-4478: Incorrect trie updates when processing deltas - 
Part 3
3f78f9fae is described below

commit 3f78f9fae635b4dc1febdd1aad99e485cde412d6
Author: Abhay Kulkarni 
AuthorDate: Sat Nov 4 13:16:35 2023 -0700

RANGER-4478: Incorrect trie updates when processing deltas - Part 3
---
 .../plugin/policyengine/RangerResourceTrie.java| 41 +++---
 1 file changed, 37 insertions(+), 4 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
index d95da7c50..773a02609 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
@@ -576,7 +576,7 @@ public class RangerResourceTrie {
 
 }
 
-private String getNonWildcardPrefix(String str) {
+private int getNonWildcardPrefixLength(String str) {
 int minIndex = str.length();
 
 for (int i = 0; i < wildcardChars.length(); i++) {
@@ -587,9 +587,17 @@ public class RangerResourceTrie {
 }
 }
 
-return str.substring(0, minIndex);
+return minIndex;
+}
+
+private String getNonWildcardPrefix(String str) {
+int prefixLen = getNonWildcardPrefixLength(str);
+
+return (prefixLen < str.length()) ? str.substring(0, prefixLen) : str;
 }
 
+
+
 private Set getEvaluatorsForResource(String resource, 
ResourceElementMatchingScope scope) {
 if(LOG.isDebugEnabled()) {
 LOG.debug("==> RangerResourceTrie.getEvaluatorsForResource(" + 
resource + ", " + scope + ")");
@@ -718,7 +726,7 @@ public class RangerResourceTrie {
 }
 
 TrieNode curr = root;
-final int   len  = resource.length();
+final int   len  = getNonWildcardPrefixLength(resource);
 int i= 0;
 
 while (i < len) {
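Review bot: Bounding the walk with `getNonWildcardPrefixLength(resource)` instead of `resource.length()` changes which node this lookup returns, and neither this hunk nor the next one (`curr = (i == len) ? curr : null;`) says why. Add a comment above `final int len` stating the intent, for example `// walk only the literal prefix of resource; stop at the first wildcard character`, and one on the new assignment, for example `// loop ended early: no node covers the whole prefix`. If `resource` can come from an access request rather than from a policy definition (not visible here), a literal wildcard character in it would shorten the lookup, which is worth confirming. The enclosing method starts before the hunk.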
@@ -738,6 +746,8 @@ public class RangerResourceTrie {
 i+= childStr.length();
 }
 
+curr = (i == len) ? curr : null;
+
 RangerPerfTracer.logAlways(perf);
 
 if(LOG.isDebugEnabled()) {
@@ -1128,11 +1138,21 @@ public class RangerResourceTrie {
 }
 
 void removeSelfFromTrie() {
-if (evaluators == null && wildcardEvaluators == null && 
children.size() == 0) {
+if (LOG.isDebugEnabled()) {
+LOG.debug("==> removeSelfFromTrie(" + this + ")");
+}
+if (evaluators == null && children.size() == 0) {
 TrieNode parent = getParent();
 if (parent != null) {
 parent.children.remove(str.charAt(0));
 }
+} else {
+if (LOG.isDebugEnabled()) {
+LOG.debug("removeSelfFromTrie(" + this + ") could not 
remove self from Trie");
+}
+}
+if (LOG.isDebugEnabled()) {
+LOG.debug("<== removeSelfFromTrie(" + this + ")");
 }
 }
 
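Review bot: `removeSelfFromTrie()` no longer tests `wildcardEvaluators == null`, so a node with no `evaluators` and no children is now detached from its parent even when `wildcardEvaluators` is non-empty. `removeEvaluatorFromSubtree` (next hunk) calls it right after removing a single wildcard evaluator; if other wildcard evaluators registered on the same node remain, they would leave the trie with it and their policies would stop matching. If the remaining entries can only be ones shared from the parent, say so on the condition, e.g. `// wildcardEvaluators may be inherited from the parent and must not keep this node alive`. Otherwise the condition needs to test for wildcard evaluators the node owns itself.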
@@ -1298,12 +1318,25 @@ public class RangerResourceTrie {
 }
 
 private void removeEvaluatorFromSubtree(U evaluator) {
+if (LOG.isDebugEnabled()) {
+LOG.debug("==> removeEvaluatorFromSubtree(" + 
evaluator.getId() + ")");
+}
 if (CollectionUtils.isNotEmpty(wildcardEvaluators) && 
wildcardEvaluators.contains(evaluator)) {
 removeWildcardEvaluator(evaluator);
 } else {
 removeEvaluator(evaluator);
 }
 removeSelfFromTrie();
+if (LOG.isDebugEnabled()) {
+LOG.debug("<== removeEvaluatorFromSubtree(" + 
evaluator.getId() + ")");
+}
+}
+
+@Override
+public String toString() {
+StringBuilder sb = new StringBuilder();
+toString(sb);
+return sb.toString();
 }
 
 void toString(StringBuilder sb) {



[ranger] branch master updated: RANGER-4478: Incorrect trie updates when processing deltas - Part 2

2023-10-23 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 36ce62eab RANGER-4478: Incorrect trie updates when processing deltas - 
Part 2
36ce62eab is described below

commit 36ce62eabbcc38112b15e376411fb053ef8d2ed9
Author: Abhay Kulkarni 
AuthorDate: Mon Oct 23 13:18:12 2023 -0700

RANGER-4478: Incorrect trie updates when processing deltas - Part 2
---
 .../java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java | 3 ---
 1 file changed, 3 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
index 61b6a4357..d95da7c50 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
@@ -553,7 +553,6 @@ public class RangerResourceTrie {
 
 builderThreads.get(index).add(resource, isRecursive, evaluator);
 } else {
-currentRoot.undoSetup();
 currentRoot.addWildcardEvaluator(evaluator);
 }
 
@@ -570,7 +569,6 @@ public class RangerResourceTrie {
 }
 
 if(isWildcard || isRecursive) {
-curr.undoSetup();
 curr.addWildcardEvaluator(evaluator);
 } else {
 curr.addEvaluator(evaluator);
@@ -1301,7 +1299,6 @@ public class RangerResourceTrie {
 
 private void removeEvaluatorFromSubtree(U evaluator) {
 if (CollectionUtils.isNotEmpty(wildcardEvaluators) && 
wildcardEvaluators.contains(evaluator)) {
-undoSetup();
 removeWildcardEvaluator(evaluator);
 } else {
 removeEvaluator(evaluator);



[ranger] branch master updated: RANGER-4478: Incorrect trie updates when processing deltas

2023-10-17 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 0e7d63022 RANGER-4478: Incorrect trie updates when processing deltas
0e7d63022 is described below

commit 0e7d63022252dc3c74478aa32bffac3ea755fee9
Author: Abhay Kulkarni 
AuthorDate: Tue Oct 17 13:00:22 2023 -0700

RANGER-4478: Incorrect trie updates when processing deltas
---
 .../plugin/policyengine/RangerResourceTrie.java| 71 --
 .../RangerPolicyResourceMatcher.java   |  1 -
 2 files changed, 39 insertions(+), 33 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
index 2f725036d..61b6a4357 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
@@ -94,6 +94,13 @@ public class RangerResourceTrie {
 
 wrapUpUpdate();
 
+if (!isOptimizedForRetrieval) {
+if (LOG.isDebugEnabled()) {
+LOG.debug("Trie for " + this.resourceDef.getName() + " is not 
optimized for retrieval. Resetting isSetup flag by calling undoSetup() on the 
root");
+}
+root.undoSetup();
+}
+
 RangerPerfTracer.logAlways(perf);
 
 if (PERF_TRIE_INIT_LOG.isDebugEnabled()) {
@@ -109,7 +116,7 @@ public class RangerResourceTrie {
 this(resourceDef, evaluators, isOptimizedForRetrieval, false, 
pluginContext);
 }
 
-public  
RangerResourceTrie(RangerResourceDef resourceDef, List evaluators, boolean 
isOptimizedForRetrieval, boolean isOptimizedForSpace, RangerPluginContext 
pluginContext) {
+public  RangerResourceTrie(RangerResourceDef resourceDef, List 
evaluators, boolean isOptimizedForRetrieval, boolean isOptimizedForSpace, 
RangerPluginContext pluginContext) {
 if(LOG.isDebugEnabled()) {
 LOG.debug("==> RangerResourceTrie(" + resourceDef.getName() + ", 
evaluatorCount=" + evaluators.size() + ", isOptimizedForRetrieval=" + 
isOptimizedForRetrieval + ", isOptimizedForSpace=" + isOptimizedForSpace + ")");
 }
@@ -158,9 +165,9 @@ public class RangerResourceTrie {
 this.isOptimizedForRetrieval = !isOptimizedForSpace && 
isOptimizedForRetrieval;  // isOptimizedForSpace takes precedence
 this.separatorChar   = 
ServiceDefUtil.getCharOption(matcherOptions, OPTION_PATH_SEPARATOR, 
DEFAULT_PATH_SEPARATOR_CHAR);
 
-final TrieNode tmpRoot = buildTrie(resourceDef, evaluators, 
builderThreadCount);
+final TrieNode tmpRoot = buildTrie(resourceDef, evaluators, 
builderThreadCount);
 
-if (builderThreadCount > 1 && tmpRoot == null) { // if multi-threaded 
trie-creation failed, build using a single thread
+if (builderThreadCount > 1 && tmpRoot == null) { // if multithreaded 
trie-creation failed, build using a single thread
 this.root = buildTrie(resourceDef, evaluators, 1);
 } else {
 this.root = tmpRoot;
@@ -179,7 +186,7 @@ public class RangerResourceTrie {
 }
 
 if(LOG.isDebugEnabled()) {
-LOG.debug("<== RangerResourceTrie(" + resourceDef.getName() + ", 
evaluatorCount=" + evaluators.size() + ", isOptimizedForRetrieval=" + 
this.isOptimizedForRetrieval + ", isOptimizedForSpace=" + 
this.isOptimizedForSpace + "): " + toString());
+LOG.debug("<== RangerResourceTrie(" + resourceDef.getName() + ", 
evaluatorCount=" + evaluators.size() + ", isOptimizedForRetrieval=" + 
this.isOptimizedForRetrieval + ", isOptimizedForSpace=" + 
this.isOptimizedForSpace + "): " + this);
 }
 }
 
@@ -191,16 +198,16 @@ public class RangerResourceTrie {
 return getEvaluatorsForResource(resource, 
ResourceElementMatchingScope.SELF);
 }
 
+@SuppressWarnings("unchecked")
 public Set getEvaluatorsForResource(Object resource, 
ResourceElementMatchingScope scope) {
 if (resource instanceof String) {
 return getEvaluatorsForResource((String) resource, scope);
 } else if (resource instanceof Collection) {
-if (CollectionUtils.isEmpty((Collection) resource)) {  // treat 
empty collection same as empty-string
+Collection resources = (Collection) resource;
+
+if (CollectionUtils.isEmpty(resources)) {  // treat empty 
collection same as empty-string
 return getEvaluatorsForResource("", scope);
 } el

[ranger] branch master updated: RANGER-4378: Expand implied grants in the policy-items for being able to compare policy-cache dumps from server and client

2023-09-25 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 696d4340b RANGER-4378: Expand implied grants in the policy-items for 
being able to compare policy-cache dumps from server and client
696d4340b is described below

commit 696d4340bfdf6c38f7cb4f53fc31b14e1ffaa0e7
Author: Abhay Kulkarni 
AuthorDate: Mon Sep 25 09:01:33 2023 -0700

RANGER-4378: Expand implied grants in the policy-items for being able to 
compare policy-cache dumps from server and client
---
 .../apache/ranger/plugin/model/RangerPolicy.java   |   4 +
 .../ranger/plugin/policyengine/PolicyEngine.java   |  44 +
 .../RangerAbstractPolicyItemEvaluator.java |  59 
 .../RangerAuditPolicyEvaluator.java|   2 +-
 .../RangerDefaultPolicyEvaluator.java  |  51 --
 .../RangerDefaultPolicyItemEvaluator.java  | 107 -
 .../RangerOptimizedPolicyEvaluator.java| 106 ++--
 .../policyevaluator/RangerPolicyEvaluator.java |  43 +++--
 .../policyevaluator/RangerPolicyItemEvaluator.java |   1 +
 9 files changed, 298 insertions(+), 119 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index 9e5a94b1a..ec0618421 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -959,6 +959,10 @@ public class RangerPolicy extends RangerBaseModelObject 
implements java.io.Seria
this(null, null, null, null, null, null);
}
 
+public RangerPolicyItem(RangerPolicyItem other) {
+this(other.accesses, other.users, other.groups, 
other.roles, other.conditions, other.delegateAdmin);
+}
+
public RangerPolicyItem(List 
accessTypes, List users, List groups, List roles, 
List conditions, Boolean delegateAdmin) {
setAccesses(accessTypes);
setUsers(users);
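Review bot: The new copy constructor `RangerPolicyItem(RangerPolicyItem other)` hands `other.accesses`, `other.users`, `other.groups`, `other.roles` and `other.conditions` straight to the six-argument constructor. Whether the copy gets its own lists depends on `setAccesses`, `setUsers` and the other setters, whose bodies are outside this hunk. If they keep the reference, expanding implied grants on the copy would also change the policy item it was copied from. Please confirm the setters copy, and then document the constructor with `/** Copy constructor; list fields are copied, not shared. */`. `other` is also dereferenced without a null check, so a `null` argument fails with a NullPointerException on this line.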
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index 1e99b5824..4a5406301 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -71,6 +71,13 @@ public class PolicyEngine {
 
 private final RangerReadWriteLock lock;
 
+static private Map>> 
impliedAccessGrants = null;
+
+static public Map> 
getImpliedAccessGrants(RangerServiceDef serviceDef) {
+return impliedAccessGrants == null ? null : 
impliedAccessGrants.get(serviceDef.getName());
+}
+
+
 public RangerReadWriteLock.RangerLock getReadLock() {
 return lock.getReadLock();
 }
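Review bot: `impliedAccessGrants` is a static, non-volatile field that `getImpliedAccessGrants` reads without synchronization, while the writer added later in this commit (`buildImpliedAccessGrants`) is `synchronized static`. A policy-engine rebuild on one thread can therefore update the map while an evaluator on another thread reads it; the outer map's concrete type is cut off in this view, so how badly a concurrent read can go wrong is inferred. Declare the field `private static volatile` and publish only a fully built map, or use a `ConcurrentHashMap`. The map is also keyed by `serviceDef.getName()` for the whole JVM, and the getter dereferences `serviceDef` without a null check; a Javadoc line stating both assumptions would help callers.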
@@ -197,6 +204,8 @@ public class PolicyEngine {
 PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (totalMemory 
- freeMemory) + ", Free memory:" + freeMemory);
 }
 
+buildImpliedAccessGrants(servicePolicies);
+
 this.pluginContext = pluginContext;
 this.lock  = new RangerReadWriteLock(isUseReadWriteLock);
 
@@ -471,6 +480,41 @@ public class PolicyEngine {
 }
 }
 
+synchronized static private void buildImpliedAccessGrants(ServicePolicies 
servicePolicies) {
+buildImpliedAccessGrants(servicePolicies.getServiceDef());
+if (servicePolicies.getTagPolicies() != null) {
+
buildImpliedAccessGrants(servicePolicies.getTagPolicies().getServiceDef());
+}
+}
+
+static private void buildImpliedAccessGrants(RangerServiceDef serviceDef) {
+Map> ret = null;
+
+if (serviceDef != null && 
!CollectionUtils.isEmpty(serviceDef.getAccessTypes())) {
+for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : 
serviceDef.getAccessTypes()) {
+if 
(!CollectionUtils.isEmpty(accessTypeDef.getImpliedGrants())) {
+if (ret == null) {
+ret = new HashMap<>();
+}
+
+Collection impliedGrants = 
ret.get(accessTypeDef.getName());
+
+if (impliedGrants == null) {
+impliedGrants = new HashSet<>();
+
+ret.put(accessTypeDef.getName(), impliedGrants);
+}
+
+impliedGrants.addAll(accessTypeDef.getImpliedGrants());
+}
+}
+
+if (impliedAccessGrants == null) {
+ 

[ranger] branch master updated: RANGER-4379: Assorted debugging help : save policy-cache at Ranger-admin and policy-cache as well as downloaded policy-deltas on plugin side

2023-09-25 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new e76101d28 RANGER-4379: Assorted debugging help : save policy-cache at 
Ranger-admin and policy-cache as well as downloaded policy-deltas on plugin side
e76101d28 is described below

commit e76101d28b001217f81ffcbd0647714a07fe68c3
Author: Abhay Kulkarni 
AuthorDate: Mon Sep 25 07:59:44 2023 -0700

RANGER-4379: Assorted debugging help : save policy-cache at Ranger-admin 
and policy-cache as well as downloaded policy-deltas on plugin side
---
 .../plugin/policyengine/RangerResourceTrie.java| 12 ++--
 .../ranger/plugin/service/RangerBasePlugin.java|  7 ++-
 .../apache/ranger/plugin/util/PolicyRefresher.java | 66 +++---
 .../ranger/common/RangerServicePoliciesCache.java  | 44 +++
 4 files changed, 116 insertions(+), 13 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
index 647059203..2f725036d 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
@@ -1305,14 +1305,14 @@ public class RangerResourceTrie {
 void toString(StringBuilder sb) {
 String nodeValue = this.str;
 
-sb.append("nodeValue=").append(nodeValue);
+sb.append("nodeValue=").append(nodeValue == null ? "ROOT" : 
nodeValue);
 sb.append("; isSetup=").append(isSetup);
 sb.append("; 
isSharingParentWildcardEvaluators=").append(isSharingParentWildcardEvaluators);
 sb.append("; childCount=").append(children.size());
-sb.append("; evaluators=[ ");
+sb.append("; evaluators=[");
 if (evaluators != null) {
 for (U evaluator : evaluators) {
-sb.append(evaluator.getId()).append(" ");
+sb.append(evaluator.getId()).append(",");
 }
 }
 sb.append("]");
@@ -1320,7 +1320,7 @@ public class RangerResourceTrie {
 sb.append("; wildcardEvaluators=[ ");
 if (wildcardEvaluators != null) {
 for (U evaluator : wildcardEvaluators) {
-sb.append(evaluator.getId()).append(" ");
+sb.append(evaluator.getId()).append(",");
 }
 }
 sb.append("]");
@@ -1329,6 +1329,10 @@ public class RangerResourceTrie {
 void toString(String prefix, StringBuilder sb) {
 String nodeValue = prefix + (str != null ? str : "");
 
+if (!nodeValue.equals(prefix)) {
+prefix = prefix + "|";
+}
+
 sb.append(prefix);
 toString(sb);
 sb.append("]\n");
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index f1eb08e4e..2f4af9763 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -410,7 +410,9 @@ public class RangerBasePlugin {

newPolicyEngine.setTrustedProxyAddresses(pluginConfig.getTrustedProxyAddresses());
}
 
+   LOG.info("Switching policy engine from 
[" + getPolicyVersion() + "]");
this.policyEngine   = 
newPolicyEngine;
+   LOG.info("Switched policy engine to [" 
+ getPolicyVersion() + "]");
this.currentAuthContext = 
pluginContext.getAuthContext();
 

pluginContext.notifyAuthContextChanged();
@@ -516,7 +518,6 @@ public class RangerBasePlugin {
if (resultProcessor != null) {
resultProcessor.processResult(ret);
}
-
return ret;
}
 
@@ -1327,4 +1328,8 @@ public class RangerBasePlugin {
 
return ret;
}
+
+   public Long getPolicyVersion() {
+   return this.policyEngine == null ? -1L : 
this.policyEngine.getPolicyVersion();
+   }
 }
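Review bot: `getPolicyVersion()` can throw a NullPointerException in two ways, because it reads `this.policyEngine` twice and mixes the `long` literal `-1L` with the engine's return value in one conditional. If another thread replaces or clears the field between the null check and the call, the second read may see null; and if the engine's `getPolicyVersion()` returns a boxed `Long` that is null (its signature is not visible here), the conditional unboxes it. Copy the field to a local first, call `getPolicyVersion()` on the local, and finish with `return version != null ? version : Long.valueOf(-1L);`. This matters because the `@@ -410` hunk calls the method between assigning `this.policyEngine` and updating `this.currentAuthContext`, so a throw there would leave the switch half done.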
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.j

[ranger] branch master updated: RANGER-4291: If a ROW_FILTER type policy resources match, then an audit log record with Result=Denied is created

2023-06-16 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 0e80fc804 RANGER-4291: If a ROW_FILTER type policy resources match, 
then an audit log record with Result=Denied is created
0e80fc804 is described below

commit 0e80fc804f1a3e6d746e6334382fedb91dbf072d
Author: Abhay Kulkarni 
AuthorDate: Fri Jun 16 10:52:05 2023 -0700

RANGER-4291: If a ROW_FILTER type policy resources match, then an audit log 
record with Result=Denied is created
---
 .../authorization/hive/authorizer/RangerHiveAuditHandler.java   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index af991962f..b8de775e5 100644
--- 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -151,9 +151,9 @@ public class RangerHiveAuditHandler extends 
RangerDefaultAuditHandler {
int  policyType = result.getPolicyType();
 
if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK && 
result.isMaskEnabled()) {
-   ret = createAuditEvent(result, result.getMaskType(), 
resourcePath);
-} else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
-ret = createAuditEvent(result, ACCESS_TYPE_ROWFILTER, 
resourcePath);
+   ret = createAuditEvent(result, result.getMaskType(), 
resourcePath);
+   } else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER && 
result.isRowFilterEnabled()) {
+   ret = createAuditEvent(result, ACCESS_TYPE_ROWFILTER, 
resourcePath );
} else if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
String accessType = null;
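Review bot: With the added `result.isRowFilterEnabled()` condition, a result whose policy type is `POLICY_TYPE_ROWFILTER` but whose filter is not enabled matches none of the branches shown, so whether it gets any audit event depends on code after the hunk. Since this decides what appears in the audit trail, the branch deserves a comment stating the intent, for example `// ROW_FILTER policy matched but no row filter is in effect: do not emit a row-filter audit event`, worded to match what the rest of the method really does. A unit test asserting the audit outcome for that case would keep it from regressing, and the stray space in `resourcePath );` can be dropped. The method body starts and ends outside the hunk.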
 



[ranger] branch master updated: RANGER-4284: Additional logging messages to help with debugging when policy deltas are enabled

2023-06-16 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 04f5f639a RANGER-4284: Additional logging messages to help with 
debugging when policy deltas are enabled
04f5f639a is described below

commit 04f5f639aab36135c18652ab183350080c37ecd4
Author: Abhay Kulkarni 
AuthorDate: Fri Jun 16 09:41:10 2023 -0700

RANGER-4284: Additional logging messages to help with debugging when policy 
deltas are enabled
---
 .../ranger/plugin/policyengine/PolicyEngine.java   |   4 +-
 .../plugin/policyengine/RangerResourceTrie.java|   4 +-
 .../ranger/plugin/service/RangerBasePlugin.java|  12 +-
 .../apache/ranger/plugin/store/ServiceStore.java   |   2 +-
 .../apache/ranger/plugin/util/PolicyRefresher.java |  36 +-
 .../java/org/apache/ranger/biz/ServiceDBStore.java |  23 ++--
 .../ranger/common/RangerServicePoliciesCache.java  | 131 -
 .../org/apache/ranger/db/XXPolicyChangeLogDao.java |   6 +-
 .../main/resources/META-INF/jpa_named_queries.xml  |  11 +-
 9 files changed, 174 insertions(+), 55 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index f1dc03944..1e99b5824 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -680,8 +680,10 @@ public class PolicyEngine {
 LOG.debug("Built matchers for all Zones");
 }
 
+RangerPolicyEngineOptions options = 
pluginContext.getConfig().getPolicyEngineOptions();
+
 for (RangerServiceDef.RangerResourceDef resourceDef : 
serviceDef.getResources()) {
-resourceZoneTrie.put(resourceDef.getName(), new 
RangerResourceTrie<>(resourceDef, matchers));
+resourceZoneTrie.put(resourceDef.getName(), new 
RangerResourceTrie<>(resourceDef, matchers, options.optimizeTrieForSpace, 
options.optimizeTrieForRetrieval, pluginContext));
 }
 }
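Review bot: The two boolean arguments of the new `RangerResourceTrie<>(...)` call are passed as `options.optimizeTrieForSpace, options.optimizeTrieForRetrieval`, while the five-argument call in the RangerTagEnricher diff on this page passes the retrieval flag first and the space flag second (`optimizeTagTrieForRetrieval, optimizeTagTrieForSpace`). The constructor signature is not visible here, so one of the two call sites may have the flags swapped, and the compiler cannot catch it because both are `boolean`. Please check against the constructor; if this call is the wrong one, it should read `new RangerResourceTrie<>(resourceDef, matchers, options.optimizeTrieForRetrieval, options.optimizeTrieForSpace, pluginContext)`. The enclosing method starts and ends outside the hunk.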
 
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
index 07eb5815c..647059203 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
@@ -87,11 +87,13 @@ public class RangerResourceTrie {
 this.optWildcard = other.optWildcard;
 this.wildcardChars   = other.wildcardChars;
 this.isOptimizedForSpace = other.isOptimizedForSpace;
-this.isOptimizedForRetrieval = false;
+this.isOptimizedForRetrieval = other.isOptimizedForRetrieval;
 this.separatorChar   = other.separatorChar;
 this.inheritedEvaluators = other.inheritedEvaluators != null ? new 
HashSet<>(other.inheritedEvaluators) : null;
 this.root= copyTrieSubtree(other.root, null);
 
+wrapUpUpdate();
+
 RangerPerfTracer.logAlways(perf);
 
 if (PERF_TRIE_INIT_LOG.isDebugEnabled()) {
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index b1e2ecbcc..9249b3295 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -421,7 +421,17 @@ public class RangerBasePlugin {
}
 
if (this.refresher != null) {
-   
this.refresher.saveToCache(usePolicyDeltas ? servicePolicies : policies);
+   boolean doPreserveDeltas = 
pluginConfig.getBoolean (pluginConfig.getPropertyPrefix() + ".preserve.deltas", 
false);
+   if (!doPreserveDeltas) {
+   
this.refresher.saveToCache(usePolicyDeltas ? servicePolicies : policies);
+   } else {
+   // Save both deltas and 
all policies to cache for verification
+   
this.refresher.saveToCache(policies);
+
+   if (usePolicyDeltas) {
+   
this

[ranger] branch master updated: RANGER-4219: Grant permission in Impala engine not working with {user} in ranger policy

2023-05-17 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new b6049ce73 RANGER-4219: Grant permission in Impala engine not working 
with {user} in ranger policy
b6049ce73 is described below

commit b6049ce73660a72ab54fd1d5b2ee9ca163ed69e2
Author: Abhay Kulkarni 
AuthorDate: Wed May 17 10:23:31 2023 -0700

RANGER-4219: Grant permission in Impala engine not working with {user} in 
ranger policy
---
 .../RangerDefaultPolicyEvaluator.java  | 30 +-
 .../main/java/org/apache/ranger/biz/XUserMgr.java  |  1 -
 2 files changed, 18 insertions(+), 13 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 96e232b43..eee1e1f1b 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -210,7 +210,7 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
 @Override
 public void evaluate(RangerAccessRequest request, RangerAccessResult 
result) {
 if (LOG.isDebugEnabled()) {
-LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(policyId=" + 
getPolicy().getId() + ", " + request + ", " + result + ")");
+LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(policyId=" + 
getPolicyId() + ", " + request + ", " + result + ")");
 }
 
RangerPerfTracer perf = null;
@@ -256,7 +256,7 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
if 
(!result.getIsAuditedDetermined()) {
if 
(isAuditEnabled()) {

result.setIsAudited(true);
-   
result.setAuditPolicyId(getPolicy().getId());
+   
result.setAuditPolicyId(getPolicyId());
}
}
if 
(!result.getIsAccessDetermined()) {
@@ -273,14 +273,14 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
RangerPerfTracer.log(perf);
 
 if(LOG.isDebugEnabled()) {
-LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(policyId=" + 
getPolicy().getId() + ", " + request + ", " + result + ")");
+LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(policyId=" + 
getPolicyId() + ", " + request + ", " + result + ")");
 }
 }
 
@Override
public boolean isMatch(RangerAccessResource resource, Map evalContext) {
if(LOG.isDebugEnabled()) {
-   LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + 
resource + ", " + evalContext + ")");
+   LOG.debug("==> 
RangerDefaultPolicyEvaluator.isMatch(policy-id=" + getPolicyId() + ", " + 
resource + ", " + evalContext + ")");
}
 
boolean ret = false;
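Review bot: The debug messages in this hunk label the same value two ways: the `evaluate` exit message logs `policyId=` while the new `isMatch` entry message logs `policy-id=`, and the `@@ -304` hunk repeats `policy-id=` in the exit message. Using one label, e.g. `"==> RangerDefaultPolicyEvaluator.isMatch(policyId=" + getPolicyId() + ", "`, keeps a single search term working across a whole trace. Both methods continue outside the hunk.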
@@ -304,7 +304,7 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
RangerPerfTracer.log(perf);
 
if(LOG.isDebugEnabled()) {
-   LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(" + 
resource + ", " + evalContext + "): " + ret);
+   LOG.debug("<== 
RangerDefaultPolicyEvaluator.isMatch(policy-id=" + getPolicyId() + ", " + 
resource + ", " + evalContext + ") : " + ret);
}
 
return ret;
@@ -374,22 +374,28 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
@Override
public Set getAllowedAccesses(RangerAccessResource resource, 
String user, Set userGroups, Set roles, Set 
accessTypes) {
if(LOG.isDebugEnabled()) {
-   LOG.debug("==> 
RangerDefaultPolicyEvaluator.getAllowedAccesses(" + resource + ", " + user + ", 
" + userGroups + ", " + roles + ", " + acc

[ranger] branch master updated: RANGER-4130: Improve performance of event processing in agsync by optimizing number of commits to Kafka broker

2023-04-18 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new e8a6125ba RANGER-4130: Improve performance of event processing in 
agsync by optimizing number of commits to Kafka broker
e8a6125ba is described below

commit e8a6125ba99b5ca4f62923552ddb251ee476cfdd
Author: Abhay Kulkarni 
AuthorDate: Tue Apr 18 18:07:32 2023 -0700

RANGER-4130: Improve performance of event processing in tagsync by 
optimizing number of commits to Kafka broker
---
 .../tagsync/source/atlas/AtlasTagSource.java   | 68 ++
 1 file changed, 32 insertions(+), 36 deletions(-)

diff --git 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
index a618cc986..34a39f73c 100644
--- 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
+++ 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
@@ -52,9 +52,9 @@ public class AtlasTagSource extends AbstractTagSource {
 
public static final String TAGSYNC_ATLAS_PROPERTIES_FILE_NAME = 
"atlas-application.properties";
 
-   public static final String TAGSYNC_ATLAS_KAFKA_ENDPOINTS = 
"atlas.kafka.bootstrap.servers";
-   public static final String TAGSYNC_ATLAS_ZOOKEEPER_ENDPOINT = 
"atlas.kafka.zookeeper.connect";
-   public static final String TAGSYNC_ATLAS_CONSUMER_GROUP = 
"atlas.kafka.entities.group.id";
+   public static final String TAGSYNC_ATLAS_KAFKA_ENDPOINTS  = 
"atlas.kafka.bootstrap.servers";
+   public static final String TAGSYNC_ATLAS_ZOOKEEPER_ENDPOINT   = 
"atlas.kafka.zookeeper.connect";
+   public static final String TAGSYNC_ATLAS_CONSUMER_GROUP   = 
"atlas.kafka.entities.group.id";
 
public static final intMAX_WAIT_TIME_IN_MILLIS = 1000;
 
@@ -168,11 +168,10 @@ public class AtlasTagSource extends AbstractTagSource {
 
private final List 
atlasEntitiesWithTags = new ArrayList<>();
private final List> 
messages  = new ArrayList<>();
+   private   AtlasKafkaMessage   
lastUnhandledMessage  = null;
 
-   private longoffsetOfLastMessageDeliveredToRanger = -1L;
private longoffsetOfLastMessageCommittedToKafka  = -1L;
-
-   private boolean isHandlingDeleteOps   = false;
+   private boolean isHandlingDeleteOps  = false;
 
private 
ConsumerRunnable(NotificationConsumer consumer) {
this.consumer = consumer;
@@ -222,10 +221,11 @@ public class AtlasTagSource extends AbstractTagSource {

}
 

atlasEntitiesWithTags.add(new RangerAtlasEntityWithTags(notificationWrapper));
+   
messages.add(message);
} else {

AtlasNotificationMapper.logUnhandledEntityNotification(notificationWrapper);
+   
lastUnhandledMessage = message;
}
-   
messages.add(message);
}
} else {
LOG.error("Null 
entityNotification received from Kafka!! Ignoring..");
@@ -235,6 +235,10 @@ public class AtlasTagSource extends AbstractTagSource {

buildAndUploadServiceTags();
}
}
+   if (lastUnhandledMessage != null) {
+   
commitToKafka(lastUnhandledMessage);
+   lastUnhandledMessage = null;
+   }
 
} catch (Exception exception) {
LOG.error("Caught exception..: ", 
exception);
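Review bot: The new block after the loop commits the offset of `lastUnhandledMessage` without checking whether handled messages are still queued in `messages` waiting for `buildAndUploadServiceTags()`. The conditions guarding that upload are outside the hunk, so this may already be safe; but if a handled notification with a lower offset has not been uploaded at this point, committing the later offset would make the consumer skip it after a restart and the tag change would never reach Ranger. Either commit only when nothing is pending, `if (lastUnhandledMessage != null && messages.isEmpty()) {`, or add a comment explaining why pending handled messages cannot exist here. The enclosing method continues outside the hunk.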
@@ -255,9 +259,7 @@ public class AtlasTagSource extends AbstractTagSource {
LOG.debug("==> buildAndUploadServiceT

[ranger] branch master updated: RANGER-4185: Improve debugging messages when policy-deltas are enabled

2023-04-18 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 774d159e2 RANGER-4185: Improve debugging messages when policy-deltas 
are enabled
774d159e2 is described below

commit 774d159e2a2967132e8a1eda7f5ddeed08b37a55
Author: Abhay Kulkarni 
AuthorDate: Tue Apr 18 17:15:15 2023 -0700

RANGER-4185: Improve debugging messages when policy-deltas are enabled
---
 .../ranger/plugin/model/RangerPolicyDelta.java |  2 +-
 .../ranger/plugin/policyengine/PolicyEngine.java   | 10 +++-
 .../ranger/plugin/util/RangerPolicyDeltaUtil.java  |  2 +-
 .../java/org/apache/ranger/biz/ServiceDBStore.java | 29 +++---
 .../java/org/apache/ranger/biz/TagDBStore.java |  3 +++
 .../ranger/common/RangerServicePoliciesCache.java  |  2 +-
 .../RangerTransactionSynchronizationAdapter.java   | 15 +--
 7 files changed, 53 insertions(+), 10 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyDelta.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyDelta.java
index 33183727c..e4d9b3a40 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyDelta.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyDelta.java
@@ -87,7 +87,7 @@ public class RangerPolicyDelta implements 
java.io.Serializable {
 
 public void setId(Long id) { this.id = id;}
 
-private void setChangeType(Integer changeType) { this.changeType = 
changeType; }
+public void setChangeType(Integer changeType) { this.changeType = 
changeType; }
 
 private void setPoliciesVersion(Long policiesVersion) { 
this.policiesVersion = policiesVersion; }
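Review bot: `setChangeType` becomes public while the neighbouring `setPoliciesVersion` stays private, so any caller can now rewrite a delta's change type after the object is built. The reason is not visible in this hunk; a short Javadoc line naming the intended caller, e.g. `/** Used by <caller> to re-label a delta before it is sent; not for general use. */` with the real caller filled in, would keep the wider visibility from being used elsewhere. If the caller lives in the same package, package-private access would be enough.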
 
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index 3864f30d2..86b6cd376 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -200,7 +200,15 @@ public class PolicyEngine {
 this.pluginContext = pluginContext;
 this.lock  = new RangerReadWriteLock(isUseReadWriteLock);
 
-LOG.info("Policy engine will" + (isUseReadWriteLock ? " " : " not ") + 
"perform in place update while processing policy-deltas.");
+Boolean  hasPolicyDeltas  = 
RangerPolicyDeltaUtil.hasPolicyDeltas(servicePolicies);
+
+if (hasPolicyDeltas != null) {
+if (hasPolicyDeltas.equals(Boolean.TRUE)) {
+LOG.info("Policy engine will" + (isUseReadWriteLock ? " " : " 
not ") + "perform in place update while processing policy-deltas.");
+} else {
+LOG.info("Policy engine will" + (isUseReadWriteLock ? " " : " 
not ") + "perform in place update while processing policies.");
+}
+}
 
 this.pluginContext.setAuthContext(new RangerAuthContext(null, roles));
 
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
index 86b18aace..b47888e9a 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
@@ -42,7 +42,7 @@ public class RangerPolicyDeltaUtil {
 
 public static List applyDeltas(List policies, 
List deltas, String serviceType) {
 if (LOG.isDebugEnabled()) {
-LOG.debug("==> applyDeltas(serviceType=" + serviceType + ")");
+LOG.debug("==> applyDeltas(serviceType=" + serviceType + ", 
deltas=" + deltas + ")");
 }
 
 List ret;
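Review bot: The entry debug message now concatenates the whole `deltas` list, which renders every policy delta in full each time `applyDeltas` runs with debug logging on. That can produce very large log lines and copies policy contents into debug logs, which are usually retained and shared with less care than the policy store itself. Logging the size is normally enough to correlate with the server side: `LOG.debug("==> applyDeltas(serviceType=" + serviceType + ", deltaCount=" + (deltas == null ? 0 : deltas.size()) + ")");`. The method body continues outside the hunk.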
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index e52a92e04..60903cc97 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -393,6 +393,12 @@ public class ServiceDBStore extends AbstractServiceStore {
isRolesDownloadedByService   = 
config.getBoolean("ranger.support.for.service.specific.role.download", false);
SUPPORTS_IN_PLACE_POLICY_UPDATES= 
SUPPORTS_POLICY_DELTAS && config.getBoolean("ranger.admin" + 
RangerCommonConstants.RANGER_ADMIN_SUFFIX_

[ranger] branch master updated: RANGER-4192: A higher priority Data-masking policy is not considered when computing Datamask type

2023-04-18 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new a378f285a RANGER-4192: A higher priority Data-masking policy is not 
considered when computing Datamask type
a378f285a is described below

commit a378f285a540dcee5f71069c613e198e024d0872
Author: Abhay Kulkarni 
AuthorDate: Tue Apr 18 15:41:46 2023 -0700

RANGER-4192: A higher priority Data-masking policy is not considered when 
computing Datamask type
---
 .../RangerDefaultDataMaskPolicyItemEvaluator.java |  6 --
 .../policyevaluator/RangerDefaultPolicyEvaluator.java |  4 +++-
 .../RangerDefaultRowFilterPolicyItemEvaluator.java| 19 ---
 3 files changed, 11 insertions(+), 18 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
index d979e97e1..6bf768bf1 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
@@ -80,12 +80,6 @@ public class RangerDefaultDataMaskPolicyItemEvaluator 
extends RangerDefaultPolic

result.setMaskCondition(dataMaskInfo.getConditionExpr());
}
 
-   result.setIsAccessDetermined(true);
-   
result.setPolicyPriority(policyEvaluator.getPolicyPriority());
-   result.setPolicyId(policyEvaluator.getPolicyId());
-   result.setReason(getComments());
-   
result.setPolicyVersion(policyEvaluator.getPolicy().getVersion());
-
policyEvaluator.updateAccessResult(result, matchType, 
true, getComments());
}
}
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 2f9c1b019..96e232b43 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -887,7 +887,9 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
}
 
if (allowResult != null) {
-   result.setAccessResultFrom(allowResult);
+   if (!result.getIsAllowed() || 
result.getPolicyPriority() < allowResult.getPolicyPriority()) {
+   
result.setAccessResultFrom(allowResult);
+   }
} else if (denyResult != null) {
result.setAccessResultFrom(denyResult);
}
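Review bot: The new priority check guards only the `allowResult` branch; `else if (denyResult != null)` still overwrites `result` unconditionally, and when the two priorities are equal the existing result is kept. If both are intended, say so in a comment above the check, e.g. `// keep an already-allowed result unless this policy has strictly higher priority; a deny result always replaces it`, adjusted to the real intent. If a deny from a lower-priority policy should not replace a higher-priority result, the deny branch needs the same comparison. The enclosing method starts and ends outside the hunk.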
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
index 63b3be964..d2b3e746b 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
@@ -34,7 +34,7 @@ public class RangerDefaultRowFilterPolicyItemEvaluator 
extends RangerDefaultPoli
final private RangerRequestExprResolver exprResolver;
 
public RangerDefaultRowFilterPolicyItemEvaluator(RangerServiceDef 
serviceDef, RangerPolicy policy, RangerRowFilterPolicyItem policyItem, int 
policyItemIndex, RangerPolicyEngineOptions options) {
-   super(serviceDef, policy, policyItem, 
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK, policyItemIndex, options);
+   super(serviceDef, policy, policyItem, 
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER, policyItemIndex, options);
 
rowFilterPolicyItem = policyItem;
 
@@ -60,17 +60,14 @@ public class RangerDefaultRowFilterPolicyItemEvaluator 
extends RangerDefaultPoli
 
@Override
public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, 
RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
-   if (result.getFilterExpr() == null) {
-   if (exprResolver != null) {
-   
result.setFilterE

[ranger] branch master updated: RANGER-4193: ServiceTagsProcessor fails to handle update of an existing Service-Resource

2023-04-18 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 42b8c973e RANGER-4193: ServiceTagsProcessor fails to handle update of 
an existing Service-Resource
42b8c973e is described below

commit 42b8c973eb120f0dbf983d410d6ee888daa63ab8
Author: Abhay Kulkarni 
AuthorDate: Tue Apr 18 15:36:47 2023 -0700

RANGER-4193: ServiceTagsProcessor fails to handle update of an existing 
Service-Resource
---
 .../src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java| 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java 
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
index fcbc31a99..f29304036 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
@@ -154,7 +154,9 @@ public class ServiceTagsProcessor {
}
existing = 
tagStore.getServiceResourceByGuid(resource.getGuid());

RangerPerfTracer.logAlways(perf);
-   } else {
+   }
+
+   if (existing == null) {

if(MapUtils.isNotEmpty(resource.getResourceElements())) {

if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) {
perf = 
RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, 
"tags.search_service_resource_by_signature(" + resourceId + ")");
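Review bot: Replacing `} else {` with `if (existing == null) {` means the signature lookup now also runs when a GUID was supplied but `getServiceResourceByGuid` found nothing, so an incoming resource can be matched to an existing one that carries a different GUID. A comment above the new `if` should state that this fallback is intended and which GUID is kept on the updated resource, e.g. `// GUID not found (or not given): fall back to lookup by resource signature`. The code that performs the update is outside the hunk, so whether the GUID mismatch is handled there cannot be checked from here.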



[ranger] branch master updated: RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher - Part 2

2023-04-17 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new fb63f21cf RANGER-4136: Incorrect processing of tag-deltas by 
RangerTagEnricher - Part 2
fb63f21cf is described below

commit fb63f21cf6f5007f178eef8f11f68cf2c9a57279
Author: Abhay Kulkarni 
AuthorDate: Mon Apr 17 09:50:42 2023 -0700

RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher - Part 
2
---
 .../plugin/contextenricher/RangerTagEnricher.java  | 64 +++---
 .../org/apache/ranger/plugin/util/ServiceTags.java |  3 +
 2 files changed, 47 insertions(+), 20 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index 198d24d97..e0a86c398 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -385,6 +385,9 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
this.tagRefresher = null;
 
if (tagRefresher != null) {
+   if (LOG.isDebugEnabled()) {
+   LOG.debug("Trying to clean up 
RangerTagRefresher(" + tagRefresher.getName() + ")");
+   }
tagRefresher.cleanup();
}
 
@@ -473,20 +476,16 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
List changedServiceResources = 
deltas.getServiceResources();
 
for (RangerServiceResource serviceResource : 
changedServiceResources) {
-
final boolean removedOldServiceResource = 
MapUtils.isEmpty(serviceResource.getResourceElements()) || 
removeOldServiceResource(serviceResource, resourceMatchers, 
serviceResourceTrie);
-   if (removedOldServiceResource) {
 
+   if (removedOldServiceResource) {
if 
(!StringUtils.isEmpty(serviceResource.getResourceSignature())) {
-
RangerServiceResourceMatcher 
resourceMatcher = createRangerServiceResourceMatcher(serviceResource, 
serviceDefHelper, hierarchies);
 
if (resourceMatcher != null) {
for 
(RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) {
-
-   
RangerPolicy.RangerPolicyResource policyResource = 
serviceResource.getResourceElements().get(resourceDef.getName());
-
-   
RangerResourceTrie trie = 
serviceResourceTrie.get(resourceDef.getName());
+   
RangerPolicy.RangerPolicyResourcepolicyResource = 
serviceResource.getResourceElements().get(resourceDef.getName());
+   
RangerResourceTrie trie   = 
serviceResourceTrie.get(resourceDef.getName());
 
if 
(LOG.isDebugEnabled()) {

LOG.debug("Trying to add resource-matcher to " + (trie == null ? "new" : 
"existing") + " trie for " + resourceDef.getName());
@@ -495,6 +494,7 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
if (trie != null) {

trie.add(policyResource, resourceMatcher);

trie.wrapUpUpdate();
+
if 
(LOG.isDebugEnabled()) {

LOG.debug("Added resource-matcher for policy-resource:[" + policyResource + 
"]");
}
@@ -521,6 +521,7 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
break;
}
}
+
if (isInError) {
LOG.error("Error in processing tag-deltas. Will 
continue to use old tags");
deltas.setTagVersion(-1L);
@@ -530,44 +531,61 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
}
enrichedServiceTags = new 
EnrichedServiceTags(allServiceTags, resou

[ranger] branch master updated: RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher

2023-03-22 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 2e224cf9d RANGER-4136: Incorrect processing of tag-deltas by 
RangerTagEnricher
2e224cf9d is described below

commit 2e224cf9d4d28f3e23b5f8462a92024993a104bc
Author: Abhay Kulkarni 
AuthorDate: Wed Mar 22 11:28:51 2023 -0700

RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher
---
 .../plugin/contextenricher/RangerTagEnricher.java | 19 ++-
 .../plugin/policyengine/RangerAccessRequestImpl.java  | 10 +-
 .../plugin/service/RangerDefaultRequestProcessor.java | 19 ++-
 .../util/RangerResourceEvaluatorsRetriever.java   |  2 +-
 4 files changed, 42 insertions(+), 8 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index efb885a74..198d24d97 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -78,9 +78,8 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
private static final Logger PERF_SET_SERVICETAGS_LOG  = 
RangerPerfTracer.getPerfLogger("tagenricher.setservicetags");
private static final Logger PERF_SERVICETAGS_RETRIEVAL_LOG = 
RangerPerfTracer.getPerfLogger("tagenricher.tags.retrieval");
 
-
private static final String TAG_REFRESHER_POLLINGINTERVAL_OPTION = 
"tagRefresherPollingInterval";
-   public  static final String TAG_RETRIEVER_CLASSNAME_OPTION   = 
"tagRetrieverClassName";
+   public static final String TAG_RETRIEVER_CLASSNAME_OPTION= 
"tagRetrieverClassName";
private static final String TAG_DISABLE_TRIE_PREFILTER_OPTION= 
"disableTrieLookupPrefilter";
 
private RangerTagRefresher tagRefresher;
@@ -485,12 +484,19 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
if (resourceMatcher != null) {
for 
(RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) {
 
+   
RangerPolicy.RangerPolicyResource policyResource = 
serviceResource.getResourceElements().get(resourceDef.getName());
+

RangerResourceTrie trie = 
serviceResourceTrie.get(resourceDef.getName());
 
+   if 
(LOG.isDebugEnabled()) {
+   
LOG.debug("Trying to add resource-matcher to " + (trie == null ? "new" : 
"existing") + " trie for " + resourceDef.getName());
+   }
+
if (trie != null) {
-   
trie.add(serviceResource.getResourceElements().get(resourceDef.getName()), 
resourceMatcher);
+   
trie.add(policyResource, resourceMatcher);
+   
trie.wrapUpUpdate();
if 
(LOG.isDebugEnabled()) {
-   
LOG.debug("Added resource-matcher for service-resource:[" + serviceResource + 
"]");
+   
LOG.debug("Added resource-matcher for policy-resource:[" + policyResource + 
"]");
}
} else {
trie = new 
RangerResourceTrie<>(resourceDef, Collections.singletonList(resourceMatcher), 
getPolicyEngineOptions().optimizeTagTrieForRetrieval, 
getPolicyEngineOptions().optimizeTagTrieForSpace, null);
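Review bot: `policyResource` is null for any resource level the service-resource does not define, because the loop walks every entry of `serviceDef.getResources()`, and the value is passed to `trie.add(...)` and logged without a check. How `RangerResourceTrie.add` treats a null resource is not visible in this hunk; if null is meant to match any value at that level, a comment should say so, and otherwise the add should be skipped when it is null. `trie.wrapUpUpdate()` is the functional change but carries no explanation; a comment such as `// finalize the in-place update so that lookups see the added matcher` (wording to be confirmed against RangerResourceTrie) would tell the next reader why it must follow `add`. The enclosing method starts and ends outside the hunk.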
@@ -541,7 +547,7 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
RangerAccessResourceImpl accessResource = new 
RangerAccessResourceImpl();
 
for (Map.Entry entry : 
serviceResource.getResourceElements().entrySet()) {
-   accessResource.setValue(entry.getKey(), 
entry.getValue());
+   accessResource.setValue(entry.getKey(), 
entry.getValue().getValues

[ranger] branch master updated: RANGER-4129: ArrayIndexOutOfBounds exception may be thrown while processing events

2023-03-14 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new fe33f69ae RANGER-4129: ArrayIndexOutOfBounds exception may be thrown 
while processing events
fe33f69ae is described below

commit fe33f69ae5d4ac4f2aa9788523d0bb7313c150f2
Author: Abhay Kulkarni 
AuthorDate: Tue Mar 14 07:59:00 2023 -0700

RANGER-4129: ArrayIndexOutOfBounds exception may be thrown while processing 
events
---
 .../source/atlas/AtlasNotificationMapper.java  | 52 -
 .../tagsync/source/atlas/AtlasTagSource.java   | 67 +++---
 2 files changed, 35 insertions(+), 84 deletions(-)

diff --git 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java
 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java
index a7c456b3d..5d5ab8a7d 100644
--- 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java
+++ 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java
@@ -75,29 +75,6 @@ public class AtlasNotificationMapper {
 }
 }
 
-public static ServiceTags 
processEntityNotification(EntityNotificationWrapper entityNotification) {
-
-ServiceTags ret = null;
-
-if (isNotificationHandled(entityNotification)) {
-try {
-RangerAtlasEntityWithTags entityWithTags = new 
RangerAtlasEntityWithTags(entityNotification);
-
-if (entityNotification.getIsEntityDeleteOp()) {
-ret = 
buildServiceTagsForEntityDeleteNotification(entityWithTags);
-} else {
-ret = buildServiceTags(entityWithTags, null);
-}
-
-} catch (Exception exception) {
-LOG.error("createServiceTags() failed!! ", exception);
-}
-} else {
-logUnhandledEntityNotification(entityNotification);
-}
-return ret;
-}
-
 public static Map 
processAtlasEntities(List atlasEntities) {
 Map ret = null;
 
@@ -159,35 +136,6 @@ public class AtlasNotificationMapper {
 return ret;
 }
 
-@SuppressWarnings("unchecked")
-static ServiceTags 
buildServiceTagsForEntityDeleteNotification(RangerAtlasEntityWithTags 
entityWithTags) {
-final ServiceTags ret;
-
-RangerAtlasEntity   entity = entityWithTags.getEntity();
-String  guid   = entity.getGuid();
-
-if (StringUtils.isNotBlank(guid)) {
-ret   = new ServiceTags();
-RangerServiceResource serviceResource = new 
RangerServiceResource();
-serviceResource.setGuid(guid);
-ret.getServiceResources().add(serviceResource);
-} else {
-ret = buildServiceTags(entityWithTags, null);
-if (ret != null) {
-// tag-definitions should NOT be deleted as part of 
service-resource delete
-ret.setTagDefinitions(MapUtils.EMPTY_MAP);
-// Ranger deletes tags associated with deleted service-resource
-ret.setTags(MapUtils.EMPTY_MAP);
-}
-}
-
-if (ret != null) {
-ret.setOp(ServiceTags.OP_DELETE);
-}
-
-return ret;
-}
-
 static private Map 
buildServiceTags(List entitiesWithTags) {
 
 Map ret = new HashMap<>();
diff --git 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
index 1a3ddecb5..a618cc986 100644
--- 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
+++ 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
@@ -87,7 +87,7 @@ public class AtlasTagSource extends AbstractTagSource {
try {
inputStream.close();
} catch (IOException ioException) {
-   LOG.error("Cannot close Atlas 
application properties file, file-name:\" + 
TAGSYNC_ATLAS_PROPERTIES_FILE_NAME", ioException);
+   LOG.error("Cannot close Atlas 
application properties file, file-name:" + TAGSYNC_ATLAS_PROPERTIES_FILE_NAME, 
ioException);
}
}
} else {
@@ -214,18 +214,17 @@ public class AtlasTagSource extends AbstractTagSource {
 
if 
(AtlasNotificat

[ranger] branch master updated: RANGER-4115: Tags containing attributes not processed correctly by tagsync

2023-03-02 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 48a635c30 RANGER-4115: Tags containing attributes not processed 
correctly by tagsync
48a635c30 is described below

commit 48a635c30ac2afe4492f06d132cc517431933dd8
Author: Abhay Kulkarni 
AuthorDate: Thu Mar 2 17:16:21 2023 -0800

RANGER-4115: Tags containing attributes not processed correctly by tagsync
---
 .../ranger/tagsync/source/atlas/AtlasNotificationMapper.java   | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java
 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java
index dadc76a54..a7c456b3d 100644
--- 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java
+++ 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java
@@ -351,9 +351,14 @@ public class AtlasNotificationMapper {
 
 RangerTagDef tagDef = new RangerTagDef(tag.getName(), 
"Atlas");
 if (MapUtils.isNotEmpty(tag.getAttributes())) {
+List attributeDefs = 
tagDef.getAttributeDefs();
+if (attributeDefs == null) {
+attributeDefs = new ArrayList<>();
+}
 for (String attributeName : 
tag.getAttributes().keySet()) {
-tagDef.getAttributeDefs().add(new 
RangerTagAttributeDef(attributeName, 
entityWithTags.getTagAttributeType(tag.getName(), attributeName)));
+attributeDefs.add(new 
RangerTagAttributeDef(attributeName, 
entityWithTags.getTagAttributeType(tag.getName(), attributeName)));
 }
+tagDef.setAttributeDefs(attributeDefs);
 }
 ret.add(tagDef);
 }
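Review bot: The new null check on `tagDef.getAttributeDefs()` has no comment saying why a freshly constructed `RangerTagDef` can return null here, so it reads as defensive noise and is easy to remove again. A one-line comment above it would record the reason, for example `// getAttributeDefs() may be null on a new RangerTagDef; build the list locally and set it back` (presumably the failure behind RANGER-4115; confirm against RangerTagDef). Tag definitions dropped at this point never reach Ranger, so tag-based policies would not see them. The enclosing method starts outside the hunk.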



[ranger] branch master updated: RANGER-4100: Efficient computation of the smallest set of evaluators returned by search of multiple Trie trees

2023-02-20 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 85f5483ed RANGER-4100: Efficient computation of the smallest set of 
evaluators returned by search of multiple Trie trees
85f5483ed is described below

commit 85f5483ed444bf40caa588ec5b788a51532c3095
Author: Abhay Kulkarni 
AuthorDate: Mon Feb 20 14:11:05 2023 -0800

RANGER-4100: Efficient computation of the smallest set of evaluators 
returned by search of multiple Trie trees
---
 .../plugin/contextenricher/RangerTagEnricher.java  |  75 +-
 .../validation/RangerSecurityZoneValidator.java|  65 +
 .../ranger/plugin/policyengine/PolicyEngine.java   | 111 ---
 .../util/RangerResourceEvaluatorsRetriever.java| 158 +
 .../plugin/policyengine/TestPolicyEngine.java  |   3 +-
 5 files changed, 195 insertions(+), 217 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index bbea4cec6..8f2ecaa1d 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -44,6 +44,7 @@ import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 import org.apache.ranger.plugin.util.RangerCommonConstants;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
 import org.apache.ranger.plugin.util.RangerReadWriteLock;
+import org.apache.ranger.plugin.util.RangerResourceEvaluatorsRetriever;
 import org.apache.ranger.plugin.util.RangerServiceNotFoundException;
 import org.apache.ranger.plugin.util.RangerServiceTagsDeltaUtil;
 import org.apache.ranger.plugin.util.ServiceTags;
@@ -549,7 +550,7 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
RangerAccessRequestImpl  request = new 
RangerAccessRequestImpl();
request.setResource(accessResource);
 
-   List oldMatchers = 
getEvaluators(request, enrichedServiceTags);
+   Collection oldMatchers = 
getEvaluators(request, enrichedServiceTags);
 
if (LOG.isDebugEnabled()) {
LOG.debug("Found [" + oldMatchers.size() + "] 
matchers for service-resource[" + serviceResource + "]");
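Review bot: `oldMatchers.size()` in the debug message dereferences the result of `getEvaluators` without a null check, and this commit removes the `Collections.EMPTY_LIST` default that `getEvaluators` used to start from (hunk @@ -724,11 +725,11). If the new retrieval path can return null, which the visible hunks do not show, enabling debug logging would turn a no-match lookup into a NullPointerException during tag-delta processing. The other caller (hunk @@ -676,7 +677,7) goes through `CollectionUtils.isNotEmpty`, which tolerates null. Either guard this use the same way or have `getEvaluators` end with `return ret == null ? Collections.emptyList() : ret;`.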
@@ -676,7 +677,7 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
ret = 
enrichedServiceTags.getTagsForEmptyResourceAndAnyAccess();
} else {
 
-   final List 
serviceResourceMatchers = getEvaluators(request, enrichedServiceTags);
+   final Collection 
serviceResourceMatchers = getEvaluators(request, enrichedServiceTags);
 
if 
(CollectionUtils.isNotEmpty(serviceResourceMatchers)) {
 
@@ -724,11 +725,11 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
return ret;
}
 
-   private List 
getEvaluators(RangerAccessRequest request, EnrichedServiceTags 
enrichedServiceTags) {
+   private Collection 
getEvaluators(RangerAccessRequest request, EnrichedServiceTags 
enrichedServiceTags) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> 
RangerTagEnricher.getEvaluators(request=" + request + ")");
}
-   List  ret= 
Collections.EMPTY_LIST;
+   Collection  ret;
 
RangerAccessResourceresource   = 
request.getResource();
 
@@ -743,71 +744,7 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
perf = 
RangerPerfTracer.getPerfTracer(PERF_TRIE_OP_LOG, 
"RangerTagEnricher.getEvaluators(resource=" + resource.getAsString() + ")");
}
 
-   ListresourceKeys = 
serviceDefHelper.getOrderedResourceNames(resource.getKeys());
-   Set   smallestList = 
null;
-
-   if (CollectionUtils.isNotEmpty(resourceKeys)) {
-
-   for (String resourceName : resourceKeys) {
-   
RangerResourceTrie trie = 
serviceResourceTrie.get(resourceName);
-
-   if (trie == null) { // if no trie 
exists for this resource level, ignore and continue to next level
-   continue;
-   }
-
-   Set 
serviceResourceMatchersForResource = 
trie.getEvaluatorsForRe

[ranger] branch master updated: RANGER-3999: Implement more efficient way to handle _any access authorization - Part 3

2023-02-16 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 4b941b2f0 RANGER-3999: Implement more efficient way to handle _any 
access authorization - Part 3
4b941b2f0 is described below

commit 4b941b2f0d7a8390155c61fa0960c42aa8a37b69
Author: Abhay Kulkarni 
AuthorDate: Thu Feb 16 10:20:13 2023 -0800

RANGER-3999: Implement more efficient way to handle _any access 
authorization - Part 3
---
 .../RangerDefaultPolicyEvaluator.java  |  2 +-
 .../plugin/util/RangerAccessRequestUtil.java   |  2 +-
 .../plugin/policyengine/TestPolicyEngine.java  |  8 ++
 .../policyengine/test_policyengine_hive.json   | 32 ++
 4 files changed, 42 insertions(+), 2 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 9a0df550c..2f9c1b019 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -242,7 +242,7 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
 
final boolean isMatched;
 
-   if (request.isAccessTypeAny() || 
RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
+   if (request.isAccessTypeAny()) {
isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
} else if 
(request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
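Review bot: The resource-match decision now looks only at `request.isAccessTypeAny()`, while the ISANYACCESS context flag is still written by `setAllRequestedAccessTypes` (RangerAccessRequestUtil hunk in this commit), and nothing at this condition says what the flag still controls. Since this branch decides whether a policy applies to a request at all, the intent should be stated in a comment, for example `// ISANYACCESS in the context only affects how per-access-type results are combined, not resource matching`, if that is what is meant. The enclosing method starts and ends outside the hunk.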
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index a51f2322a..b505f495b 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -222,7 +222,7 @@ public class RangerAccessRequestUtil {
 
 public static void setAllRequestedAccessTypes(Map 
context, Set accessTypes, Boolean isAny) {
 context.put(KEY_CONTEXT_ACCESSTYPES, accessTypes);
-context.put(KEY_CONTEXT_IS_ANY_ACCESS, isAny);
+   setIsAnyAccessInContext(context, isAny);
 }
 
public static Set 
getAllRequestedAccessTypes(RangerAccessRequest request) {
diff --git 
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index eb3d0ff46..89e678bf9 100644
--- 
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -69,6 +69,7 @@ import java.io.OutputStreamWriter;
 import java.lang.reflect.Type;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
@@ -923,6 +924,13 @@ public class TestPolicyEngine {
if (ret.getAccessTime() == null) {
ret.setAccessTime(new Date());
}
+   Map reqContext = ret.getContext();
+   Object accessTypes = reqContext.get("ACCESSTYPES");
+   if (accessTypes != null) {
+   Collection accessTypesCollection = 
(Collection) accessTypes;
+   Set requestedAccesses = new 
HashSet<>(accessTypesCollection);
+   ret.getContext().put("ACCESSTYPES", 
requestedAccesses);
+   }
 
return ret;
}
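Review bot: The literal `"ACCESSTYPES"` repeats `RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES`, so the test would silently stop normalising the entry if the key were renamed. Use the constant in both places and write through the `reqContext` local that is already fetched: `reqContext.put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, requestedAccesses);`. The cast to `Collection` is unchecked, so a test file that supplies a single string for this key fails with a ClassCastException rather than a clear message. The enclosing method starts outside the hunk.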
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json 
b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
index 0544feb14..8e34aa174 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
@@ -123,10 +123,42 @@
   "policyItems":[
 
{"accesses":[{"type":"read","isAllowed":true},{&q

[ranger] branch master updated: RANGER-3999: Implement more efficient way to handle _any access authorization - Part 2

2023-02-13 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 7a7215f67 RANGER-3999: Implement more efficient way to handle _any 
access authorization - Part 2
7a7215f67 is described below

commit 7a7215f67e7db807ee0401f2b41d7bb871a248f5
Author: Abhay Kulkarni 
AuthorDate: Mon Feb 13 14:23:02 2023 -0800

RANGER-3999: Implement more efficient way to handle _any access 
authorization - Part 2
---
 .../ranger/plugin/policyengine/RangerPolicyEngineImpl.java   | 3 +--
 .../plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 9 -
 .../org/apache/ranger/plugin/util/RangerAccessRequestUtil.java   | 5 +
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 4f65d3da2..e75bb722c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -703,8 +703,7 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
String requestedAccess = 
accessTypeDef.getName();
allRequestedAccesses.add(requestedAccess);
}
-   
RangerAccessRequestUtil.setIsAnyAccessInContext(request.getContext(), 
Boolean.TRUE);
-   
request.getContext().put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, 
allRequestedAccesses);
+   
RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), 
allRequestedAccesses, Boolean.TRUE);
}
 
ret = evaluatePoliciesForOneAccessTypeNoAudit(request, 
policyType, zoneName, policyRepository, tagPolicyRepository);
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 55752e79c..9a0df550c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -833,6 +833,9 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
 
for (String accessType : allRequestedAccesses) {
 
+   if (LOG.isDebugEnabled()) {
+   LOG.debug("Checking for 
accessType:[" + accessType + "]");
+   }
RangerAccessRequestWrapper  oneRequest 
= new RangerAccessRequestWrapper(request, accessType);
RangerAccessResult  oneResult  
= new RangerAccessResult(result.getPolicyType(), result.getServiceName(), 
result.getServiceDef(), oneRequest);
 
@@ -846,7 +849,7 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
updateAccessResult(oneResult, 
matchType, false, "matched deny-all-else policy");
}
 
-   if (request.isAccessTypeAny()) {
+   if (request.isAccessTypeAny() || 
RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
// Implement OR logic
if (oneResult.getIsAllowed()) {
allowResult = oneResult;
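Review bot: Whether the per-access-type results are combined with OR now depends on the ISANYACCESS entry of `request.getContext()`, a plain map that enrichers and calling plugins also write to, rather than only on the request's own access type. In this commit the flag is set by RangerPolicyEngineImpl through `setAllRequestedAccessTypes(..., Boolean.TRUE)`. If that is meant to be the only writer, say so next to the condition, e.g. `// ISANYACCESS is set by the policy engine only; callers must not put it in the context`. `getIsAnyAccessInContext` calls `context.get` directly, so a request whose context is null would throw here. The else branch and the rest of the method are outside the hunk.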
@@ -879,6 +882,10 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
}
}
 
+   if (LOG.isDebugEnabled()) {
+   LOG.debug("allowResult:[" + allowResult 
+ "], denyResult:[" + denyResult + "], noResult:[" + noResult + "]");
+   }
+
if (allowResult != null) {
result.setAccessResultFrom(allowResult);
} else if (denyResult != null) {
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index 0ebb9cba5..a51f2322a 1

[ranger] branch master updated: RANGER-4070: Provide mechanism to manage potentially multiple enrichment of an access request

2023-02-04 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new df0a778cb RANGER-4070: Provide mechanism to manage potentially 
multiple enrichment of an access request
df0a778cb is described below

commit df0a778cb7d14e896c7cc88a4b720645d89668c5
Author: Abhay Kulkarni 
AuthorDate: Sat Feb 4 22:09:42 2023 -0800

RANGER-4070: Provide mechanism to manage potentially multiple enrichment of 
an access request
---
 .../plugin/service/RangerDefaultRequestProcessor.java |  5 +
 .../ranger/plugin/util/RangerAccessRequestUtil.java   | 19 ---
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
index 636d09038..80d27e8e8 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
@@ -48,6 +48,11 @@ public class RangerDefaultRequestProcessor implements 
RangerAccessRequestProcess
 @Override
 public void preProcess(RangerAccessRequest request) {
 
+if 
(RangerAccessRequestUtil.getIsRequestPreprocessed(request.getContext())) {
+return;
+}
+RangerAccessRequestUtil.setIsRequestPreprocessed(request.getContext(), 
Boolean.TRUE);
+
 setResourceServiceDef(request);
 
 RangerAccessRequestImpl reqImpl = null;
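Review bot: The ISREQUESTPREPROCESSED flag is written before `setResourceServiceDef(request)` and the remaining steps run, so if any later step throws, the request stays marked as preprocessed and a second `preProcess` call returns early with the work incomplete; the request could then be evaluated without the context its policies expect. If the early write is there to stop re-entrant calls, state that in a comment, e.g. `// set first so that nested preProcess() calls return immediately`; otherwise make `RangerAccessRequestUtil.setIsRequestPreprocessed(request.getContext(), Boolean.TRUE);` the last statement of the method. Both helper calls use `request.getContext()` without a null check. `preProcess` continues past the end of this hunk.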
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index 05d9a6007..0ebb9cba5 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -47,6 +47,7 @@ public class RangerAccessRequestUtil {
public static final String KEY_CONTEXT_ACCESSTYPES = "ACCESSTYPES";
public static final String KEY_CONTEXT_IS_ANY_ACCESS = "ISANYACCESS";
public static final String KEY_CONTEXT_REQUEST   = "_REQUEST";
+   public static final String KEY_CONTEXT_IS_REQUEST_PREPROCESSED = 
"ISREQUESTPREPROCESSED";
 
public static void setRequestTagsInContext(Map context, 
Set tags) {
if(CollectionUtils.isEmpty(tags)) {
@@ -131,6 +132,9 @@ public class RangerAccessRequestUtil {
ret.remove(KEY_CONTEXT_TAG_OBJECT);
ret.remove(KEY_CONTEXT_RESOURCE);
ret.remove(KEY_CONTEXT_REQUEST);
+   ret.remove(KEY_CONTEXT_ACCESSTYPES);
+   ret.remove(KEY_CONTEXT_IS_ANY_ACCESS);
+   ret.remove(KEY_CONTEXT_IS_REQUEST_PREPROCESSED);
// don't remove REQUESTED_RESOURCES
}
 
@@ -198,9 +202,18 @@ public class RangerAccessRequestUtil {
context.put(KEY_CONTEXT_IS_ANY_ACCESS, value);
}
 
-   public static Boolean getIsAnyAccessInContext(Map 
context) {
-   Boolean ret = (Boolean)context.get(KEY_CONTEXT_IS_ANY_ACCESS);
-   return ret == null ? Boolean.FALSE : ret;
+   public static boolean getIsAnyAccessInContext(Map 
context) {
+   Boolean value = (Boolean)context.get(KEY_CONTEXT_IS_ANY_ACCESS);
+   return value != null && value;
+   }
+
+   public static void setIsRequestPreprocessed(Map 
context, Boolean value) {
+   context.put(KEY_CONTEXT_IS_REQUEST_PREPROCESSED, value);
+   }
+
+   public static boolean getIsRequestPreprocessed(Map 
context) {
+   Boolean value = 
(Boolean)context.get(KEY_CONTEXT_IS_REQUEST_PREPROCESSED);
+   return value != null && value;
}
 
public static void setAllRequestedAccessTypes(Map 
context, Set accessTypes) {
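Review bot: `(Boolean)context.get(...)` in `getIsAnyAccessInContext` and `getIsRequestPreprocessed` throws ClassCastException when the entry holds anything other than a Boolean, for instance a String in a context built from deserialized data. `return Boolean.TRUE.equals(context.get(KEY_CONTEXT_IS_REQUEST_PREPROCESSED));` gives the same result for Boolean and missing values and returns false for any other type; the same form fits `getIsAnyAccessInContext`. Changing that method's return type from `Boolean` to `boolean` also changes its descriptor, so plugin code compiled against the older jar would need recompiling. None of the four helpers checks `context` for null.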



[ranger] branch master updated: RANGER-4069: Add performance tracing instrumentation to Tag Enricher

2023-02-04 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new f9bfc90fb RANGER-4069: Add performance tracing instrumentation to Tag 
Enricher
f9bfc90fb is described below

commit f9bfc90fb53f06a752f4190e20be337ed70ec657
Author: Abhay Kulkarni 
AuthorDate: Sat Feb 4 11:25:16 2023 -0800

RANGER-4069: Add performance tracing instrumentation to Tag Enricher
---
 .../apache/ranger/plugin/contextenricher/RangerTagEnricher.java  | 9 +
 1 file changed, 9 insertions(+)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index da06e4161..bbea4cec6 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -75,6 +75,7 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
private static final Logger PERF_CONTEXTENRICHER_INIT_LOG = 
RangerPerfTracer.getPerfLogger("contextenricher.init");
private static final Logger PERF_TRIE_OP_LOG  = 
RangerPerfTracer.getPerfLogger("resourcetrie.retrieval");
private static final Logger PERF_SET_SERVICETAGS_LOG  = 
RangerPerfTracer.getPerfLogger("tagenricher.setservicetags");
+   private static final Logger PERF_SERVICETAGS_RETRIEVAL_LOG = 
RangerPerfTracer.getPerfLogger("tagenricher.tags.retrieval");
 
 
private static final String TAG_REFRESHER_POLLINGINTERVAL_OPTION = 
"tagRefresherPollingInterval";
@@ -665,6 +666,12 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
 
RangerAccessResource resource = request.getResource();
 
+   RangerPerfTracer perf = null;
+
+   if 
(RangerPerfTracer.isPerfTraceEnabled(PERF_SERVICETAGS_RETRIEVAL_LOG)) {
+   perf = 
RangerPerfTracer.getPerfTracer(PERF_SERVICETAGS_RETRIEVAL_LOG, 
"RangerTagEnricher.findMatchingTags=" + resource.getAsString() + ")");
+   }
+
if ((resource == null || resource.getKeys() == null || 
resource.getKeys().isEmpty()) && request.isAccessTypeAny()) {
ret = 
enrichedServiceTags.getTagsForEmptyResourceAndAnyAccess();
} else {
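Review bot: `resource.getAsString()` in the new perf-tracer block is evaluated before the `resource == null` test that follows it, so a request without a resource throws a NullPointerException whenever the `tagenricher.tags.retrieval` perf logger is enabled. Build the tag null-safely, e.g. `"RangerTagEnricher.findMatchingTags(resource=" + (resource == null ? null : resource.getAsString()) + ")"`, which also closes the parenthesis the current string leaves unbalanced. `RangerPerfTracer.logAlways(perf)` in the later hunk (@@ -698,6 +705,8) is not in a `finally`, so an exception between the two points drops the trace. The method body lies partly outside both hunks.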
@@ -698,6 +705,8 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
}
}
 
+   RangerPerfTracer.logAlways(perf);
+
if (CollectionUtils.isEmpty(ret)) {
if (LOG.isDebugEnabled()) {
LOG.debug("RangerTagEnricher.findMatchingTags(" 
+ resource + ") - No tags Found ");



[ranger] branch master updated: RANGER-4009:Open read access to some Policy Engine objects and metrics

2022-12-09 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 245de9179 RANGER-4009:Open read access to some Policy Engine objects 
and metrics
245de9179 is described below

commit 245de9179b0a3270adcbc20f9cb128ea7dd79e49
Author: Abhay Kulkarni 
AuthorDate: Fri Dec 9 11:15:17 2022 -0800

RANGER-4009:Open read access to some Policy Engine objects and metrics
---
 .../plugin/policyengine/RangerPolicyEngineImpl.java  |  6 +-
 .../plugin/policyengine/RangerPolicyRepository.java  | 16 
 .../apache/ranger/plugin/service/RangerBasePlugin.java   |  4 
 3 files changed, 25 insertions(+), 1 deletion(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 8d80ad6a3..4f65d3da2 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -599,10 +599,14 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
return ret;
}
 
-   PolicyEngine getPolicyEngine() {
+   public PolicyEngine getPolicyEngine() {
return policyEngine;
}
 
+   public RangerAccessRequestProcessor getRequestProcessor() {
+   return requestProcessor;
+   }
+
private RangerPolicyEngineImpl(final PolicyEngine policyEngine, 
RangerPolicyEngineImpl other) {
this.policyEngine = policyEngine;
this.requestProcessor = new 
RangerDefaultRequestProcessor(policyEngine);
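Review bot: `getPolicyEngine()` and the new `getRequestProcessor()` return the live `policyEngine` and `requestProcessor` fields to any caller, while the commit title speaks of read access only. Whether those types expose mutating methods is not visible here, so the read-only contract should at least be stated in Javadoc, e.g. `/** Returns the live PolicyEngine for inspection and metrics; callers must not modify it. */`. The same applies to the `protected RangerPolicyEngine getPolicyEngine()` added to RangerBasePlugin in this commit. Where only numbers are needed, narrow accessors like the `get*EvaluatorCount()` methods added to RangerPolicyRepository expose less of the authorization state.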
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 85a3afd01..297f5e635 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -566,6 +566,22 @@ public class RangerPolicyRepository {
 return policyEvaluators;
 }
 
+public int getPolicyEvaluatorCount() {
+return policyEvaluators.size();
+}
+
+public int getDataMaskPolicyEvaluatorCount() {
+return dataMaskPolicyEvaluators.size();
+}
+
+public int getRowFilterPolicyEvaluatorCount() {
+return rowFilterPolicyEvaluators.size();
+}
+
+public int getAuditPolicyEvaluatorCount() {
+return auditPolicyEvaluators.size();
+}
+
 List getDataMaskPolicyEvaluators() {
 return dataMaskPolicyEvaluators;
 }
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index ba1467828..b1e2ecbcc 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -1137,6 +1137,10 @@ public class RangerBasePlugin {
return baseACLs;
}
 
+   protected RangerPolicyEngine getPolicyEngine() {
+   return policyEngine;
+   }
+
private RangerAdminClient getAdminClient() throws Exception {
PolicyRefresher   refresher = this.refresher;
RangerAdminClient admin = refresher == null ? null : 
refresher.getRangerAdminClient();



[ranger] branch master updated: RANGER-4007: HDFS Authorizer changes to take advantage of support for multiple access-types in the Ranger Access Request

2022-12-08 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new fdc527b54 RANGER-4007: HDFS Authorizer changes to take advantage of 
support for multiple access-types in the Ranger Access Request
fdc527b54 is described below

commit fdc527b542bab6f101f530b39bf688a11e16b352
Author: Abhay Kulkarni 
AuthorDate: Thu Dec 8 19:07:57 2022 -0800

RANGER-4007: HDFS Authorizer changes to take advantage of support for 
multiple access-types in the Ranger Access Request
---
 .../authorization/hadoop/RangerHdfsAuthorizer.java | 43 +-
 1 file changed, 18 insertions(+), 25 deletions(-)

diff --git 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index ef6f4f865..9b1279bcb 100644
--- 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -199,7 +199,7 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
return rangerPlugin.getConfig();
}
 
-   private enum AuthzStatus { ALLOW, DENY, NOT_DETERMINED };
+   private enum AuthzStatus { ALLOW, DENY, NOT_DETERMINED }
 
class RangerAccessControlEnforcer implements AccessControlEnforcer {
private INodeAttributeProvider.AccessControlEnforcer 
defaultEnforcer = null;
@@ -716,11 +716,12 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
accessTypes = 
access2ActionListMapper.get(FsAction.NONE);
}
 
-   for(String accessType : accessTypes) {
-   RangerHdfsAccessRequest request = new 
RangerHdfsAccessRequest(inode, path, pathOwner, access, accessType, 
context.operationName, context.user, context.userGroups);
+   if (accessTypes.size() > 0) {
+   RangerHdfsAccessRequest request = new 
RangerHdfsAccessRequest(inode, path, pathOwner, access, 
accessTypes.iterator().next(), context.operationName, context.user, 
context.userGroups);
 
-   Map requestContext = 
request.getContext();
-   
requestContext.put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, 
accessTypes);
+   if (accessTypes.size() > 1) {
+   
RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), 
accessTypes);
+   }
 
RangerAccessResult result = 
context.plugin.isAccessAllowed(request, context.auditHandler);
 
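Review bot: With the loop gone, only `accessTypes.iterator().next()` is passed as the request's access type, and every other requested type is authorized solely through `RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), accessTypes)`. The old code stopped at the first explicit deny for any type; the new code gives that guarantee only if every evaluator behind `context.plugin.isAccessAllowed` reads the context entry, which these lines do not show. If `accessTypes` is an unordered collection, the type carried on the request (and presumably recorded in audit) is also arbitrary. I would state the contract at the construction site, e.g. `// first accessType is only a representative; all of accessTypes are evaluated via the request context`, and add a test where only a non-first access type is denied. The `subDirPath` hunk further down uses the same pattern.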
@@ -728,14 +729,10 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
 
if (result == null || 
!result.getIsAccessDetermined()) {
ret = AuthzStatus.NOT_DETERMINED;
-   // don't break yet; subsequent 
accessType could be denied
-   } else if(! result.getIsAllowed()) { // 
explicit deny
+   } else if (!result.getIsAllowed()) { // 
explicit deny
ret = AuthzStatus.DENY;
-   break;
} else { // allowed
-   
if(!AuthzStatus.NOT_DETERMINED.equals(ret)) { // set to ALLOW only if there was 
no NOT_DETERMINED earlier
-   ret = AuthzStatus.ALLOW;
-   }
+   ret = AuthzStatus.ALLOW;
}
}
 
@@ -782,11 +779,12 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
}
subDirPath = subDirPath + 
rangerPlugin.getRandomizedWildcardPathName();
 
-   for (String accessType : accessTypes) {
-   RangerHdfsAccessRequest request = new 
RangerHdfsAccessRequest(null, subDirPath, pathOwner, access, accessType, 
context.operationName, context.user, context.userGroups);
+   if (accessTypes.size() > 0) {
+   RangerHdfsAccessRequest request = new 
RangerHdfsAccessRequest(null, subDirPath, pathOwner, access, 
accessTypes.iterator().next(), context.operationName, context.user, 
context.userGroups);
 
-   Map requestContext = 
request.getContext();
-   
requestCo

[ranger] branch master updated: RANGER-3999: Implement more efficient way to handle _any access authorization

2022-12-06 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 56d5bf917 RANGER-3999: Implement more efficient way to handle _any 
access authorization
56d5bf917 is described below

commit 56d5bf9173dc2c6d04692a07e67eace5e5d98ed4
Author: Abhay Kulkarni 
AuthorDate: Tue Dec 6 14:25:10 2022 -0800

RANGER-3999: Implement more efficient way to handle _any access 
authorization
---
 .../policyengine/RangerAccessRequestWrapper.java   | 105 +
 .../policyengine/RangerPolicyEngineImpl.java   |  37 ++--
 .../RangerDefaultPolicyEvaluator.java  |  95 +--
 .../RangerOptimizedPolicyEvaluator.java|   6 ++
 .../plugin/util/RangerAccessRequestUtil.java   |  13 ++-
 5 files changed, 218 insertions(+), 38 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
new file mode 100644
index 0..6aec330d7
--- /dev/null
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import org.apache.commons.lang.StringUtils;
+
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+public class RangerAccessRequestWrapper implements RangerAccessRequest {
+
+private final RangerAccessRequest request;
+private final String  accessType;
+private final boolean isAccessTypeAny;
+private final boolean isAccessTypeDelegatedAdmin;
+
+
+public RangerAccessRequestWrapper(RangerAccessRequest request, String 
accessType) {
+this.request= request;
+this.accessType = accessType;
+this.isAccessTypeAny= StringUtils.equals(accessType, 
RangerPolicyEngine.ANY_ACCESS);
+this.isAccessTypeDelegatedAdmin = StringUtils.equals(accessType, 
RangerPolicyEngine.ADMIN_ACCESS);
+}
+
+@Override
+public RangerAccessResource getResource() { return request.getResource(); }
+
+@Override
+public String getAccessType() { return accessType; }
+
+@Override
+public boolean isAccessTypeAny() { return isAccessTypeAny; }
+
+@Override
+public boolean isAccessTypeDelegatedAdmin() { return 
isAccessTypeDelegatedAdmin; }
+
+@Override
+public String getUser() { return request.getUser(); }
+
+@Override
+public Set getUserGroups() { return request.getUserGroups(); }
+
+@Override
+public Set getUserRoles() {return request.getUserRoles(); }
+
+@Override
+public Date getAccessTime() { return request.getAccessTime(); }
+
+@Override
+public String getClientIPAddress() { return request.getClientIPAddress(); }
+
+@Override
+public String getRemoteIPAddress() { return request.getRemoteIPAddress(); }
+
+@Override
+public List getForwardedAddresses() { return 
request.getForwardedAddresses(); }
+
+@Override
+public String getClientType() { return request.getClientType(); }
+
+@Override
+public String getAction() { return request.getAction(); }
+
+@Override
+public String getRequestData() { return request.getRequestData(); }
+
+@Override
+public String getSessionId() { return request.getSessionId(); }
+
+@Override
+public String getClusterName() { return request.getClusterName(); }
+
+@Override
+public String getClusterType() { return request.getClusterType(); }
+
+@Override
+public Map getContext() { return request.getContext(); }
+
+@Override
+public RangerAccessRequest getReadOnlyCopy() { return 
request.getReadOnlyCopy(); }
+
+@Override
+public ResourceMatchingScope getResourceMatchingScope() { return 
request.getResourceMatchingScope(); }
+
+}
+
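Review bot: `getReadOnlyCopy()` returns `request.getReadOnlyCopy()`, so the copy reports the wrapped request's access type rather than the `accessType` this wrapper was built with. Any consumer that keeps the read-only copy (audit, for instance, which is not visible here) would then see a different access type from the one that was evaluated. Returning a wrapper keeps the override: `return new RangerAccessRequestWrapper(request.getReadOnlyCopy(), accessType);`. `getContext()` is likewise shared with the wrapped request, so writes made through the wrapper show up on the original; a class-level Javadoc line should say so. The constructor also accepts a null `request`, which would only fail on the first delegated call.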
diff --git 
a/agents-common/src/

[ranger] branch master updated: RANGER-3995: Policy update request fails if isDenyAllElse flag is set true in request json when using /policy/apply API

2022-12-06 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 64d106579 RANGER-3995: Policy update request fails if isDenyAllElse 
flag is set true in request json when using /policy/apply API
64d106579 is described below

commit 64d1065795f63111dd75ce50d5dde677025aad3c
Author: Abhay Kulkarni 
AuthorDate: Tue Dec 6 10:01:06 2022 -0800

RANGER-3995: Policy update request fails if isDenyAllElse flag is set true 
in request json when using /policy/apply API
---
 .../java/org/apache/ranger/rest/ServiceREST.java   |   4 +
 .../org/apache/ranger/rest/ServiceRESTUtil.java| 154 +
 2 files changed, 100 insertions(+), 58 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 99eedfe7d..e17494fa9 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1752,6 +1752,10 @@ public class ServiceREST {
}
 
if(mergeIfExists) {
+   if 
(!existingPolicy.getIsDenyAllElse() && policy.getIsDenyAllElse()) {
+   LOG.error("Attempt to 
change the isDenyAllElse flag from false to true! Not supported!!");
+   throw new 
Exception("Merging existing policy(isDenyAllElse=false) with another 
policy(isDenyAllElse=true) is not allowed!");
+   }

ServiceRESTUtil.processApplyPolicy(existingPolicy, policy);
policy = existingPolicy;
} else {
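Review bot: The rejected false-to-true `isDenyAllElse` change is logged without naming the policy, so the `LOG.error` line cannot be tied to a request when logs are reviewed. `LOG.error("Attempt to change isDenyAllElse from false to true for policy id=" + existingPolicy.getId() + " is not supported");` would fix that. The check throws a bare `Exception`, and how that maps to an HTTP status depends on the enclosing handler, which lies outside this hunk; confirm the caller gets a client error rather than a generic server failure. If `getIsDenyAllElse()` returns a boxed `Boolean`, comparing with `Boolean.TRUE.equals(...)` avoids an unboxing failure on null.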
diff --git 
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
index b56fd3966..60e34c0c7 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
@@ -219,9 +219,7 @@ public class ServiceRESTUtil {
if (ServiceRESTUtil.containsRangerCondition(existingPolicy) || 
ServiceRESTUtil.containsRangerCondition(appliedPolicy)) {
LOG.info("Applied policy [" + appliedPolicy + "] or 
existing policy [" + existingPolicy + "] contains condition(s). Combining two 
policies.");
combinePolicy(existingPolicy, appliedPolicy);
-
} else {
-
processApplyPolicyForItemType(existingPolicy, 
appliedPolicy, POLICYITEM_TYPE.ALLOW);
processApplyPolicyForItemType(existingPolicy, 
appliedPolicy, POLICYITEM_TYPE.DENY);
processApplyPolicyForItemType(existingPolicy, 
appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
@@ -234,33 +232,52 @@ public class ServiceRESTUtil {
}
 
static private void combinePolicy(RangerPolicy existingPolicy, 
RangerPolicy appliedPolicy) {
+   combinePolicyItems(existingPolicy, appliedPolicy, 
POLICYITEM_TYPE.ALLOW);
+   combinePolicyItems(existingPolicy, appliedPolicy, 
POLICYITEM_TYPE.DENY);
+   combinePolicyItems(existingPolicy, appliedPolicy, 
POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
+   combinePolicyItems(existingPolicy, appliedPolicy, 
POLICYITEM_TYPE.DENY_EXCEPTIONS);
+   }
 
+   static private void combinePolicyItems(RangerPolicy existingPolicy, 
RangerPolicy appliedPolicy, POLICYITEM_TYPE polityItemType) {
+   List existingPolicyItems;
List appliedPolicyItems;
 
-   // Combine allow policy-items
-   appliedPolicyItems = appliedPolicy.getPolicyItems();
-   if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
-   
existingPolicy.getPolicyItems().addAll(appliedPolicyItems);
-   }
-
-   // Combine deny policy-items
-   appliedPolicyItems = appliedPolicy.getDenyPolicyItems();
-   if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
-   
existingPolicy.getDenyPolicyItems().addAll(appliedPolicyItems);
-   }
-
-   // Combine allow-exception policy-items
-   appliedPolicyItems = appliedPolicy.getAllowExceptions();
-   if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
-   
existingPolicy.getAllowExceptions().addAll(appliedPolicyItems);
+   sw

[ranger] branch master updated: RANGER-3913: Reduce number of calls to FilenameUtils.wildcardMatch() when evaluating resource matching

2022-09-29 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 32a4b1a76 RANGER-3913: Reduce number of calls to 
FilenameUtils.wildcardMatch() when evaluating resource matching
32a4b1a76 is described below

commit 32a4b1a76c06b0306a59b4d8df3f1521243d3a2b
Author: Abhay Kulkarni 
AuthorDate: Thu Sep 29 07:13:21 2022 -0700

RANGER-3913: Reduce number of calls to FilenameUtils.wildcardMatch() when 
evaluating resource matching
---
 .../resourcematcher/RangerPathResourceMatcher.java | 62 ++
 1 file changed, 52 insertions(+), 10 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index a95b1f73f..5fa5b68d4 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -142,7 +142,7 @@ public class RangerPathResourceMatcher extends 
RangerDefaultResourceMatcher {
return ret;
}
 
-   static boolean isRecursiveWildCardMatch(String pathToCheck, String 
wildcardPath, Character pathSeparatorChar, IOCase caseSensitivity) {
+   static boolean isRecursiveWildCardMatch(String pathToCheck, String 
wildcardPath, Character pathSeparatorChar, IOCase caseSensitivity, String[] 
wildcardPathElements) {
 
boolean ret = false;
 
@@ -156,16 +156,42 @@ public class RangerPathResourceMatcher extends 
RangerDefaultResourceMatcher {
sb.append(pathSeparatorChar); // 
preserve the initial pathSeparatorChar
}
 
-   for(String p : pathElements) {
+   int  pathElementIndex = 0;
+   boolean  useStringMatching= true;
+
+   for (String p : pathElements) {
sb.append(p);
 
-   ret = 
FilenameUtils.wildcardMatch(sb.toString(), wildcardPath, caseSensitivity);
+   if (useStringMatching) {
+   if (wildcardPathElements.length 
> pathElementIndex) {
+   String wp = 
wildcardPathElements[pathElementIndex];
+
+   if 
(!(StringUtils.contains(wp, '*') || StringUtils.contains(wp, '?'))) {
+   boolean isMatch 
= caseSensitivity.isCaseSensitive() ? StringUtils.equals(p, wp) : 
StringUtils.equalsIgnoreCase(p, wp);
+   if (!isMatch) {
+   
useStringMatching = false;
+   break;
+   }
+   } else {
+   
useStringMatching = false;
+   }
+   } else {
+   useStringMatching = 
false;
+   }
+   }
 
-   if (ret) {
-   break;
+   if (!useStringMatching) {
+   ret = 
FilenameUtils.wildcardMatch(sb.toString(), wildcardPath, caseSensitivity);
+   if (ret) {
+   break;
+   }
}
 
sb.append(pathSeparatorChar);
+   pathElementIndex++;
+   }
+   if (useStringMatching && pathElements.length == 
wildcardPathElements.length) { // Loop finished normally and all sub-paths 
string-matched..
+   ret = true;
}
 
sb = null;
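Review bot: When every element of `wildcardPathElements` is a literal and `pathToCheck` has more elements than the wildcard path, the new loop appears to return false where the old one returned true. The old code ran `FilenameUtils.wildcardMatch` on each growing prefix and matched at the prefix of equal length; now that prefix is only string-compared, `useStringMatching` turns false on the next element, and the post-loop check requires `pathElements.length == wildcardPathElements.length`. Whether a wildcard path without `*` or `?` can reach this method is decided outside the hunk, and because the result feeds policy resource matching, a test for that case is worth adding. If it is reachable, `if (pathElementIndex == wildcardPathElements.length - 1) { ret = true; break; }` after the `isMatch` check keeps the old result. The method body starts before this hunk, and the new `wildcardPathElements` parameter is dereferenced without a null check.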
@@ -261,6 +287,10 @@ public class RangerPathResourceMatcher extends 
RangerDefaultResourceMatcher {
R apply(T t, U u, V v, W w);
}
 
+   interface QuintFunction {
+   R apply(

[ranger] branch master updated: RANGER-3858: On dev-support, service creation and ranger-kafka-plugin setup are failed

2022-08-24 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new e7cd999f0 RANGER-3858: On dev-support, service creation and 
ranger-kafka-plugin setup are failed
e7cd999f0 is described below

commit e7cd999f09139c8bb973e138b7cae487f5d33327
Author: Yubo Li 
AuthorDate: Wed Aug 24 16:45:12 2022 -0700

RANGER-3858: On dev-support, service creation and ranger-kafka-plugin setup 
are failed
---
 dev-support/ranger-docker/scripts/create-ranger-services.py | 4 +++-
 dev-support/ranger-docker/scripts/ranger-kafka-setup.sh | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/dev-support/ranger-docker/scripts/create-ranger-services.py 
b/dev-support/ranger-docker/scripts/create-ranger-services.py
index 7ce541d66..f329d1f29 100644
--- a/dev-support/ranger-docker/scripts/create-ranger-services.py
+++ b/dev-support/ranger-docker/scripts/create-ranger-services.py
@@ -7,7 +7,9 @@ ranger_client = RangerClient('http://ranger:6080', ('admin', 
'rangerR0cks!'))
 
 def service_not_exists(service):
 try:
-ranger_client.get_service(service.name)
+res = ranger_client.get_service(service.name)
+if res is None:
+return 1
 except JSONDecodeError:
 return 1
 return 0
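Review bot: `service_not_exists` now has two `return 1` paths and still reports a yes/no answer as `1`/`0`; returning booleans would make the predicate read as one. Inside the `try` that is `return res is None`, with `return True` in the `except JSONDecodeError` branch. A `None` result is treated as "service absent" whatever the reason the client returned nothing, so a failed lookup would also lead to a create attempt; a one-line comment stating that assumption would help.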
diff --git a/dev-support/ranger-docker/scripts/ranger-kafka-setup.sh 
b/dev-support/ranger-docker/scripts/ranger-kafka-setup.sh
index c6edce6b9..51c91195f 100755
--- a/dev-support/ranger-docker/scripts/ranger-kafka-setup.sh
+++ b/dev-support/ranger-docker/scripts/ranger-kafka-setup.sh
@@ -29,4 +29,5 @@ cd ${RANGER_HOME}/ranger-kafka-plugin
 
 sed -i 's/localhost:2181/ranger-zk.example.com:2181/' 
${KAFKA_HOME}/config/server.properties
 
+echo >> ${KAFKA_HOME}/config/server.properties
 echo 
"authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer"
 >> ${KAFKA_HOME}/config/server.properties



[ranger] branch master updated: RANGER-3864: Spurious creation of service-resource objects in Ranger

2022-08-23 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new dc609a2e2 RANGER-3864: Spurious creation of service-resource objects 
in Ranger
dc609a2e2 is described below

commit dc609a2e24fee741616e9d6fb7a77290e5b180b4
Author: Abhay Kulkarni 
AuthorDate: Tue Aug 23 21:55:47 2022 -0700

RANGER-3864: Spurious creation of service-resource objects in Ranger
---
 .../apache/ranger/rest/ServiceTagsProcessor.java   |  5 
 .../source/atlas/AtlasNotificationMapper.java  |  4 ++--
 .../tagsync/source/atlas/AtlasTagSource.java   | 28 ++
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java 
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
index b256e2838..1d6c48a4e 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
@@ -396,6 +396,11 @@ public class ServiceTagsProcessor {
}

tagStore.refreshServiceResource(resourceInStore.getId());
RangerPerfTracer.logAlways(perf);
+   } else {
+   if (CollectionUtils.isEmpty(tagIds)) {
+   // No tags associated with the 
resource - delete the resource too
+   
tagStore.deleteServiceResource(resourceInStore.getId());
+   }
}
}
}
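Review bot: The new branch deletes the service-resource without a log line, so a resource that disappears from the store leaves no record of why. I would log before the call, e.g. `LOG.info("Deleting service-resource id=" + resourceInStore.getId() + " as no tags are associated with it");` (assuming the class logger is named `LOG`), and flatten the nesting to `} else if (CollectionUtils.isEmpty(tagIds)) {`. The `if` that this `else` pairs with starts before the hunk, so the condition leading here cannot be confirmed from these lines.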
diff --git 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java
 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java
index 1b81bafae..dadc76a54 100644
--- 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java
+++ 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java
@@ -44,7 +44,7 @@ public class AtlasNotificationMapper {
 private static finalLogger  LOG = 
LoggerFactory.getLogger(AtlasNotificationMapper.class);
 private static  Map   unhandledEventTypes = new 
HashMap<>();
 
-private static void 
logUnhandledEntityNotification(EntityNotificationWrapper entityNotification) {
+public static void 
logUnhandledEntityNotification(EntityNotificationWrapper entityNotification) {
 
 boolean skipLogging = entityNotification.getIsEntityCreateOp() && 
entityNotification.getIsEmptyClassifications();
 
@@ -110,7 +110,7 @@ public class AtlasNotificationMapper {
 return ret;
 }
 
-static private boolean isNotificationHandled(EntityNotificationWrapper 
entityNotification) {
+public static boolean isNotificationHandled(EntityNotificationWrapper 
entityNotification) {
 boolean ret = false;
 
 EntityNotificationWrapper.NotificationOpType opType = 
entityNotification.getOpType();
diff --git 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
index 2f93ebd31..1a3ddecb5 100644
--- 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
+++ 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
@@ -212,14 +212,20 @@ public class AtlasTagSource extends AbstractTagSource {

LOG.debug("Message-offset=" + message.getOffset() + ", Notification=" + 
getPrintableEntityNotification(notificationWrapper));
}
 
-   
RangerAtlasEntityWithTags entityWithTags = new 
RangerAtlasEntityWithTags(notificationWrapper);
+   if 
(AtlasNotificationMapper.isNotificationHandled(notificationWrapper)) {
 
-   if 
((notificationWrapper.getIsEntityDeleteOp() && !isHandlingDeleteOps) || 
(!notificationWrapper.getIsEntityDeleteOp() && isHandlingDeleteOps)) {
-   
buildAndUploadServiceTags();
-   
isHandlingDeleteOps = !isHandlingDeleteOps;
+   

[ranger] branch master updated: RANGER-3861: Allow service creator user to create users/groups/roles in default policies

2022-08-23 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 9e11e9ec9 RANGER-3861: Allow service creator user to create 
users/groups/roles in default policies
9e11e9ec9 is described below

commit 9e11e9ec9d042fdbed9d14f278304517f31ec728
Author: Abhay Kulkarni 
AuthorDate: Tue Aug 23 13:34:21 2022 -0700

RANGER-3861: Allow service creator user to create users/groups/roles in 
default policies
---
 .../apache/ranger/plugin/store/ServiceStore.java   |  2 +
 .../org/apache/ranger/biz/PolicyRefUpdater.java|  6 +--
 .../java/org/apache/ranger/biz/RoleRefUpdater.java |  2 +-
 .../java/org/apache/ranger/biz/ServiceDBStore.java | 60 +++---
 .../main/java/org/apache/ranger/biz/XUserMgr.java  | 22 +++-
 .../PatchForKafkaServiceDefUpdate_J10025.java  | 32 +++-
 .../PatchForKafkaServiceDefUpdate_J10033.java  | 34 ++--
 ...atchForMigratingOldRegimePolicyJson_J10046.java | 16 +-
 .../patch/PatchForUpdatingPolicyJson_J10019.java   | 16 +-
 .../org/apache/ranger/biz/TestServiceDBStore.java  |  2 +-
 10 files changed, 150 insertions(+), 42 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java 
b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
index 6283e02f2..aecde05fb 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
@@ -71,6 +71,8 @@ public interface ServiceStore {
 
RangerPolicy createPolicy(RangerPolicy policy) throws Exception;
 
+   RangerPolicy createDefaultPolicy(RangerPolicy policy) throws Exception;
+
RangerPolicy updatePolicy(RangerPolicy policy) throws Exception;
 
void deletePolicy(RangerPolicy policy, RangerService service) throws 
Exception;
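Review bot: `createDefaultPolicy` joins the `ServiceStore` interface with no Javadoc saying how it differs from `createPolicy`. Elsewhere in this commit the default-policy path lets `PolicyRefUpdater` treat the caller as admin (`checkAdminAccess() || isDefaultPolicy`), so the contract matters. The comment should state that the method is meant only for policies generated at service creation and should not be reachable with a caller-supplied policy. Because the method is abstract, every other `ServiceStore` implementation has to add it as well.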
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
index 6c99df4e9..6cc3509d8 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
@@ -97,7 +97,7 @@ public class PolicyRefUpdater {
@Autowired
RESTErrorUtil restErrorUtil;
 
-   public void createNewPolMappingForRefTable(RangerPolicy policy, 
XXPolicy xPolicy, XXServiceDef xServiceDef) throws Exception {
+   public void createNewPolMappingForRefTable(RangerPolicy policy, 
XXPolicy xPolicy, XXServiceDef xServiceDef, boolean isDefaultPolicy) throws 
Exception {
if(policy == null) {
return;
}
@@ -168,7 +168,7 @@ public class PolicyRefUpdater {
}
daoMgr.getXXPolicyRefResource().batchCreate(xPolResources);
 
-   final boolean isAdmin = rangerBizUtil.checkAdminAccess();
+   final boolean isAdmin = rangerBizUtil.checkAdminAccess() || 
isDefaultPolicy;
 
List xPolRoles = new ArrayList<>();
for (String role : roleNames) {
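Review bot: `isAdmin` is now true whenever the caller passes `isDefaultPolicy`, so the name no longer says what the variable means, and the admin check can be bypassed by an argument on a public method. I would rename it to match the rule, for example `final boolean canCreateReferencedPrincipals = rangerBizUtil.checkAdminAccess() || isDefaultPolicy;`, updating its uses below this hunk. The Javadoc of `createNewPolMappingForRefTable` (signature in the previous hunk) should say that `isDefaultPolicy` may only be set by the service-creation path and never derived from request data.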
@@ -397,7 +397,7 @@ public class PolicyRefUpdater {
ret = xUser.getId();
}
} else {
-   LOG.error("serviceConfigUser:[" 
+ name + "] creation failed");
+   LOG.warn("serviceConfigUser:[" 
+ name + "] creation failed. This may be a transient/spurious condition that 
may correct itself when transaction is committed");
}
}
break;
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java
index 66adac2b5..56f7ec4c8 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java
@@ -296,7 +296,7 @@ public class RoleRefUpdater {
ret = xUser.getId();
}
} else {
-   LOG.error("serviceConfigUser:[" 
+ name + "] creation failed");
+   LOG.warn("serviceConfigUser:[" 
+ name + "] creation failed. This may be a transient/spurious condition that 
may correct itself when transaction is committed");
 

[ranger] branch ranger-2.3 updated: RANGER-3606: Addendum to: 'remove unnecessary static members from plugin class loaders' - Cannot find plugin-class-loader for TAG service-type in JDK11

2022-06-02 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.3 by this push:
 new e194002e3 RANGER-3606: Addendum to: 'remove unnecessary static members 
from plugin class loaders' - Cannot find plugin-class-loader for TAG 
service-type in JDK11
e194002e3 is described below

commit e194002e3f235802a3a512fa75854ed19e4e4266
Author: Abhay Kulkarni 
AuthorDate: Thu Jun 2 21:48:32 2022 -0700

RANGER-3606: Addendum to: 'remove unnecessary static members from plugin 
class loaders' - Cannot find plugin-class-loader for TAG service-type in JDK11
---
 .../ranger/plugin/util/ScriptEngineUtil.java   | 12 --
 .../classloader/RangerPluginClassLoader.java   | 47 --
 2 files changed, 35 insertions(+), 24 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java
index 79a702a8f..580ebd0da 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java
@@ -36,6 +36,9 @@ public class ScriptEngineUtil {
 
 
 public static ScriptEngine createScriptEngine(String engineName, String 
serviceType) {
+if (LOG.isDebugEnabled()) {
+LOG.debug("==> ScriptEngineUtil.createScriptEngine(engineName=" + 
engineName + ", serviceType=" + serviceType + ")");
+}
 ScriptEngine ret = null;
 
 try {
@@ -58,9 +61,10 @@ public class ScriptEngineUtil {
 LOG.error("RangerScriptConditionEvaluator.init() failed", exp);
 }
 
+LOG.debug((ret == null ? " Failed to create " : " Created ") + "Script 
Engine '" + engineName + "' in a default manner.");
+
 if (ret == null) {
-LOG.warn("failed to initialize script engine '" + engineName + "' 
in a default manner." +
- " Will try to get script-engine from 
plugin-class-loader");
+LOG.warn("Will try to get script-engine from plugin-class-loader 
for service-type:[" + serviceType + "]");
 
 RangerPluginClassLoader pluginClassLoader;
 
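Review bot: The added `LOG.debug((ret == null ? ...) + ...)` builds its message on every call, while the entry and exit debug lines added in the neighbouring hunks are wrapped in `LOG.isDebugEnabled()`. If `LOG` is an SLF4J logger, a parameterized call is consistent with them and drops the stray leading space: `LOG.debug("{} Script Engine '{}' in a default manner.", ret == null ? "Failed to create" : "Created", engineName);`. The same line appears in the master-branch copy of this commit further down the page.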
@@ -76,7 +80,9 @@ public class ScriptEngineUtil {
 LOG.error("RangerScriptConditionEvaluator.init() failed", exp);
 }
 }
-
+if (LOG.isDebugEnabled()) {
+LOG.debug("<== ScriptEngineUtil.createScriptEngine(engineName=" + 
engineName + ", serviceType=" + serviceType + ") : ret=" + ret);
+}
 return ret;
 }
 }
diff --git 
a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java
 
b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java
index 7ed776ecb..a2c744711 100644
--- 
a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java
+++ 
b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java
@@ -19,7 +19,6 @@
 
 package org.apache.ranger.plugin.classloader;
 
-import java.io.IOException;
 import java.net.URL;
 import java.net.URLClassLoader;
 import java.security.AccessController;
@@ -43,6 +42,8 @@ import javax.script.ScriptEngineManager;
 public class RangerPluginClassLoader extends URLClassLoader {
 private static final Logger LOG = 
LoggerFactory.getLogger(RangerPluginClassLoader.class);
 
+private static final String TAG_SERVICE_TYPE = "tag";
+
 private static final Map 
pluginClassLoaders = new HashMap<>();
 
 private final MyClassLoadercomponentClassLoader;
@@ -52,12 +53,8 @@ public class RangerPluginClassLoader extends URLClassLoader {
 
super(RangerPluginClassLoaderUtil.getInstance().getPluginFilesForServiceTypeAndPluginclass(pluginType,
 pluginClass), null);
 
 componentClassLoader = AccessController.doPrivileged(
-new PrivilegedAction() {
-public MyClassLoader run() {
-return  new 
MyClassLoader(Thread.currentThread().getContextClassLoader());
-}
-}
-);
+(PrivilegedAction) () -> new 
MyClassLoader(Thread.currentThread().getContextClassLoader())
+);
 }
 
 public static RangerPluginClassLoader getInstance(final String pluginType, 
final Class pluginClass ) throws Exception {
@@ -70,12 +67,8 @@ public clas

[ranger] branch master updated: RANGER-3606: Addendum to: 'remove unnecessary static members from plugin class loaders' - Cannot find plugin-class-loader for TAG service-type in JDK11

2022-06-02 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new d0a6d3018 RANGER-3606: Addendum to: 'remove unnecessary static members 
from plugin class loaders' - Cannot find plugin-class-loader for TAG 
service-type in JDK11
d0a6d3018 is described below

commit d0a6d30182fe76f66c559539c0734b9e28c8c5c4
Author: Abhay Kulkarni 
AuthorDate: Thu Jun 2 21:48:32 2022 -0700

RANGER-3606: Addendum to: 'remove unnecessary static members from plugin 
class loaders' - Cannot find plugin-class-loader for TAG service-type in JDK11
---
 .../ranger/plugin/util/ScriptEngineUtil.java   | 12 --
 .../classloader/RangerPluginClassLoader.java   | 47 --
 2 files changed, 35 insertions(+), 24 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java
index 79a702a8f..580ebd0da 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java
@@ -36,6 +36,9 @@ public class ScriptEngineUtil {
 
 
 public static ScriptEngine createScriptEngine(String engineName, String 
serviceType) {
+if (LOG.isDebugEnabled()) {
+LOG.debug("==> ScriptEngineUtil.createScriptEngine(engineName=" + 
engineName + ", serviceType=" + serviceType + ")");
+}
 ScriptEngine ret = null;
 
 try {
@@ -58,9 +61,10 @@ public class ScriptEngineUtil {
 LOG.error("RangerScriptConditionEvaluator.init() failed", exp);
 }
 
+LOG.debug((ret == null ? " Failed to create " : " Created ") + "Script 
Engine '" + engineName + "' in a default manner.");
+
 if (ret == null) {
-LOG.warn("failed to initialize script engine '" + engineName + "' 
in a default manner." +
- " Will try to get script-engine from 
plugin-class-loader");
+LOG.warn("Will try to get script-engine from plugin-class-loader 
for service-type:[" + serviceType + "]");
 
 RangerPluginClassLoader pluginClassLoader;
 
@@ -76,7 +80,9 @@ public class ScriptEngineUtil {
 LOG.error("RangerScriptConditionEvaluator.init() failed", exp);
 }
 }
-
+if (LOG.isDebugEnabled()) {
+LOG.debug("<== ScriptEngineUtil.createScriptEngine(engineName=" + 
engineName + ", serviceType=" + serviceType + ") : ret=" + ret);
+}
 return ret;
 }
 }
diff --git 
a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java
 
b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java
index 7ed776ecb..a2c744711 100644
--- 
a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java
+++ 
b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java
@@ -19,7 +19,6 @@
 
 package org.apache.ranger.plugin.classloader;
 
-import java.io.IOException;
 import java.net.URL;
 import java.net.URLClassLoader;
 import java.security.AccessController;
@@ -43,6 +42,8 @@ import javax.script.ScriptEngineManager;
 public class RangerPluginClassLoader extends URLClassLoader {
 private static final Logger LOG = 
LoggerFactory.getLogger(RangerPluginClassLoader.class);
 
+private static final String TAG_SERVICE_TYPE = "tag";
+
 private static final Map 
pluginClassLoaders = new HashMap<>();
 
 private final MyClassLoadercomponentClassLoader;
@@ -52,12 +53,8 @@ public class RangerPluginClassLoader extends URLClassLoader {
 
super(RangerPluginClassLoaderUtil.getInstance().getPluginFilesForServiceTypeAndPluginclass(pluginType,
 pluginClass), null);
 
 componentClassLoader = AccessController.doPrivileged(
-new PrivilegedAction() {
-public MyClassLoader run() {
-return  new 
MyClassLoader(Thread.currentThread().getContextClassLoader());
-}
-}
-);
+(PrivilegedAction) () -> new 
MyClassLoader(Thread.currentThread().getContextClassLoader())
+);
 }
 
 public static RangerPluginClassLoader getInstance(final String pluginType, 
final Class pluginClass ) throws Exception {
@@ -70,12 +67,8 @@ public clas

[ranger] branch master updated: RANGER-3670: Avoid unnecessary entries in transaction log table during policy updates

2022-05-31 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 20f021c1e RANGER-3670: Avoid unnecessary entries in transaction log 
table during policy updates
20f021c1e is described below

commit 20f021c1e642e74f99da8ebee594be21088e7fc3
Author: Abhishek Kumar 
AuthorDate: Tue May 31 09:00:31 2022 -0700

RANGER-3670: Avoid unnecessary entries in transaction log table during 
policy updates
---
 .../apache/ranger/service/RangerPolicyService.java | 299 -
 1 file changed, 117 insertions(+), 182 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
 
b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
index a7a0d6f0d..92aaaebdc 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
@@ -42,8 +42,6 @@ import 
org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
 import org.apache.ranger.plugin.model.RangerValiditySchedule;
 import org.apache.ranger.plugin.util.JsonUtilsV2;
-import org.codehaus.jackson.JsonParseException;
-import org.codehaus.jackson.map.JsonMappingException;
 import org.codehaus.jackson.map.ObjectMapper;
 import org.codehaus.jackson.type.TypeReference;
 import org.slf4j.Logger;
@@ -60,23 +58,23 @@ public class RangerPolicyService extends 
RangerPolicyServiceBase trxLogAttrs = new HashMap();
String actionCreate;
@@ -86,23 +84,23 @@ public class RangerPolicyService extends 
RangerPolicyServiceBase 
xDataMaskDef = daoMgr.getXXDataMaskTypeDef().getAll();
-   
if(CollectionUtils.isNotEmpty(xDataMaskDef) && xDataMaskDef != null ) {
+   
if(CollectionUtils.isNotEmpty(xDataMaskDef)) {
for 
(XXDataMaskTypeDef xxDataMaskTypeDef : xDataMaskDef) {

if(xxDataMaskTypeDef.getName().equalsIgnoreCase(policyItem.getDataMaskInfo().getDataMaskType()))
 {

String label = xxDataMaskTypeDef.getLabel();
@@ -285,8 +275,7 @@ public class RangerPolicyService extends 
RangerPolicyServiceBase xDataMaskDef = daoMgr.getXXDataMaskTypeDef().getAll();
-   
if(CollectionUtils.isNotEmpty(xDataMaskDef) && xDataMaskDef != null ) {
+   
if(CollectionUtils.isNotEmpty(xDataMaskDef)) {

for (XXDataMaskTypeDef xxDataMaskTypeDef : xDataMaskDef) {


if(xxDataMaskTypeDef.getName().equalsIgnoreCase(oldPolicyItem.getDataMaskInfo().getDataMaskType()))
 {

String oldLabel = xxDataMaskTypeDef.getLabel();
@@ -379,7 +368,7 @@ public class RangerPolicyService extends 
RangerPolicyServiceBase obj = mapper.readValue(value, new 
TypeReference>() {
-});
-List oldObj = mapper.readValue(oldValue, new 
TypeReference>() {
-});
-int oldListSize = oldObj.size();
-int listSize = obj.size();
-if (oldListSize != listSize) {
-return false;
-}
-for (String polItem : obj) {
-if (!oldObj.contains(polItem)) {
-return false;
-}
-}
-return true;
-} catch (JsonParseException e) {
-throw restErrorUtil.createRESTException("Invalid input 
data: " + e.getMessage(),
-MessageEnums.INVALID_INPUT_DATA);
-} catch (JsonMappingException e) {
-throw restErrorUtil.createRESTException("Invalid input 
data: " + e.getMessage(),
-MessageEnums.INVALID_INPUT_DATA);
-} catch (IOException e) {
-throw restErrorUtil.createRESTException("Invalid input 
data: " + e.getMessage(),
-MessageEnums.INVALID_INPUT_DATA);
-

[ranger] branch master updated: RANGER:3777 Execute permissions required in init scripts to run containers

2022-05-31 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 9181c20c2 RANGER:3777 Execute permissions required in init scripts to 
run containers
9181c20c2 is described below

commit 9181c20c2b461ab413bad0c485d99b518352d107
Author: Abhishek Kumar 
AuthorDate: Tue May 31 08:57:39 2022 -0700

RANGER:3777 Execute permissions required in init scripts to run containers
---
 dev-support/ranger-docker/Dockerfile.ranger|  2 +-
 dev-support/ranger-docker/Dockerfile.ranger-hadoop |  4 ++-
 dev-support/ranger-docker/Dockerfile.ranger-hbase  |  3 +-
 dev-support/ranger-docker/Dockerfile.ranger-hive   |  3 +-
 dev-support/ranger-docker/Dockerfile.ranger-kafka  |  3 +-
 dev-support/ranger-docker/Dockerfile.ranger-knox   |  3 +-
 .../ranger-docker/Dockerfile.ranger-tagsync|  3 +-
 .../ranger-docker/Dockerfile.ranger-usersync   |  3 +-
 dev-support/ranger-docker/README.md| 34 +++---
 9 files changed, 39 insertions(+), 19 deletions(-)

diff --git a/dev-support/ranger-docker/Dockerfile.ranger 
b/dev-support/ranger-docker/Dockerfile.ranger
index f5a1ed93f..b050b13c4 100644
--- a/dev-support/ranger-docker/Dockerfile.ranger
+++ b/dev-support/ranger-docker/Dockerfile.ranger
@@ -33,7 +33,7 @@ RUNtar xvfz 
/home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz --direct
 && cp -f ${RANGER_SCRIPTS}/ranger-admin-install.properties 
${RANGER_HOME}/admin/install.properties \
 && mkdir -p /var/run/ranger \
 && mkdir -p /var/log/ranger \
-&& chown -R ranger:ranger ${RANGER_HOME}/admin/ /var/run/ranger/ 
/var/log/ranger/ \
+&& chown -R ranger:ranger ${RANGER_HOME}/admin/ ${RANGER_SCRIPTS}/ 
/var/run/ranger/ /var/log/ranger/ \
 && mkdir -p /usr/share/java/
 
 FROM ranger AS ranger_postgres
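Review bot: Adding `${RANGER_SCRIPTS}/` to the recursive `chown -R ranger:ranger` makes the runtime account the owner of every start-up script in that directory, which gives it write access as well as the execute permission the commit title asks for. A process running as `ranger` could then change what the entrypoint executes on the next start. Leaving the scripts root-owned and granting execute only, for instance `chmod 755 ${RANGER_SCRIPTS}/ranger.sh` in the same `RUN`, would meet the stated goal without write access. Whether anything needs to write into that directory at run time is not visible in this hunk.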
diff --git a/dev-support/ranger-docker/Dockerfile.ranger-hadoop 
b/dev-support/ranger-docker/Dockerfile.ranger-hadoop
index f25bc0d8d..9970c7cb3 100644
--- a/dev-support/ranger-docker/Dockerfile.ranger-hadoop
+++ b/dev-support/ranger-docker/Dockerfile.ranger-hadoop
@@ -41,7 +41,9 @@ RUN tar xvfz 
/home/ranger/dist/hadoop-${HADOOP_VERSION}.tar.gz --directory=/opt/
 tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-yarn-plugin.tar.gz 
--directory=/opt/ranger && \
 ln -s /opt/ranger/ranger-${RANGER_VERSION}-yarn-plugin 
/opt/ranger/ranger-yarn-plugin && \
 rm -f /home/ranger/dist/ranger-${RANGER_VERSION}-yarn-plugin.tar.gz && \
-cp -f /home/ranger/scripts/ranger-yarn-plugin-install.properties 
/opt/ranger/ranger-yarn-plugin/install.properties
+cp -f /home/ranger/scripts/ranger-yarn-plugin-install.properties 
/opt/ranger/ranger-yarn-plugin/install.properties && \
+chmod 744 ${RANGER_SCRIPTS}/ranger-hadoop-setup.sh 
${RANGER_SCRIPTS}/ranger-hadoop.sh ${RANGER_SCRIPTS}/ranger-hadoop-mkdir.sh && \
+chown hdfs:hadoop ${RANGER_SCRIPTS}/ranger-hadoop-mkdir.sh
 
 ENV HADOOP_HOME/opt/hadoop
 ENV HADOOP_CONF_DIR/opt/hadoop/etc/hadoop
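Review bot: `chmod 744` grants execute to the owner only, and the following `chown hdfs:hadoop` then makes the `hdfs` service account the owner of `ranger-hadoop-mkdir.sh`, with write permission on a script it runs. Mode 755 with root ownership lets `hdfs` execute the script without being able to rewrite it: `chmod 755 ${RANGER_SCRIPTS}/ranger-hadoop-setup.sh ${RANGER_SCRIPTS}/ranger-hadoop.sh ${RANGER_SCRIPTS}/ranger-hadoop-mkdir.sh`, dropping the `chown`. The `chmod 744` in the Dockerfile.ranger-hbase hunk has the same owner-only execute bit. Who owns these files after `COPY` is not visible here and should be confirmed.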
diff --git a/dev-support/ranger-docker/Dockerfile.ranger-hbase 
b/dev-support/ranger-docker/Dockerfile.ranger-hbase
index 5a2f056a9..1a2eea461 100644
--- a/dev-support/ranger-docker/Dockerfile.ranger-hbase
+++ b/dev-support/ranger-docker/Dockerfile.ranger-hbase
@@ -35,7 +35,8 @@ RUN tar xvfz 
/home/ranger/dist/hbase-${HBASE_VERSION}-bin.tar.gz --directory=/op
 tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-hbase-plugin.tar.gz 
--directory=/opt/ranger && \
 ln -s /opt/ranger/ranger-${RANGER_VERSION}-hbase-plugin 
/opt/ranger/ranger-hbase-plugin && \
 rm -f /home/ranger/dist/ranger-${RANGER_VERSION}-hbase-plugin.tar.gz && \
-cp -f /home/ranger/scripts/ranger-hbase-plugin-install.properties 
/opt/ranger/ranger-hbase-plugin/install.properties
+cp -f /home/ranger/scripts/ranger-hbase-plugin-install.properties 
/opt/ranger/ranger-hbase-plugin/install.properties && \
+chmod 744 ${RANGER_SCRIPTS}/ranger-hbase-setup.sh 
${RANGER_SCRIPTS}/ranger-hbase.sh
 
 ENV HBASE_HOME /opt/hbase
 ENV PATH   
/usr/java/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/hbase/bin
diff --git a/dev-support/ranger-docker/Dockerfile.ranger-hive 
b/dev-support/ranger-docker/Dockerfile.ranger-hive
index 9ef89b59a..fc09fdc38 100644
--- a/dev-support/ranger-docker/Dockerfile.ranger-hive
+++ b/dev-support/ranger-docker/Dockerfile.ranger-hive
@@ -43,7 +43,8 @@ RUN tar xvfz 
/home/ranger/dist/apache-hive-${HIVE_VERSION}-bin.tar.gz --director
 tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-hive-plugin.tar.gz 
--directory=/opt/ranger && \
 ln -s /opt/ranger/ranger-${RANGER_VERSION}-hive-plugin 
/opt/ranger/ranger-hive-plugin && \
 rm -f /home/ranger/dist/ra

[ranger] branch ranger-2.3 updated: RANGER-3769: Removing a tag-service association from a service does not update policy engine

2022-05-18 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.3 by this push:
 new 57a01c74e RANGER-3769: Removing a tag-service association from a 
service does not update policy engine
57a01c74e is described below

commit 57a01c74e1d7c58377eb28c5ccea17f5e06490fe
Author: Abhay Kulkarni 
AuthorDate: Wed May 18 20:07:19 2022 -0700

RANGER-3769: Removing a tag-service association from a service does not 
update policy engine
---
 .../apache/ranger/plugin/util/RangerPolicyDeltaUtil.java   | 14 --
 .../java/org/apache/ranger/biz/RangerPolicyAdminCache.java |  4 
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
index 43a494093..e9223fe69 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
@@ -228,9 +228,19 @@ public class RangerPolicyDeltaUtil {
 LOG.warn("Downloaded ServicePolicies are [" + servicePolicies 
+ "]");
 ret = null;
 } else if (!isPoliciesExist && !isPolicyDeltasExist) {
-LOG.warn("ServicePolicies do not contain any policies or 
policy-deltas!! There are no material changes in the policies.");
+LOG.warn("ServicePolicies do not contain any policies or 
policy-deltas!!");
 LOG.warn("Downloaded ServicePolicies are [" + servicePolicies 
+ "]");
-ret = null;
+if (servicePolicies.getPolicyDeltas() == null) {
+if (LOG.isDebugEnabled()) {
+LOG.debug("Complete set of servicePolicies is 
received. There may be a change to service. Forcing to create a new policy 
engine!");
+}
+ret = false;// Force new policy engine creation from 
servicePolicies
+} else {
+if (LOG.isDebugEnabled()) {
+LOG.debug("servicePolicy deltas are received. There 
are no material changes in the policies.");
+}
+ret = null;
+}
 } else {
 ret = isPolicyDeltasExist;
 }
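Review bot: The new branch tells "complete policy set" from "nothing changed" only by `servicePolicies.getPolicyDeltas() == null`, so an empty but non-null delta list still yields `ret = null` and the old policy engine is kept. If any copy or serialization path turns a null list into an empty one, the stale tag-service association this commit targets would survive; that path is not visible here and should be confirmed. A comment above the check would make the contract explicit, for example `// null deltas => complete (possibly empty) policy set; empty list => delta download with no changes`. The two `LOG.warn` calls above still print the whole `servicePolicies` object on what is now a legitimate path and may belong at DEBUG. The enclosing method lies outside the hunk, and the identical hunk appears in the master push that follows.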
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
index 053a41064..a52e07b9f 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
@@ -19,6 +19,7 @@
 
 package org.apache.ranger.biz;
 
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -161,6 +162,9 @@ public class RangerPolicyAdminCache {
LOG.error("Old policy engine is null! 
Cannot apply deltas without old policy engine!");
}
} else {
+   if (policies.getPolicies() == null) {
+   policies.setPolicies(new ArrayList<>());
+   }
policyAdmin = addPolicyAdmin(policies, roles, 
options);
}
} else {
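Review bot: `policies.setPolicies(new ArrayList<>())` changes the object that was passed in rather than a copy, and only on this branch. If the same `policies` instance is also held elsewhere (a cache or a response being returned, neither visible in this hunk), those readers now see an empty list where they previously saw null. A short comment would record why the normalisation is needed, e.g. `// a complete but empty policy set arrives with policies == null; addPolicyAdmin needs a list`, with the second half confirmed against `addPolicyAdmin`. The enclosing method lies outside the hunk, and the same hunk appears in the master push that follows.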



[ranger] branch master updated: RANGER-3769: Removing a tag-service association from a service does not update policy engine

2022-05-18 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 48c0551b4 RANGER-3769: Removing a tag-service association from a 
service does not update policy engine
48c0551b4 is described below

commit 48c0551b47c41d0b9688fd3cdbf6d2c894bac82c
Author: Abhay Kulkarni 
AuthorDate: Wed May 18 20:07:19 2022 -0700

RANGER-3769: Removing a tag-service association from a service does not 
update policy engine
---
 .../apache/ranger/plugin/util/RangerPolicyDeltaUtil.java   | 14 --
 .../java/org/apache/ranger/biz/RangerPolicyAdminCache.java |  4 
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
index 43a494093..e9223fe69 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
@@ -228,9 +228,19 @@ public class RangerPolicyDeltaUtil {
 LOG.warn("Downloaded ServicePolicies are [" + servicePolicies 
+ "]");
 ret = null;
 } else if (!isPoliciesExist && !isPolicyDeltasExist) {
-LOG.warn("ServicePolicies do not contain any policies or 
policy-deltas!! There are no material changes in the policies.");
+LOG.warn("ServicePolicies do not contain any policies or 
policy-deltas!!");
 LOG.warn("Downloaded ServicePolicies are [" + servicePolicies 
+ "]");
-ret = null;
+if (servicePolicies.getPolicyDeltas() == null) {
+if (LOG.isDebugEnabled()) {
+LOG.debug("Complete set of servicePolicies is 
received. There may be a change to service. Forcing to create a new policy 
engine!");
+}
+ret = false;// Force new policy engine creation from 
servicePolicies
+} else {
+if (LOG.isDebugEnabled()) {
+LOG.debug("servicePolicy deltas are received. There 
are no material changes in the policies.");
+}
+ret = null;
+}
 } else {
 ret = isPolicyDeltasExist;
 }
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
index 1ca4415ae..a64e427c5 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
@@ -19,6 +19,7 @@
 
 package org.apache.ranger.biz;
 
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -159,6 +160,9 @@ public class RangerPolicyAdminCache {
LOG.error("Old policy engine is null! 
Cannot apply deltas without old policy engine!");
}
} else {
+   if (policies.getPolicies() == null) {
+   policies.setPolicies(new ArrayList<>());
+   }
policyAdmin = addPolicyAdmin(policies, roles, 
options);
}
} else {



[ranger] branch master updated: RANGER-3754: Chained plugins access evaluation result is not considered in some cases

2022-05-12 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new f375e3606 RANGER-3754: Chained plugins access evaluation result is not 
considered in some cases
f375e3606 is described below

commit f375e3606226e00677a95f9260e2a6e5cbc09983
Author: Abhay Kulkarni 
AuthorDate: Thu May 12 10:41:09 2022 -0700

RANGER-3754: Chained plugins access evaluation result is not considered in 
some cases
---
 .../java/org/apache/ranger/plugin/service/RangerBasePlugin.java   | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index f157475bf..b474de31c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -1156,12 +1156,12 @@ public class RangerBasePlugin {
int policyType = result.getPolicyType();
 
if (chainedResult.getIsAccessDetermined()) { // only if 
chained-result is definitive
-   // override if result is not definitive or 
chained-result is by a higher priority policy
-   overrideResult = !result.getIsAccessDetermined() || 
chainedResult.getPolicyPriority() > result.getPolicyPriority();
+   // override if chained-result is by a higher priority 
policy or result is not definitive or the result is not-allowed and no matching 
Ranger policy found
+   overrideResult = chainedResult.getPolicyPriority() > 
result.getPolicyPriority() || !result.getIsAccessDetermined() || 
(!result.getIsAllowed() && result.getPolicyId() == -1L);
 
if (!overrideResult) {
-   // override if chained-result is from the same 
policy priority, and if denies access
-   if (chainedResult.getPolicyPriority() == 
result.getPolicyPriority() && !chainedResult.getIsAllowed()) {
+   // override if chained-result is from the same 
policy priority, and if denies access with a specific policy id
+   if (chainedResult.getPolicyPriority() == 
result.getPolicyPriority() && (!chainedResult.getIsAllowed() && 
chainedResult.getPolicyId() != -1L)) {
// let's not override if result is 
already denied
if (result.getIsAllowed()) {
overrideResult = true;
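Review bot: The literal `-1L` now carries the meaning "no Ranger policy matched" in two conditions of this access-decision merge, and nothing in the hunk ties it to where that value is set. These conditions decide whether a chained plugin's allow or deny replaces the primary result, so a named constant, or at least a comment such as `// policyId == -1: decision came from no matching policy (default)`, would keep the two checks from drifting apart. If `getPolicyId()` returns a boxed `Long`, the `== -1L` comparison unboxes and would throw on null; the return type is not visible here. The first `overrideResult` expression would also be easier to review with its three alternatives on separate lines, each with its reason. The enclosing method starts and ends outside the hunk.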



[ranger] branch master updated: Revert "README.txt changes - to be rolled back"

2022-05-11 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 2d8e8fd2b Revert "README.txt changes - to be rolled back"
2d8e8fd2b is described below

commit 2d8e8fd2bf7688920ea418d69afc3fadaeab533f
Author: Abhay Kulkarni 
AuthorDate: Wed May 11 12:13:43 2022 -0700

Revert "README.txt changes - to be rolled back"

This reverts commit f27d16b483a58d16d4fe70cfb72712c366868e01.
---
 README.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.txt b/README.txt
index 7c27b3b63..fce972ab1 100644
--- a/README.txt
+++ b/README.txt
@@ -102,4 +102,4 @@ Installation Process
 
If the install.sh file does not exists, 
Execute ./enable--plugin.sh
-6. Some comment
+



[ranger] branch master updated: README.txt changes - to be rolled back

2022-05-11 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new f27d16b48 README.txt changes - to be rolled back
f27d16b48 is described below

commit f27d16b483a58d16d4fe70cfb72712c366868e01
Author: Abhay Kulkarni 
AuthorDate: Wed May 11 12:13:02 2022 -0700

README.txt changes - to be rolled back
---
 README.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.txt b/README.txt
index fce972ab1..7c27b3b63 100644
--- a/README.txt
+++ b/README.txt
@@ -102,4 +102,4 @@ Installation Process
 
If the install.sh file does not exists, 
Execute ./enable--plugin.sh
-
+6. Some comment



[ranger] branch master updated: RANGER-3718: Installation scripts in docker require use of exit codes during setup

2022-05-09 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 87a1dc459 RANGER-3718: Installation scripts in docker require use of 
exit codes during setup
87a1dc459 is described below

commit 87a1dc45944e10717f4d715eb3a8527ee4571d4f
Author: Abhishek Kumar 
AuthorDate: Mon May 9 14:38:40 2022 -0700

RANGER-3718: Installation scripts in docker require use of exit codes 
during setup
---
 dev-support/ranger-docker/scripts/ranger-hadoop.sh   | 20 +++-
 dev-support/ranger-docker/scripts/ranger-hbase.sh| 15 ---
 dev-support/ranger-docker/scripts/ranger-hive.sh |  8 ++--
 dev-support/ranger-docker/scripts/ranger-kafka.sh|  8 ++--
 dev-support/ranger-docker/scripts/ranger-knox.sh | 15 ---
 dev-support/ranger-docker/scripts/ranger-tagsync.sh  | 17 +
 dev-support/ranger-docker/scripts/ranger-usersync.sh | 17 +
 dev-support/ranger-docker/scripts/ranger.sh  | 17 +
 8 files changed, 90 insertions(+), 27 deletions(-)

diff --git a/dev-support/ranger-docker/scripts/ranger-hadoop.sh 
b/dev-support/ranger-docker/scripts/ranger-hadoop.sh
index 98eb51bf1..fca9b6f3e 100755
--- a/dev-support/ranger-docker/scripts/ranger-hadoop.sh
+++ b/dev-support/ranger-docker/scripts/ranger-hadoop.sh
@@ -32,12 +32,17 @@ then
 
   echo "ssh" > /etc/pdsh/rcmd_default
 
-  ${RANGER_SCRIPTS}/ranger-hadoop-setup.sh
 
-  su -c "${HADOOP_HOME}/bin/hdfs namenode -format" hdfs
+  if "${RANGER_SCRIPTS}"/ranger-hadoop-setup.sh;
+  then
+su -c "${HADOOP_HOME}/bin/hdfs namenode -format" hdfs
 
-  CREATE_HDFS_DIR=true
-  touch ${HADOOP_HOME}/.setupDone
+CREATE_HDFS_DIR=true
+
+touch "${HADOOP_HOME}"/.setupDone
+  else
+echo "Ranger Hadoop Setup Script didn't complete proper execution."
+  fi
 fi
 
 su -c "${HADOOP_HOME}/sbin/start-dfs.sh" hdfs
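Review bot: When `ranger-hadoop-setup.sh` fails, the `else` branch only prints a message and the script goes on to `start-dfs.sh` against an installation that was never set up, so the failure never reaches the container's exit code. Adding `exit 1` after the `echo` would stop there; if continuing is deliberate, so that setup is retried on the next start, a comment should say so. The result of `su -c "${HADOOP_HOME}/bin/hdfs namenode -format" hdfs` is likewise not checked before `touch "${HADOOP_HOME}"/.setupDone`, so a failed format is recorded as done. The setup hunks in ranger-hbase.sh, ranger-hive.sh and ranger-kafka.sh have the same echo-only failure branch.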
@@ -51,4 +56,9 @@ fi
 NAMENODE_PID=`ps -ef  | grep -v grep | grep -i 
"org.apache.hadoop.hdfs.server.namenode.NameNode" | awk '{print $2}'`
 
 # prevent the container from exiting
-tail --pid=$NAMENODE_PID -f /dev/null
+if [ -z "$NAMENODE_PID" ]
+then
+  echo "The NameNode process probably exited, no process id found!"
+else
+  tail --pid=$NAMENODE_PID -f /dev/null
+fi
\ No newline at end of file
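Review bot: When `NAMENODE_PID` is empty the script prints a message and then falls off the end with exit status 0, so the container stops while reporting success; `exit 1` after the `echo` would let the orchestrator see the failure. `tail --pid=$NAMENODE_PID` is unquoted, and the `ps | grep | awk` lookup can return more than one PID, in which case `tail` receives a malformed argument. The file also loses its trailing newline. The PID check added in the ranger-hbase.sh hunk has the first two issues as well.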
diff --git a/dev-support/ranger-docker/scripts/ranger-hbase.sh 
b/dev-support/ranger-docker/scripts/ranger-hbase.sh
index 2092b24a9..ff27735dc 100755
--- a/dev-support/ranger-docker/scripts/ranger-hbase.sh
+++ b/dev-support/ranger-docker/scripts/ranger-hbase.sh
@@ -26,9 +26,13 @@ then
 
   echo "ssh" > /etc/pdsh/rcmd_default
 
-  ${RANGER_SCRIPTS}/ranger-hbase-setup.sh
 
-  touch ${HBASE_HOME}/.setupDone
+  if "${RANGER_SCRIPTS}"/ranger-hbase-setup.sh;
+  then
+touch "${HBASE_HOME}"/.setupDone
+  else
+echo "Ranger Hbase Setup Script didn't complete proper execution."
+  fi
 fi
 
 su -c "${HBASE_HOME}/bin/start-hbase.sh" hbase
@@ -36,4 +40,9 @@ su -c "${HBASE_HOME}/bin/start-hbase.sh" hbase
 HBASE_MASTER_PID=`ps -ef  | grep -v grep | grep -i 
"org.apache.hadoop.hbase.master.HMaster" | awk '{print $2}'`
 
 # prevent the container from exiting
-tail --pid=$HBASE_MASTER_PID -f /dev/null
+if [ -z "$HBASE_MASTER_PID" ]
+then
+  echo "The HBase process probably exited, no process id found!"
+else
+  tail --pid=$HBASE_MASTER_PID -f /dev/null
+fi
diff --git a/dev-support/ranger-docker/scripts/ranger-hive.sh 
b/dev-support/ranger-docker/scripts/ranger-hive.sh
index d696ddfa7..403eac9fb 100755
--- a/dev-support/ranger-docker/scripts/ranger-hive.sh
+++ b/dev-support/ranger-docker/scripts/ranger-hive.sh
@@ -30,9 +30,13 @@ then
 
   echo "ssh" > /etc/pdsh/rcmd_default
 
-  ${RANGER_SCRIPTS}/ranger-hive-setup.sh
 
-  touch ${HIVE_HOME}/.setupDone
+  if "${RANGER_SCRIPTS}"/ranger-hive-setup.sh;
+  then
+touch "${HIVE_HOME}"/.setupDone
+  else
+echo "Ranger Hive Setup Script didn't complete proper execution."
+  fi
 fi
 
 cd "${HIVE_HOME}" || exit
diff --git a/dev-support/ranger-docker/scripts/ranger-kafka.sh 
b/dev-support/ranger-docker/scripts/ranger-kafka.sh
index 8be501c91..0f505eb4c 100755
--- a/dev-support/ranger-docker/scripts/ranger-kafka.sh
+++ b/dev-support/ranger-docker/scripts/ranger-kafka.sh
@@ -26,9 +26,13 @@ then
 
   echo "ssh" > /etc/pdsh/rcmd_default
 
-  ${RANGER_SCRIPTS}/ranger-kafka-setup.sh
 
-  touch ${KAFKA_HOME}/.setupDone
+  if "${RANGER_SCRIPTS}"/ranger-kafka-setup.sh;
+  then
+touch "${KAFKA_HOME}"/.setupDone
+  else
+echo "Ranger Kafka Setup Script didn't complete proper exec

[ranger] branch master updated: RANGER-3622: Docker - Enable Hive MetaStore in ranger-hive image

2022-05-09 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 118f61079 RANGER-3622: Docker - Enable Hive MetaStore in ranger-hive 
image
118f61079 is described below

commit 118f6107975599b7263cbddeb9974b9b22ee792e
Author: Abhishek Kumar 
AuthorDate: Mon May 9 12:44:52 2022 -0700

RANGER-3622: Docker - Enable Hive MetaStore in ranger-hive image
---
 dev-support/ranger-docker/Dockerfile.ranger-hive |  1 +
 dev-support/ranger-docker/scripts/ranger-hive.sh | 19 ---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/dev-support/ranger-docker/Dockerfile.ranger-hive 
b/dev-support/ranger-docker/Dockerfile.ranger-hive
index 31afe33d9..9ef89b59a 100644
--- a/dev-support/ranger-docker/Dockerfile.ranger-hive
+++ b/dev-support/ranger-docker/Dockerfile.ranger-hive
@@ -49,4 +49,5 @@ ENV HIVE_HOME   /opt/hive
 ENV HADOOP_HOME /opt/hadoop
 ENV PATH
/usr/java/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/hive/bin:/opt/hadoop/bin
 
+
 ENTRYPOINT [ "/home/ranger/scripts/ranger-hive.sh" ]
diff --git a/dev-support/ranger-docker/scripts/ranger-hive.sh 
b/dev-support/ranger-docker/scripts/ranger-hive.sh
index 0602ce2c5..d696ddfa7 100755
--- a/dev-support/ranger-docker/scripts/ranger-hive.sh
+++ b/dev-support/ranger-docker/scripts/ranger-hive.sh
@@ -35,9 +35,22 @@ then
   touch ${HIVE_HOME}/.setupDone
 fi
 
-su -c "${HIVE_HOME}/bin/hiveserver2" hive
+cd "${HIVE_HOME}" || exit
 
-HIVESERVER2_PID=`ps -ef  | grep -v grep | grep -i 
"org.apache.hive.service.server.HiveServer2" | awk '{print $2}'`
+# Start Hive MetaStore
+su -c "nohup ${HIVE_HOME}/bin/hive --service metastore > metastore.log 2>&1 &" 
hive
+
+# Start HiveServer2
+su -c "nohup ${HIVE_HOME}/bin/hiveserver2 > hive-server2.log 2>&1 &" hive
+
+sleep 10
+
+HIVE_SERVER2_PID=`ps -ef  | grep -v grep | grep -i 
"org.apache.hive.service.server.HiveServer2" | awk '{print $2}'`
 
 # prevent the container from exiting
-tail --pid=$HIVESERVER2_PID -f /dev/null
+if [ -z "$HIVE_SERVER2_PID" ]
+then
+  echo "The HiveServer2 process probably exited, no process id found!"
+else
+  tail --pid="$HIVE_SERVER2_PID" -f /dev/null
+fi
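Review bot: Only HiveServer2 is looked up after the `sleep 10`; the metastore started a few lines earlier is never checked, so the container stays up and looks healthy when the metastore failed to start. The no-PID branch also ends the script with `echo`'s status 0, so the container exits as if it had succeeded. Repeating the existing `ps -ef | grep` lookup for the metastore process and ending each failure branch with `exit 1` would surface both cases. The fixed `sleep 10` is only a guess at start-up time, and a short retry loop would be more reliable.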



[ranger] branch master updated: RANGER-3749: Fix healthcheck in mysql docker compose file

2022-05-09 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new f5e6fa8b1 RANGER-3749: Fix healthcheck in mysql docker compose file
f5e6fa8b1 is described below

commit f5e6fa8b1c12deb0b4f6bfc119d940aa42540a84
Author: Abhishek Kumar 
AuthorDate: Mon May 9 12:41:35 2022 -0700

RANGER-3749: Fix healthcheck in mysql docker compose file
---
 dev-support/ranger-docker/docker-compose.ranger-mysql.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dev-support/ranger-docker/docker-compose.ranger-mysql.yml 
b/dev-support/ranger-docker/docker-compose.ranger-mysql.yml
index 9c353d61b..0e739b766 100644
--- a/dev-support/ranger-docker/docker-compose.ranger-mysql.yml
+++ b/dev-support/ranger-docker/docker-compose.ranger-mysql.yml
@@ -11,7 +11,8 @@ services:
 networks:
   - ranger
 healthcheck:
-  test: ["CMD-SHELL", 'mysqladmin ping']
+  # Double dollar($$) is required to expand the env variable
+  test: "mysql -u root -p$$MYSQL_ROOT_PASSWORD ranger -e 'select 1' > 
/dev/null"
   interval: 10s
   timeout: 2s
   retries: 30
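Review bot: The new test passes the root password as `-p$$MYSQL_ROOT_PASSWORD`, so every probe (one per 10s interval) puts it on the `mysql` command line, where it is readable from the container's process list, and a password containing spaces or shell metacharacters would break the probe. Passing it through the environment avoids both: `test: "MYSQL_PWD=$$MYSQL_ROOT_PASSWORD mysql -u root ranger -e 'select 1' > /dev/null"`. `MYSQL_PWD` is deprecated in recent MySQL releases, so check that the image's version still honours it. A dedicated low-privilege account for the health check would be preferable to root.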



[ranger] branch master updated: RANGER-3748: Fix healthcheck command in postgres docker compose

2022-05-09 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 6e6e76519 RANGER-3748: Fix healthcheck command in postgres docker 
compose
6e6e76519 is described below

commit 6e6e765191ae5686f166e3b1df010ff34ea869a4
Author: Abhishek Kumar 
AuthorDate: Mon May 9 12:37:46 2022 -0700

RANGER-3748: Fix healthcheck command in postgres docker compose
---
 dev-support/ranger-docker/docker-compose.ranger-postgres.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev-support/ranger-docker/docker-compose.ranger-postgres.yml 
b/dev-support/ranger-docker/docker-compose.ranger-postgres.yml
index 997365fad..b9624aa21 100644
--- a/dev-support/ranger-docker/docker-compose.ranger-postgres.yml
+++ b/dev-support/ranger-docker/docker-compose.ranger-postgres.yml
@@ -10,7 +10,7 @@ services:
 networks:
   - ranger
 healthcheck:
-  test: ["CMD-SHELL", 'pg_isready -q']
+  test: 'su -c "pg_isready -q" postgres'
   interval: 10s
   timeout: 2s
   retries: 30
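Review bot: Wrapping the probe in `su -c "pg_isready -q" postgres` makes the health check depend on the probe starting as root and on `su` being present in the image. `pg_isready` accepts the role directly, so `test: ["CMD-SHELL", "pg_isready -q -U postgres"]` should give the same result without switching users. This assumes the aim of the change was to stop the probe connecting as a role that does not exist, which the hunk itself does not state.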



[ranger] branch master updated: RANGER-3738: Restructure ranger Dockerfile to use multi-stage builds

2022-04-28 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new f63aa56fa RANGER-3738: Restructure ranger Dockerfile to use 
multi-stage builds
f63aa56fa is described below

commit f63aa56fa885642b00ca58d606337cfc6c009914
Author: Abhishek Kumar 
AuthorDate: Thu Apr 28 10:41:42 2022 -0700

RANGER-3738: Restructure ranger Dockerfile to use multi-stage builds
---
 dev-support/ranger-docker/Dockerfile.ranger | 37 +
 1 file changed, 22 insertions(+), 15 deletions(-)

diff --git a/dev-support/ranger-docker/Dockerfile.ranger 
b/dev-support/ranger-docker/Dockerfile.ranger
index b11e72666..f5a1ed93f 100644
--- a/dev-support/ranger-docker/Dockerfile.ranger
+++ b/dev-support/ranger-docker/Dockerfile.ranger
@@ -13,33 +13,40 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+ARG RANGER_DB_TYPE
 
-FROM ranger-base:latest
+FROM ranger-base:latest AS ranger
 
 ARG RANGER_VERSION
 ARG RANGER_DB_TYPE
 
 COPY ./dist/version   /home/ranger/dist/
 COPY ./dist/ranger-${RANGER_VERSION}-admin.tar.gz /home/ranger/dist/
-COPY ./downloads/postgresql-42.2.16.jre7.jar  /home/ranger/dist/
-COPY ./downloads/mysql-connector-java-8.0.28.jar  /home/ranger/dist/
-COPY ./downloads/log4jdbc-1.2.jar /home/ranger/dist/
 
 COPY ./scripts/ranger.sh 
${RANGER_SCRIPTS}/
 COPY ./scripts/ranger-admin-install-${RANGER_DB_TYPE}.properties 
${RANGER_SCRIPTS}/ranger-admin-install.properties
 COPY ./scripts/create-ranger-services.py 
${RANGER_SCRIPTS}/
 
-RUN tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz 
--directory=${RANGER_HOME} && \
-ln -s ${RANGER_HOME}/ranger-${RANGER_VERSION}-admin ${RANGER_HOME}/admin 
&& \
-rm -f /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz && \
-cp -f ${RANGER_SCRIPTS}/ranger-admin-install.properties 
${RANGER_HOME}/admin/install.properties && \
-mkdir -p /var/run/ranger && \
-mkdir -p /var/log/ranger && \
-chown -R ranger:ranger ${RANGER_HOME}/admin/ /var/run/ranger/ 
/var/log/ranger/ && \
-mkdir -p /usr/share/java/ && \
-mv /home/ranger/dist/postgresql-42.2.16.jre7.jar 
/usr/share/java/postgresql.jar && \
-mv /home/ranger/dist/mysql-connector-java-8.0.28.jar 
/usr/share/java/mysql-connector.jar && \
-mv /home/ranger/dist/log4jdbc-1.2.jar 
${RANGER_HOME}/admin/ews/webapp/WEB-INF/lib/log4jdbc-1.2.jar
+RUNtar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz 
--directory=${RANGER_HOME} \
+&& ln -s ${RANGER_HOME}/ranger-${RANGER_VERSION}-admin 
${RANGER_HOME}/admin \
+&& rm -f /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz \
+&& cp -f ${RANGER_SCRIPTS}/ranger-admin-install.properties 
${RANGER_HOME}/admin/install.properties \
+&& mkdir -p /var/run/ranger \
+&& mkdir -p /var/log/ranger \
+&& chown -R ranger:ranger ${RANGER_HOME}/admin/ /var/run/ranger/ 
/var/log/ranger/ \
+&& mkdir -p /usr/share/java/
+
+FROM ranger AS ranger_postgres
+COPY ./downloads/postgresql-42.2.16.jre7.jar  /home/ranger/dist/
+RUN mv /home/ranger/dist/postgresql-42.2.16.jre7.jar 
/usr/share/java/postgresql.jar
+
+FROM ranger AS ranger_mysql
+COPY ./downloads/mysql-connector-java-8.0.28.jar  /home/ranger/dist/
+COPY ./downloads/log4jdbc-1.2.jar /home/ranger/dist/
+RUN mv /home/ranger/dist/mysql-connector-java-8.0.28.jar 
/usr/share/java/mysql-connector.jar \
+ && mv /home/ranger/dist/log4jdbc-1.2.jar 
${RANGER_HOME}/admin/ews/webapp/WEB-INF/lib/log4jdbc-1.2.jar
+
+FROM ranger_${RANGER_DB_TYPE}
 
 USER ranger
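Review bot: In the `ranger_postgres` and `ranger_mysql` stages each driver jar is copied to `/home/ranger/dist/` and then moved by a separate `RUN`, so the jar is stored once in the COPY layer and again in the layer produced by `mv`. Copying straight to the destination avoids the extra layer, for example `COPY ./downloads/postgresql-42.2.16.jre7.jar /usr/share/java/postgresql.jar`. The final `FROM ranger_${RANGER_DB_TYPE}` also has no fallback: the global `ARG RANGER_DB_TYPE` carries no default, so a build without that argument resolves to a stage named `ranger_` and stops with an unhelpful error. A comment beside the first `ARG` listing the accepted values (`postgres`, `mysql`) would make the contract visible.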
 



[ranger] branch master updated: RANGER-3705: Improve logging messages to help debug potential issues

2022-04-11 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new ffd11894d RANGER-3705: Improve logging messages to help debug 
potential issues
ffd11894d is described below

commit ffd11894d818e9067d98eb48d0cb3e929f4450a9
Author: Abhay Kulkarni 
AuthorDate: Mon Apr 11 18:36:35 2022 -0700

RANGER-3705: Improve logging messages to help debug potential issues
---
 .../RangerServiceResourceMatcher.java  |  5 
 .../plugin/policyengine/RangerResourceTrie.java| 31 +++---
 .../ranger/plugin/service/RangerBasePlugin.java| 10 +++
 3 files changed, 30 insertions(+), 16 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java
index 7b02dd6e1..9433ae1da 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java
@@ -80,4 +80,9 @@ public class RangerServiceResourceMatcher implements 
RangerPolicyResourceEvaluat
return Long.compare(me.getId(), other.getId());
}
}
+
+   @Override
+   public String toString() {
+   return String.valueOf(getId());
+   }
 }
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
index 331d6371d..70b9f6884 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
@@ -35,6 +35,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -94,9 +95,7 @@ public class RangerResourceTrie {
 }
 
 if (TRACE_LOG.isTraceEnabled()) {
-StringBuilder sb = new StringBuilder();
-root.toString("", sb);
-TRACE_LOG.trace("Trie Dump from RangerResourceTrie.copyTrie(name=" 
+ other.resourceDef.getName() + "):\n{" + sb.toString() + "}");
+TRACE_LOG.trace("Trie Dump from RangerResourceTrie.copyTrie(name=" 
+ other.resourceDef.getName() + "):\n[" + dumpTrie() + "]");
 }
 }
 
@@ -170,9 +169,7 @@ public class RangerResourceTrie {
 }
 
 if (TRACE_LOG.isTraceEnabled()) {
-StringBuilder sb = new StringBuilder();
-root.toString("", sb);
-TRACE_LOG.trace("Trie Dump from RangerResourceTrie.init(name=" + 
resourceDef.getName() + "):\n{" + sb.toString() + "}");
+TRACE_LOG.trace("Trie Dump from RangerResourceTrie.init(name=" + 
resourceDef.getName() + "):\n[" + dumpTrie() + "]");
 }
 
 if(LOG.isDebugEnabled()) {
@@ -231,9 +228,7 @@ public class RangerResourceTrie {
 RangerPerfTracer.logAlways(perf);
 
 if (TRACE_LOG.isTraceEnabled()) {
-StringBuilder sb = new StringBuilder();
-root.toString("", sb);
-TRACE_LOG.trace("Trie Dump from RangerResourceTrie.add(name=" + 
resource + "):\n{" + sb.toString() + "}");
+TRACE_LOG.trace("Trie Dump from RangerResourceTrie.add(name=" + 
resource + "):\n[" + dumpTrie() + "]");
 }
 }
 
@@ -262,9 +257,7 @@ public class RangerResourceTrie {
 RangerPerfTracer.logAlways(perf);
 
 if (TRACE_LOG.isTraceEnabled()) {
-StringBuilder sb = new StringBuilder();
-root.toString("", sb);
-TRACE_LOG.trace("Trie Dump from RangerResourceTrie.delete(name=" + 
resource + "):\n{" + sb.toString() + "}");
+TRACE_LOG.trace("Trie Dump from RangerResourceTrie.delete(name=" + 
resource + "):\n[" + dumpTrie()+ "]");
 }
 }
 
@@ -272,13 +265,19 @@ public class RangerResourceTrie {
 if (root != null) {
 root.wrapUpUpdate();
 if (TRACE_LOG.isTraceEnabled()) {
-StringBuilder sb = new StringBuilder();
-root.toString("", sb);
-TRACE_LOG.trace("Trie Dump from 
RangerResourceTrie.wrapUpUpdate(name=" + resourceDef.getName() + "):\n{" + 
sb.toString() + "}");
+ 

[ranger] branch master updated: RANGER-3663: RangerBizUtil.checkAdminAccess() should return false if user-session is not available

2022-03-11 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new e6bb82b  RANGER-3663: RangerBizUtil.checkAdminAccess() should return 
false if user-session is not available
e6bb82b is described below

commit e6bb82b8c192707a7f60bc190819a17ee335a3a0
Author: Abhay Kulkarni 
AuthorDate: Fri Mar 11 15:11:29 2022 -0800

RANGER-3663: RangerBizUtil.checkAdminAccess() should return false if 
user-session is not available
---
 .../src/main/java/org/apache/ranger/biz/RangerBizUtil.java | 10 ++
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 1ec1df0..6237c0c 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -1537,14 +1537,8 @@ public class RangerBizUtil {
 
public boolean checkAdminAccess() {
UserSessionBase currentUserSession = 
ContextUtil.getCurrentUserSession();
-   if (currentUserSession != null) {
-   return currentUserSession.isUserAdmin();
-   } else {
-   VXResponse vXResponse = new VXResponse();
-   
vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-   vXResponse.setMsgDesc("Bad Credentials");
-   throw restErrorUtil.generateRESTException(vXResponse);
-   }
+
+   return currentUserSession != null && 
currentUserSession.isUserAdmin();
}
 
 }
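Review bot: `checkAdminAccess()` now returns false both for a request with no user session and for a signed-in non-admin, so callers can no longer tell the two cases apart, and the method has no Javadoc stating the new contract. Returning false is the fail-closed choice, but any caller that relied on the removed `generateRESTException` path to answer 401 for a missing session must now reject the request itself when the result is false; those callers are outside this hunk and worth checking. I would add `/** Returns true only when a user session exists and that user is an admin; a missing session yields false and no exception is thrown. */` above the method. If `VXResponse` and `HttpServletResponse` were imported only for the removed branch, those imports can go as well.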


[ranger] branch master updated: RANGER-3584: ServiceTags are not computed correctly by applying incremental changes to existing ServiceTags

2022-01-12 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 47617bb  RANGER-3584: ServiceTags are not computed correctly by 
applying incremental changes to existing ServiceTags
47617bb is described below

commit 47617bb0610bd7a3c722e7ffd4718255ae9041b0
Author: Abhay Kulkarni 
AuthorDate: Wed Jan 12 16:19:19 2022 -0800

RANGER-3584: ServiceTags are not computed correctly by applying incremental 
changes to existing ServiceTags
---
 .../java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java
index 088b2b8..00e8d86 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java
@@ -88,10 +88,13 @@ public class RangerServiceTagsDeltaUtil {
 
 if (cachedTagId == null) {
 serviceTags.cachedTags.put(tag, tagId);
+tags.put(tagId, tag);
 } else {
 replacedIds.put(tagId, cachedTagId);
 deltaTagIter.remove();
 }
+} else {
+tags.put(tagId, tag);
 }
 }
 }
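Review bot: The two added `tags.put(tagId, tag);` calls sit in different branches with no comment saying why the branch that records `replacedIds` is the only one that must not add the tag, and the commit changes this single file without a test for the delta case it fixes. A line such as `// keep the delta tag unless it duplicates a cached tag; duplicates are remapped through replacedIds` above the first put would record the intent, with the wording to be confirmed against the enclosing loop, which starts outside this hunk. These maps presumably feed tag-based policy evaluation, so a regression test that applies a delta and compares the result with a full rebuild would be a useful guard.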


[ranger] branch master updated: RANGER-3578: Simplify code for policy label creation

2022-01-08 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new ba917a6  RANGER-3578: Simplify code for policy label creation
ba917a6 is described below

commit ba917a683dae46e534e4da388128d3eb9ab97af9
Author: Abhay Kulkarni 
AuthorDate: Sat Jan 8 11:45:50 2022 -0800

RANGER-3578: Simplify code for policy label creation
---
 .../java/org/apache/ranger/biz/ServiceDBStore.java | 63 ++--
 .../ranger/service/RangerPolicyLabelHelper.java| 68 --
 2 files changed, 46 insertions(+), 85 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 85adda5..6ed0800 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -62,7 +62,6 @@ import org.apache.poi.ss.usermodel.Workbook;
 import org.apache.ranger.audit.provider.MiscUtil;
 import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig;
 import org.apache.ranger.authorization.utils.JsonUtils;
-import org.apache.ranger.biz.ServiceDBStore.METRIC_TYPE;
 import org.apache.ranger.common.AppConstants;
 import org.apache.ranger.common.ContextUtil;
 import org.apache.ranger.common.GUIDUtil;
@@ -170,7 +169,6 @@ import org.apache.ranger.rest.ServiceREST;
 import org.apache.ranger.rest.TagREST;
 import org.apache.ranger.service.RangerAuditFields;
 import org.apache.ranger.service.RangerDataHistService;
-import org.apache.ranger.service.RangerPolicyLabelHelper;
 import org.apache.ranger.service.RangerPolicyLabelsService;
 import org.apache.ranger.service.RangerPolicyService;
 import org.apache.ranger.service.RangerPolicyWithAssignedIdService;
@@ -285,9 +283,6 @@ public class ServiceDBStore extends AbstractServiceStore {
 RangerPolicyLabelsService policyLabelsService;
 
@Autowired
-   RangerPolicyLabelHelper policyLabelsHelper;
-
-   @Autowired
XUserService xUserService;
 
@Autowired
@@ -2072,24 +2067,58 @@ public class ServiceDBStore extends 
AbstractServiceStore {
 
for (String policyLabel : uniquePolicyLabels) {
//check and create new label If does not exist
+   if (StringUtils.isNotEmpty(policyLabel)) {
+   
transactionSynchronizationAdapter.executeOnTransactionCommit(new 
AssociatePolicyLabel(policyLabel, xPolicy));
+   }
+   }
+
+   if (LOG.isDebugEnabled()) {
+   LOG.debug("<== ServiceDBStore.createOrMapLabels()");
+   }
+   }
+
+   private class AssociatePolicyLabel implements Runnable {
+   private String   policyLabel;
+   private XXPolicy xPolicy;
+
+   AssociatePolicyLabel(String policyLabel, XXPolicy xPolicy) {
+   this.policyLabel = policyLabel;
+   this.xPolicy = xPolicy;
+   }
+
+   @Override
+   public void run() {
+   getOrCreateLabel();
+   }
+
+   private void getOrCreateLabel() {
+   if (LOG.isDebugEnabled()) {
+   LOG.debug("==> 
AssociatePolicyLabel.getOrCreateLabel(policyId=" + xPolicy.getId() + ", label=" 
+ policyLabel + ")");
+   }
+
XXPolicyLabel xxPolicyLabel = 
daoMgr.getXXPolicyLabels().findByName(policyLabel);
-   if(xxPolicyLabel == null) {
-   synchronized(this) {
-   xxPolicyLabel  = 
policyLabelsHelper.createNewOrGetLabel(policyLabel, xPolicy);
+
+   if (xxPolicyLabel == null) {
+   xxPolicyLabel = 
daoMgr.getXXPolicyLabels().findByName(policyLabel);
+
+   if (xxPolicyLabel == null) {
+   xxPolicyLabel = new XXPolicyLabel();
+   
xxPolicyLabel.setPolicyLabel(policyLabel);
+   xxPolicyLabel = 
rangerAuditFields.populateAuditFieldsForCreate(xxPolicyLabel);
+   xxPolicyLabel = 
daoMgr.getXXPolicyLabels().create(xxPolicyLabel);
}
}
-   //label mapping with policy
-   if (xxPolicyLabel.getId() != null) {
+
+   if (xxPolicyLabel != null) {
XXPolicyLabelMap xxPolicyLabelMap = new 
XXPolicyLabelMap();

[ranger] branch master updated: RANGER-3573: Add vim in docker base image

2022-01-05 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 7fd191e  RANGER-3573: Add vim in docker base image
7fd191e is described below

commit 7fd191e9e3f236807e0a69c31dd881269d550025
Author: Abhishek Kumar 
AuthorDate: Wed Jan 5 15:51:09 2022 -0800

RANGER-3573: Add vim in docker base image
---
 dev-support/ranger-docker/Dockerfile.ranger-base | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev-support/ranger-docker/Dockerfile.ranger-base 
b/dev-support/ranger-docker/Dockerfile.ranger-base
index 688eed4..a4bb900 100644
--- a/dev-support/ranger-docker/Dockerfile.ranger-base
+++ b/dev-support/ranger-docker/Dockerfile.ranger-base
@@ -19,7 +19,7 @@ FROM ubuntu:20.04
 
 # Install tzdata, Python, Java, python-requests
 RUN apt-get update && \
-DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata \
+DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata vim\
 python3 python3-pip openjdk-8-jdk bc iputils-ping ssh pdsh && \
 pip3 install apache-ranger && \
 pip3 install requests
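Review bot: On the changed line `vim\` has no space before the continuation backslash, so the package list parses correctly only as long as the next line keeps its leading indentation; `apt-get -y install tzdata vim \` is the safer spelling. The comment above the `RUN` still lists only tzdata, Python, Java and python-requests and should mention the editor. Because this is the base image for the other Ranger images, that comment is also the place to say that vim is a debugging convenience and not a runtime requirement.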


[ranger] branch master updated: RANGER-3562: Redesign post commit tasks for updating ref-tables when policy/role is updated - Part 2

2022-01-05 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new dd7c773  RANGER-3562: Redesign post commit tasks for updating 
ref-tables when policy/role is updated - Part 2
dd7c773 is described below

commit dd7c773dee6d8f15ffcb14304d71b79c29fdf082
Author: Abhay Kulkarni 
AuthorDate: Wed Jan 5 15:24:39 2022 -0800

RANGER-3562: Redesign post commit tasks for updating ref-tables when 
policy/role is updated - Part 2
---
 .../java/org/apache/ranger/biz/PolicyRefUpdater.java   | 18 +++---
 .../java/org/apache/ranger/biz/RoleRefUpdater.java | 18 +++---
 .../resources/stability-tests/ranger-policy/app.conf   |  6 +++---
 .../resources/stability-tests/ranger-policy/start.sh   |  2 +-
 4 files changed, 10 insertions(+), 34 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
index f8f0ee9..b1f331b 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
@@ -176,11 +176,7 @@ public class PolicyRefUpdater {
continue;
}
PolicyPrincipalAssociator associator = new 
PolicyPrincipalAssociator(PRINCIPAL_TYPE.ROLE, role, xPolicy);
-   if (associator.doAssociate(false)) {
-   if (LOG.isDebugEnabled()) {
-   LOG.debug("Role name: " + role + " 
specified in policy does not exist in ranger admin.");
-   }
-   } else {
+   if (!associator.doAssociate(false)) {
if (isAdmin) {

rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
} else {
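Review bot: After this change the role, group and user loops contain the same block, `if (!associator.doAssociate(false)) { if (isAdmin) { ...executeOnTransactionCommit(associator); } else { ... } }`, in this hunk and the two that follow it, differing only in the `PRINCIPAL_TYPE` and the name passed to the associator. A private helper taking the type and the name would keep the three paths from drifting apart, which matters because the non-admin branch, outside these hunks, decides what happens to a principal that could not be associated. The meaning of the boolean returned by `doAssociate(false)` is also not evident at the call site; a comment such as `// false: not associated in-line, defer or reject below` would help, with the wording to be confirmed against `doAssociate`.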
@@ -200,11 +196,7 @@ public class PolicyRefUpdater {
}
 
PolicyPrincipalAssociator associator = new 
PolicyPrincipalAssociator(PRINCIPAL_TYPE.GROUP, group, xPolicy);
-   if (associator.doAssociate(false)) {
-   if (LOG.isDebugEnabled()) {
-   LOG.debug("Group name: " + group + " 
specified in policy does not exist in ranger admin.");
-   }
-   } else {
+   if (!associator.doAssociate(false)) {
if (isAdmin) {

rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
} else {
@@ -221,11 +213,7 @@ public class PolicyRefUpdater {
continue;
}
PolicyPrincipalAssociator associator = new 
PolicyPrincipalAssociator(PRINCIPAL_TYPE.USER, user, xPolicy);
-   if (associator.doAssociate(false)) {
-   if (LOG.isDebugEnabled()) {
-   LOG.debug("User name: " + user + " 
specified in policy does not exist in ranger admin.");
-   }
-   } else {
+   if (!associator.doAssociate(false)) {
if (isAdmin) {

rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
} else {
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java
index 0e5ccd3..6ada7ee 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java
@@ -107,11 +107,7 @@ public class RoleRefUpdater {
}
RolePrincipalAssociator associator = new 
RolePrincipalAssociator(PolicyRefUpdater.PRINCIPAL_TYPE.USER, roleUser, roleId);
 
-   if (associator.doAssociate(false)) {
-   if (LOG.isDebugEnabled()) {
-   LOG.debug("User name: " + 
roleUser + " specified in role does not exist in ranger admin.");
-   }
-   } else {
+   if (!associator.doAssoci

[ranger] branch master updated: RANGER-3562: Redesign post commit tasks for updating ref-tables when policy/role is updated

2022-01-03 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new df07b0d  RANGER-3562: Redesign post commit tasks for updating 
ref-tables when policy/role is updated
df07b0d is described below

commit df07b0da94dced97e6022b1d0d243c8b2e358803
Author: Abhay Kulkarni 
AuthorDate: Mon Jan 3 18:38:55 2022 -0800

RANGER-3562: Redesign post commit tasks for updating ref-tables when 
policy/role is updated
---
 .../main/java/org/apache/ranger/biz/AssetMgr.java  |  18 +-
 .../org/apache/ranger/biz/PolicyRefUpdater.java| 474 ++---
 .../java/org/apache/ranger/biz/RoleRefUpdater.java | 395 +
 .../ranger/service/RangerPluginActivityLogger.java |  15 +-
 .../service/TestRangerPluginActivityLogger.java|   3 +-
 5 files changed, 436 insertions(+), 469 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 
b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
index 36f137e..08255b3 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
@@ -48,6 +48,7 @@ import org.apache.ranger.common.RangerCommonEnums;
 import org.apache.ranger.common.RangerConstants;
 import org.apache.ranger.common.SearchCriteria;
 import org.apache.ranger.common.StringUtil;
+import org.apache.ranger.common.db.RangerTransactionSynchronizationAdapter;
 import org.apache.ranger.db.RangerDaoManager;
 import org.apache.ranger.elasticsearch.ElasticSearchAccessAuditsService;
 import org.apache.ranger.entity.XXPermMap;
@@ -121,7 +122,7 @@ public class AssetMgr extends AssetMgrBase {
XPolicyService xPolicyService;
 
@Autowired
-   RangerPluginActivityLogger activityLogger;
+   RangerTransactionSynchronizationAdapter 
transactionSynchronizationAdapter;
 
@Autowired
RangerPluginInfoService pluginInfoService;
@@ -663,7 +664,7 @@ public class AssetMgr extends AssetMgrBase {
 
}
};
-   
activityLogger.commitAfterTransactionComplete(commitWork);
+   
transactionSynchronizationAdapter.executeOnTransactionCompletion(commitWork);
}
} else {
ret = 
rangerDaoManager.getXXPolicyExportAudit().create(xXPolicyExportAudit);
@@ -733,6 +734,7 @@ public class AssetMgr extends AssetMgrBase {
}
 
final boolean isTagVersionResetNeeded;
+   final Runnable commitWork;
 
if (httpCode == HttpServletResponse.SC_NOT_MODIFIED) {
// Create or update PluginInfo record after transaction 
is completed. If it is created in-line here
@@ -757,15 +759,13 @@ public class AssetMgr extends AssetMgrBase {
break;
}
 
-   Runnable commitWork = new Runnable() {
+   commitWork = new Runnable() {
@Override
public void run() {

doCreateOrUpdateXXPluginInfo(pluginInfo, entityType, isTagVersionResetNeeded, 
clusterName);
}
};
-   
activityLogger.commitAfterTransactionComplete(commitWork);
} else if (httpCode == HttpServletResponse.SC_NOT_FOUND) {
-   Runnable commitWork;
if ((isPolicyDownloadRequest(entityType) && 
(pluginInfo.getPolicyActiveVersion() == null || 
pluginInfo.getPolicyActiveVersion() == -1))
|| (isTagDownloadRequest(entityType) && 
(pluginInfo.getTagActiveVersion() == null || pluginInfo.getTagActiveVersion() 
== -1))
|| (isRoleDownloadRequest(entityType) 
&& (pluginInfo.getRoleActiveVersion() == null || 
pluginInfo.getRoleActiveVersion() == -1))
@@ -784,12 +784,16 @@ public class AssetMgr extends AssetMgrBase {
}
};
}
-   
activityLogger.commitAfterTransactionComplete(commitWork);
-
} else {
isTagVersionResetNeeded = false;
+   commitWork = null;
doCreateOrUpdateXXPluginInfo(pluginInfo, entityType, 
isTagVersionResetNeeded, clusterName);
}
+
+   if (commitWork != null) {
+   
transactionSynchronizationAdapter.executeOnTransactionCompletion(commitWork);
+   }
+
if (logger.isDebugEnabled()) {

[ranger] branch master updated: RANGER-3554: [Intermittent] API call to fetch the list of policies for a particular service repo returns a deleted policy in the response - Part 2"

2021-12-18 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 993cf0d  RANGER-3554: [Intermittent] API call to fetch the list of 
policies for a particular service repo returns a deleted policy in the response 
- Part 2"
993cf0d is described below

commit 993cf0d9a98a2ea8f01d1fbbd3d6a1177a8887ca
Author: Abhay Kulkarni 
AuthorDate: Sat Dec 18 14:57:18 2021 -0800

RANGER-3554: [Intermittent] API call to fetch the list of policies for a 
particular service repo returns a deleted policy in the response - Part 2"
---
 .../ranger/common/db/RangerTransactionSynchronizationAdapter.java| 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java
 
b/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java
index ed84462..0f3f311 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java
@@ -123,13 +123,14 @@ public class RangerTransactionSynchronizationAdapter 
extends TransactionSynchron
 List runnablesAfterCommit = RUNNABLES_AFTER_COMMIT.get();
 RUNNABLES_AFTER_COMMIT.remove();
 
+List runnables = RUNNABLES.get();
+RUNNABLES.remove();
+
 if (isParentTransactionCommitted) {
 // Run tasks scheduled to run after transaction is successfully 
committed
 runRunnables(runnablesAfterCommit, true);
 }
 
-List runnables = RUNNABLES.get();
-RUNNABLES.remove();
 // Run other tasks scheduled to run after transaction completes
 runRunnables(runnables, false);
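Review bot: The reordering carries no comment explaining why `RUNNABLES` must be read and cleared before `runRunnables(runnablesAfterCommit, true)` runs, and the same holds for the hunk of commit 7406d2d further down the page, which hoists `RUNNABLES_AFTER_COMMIT.get()` and `remove()` out of the `if`. Presumably the intent is that both thread-locals are emptied on every completion, including rollback, and before any task runs, so that nothing queued by one transaction stays on the thread for the next. I would state that above the two `get()`/`remove()` pairs, for example `// Snapshot and clear both thread-locals before running any task, whether or not the transaction committed`. The enclosing method starts outside the hunk.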
 


[ranger] branch master updated: RANGER-3556: Ranger tagsync logs unnecessary messages

2021-12-17 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new d6f0196  RANGER-3556: Ranger tagsync logs unnecessary messages
d6f0196 is described below

commit d6f0196bcbde1c0202ee978ebd007003911842f9
Author: Abhay Kulkarni 
AuthorDate: Fri Dec 17 11:56:04 2021 -0800

RANGER-3556: Ranger tagsync logs unnecessary messages
---
 .../org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java| 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
index e9fe02f..41ef181 100644
--- 
a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
+++ 
b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
@@ -190,7 +190,9 @@ public class AtlasTagSource extends AbstractTagSource {

List> newMessages = 
consumer.receive(MAX_WAIT_TIME_IN_MILLIS);
 
if (newMessages.size() == 0) {
-   
LOG.info("AtlasTagSource.ConsumerRunnable.run: no message from 
NotificationConsumer within " + MAX_WAIT_TIME_IN_MILLIS + " milliseconds");
+   if (LOG.isDebugEnabled()) {
+   
LOG.debug("AtlasTagSource.ConsumerRunnable.run: no message from 
NotificationConsumer within " + MAX_WAIT_TIME_IN_MILLIS + " milliseconds");
+   }
if 
(CollectionUtils.isNotEmpty(atlasEntitiesWithTags)) {

buildAndUploadServiceTags();
}
@@ -274,7 +276,9 @@ public class AtlasTagSource extends AbstractTagSource {
updateSink(entry.getValue());
}
offsetOfLastMessageDeliveredToRanger = 
messages.get(messages.size()-1).getOffset();
-   LOG.info("Completed processing batch of 
messages of size:[" + messages.size() + "] received from NotificationConsumer");
+   if (LOG.isDebugEnabled()) {
+   LOG.debug("Completed processing batch 
of messages of size:[" + messages.size() + "] received from 
NotificationConsumer");
+   }
 
commitToKafka();
}


[ranger] branch master updated: RANGER-3554: [Intermittent] API call to fetch the list of policies for a particular service repo returns a deleted policy in the response

2021-12-15 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 7406d2d  RANGER-3554: [Intermittent] API call to fetch the list of 
policies for a particular service repo returns a deleted policy in the response
7406d2d is described below

commit 7406d2d04d473d0dbacb39b9d75d883768a44cea
Author: Abhay Kulkarni 
AuthorDate: Wed Dec 15 21:18:56 2021 -0800

RANGER-3554: [Intermittent] API call to fetch the list of policies for a 
particular service repo returns a deleted policy in the response
---
 .../ranger/common/db/RangerTransactionSynchronizationAdapter.java| 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java
 
b/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java
index 6c4902b..ed84462 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java
@@ -120,9 +120,10 @@ public class RangerTransactionSynchronizationAdapter 
extends TransactionSynchron
 
 final boolean isParentTransactionCommitted = status == 
STATUS_COMMITTED;
 
+List runnablesAfterCommit = RUNNABLES_AFTER_COMMIT.get();
+RUNNABLES_AFTER_COMMIT.remove();
+
 if (isParentTransactionCommitted) {
-List runnablesAfterCommit = RUNNABLES_AFTER_COMMIT.get();
-RUNNABLES_AFTER_COMMIT.remove();
 // Run tasks scheduled to run after transaction is successfully 
committed
 runRunnables(runnablesAfterCommit, true);
 }


[ranger] branch master updated: RANGER-3548: Update performance engine test scripts

2021-12-13 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 3b32ec7  RANGER-3548: Update performance engine test scripts
3b32ec7 is described below

commit 3b32ec719e89748f7478e64d5df448d22bfbf5b5
Author: Abhay Kulkarni 
AuthorDate: Mon Dec 13 12:58:22 2021 -0800

RANGER-3548: Update performance engine test scripts
---
 distro/src/main/assembly/ranger-tools.xml |  6 +
 ranger-tools/scripts/create_tags_file.sh  | 43 +++
 ranger-tools/scripts/gen_service_tags.sh  | 38 ++-
 3 files changed, 63 insertions(+), 24 deletions(-)

diff --git a/distro/src/main/assembly/ranger-tools.xml 
b/distro/src/main/assembly/ranger-tools.xml
index 1eb9104..b8713d8 100644
--- a/distro/src/main/assembly/ranger-tools.xml
+++ b/distro/src/main/assembly/ranger-tools.xml
@@ -158,5 +158,11 @@
   gen_service_policies.sh
   755
 
+
+  
${project.parent.basedir}/ranger-tools/scripts/create_tags_file.sh
+  
+  create_tags_file.sh
+  755
+
   
 
diff --git a/ranger-tools/scripts/create_tags_file.sh 
b/ranger-tools/scripts/create_tags_file.sh
new file mode 100755
index 000..ad4410d
--- /dev/null
+++ b/ranger-tools/scripts/create_tags_file.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+echo_stderr ()
+{
+echo "$@" >&2
+}
+
+
+if [ $# -ne 5 ]
+then
+echo_stderr "usage: $0
 "
+exit 1
+fi
+
+service_name=$1
+num_of_tags=$2
+initial_id=$3
+output_file=$4
+seconds_to_sleep=$5
+
+echo_stderr "$0 $service_name $num_of_tags $initial_id $output_file 
$seconds_to_sleep"
+
+while true
+do
+   ./gen_service_tags.sh ${service_name} ${num_of_tags} ${initial_id} > 
/tmp/$$-${output_file}
+   mv /tmp/$$-${output_file} ${output_file}
+   ((initial_id+=${num_of_tags}))
+   sleep ${seconds_to_sleep}
+done
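Review bot: The loop stages its output in `/tmp/$$-${output_file}`, a predictable name in a shared directory, and every expansion on those two lines is unquoted. On a multi-user host another local account can pre-create that path (for example as a symlink), and an `output_file` containing a directory component or a space breaks both the redirect and the `mv`. Staging next to the destination with `mktemp` avoids both and keeps the `mv` a same-filesystem rename: `tmp_file=$(mktemp "${output_file}.XXXXXX") || exit 1`, then `./gen_service_tags.sh "${service_name}" "${num_of_tags}" "${initial_id}" > "${tmp_file}" && mv "${tmp_file}" "${output_file}"`. The `&&` also stops a failed generator run from replacing the previous good file.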
diff --git a/ranger-tools/scripts/gen_service_tags.sh 
b/ranger-tools/scripts/gen_service_tags.sh
index 9a81a0a..c36e4cd 100755
--- a/ranger-tools/scripts/gen_service_tags.sh
+++ b/ranger-tools/scripts/gen_service_tags.sh
@@ -19,28 +19,17 @@ echo_stderr ()
 echo "$@" >&2
 }
 
-if [ $# -ne 2 ]
+if [ $# -ne 3 ]
 then
-   echo_stderr "usage: $0  "
+   echo_stderr "usage: $0   
"
+   exit 1
 fi
 
-service_name=cm_hive
-num_of_service_resources=1
+service_name=$1
+num_of_service_resources=$2
+initial_id=$3
 
-if [ $# -ge 1 ]
-then
-   service_name=$1
-   echo_stderr "service_name=${service_name}, 
num_of_service_resources=${num_of_service_resources}"
-   if [ $# -ge 2 ]
-   then
-   num_of_service_resources=$2
-   else
-   echo_stderr "service_name=${service_name}, Assuming 
num_of_service_resources=${num_of_service_resources}"
-   fi
-else
-   echo_stderr "Assuming service_name=${service_name}, 
num_of_service_resources=${num_of_service_resources}"
-
-fi
+echo_stderr "Assuming service_name=${service_name}, 
num_of_service_resources=${num_of_service_resources} initial_id=${initial_id}"
 
 echo "{
   \"op\": \"add_or_update\",
@@ -65,8 +54,8 @@ echo "{
 }
   },
   \"tags\": {"
-for ((i = 1; i <= $num_of_service_resources; i++)); do
-if [ $i -ne 1 ]
+for ((i = ${initial_id}; i < ${initial_id} + $num_of_service_resources; i++)); 
do
+if [ $i -ne ${initial_id} ]
 then
  echo "  ,"
 fi
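Review bot: `initial_id` and `num_of_service_resources` go from `$3`/`$2` straight into the arithmetic `for ((...))` header here and in the `serviceResources` loop of the next hunk, with no check that they are numbers. Bash evaluates arithmetic operands as expressions, so a non-numeric argument is interpreted rather than rejected, and at best yields an empty or malformed JSON document. A guard right after the assignments would fail fast: `[[ ${initial_id} =~ ^[0-9]+$ && ${num_of_service_resources} =~ ^[0-9]+$ ]] || { echo_stderr "arguments must be non-negative integers"; exit 1; }`. The loop body continues outside this hunk.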
@@ -82,8 +71,8 @@ for ((i = 1; i <= $num_of_service_resources; i++)); do
 done
   echo "  },"
 echo "  \"serviceResources\": ["
-for ((i = 1; i <= $num_of_service_resources; i++)); do
-if [ $i -ne 1 ]
+for ((i = ${initial_id}; i < ${initial_id} + $num_of_service_resources; i++)); 
do
+if [ $i -ne ${initial_id} ]
 then
echo "  ,"
 fi
@@ -91,14 +80,15 @@ for ((i = 1; i <= $num_of_service_resources; i++)); do
 \"

[ranger] branch master updated: RANGER-3538: Reduce the granularity of locking when building/retrieving a policy-engine within Ranger admin service

2021-12-07 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new d3af747  RANGER-3538: Reduce the granularity of locking when 
building/retrieving a policy-engine within Ranger admin service
d3af747 is described below

commit d3af7476dcab3719b8a75b506b10400640f3bf3e
Author: Abhay Kulkarni 
AuthorDate: Tue Dec 7 16:58:25 2021 -0800

RANGER-3538: Reduce the granularity of locking when building/retrieving a 
policy-engine within Ranger admin service
---
 .../apache/ranger/biz/RangerPolicyAdminCache.java  | 124 +
 .../RangerPolicyAdminCacheForEngineOptions.java|  15 ++-
 2 files changed, 89 insertions(+), 50 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
index 5a69231..47fa99c 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
@@ -22,6 +22,8 @@ package org.apache.ranger.biz;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.concurrent.locks.Lock;
+import java.util.concurrent.locks.ReentrantLock;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -37,9 +39,25 @@ import org.apache.ranger.plugin.util.RangerRoles;
 import org.apache.ranger.plugin.util.ServicePolicies;
 
 public class RangerPolicyAdminCache {
+
+   static class RangerPolicyAdminWrapper {
+   final RangerPolicyAdmin policyAdmin;
+   final Lock  lock = new ReentrantLock();
+
+   RangerPolicyAdminWrapper(RangerPolicyAdmin policyAdmin) {
+   this.policyAdmin = policyAdmin;
+   }
+   RangerPolicyAdmin getPolicyAdmin() {
+   return policyAdmin;
+   }
+   Lock getLock() {
+   return lock;
+   }
+   }
+
private static final Log LOG = 
LogFactory.getLog(RangerPolicyAdminCache.class);
 
-   private final Map policyAdminCache = 
Collections.synchronizedMap(new HashMap<>());
+   private final Map policyAdminCache = 
Collections.synchronizedMap(new HashMap<>());
 
final RangerPolicyAdmin getServicePoliciesAdmin(String serviceName, 
ServiceStore svcStore, RoleStore roleStore, SecurityZoneStore zoneStore, 
RangerPolicyEngineOptions options) {
 
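Review bot: `RangerPolicyAdminWrapper` carries a `ReentrantLock`, but nothing in the class says which state it guards or who must hold it, and both fields are package-visible as well as exposed through getters. I would make them `private final` and add a class comment along the lines of `// Pairs a cached RangerPolicyAdmin with the lock that must be held while that engine is rebuilt or updated`. That wording is inferred from the commit title, so adjust it to the actual locking protocol. `getServicePoliciesAdmin` starts in this hunk and its body continues outside it.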
@@ -49,13 +67,13 @@ public class RangerPolicyAdminCache {
return null;
}
 
-   RangerPolicyAdmin ret = policyAdminCache.get(serviceName);
-
longpolicyVersion;
longroleVersion;
RangerRoles roles;
boolean isRolesUpdated = true;
 
+   RangerPolicyAdminWrapper ret = 
policyAdminCache.get(serviceName);
+
try {
if (ret == null) {
policyVersion = -1L;
@@ -68,8 +86,8 @@ public class RangerPolicyAdminCache {
}
}
} else {
-   policyVersion = ret.getPolicyVersion();
-   roleVersion   = ret.getRoleVersion();
+   policyVersion = 
ret.getPolicyAdmin().getPolicyVersion();
+   roleVersion   = 
ret.getPolicyAdmin().getRoleVersion();
roles = roleStore.getRoles(serviceName, 
roleVersion);
 
if (roles == null) { // No changes to roles
@@ -82,70 +100,88 @@ public class RangerPolicyAdminCache {
 
if (policies != null) {
ret = addOrUpdatePolicyAdmin(ret, policies, 
roles, options);
-   } else {
+
if (ret == null) {
-   LOG.error("getPolicyAdmin(" + 
serviceName + "): failed to get any policies from service-store");
+   LOG.error("getPolicyAdmin(" + 
serviceName + "): failed to build engine from policies from service-store");
} else {
if (isRolesUpdated) {
-   ret.setRoles(roles);
+   
ret.getPolicyAdmin().setRoles(roles);
}
}
}
} catch (Exception exception) {
LOG.error("g

[ranger] branch master updated: RANGER-3535: A delegate admin user should be able to add another user with all or subset of permissions they have

2021-12-03 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 695bedd  RANGER-3535: A delegate admin user should be able to add 
another user with all or subset of permissions they have
695bedd is described below

commit 695bedd07b4f58aef4f5747393c06d83c8805438
Author: Abhay Kulkarni 
AuthorDate: Fri Dec 3 15:01:01 2021 -0800

RANGER-3535: A delegate admin user should be able to add another user with 
all or subset of permissions they have
---
 .../model/RangerPolicyResourceSignature.java   |   4 +-
 .../apache/ranger/biz/RangerPolicyAdminImpl.java   | 244 +
 2 files changed, 205 insertions(+), 43 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
index c84d0bc..77b274e 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
@@ -175,10 +175,10 @@ public class RangerPolicyResourceSignature {
 
}
 
-   static class ResourceSerializer {
+   static public class ResourceSerializer {
final RangerPolicyResource _policyResource;
 
-   ResourceSerializer(RangerPolicyResource policyResource) {
+   public ResourceSerializer(RangerPolicyResource policyResource) {
_policyResource = policyResource;
}
 
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index 5311a54..6dbc59f 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -27,6 +27,7 @@ import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.PolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
@@ -59,6 +60,7 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.TreeMap;
 
 public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
 private static final Log LOG = 
LogFactory.getLog(RangerPolicyAdminImpl.class);
@@ -176,22 +178,7 @@ public class RangerPolicyAdminImpl implements 
RangerPolicyAdmin {
 
 @Override
 public boolean isDelegatedAdminAccessAllowedForModify(RangerPolicy policy, 
String user, Set userGroups, Set roles, Map 
evalContext) {
-boolean ret = isDelegatedAdminAccessAllowed(policy, user, userGroups, 
roles, false, evalContext);
-if (ret) {
-// Get old policy from policy-engine
-RangerPolicy oldPolicy = null;
-if (policy.getId() != null) {
-try {
-oldPolicy = serviceDBStore.getPolicy(policy.getId());
-} catch (Exception e) {
-// Ignore
-}
-}
-if (oldPolicy != null) {
-ret = isDelegatedAdminAccessAllowed(oldPolicy, user, 
userGroups, roles, false, evalContext);
-}
-}
-return ret;
+return isDelegatedAdminAccessAllowed(policy, user, userGroups, roles, 
false, evalContext);
 }
 
 boolean isDelegatedAdminAccessAllowed(RangerPolicy policy, String user, 
Set userGroups, Set roles, boolean isRead, Map 
evalContext) {
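Review bot: `isDelegatedAdminAccessAllowedForModify` no longer checks the stored policy itself, and nothing at this call site says where that check went. The `else` branch added in the next hunk starts with `// Get old policy`, which suggests the check moved into `isDelegatedAdminAccessAllowed` for `isRead == false`, but that branch is cut off on this page. Since this is an authorization decision, a Javadoc line on the method would help, e.g. `/** Modify is allowed only if the caller is a delegated admin for both the submitted policy and the currently stored one; the stored-policy check is done in isDelegatedAdminAccessAllowed. */`. Confirm that wording against the full method before committing it.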
@@ -217,46 +204,104 @@ public class RangerPolicyAdminImpl implements 
RangerPolicyAdmin {
 final RangerPolicyRepository matchedRepository = 
policyEngine.getRepositoryForMatchedZone(policy);
 
 if (matchedRepository != null) {
-// RANGER-3082
-// Convert policy resources to by substituting macros with 
ASTERISK
-Map modifiedPolicyResources = 
getPolicyResourcesWithMacrosReplaced(policy.getResources(), 
wildcardEvalContext);
-Set accessTypes = getAllAccessTypes(policy, 
getServiceDef());
+if (isRead) {
+Set accessTypes = getAllAccessTypes(policy, 
getServiceDef());
+ret = 
isDelegatedAdminAccessAllowedForPolicy(matchedRepository, policy, user, 
userGroups, roles, accessTypes, true, evalContext);
+} else {
+// Get old policy

[ranger] branch master updated: RANGER-3519: Provide an option to optimize space needed by Trie objects - Part 2

2021-12-02 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 5852efd  RANGER-3519: Provide an option to optimize space needed by 
Trie objects - Part 2
5852efd is described below

commit 5852efde1cba728ad580231ad02145ea72861186
Author: Abhay Kulkarni 
AuthorDate: Thu Dec 2 09:23:05 2021 -0800

RANGER-3519: Provide an option to optimize space needed by Trie objects - 
Part 2
---
 .../RangerFileBasedTagRetriever.java   |   9 +
 .../service/RangerDefaultRequestProcessor.java |  12 +
 .../ranger/plugin/util/RangerCommonConstants.java  |   4 +
 .../plugin/util/RangerServiceTagsDeltaUtil.java|  58 ++-
 .../org/apache/ranger/plugin/util/ServiceTags.java |  48 +++
 distro/src/main/assembly/ranger-tools.xml  |  12 +
 ranger-tools/scripts/create_requests.py|   2 +-
 ranger-tools/scripts/gen_service_policies.sh   | 475 +
 ranger-tools/scripts/gen_service_tags.sh   |  30 +-
 .../policyengine/RangerPolicyenginePerfTester.java |   1 +
 .../src/test/resources/testdata/ranger-config.xml  |   4 +
 ranger-tools/testdata/ranger-config.xml|   4 +
 .../java/org/apache/ranger/biz/TagDBStore.java |   7 +
 13 files changed, 649 insertions(+), 17 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java
index b858879..ab3b4a7 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java
@@ -39,6 +39,7 @@ public class RangerFileBasedTagRetriever extends 
RangerTagRetriever {
private URL serviceTagsFileURL;
private String serviceTagsFileName;
private Gson gsonBuilder;
+   private boolean deDupTags;
 
@Override
public void init(Map options) {
@@ -53,6 +54,7 @@ public class RangerFileBasedTagRetriever extends 
RangerTagRetriever {
 
String serviceTagsFileNameProperty = "serviceTagsFileName";
String serviceTagsDefaultFileName = 
"/testdata/test_servicetags_hive.json";
+   String deDupTagsProperty  = "deDupTags";
 
if (StringUtils.isNotBlank(serviceName) && serviceDef != null 
&& StringUtils.isNotBlank(appId)) {
InputStream serviceTagsFileStream = null;
@@ -61,6 +63,8 @@ public class RangerFileBasedTagRetriever extends 
RangerTagRetriever {
// Open specified file from options- it should contain 
service-tags
 
serviceTagsFileName = options != null? 
options.get(serviceTagsFileNameProperty) : null;
+   String deDupTagsVal = options != null? 
options.get(deDupTagsProperty) : "false";
+   deDupTags   = 
Boolean.parseBoolean(deDupTagsVal);
 
serviceTagsFileName = serviceTagsFileName == null ? 
serviceTagsDefaultFileName : serviceTagsFileName;
 
@@ -137,6 +141,11 @@ public class RangerFileBasedTagRetriever extends 
RangerTagRetriever {
if (serviceTags.getTagVersion() <= 
lastKnownVersion) {
// No change in serviceTags
serviceTags = null;
+   } else {
+   if (deDupTags) {
+   final int countOfDuplicateTags 
= serviceTags.dedupTags();
+   LOG.info("Number of duplicate 
tags removed from the received serviceTags:[" + countOfDuplicateTags + "]. 
Number of tags in the de-duplicated serviceTags :[" + 
serviceTags.getTags().size() + "].");
+   }
}
} catch (IOException e) {
LOG.warn("Error processing input file: or no 
privilege for reading file " + serviceTagsFileName);
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
index facf05d..c2e8ae9 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
@@ -21,6 +21,7 @@ package org.apache.ranger.plugin.service;
 
 import org.apache.commons.collections.C

[ranger] branch master updated: RANGER-3490: Make policy resource signature is unique in a service

2021-11-24 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 856571c  RANGER-3490: Make policy resource signature is unique in a 
service
856571c is described below

commit 856571c4348e31725498c0922338339c76ebba02
Author: Abhay Kulkarni 
AuthorDate: Wed Nov 24 07:38:20 2021 -0800

RANGER-3490: Make policy resource signature is unique in a service
---
 .../model/RangerPolicyResourceSignature.java   |  5 
 .../model/validation/RangerPolicyValidator.java| 35 ++
 .../plugin/model/validation/RangerValidator.java   | 21 +
 .../model/TestRangerPolicyResourceSignature.java   | 18 +++
 .../validation/TestRangerPolicyValidator.java  | 24 +--
 .../model/validation/TestRangerValidator.java  |  4 +--
 .../java/org/apache/ranger/biz/ServiceDBStore.java | 30 ---
 .../org/apache/ranger/biz/TestServiceDBStore.java  |  4 +++
 8 files changed, 95 insertions(+), 46 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
index 312005e..c84d0bc 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
@@ -121,6 +121,8 @@ public class RangerPolicyResourceSignature {

LOG.debug("isPolicyValidForResourceSignatureComputation: resources collection 
on policy was null!");
} else if (_policy.getResources().containsKey(null)) {

LOG.debug("isPolicyValidForResourceSignatureComputation: resources collection 
has resource with null name!");
+   } else if (StringUtils.isEmpty(_policy.getGuid())) {
+   
LOG.debug("isPolicyValidForResourceSignatureComputation: policy GUID is 
empty!");
} else {
valid = true;
}
@@ -163,6 +165,9 @@ public class RangerPolicyResourceSignature {
CustomConditionSerialiser 
customConditionSerialiser = new 
CustomConditionSerialiser(_policy.getConditions());
resource += 
customConditionSerialiser.toString();
}
+   if (!_policy.getIsEnabled()) {
+   resource += _policy.getGuid();
+   }
 
String result = 
String.format("{version=%d,type=%d,resource=%s}", _SignatureVersion, type, 
resource);
return result;
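Review bot: `if (!_policy.getIsEnabled())` unboxes the flag, while the validator code removed later in this same commit used `Boolean.TRUE.equals(policy.getIsEnabled())`, which suggests the getter returns a nullable `Boolean`. If so, a policy with no `isEnabled` value would throw a NullPointerException during signature computation instead of being treated as disabled. `if (!Boolean.TRUE.equals(_policy.getIsEnabled())) {` keeps the earlier null handling. The enclosing method starts outside the hunk.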
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index 0ba1fb9..0519227 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -539,25 +539,22 @@ public class RangerPolicyValidator extends 
RangerValidator {
}
 
boolean valid = true;
-   if (!Boolean.TRUE.equals(policy.getIsEnabled())) {
-   LOG.debug("Policy is disabled. Skipping resource 
uniqueness validation.");
-   } else {
-   RangerPolicyResourceSignature policySignature = 
_factory.createPolicyResourceSignature(policy);
-   String signature = policySignature.getSignature();
-   List policies = 
getPoliciesForResourceSignature(policy.getService(), signature);
-   if (CollectionUtils.isNotEmpty(policies)) {
-   ValidationErrorCode error = 
ValidationErrorCode.POLICY_VALIDATION_ERR_DUPLICATE_POLICY_RESOURCE;
-   RangerPolicy matchedPolicy = 
policies.iterator().next();
-   // there shouldn't be a matching policy for 
create.  During update only match should be to itself
-   if (action == Action.CREATE || (action == 
Action.UPDATE && (policies.size() > 1 || 
!matchedPolicy.getId().equals(policy.getId() {
-   failures.add(new 
ValidationFailureDetailsBuilder()
-   .field("resources")
-   
.isSemanticallyIncorrect()
-   

[ranger] branch master updated: RANGER-3522: Improve Tagsync authentication error reporting

2021-11-22 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 3f82858  RANGER-3522: Improve Tagsync authentication error reporting
3f82858 is described below

commit 3f82858760e01ed186a2b3055c95b9cdd343db4b
Author: Abhay Kulkarni 
AuthorDate: Mon Nov 22 17:44:44 2021 -0800

RANGER-3522: Improve Tagsync authentication error reporting
---
 .../ranger/tagsync/process/TagSynchronizer.java| 45 --
 1 file changed, 25 insertions(+), 20 deletions(-)

diff --git 
a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java 
b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java
index c723b0f..9800566 100644
--- 
a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java
+++ 
b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java
@@ -398,34 +398,39 @@ public class TagSynchronizer {
LOG.debug("nameRules=" + nameRules);
}
}
-   final boolean isKerberized = 
!StringUtils.isEmpty(authenticationType) && 
authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && 
SecureClientLogin.isKerberosCredentialExists(principal, keytab);
+   final boolean isKerberized = 
!StringUtils.isEmpty(authenticationType) && 
authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS);
 
if (isKerberized) {
-   if (LOG.isDebugEnabled()) {
-   LOG.debug("Trying to get kerberos identitiy");
-   }
+   LOG.info("Configured for Kerberos Authentication");
 
-   UserGroupInformation kerberosIdentity;
+   if 
(SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
+   LOG.error("Invalid Kerberos principal and/or 
keytab specified. Failed to initialize Kerberos identity");
+   } else {
+   if (LOG.isDebugEnabled()) {
+   LOG.debug("Trying to get kerberos 
identity");
+   }
 
-   try {
-   
UserGroupInformation.loginUserFromKeytab(principal, keytab);
-   kerberosIdentity = 
UserGroupInformation.getLoginUser();
-   if (kerberosIdentity != null) {
-   
props.put(TagSyncConfig.TAGSYNC_KERBEROS_IDENTITY, 
kerberosIdentity.getUserName());
-   if (LOG.isDebugEnabled()) {
-   LOG.debug("Got UGI, user:[" + 
kerberosIdentity.getUserName() + "]");
+   UserGroupInformation kerberosIdentity;
+
+   try {
+   
UserGroupInformation.loginUserFromKeytab(principal, keytab);
+   kerberosIdentity = 
UserGroupInformation.getLoginUser();
+   if (kerberosIdentity != null) {
+   
props.put(TagSyncConfig.TAGSYNC_KERBEROS_IDENTITY, 
kerberosIdentity.getUserName());
+   if (LOG.isDebugEnabled()) {
+   LOG.debug("Got UGI, 
user:[" + kerberosIdentity.getUserName() + "]");
+   }
+   ret = true;
+   } else {
+   LOG.error("KerberosIdentity is 
null!");
}
-   ret = true;
-   } else {
-   LOG.error("KerberosIdentity is null!");
+   } catch (IOException exception) {
+   LOG.error("Failed to get UGI from 
principal:[" + principal + "], and keytab:[" + keytab + "]", exception);
}
-   } catch (IOException exception) {
-   LOG.error("Failed to get UGI from principal:[" 
+ principal + "], and keytab:[" + keytab + "]", exception);
}
} else {
-   if (LOG.isDebugEnabled()) {
-   LOG.debug("Not configured for Kerberos 
Authentication");
-   }
+   LOG.info("Not configured for Kerberos Authentication");
+
props.remove(TagSyncConfig.TAGSYNC_KERBEROS_IDENTITY);
 
ret = true;
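Review bot: The new inner test is inverted: `if (SecureClientLogin.isKerberosCredentialExists(principal, keytab))` leads to the "Invalid Kerberos principal and/or keytab specified" error, and the `else` branch is the one that calls `UserGroupInformation.loginUserFromKeytab`. As written, a valid principal/keytab pair is reported as invalid and never logged in, while a missing pair goes on to attempt the login. The condition should be negated, `if (!SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {`, matching the removed line where the same call had to be true for the Kerberos path to be taken. The enclosing method extends beyond the hunk on both sides.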


[ranger] branch master updated: RANGER-3519: Provide an option to optimize space needed by Trie objects

2021-11-21 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 71888f2  RANGER-3519: Provide an option to optimize space needed by 
Trie objects
71888f2 is described below

commit 71888f243d38ae7cff5e0406c7d54a386d269664
Author: Abhay Kulkarni 
AuthorDate: Sun Nov 21 09:38:11 2021 -0800

RANGER-3519: Provide an option to optimize space needed by Trie objects
---
 .../plugin/contextenricher/RangerTagEnricher.java  |  4 +-
 .../policyengine/RangerPolicyEngineOptions.java| 32 +++-
 .../policyengine/RangerPolicyRepository.java   | 22 -
 .../plugin/policyengine/RangerResourceTrie.java| 57 +++---
 distro/src/main/assembly/ranger-tools.xml  |  6 +++
 ranger-tools/scripts/create_requests.py| 42 
 .../ranger/policyengine/PerfTestConfiguration.java | 31 
 .../apache/ranger/policyengine/PerfTestEngine.java |  7 +++
 .../ranger/policyengine/PerfTestOptions.java   | 11 +
 .../policyengine/RangerPolicyenginePerfTester.java | 27 ++
 .../src/test/resources/testdata/ranger-config.xml  |  9 
 .../resources/testdata/test_requests_hive.json |  4 +-
 ranger-tools/testdata/ranger-config.xml| 11 -
 13 files changed, 227 insertions(+), 36 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index c8346d3..6b0451e 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -447,7 +447,7 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
serviceResourceTrie = new HashMap<>();
 
for (RangerServiceDef.RangerResourceDef 
resourceDef : serviceDef.getResources()) {
-   
serviceResourceTrie.put(resourceDef.getName(), new 
RangerResourceTrie(resourceDef, resourceMatchers, 
getPolicyEngineOptions().optimizeTrieForRetrieval, null));
+   
serviceResourceTrie.put(resourceDef.getName(), new 
RangerResourceTrie(resourceDef, resourceMatchers, 
getPolicyEngineOptions().optimizeTagTrieForRetrieval, 
getPolicyEngineOptions().optimizeTagTrieForSpace, null));
}
}
enrichedServiceTags = new 
EnrichedServiceTags(serviceTags, resourceMatchers, serviceResourceTrie);
@@ -491,7 +491,7 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {

LOG.debug("Added resource-matcher for service-resource:[" + serviceResource + 
"]");
}
} else {
-   trie = new 
RangerResourceTrie<>(resourceDef, Collections.singletonList(resourceMatcher));
+   trie = new 
RangerResourceTrie<>(resourceDef, Collections.singletonList(resourceMatcher), 
getPolicyEngineOptions().optimizeTagTrieForRetrieval, 
getPolicyEngineOptions().optimizeTagTrieForSpace, null);

serviceResourceTrie.put(resourceDef.getName(), trie);
}
}
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
index 07d0a39..2afa755 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
@@ -37,6 +37,10 @@ public class RangerPolicyEngineOptions {
public boolean disableAccessEvaluationWithPolicyACLSummary = true;
public boolean optimizeTrieForRetrieval = false;
public boolean disableRoleResolution = true;
+   public boolean optimizeTrieForSpace = false;
+   public boolean optimizeTagTrieForRetrieval = false;
+   public boolean optimizeTagTrieForSpace = false;
+
 
private RangerServiceDefHelper serviceDefHelper;
 
@@ -56,6 +60,9 @@ public class RangerPolicyEngineOptions {
this.optimizeTrieForRetr

[ranger] branch master updated: RANGER-3481: Incremental policy updates do not work correctly for multiple security zones

2021-10-13 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new b8f8a3e  RANGER-3481: Incremental policy updates do not work correctly 
for multiple security zones
b8f8a3e is described below

commit b8f8a3e30781a5e3165debe885cdc21e24e5d500
Author: Abhay Kulkarni 
AuthorDate: Wed Oct 13 13:45:20 2021 -0700

RANGER-3481: Incremental policy updates do not work correctly for multiple 
security zones
---
 .../ranger/plugin/policyengine/PolicyEngine.java | 20 +++-
 .../ranger/plugin/util/RangerPolicyDeltaUtil.java|  2 +-
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index eee1b7a..7299387 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -849,22 +849,16 @@ public class PolicyEngine {
 Map> zoneDeltasMap = new 
HashMap<>();
 
 for (Map.Entry zone : 
servicePolicies.getSecurityZones().entrySet()) {
-List deltas = 
zone.getValue().getPolicyDeltas();
+String  zoneName   = zone.getKey();
+List deltas = 
zone.getValue().getPolicyDeltas();
+List zoneDeltas = new ArrayList<>();
 
-for (RangerPolicyDelta delta : deltas) {
-String zoneName = delta.getZoneName();
-
-if (StringUtils.isNotEmpty(zoneName)) {
-List zoneDeltas = 
zoneDeltasMap.get(zoneName);
-
-if (zoneDeltas == null) {
-zoneDeltas = new ArrayList<>();
-zoneDeltasMap.put(zoneName, zoneDeltas);
-}
+if (StringUtils.isNotEmpty(zoneName)) {
+zoneDeltasMap.put(zoneName, zoneDeltas);
 
+for (RangerPolicyDelta delta : deltas) {
+zoneDeltas = zoneDeltasMap.get(zoneName);
 zoneDeltas.add(delta);
-} else {
-LOG.warn("policyDelta : [" + delta + "] does not 
belong to any zone. Should not have come here.");
 }
 }
 }
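Review bot: Inside the `for` loop, `zoneDeltas = zoneDeltasMap.get(zoneName)` re-fetches the list that was put into the map two lines earlier, so the lookup is redundant on every iteration. Dropping that line, or replacing the loop with `zoneDeltas.addAll(deltas);`, says the same thing more directly. `deltas` is also dereferenced without a null check, as it was in the removed loop. Whether `getPolicyDeltas()` can return null is not visible here, so a guard is worth considering. The enclosing method extends outside the hunk.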
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
index 8866eed..38c62ed 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
@@ -134,7 +134,7 @@ public class RangerPolicyDeltaUtil {
 }
 } else {
 if (LOG.isDebugEnabled()) {
-LOG.warn("Unexpected : applyDeltas called with deltas=null");
+LOG.debug("applyDeltas called with empty deltas. Will return 
policies without change");
 }
 ret = policies;
 }


[ranger] branch master updated: RANGER-3453: Avoid logging sensitive information in UserMgr.java

2021-10-06 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 4715c3e  RANGER-3453: Avoid logging sensitive information in 
UserMgr.java
4715c3e is described below

commit 4715c3e81fdf59b3d9bcc9fc0133ec6228799404
Author: Abhishek Kumar 
AuthorDate: Wed Oct 6 16:16:02 2021 -0700

RANGER-3453: Avoid logging sensitive information in UserMgr.java
---
 .../main/java/org/apache/ranger/biz/UserMgr.java   | 151 ++---
 .../org/apache/ranger/view/VXPasswordChange.java   |   6 +-
 2 files changed, 45 insertions(+), 112 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 
b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 7046c9b..91144fb 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -198,127 +198,73 @@ public class UserMgr {
 * @return
 */
public XXPortalUser updateUser(VXPortalUser userProfile) {
-   XXPortalUser gjUser = daoManager.getXXPortalUser().getById(
-   userProfile.getId());
+   XXPortalUser gjUser = 
daoManager.getXXPortalUser().getById(userProfile.getId());
 
if (gjUser == null) {
-   logger.error("updateUser(). User not found. 
userProfile="
-   + userProfile);
+   logger.error("updateUser(). User not found. 
userProfile=" + userProfile);
return null;
}
 
checkAccess(gjUser);
-rangerBizUtil.blockAuditorRoleUser();
-   boolean updateUser = false;
+   rangerBizUtil.blockAuditorRoleUser();
// Selectively update fields
 
-   // status
-   if (userProfile.getStatus() != gjUser.getStatus()) {
-   updateUser = true;
-   }
-
// Allowing email address update even when its set to empty.
-   // emailAddress
String emailAddress = userProfile.getEmailAddress();
if (stringUtil.isEmpty(emailAddress)) {
userProfile.setEmailAddress(null);
-   updateUser = true;
} else {
if (stringUtil.validateEmail(emailAddress)) {
-   XXPortalUser checkUser = 
daoManager.getXXPortalUser()
-   
.findByEmailAddress(emailAddress);
+   XXPortalUser checkUser = 
daoManager.getXXPortalUser().findByEmailAddress(emailAddress);
if (checkUser != null) {
String loginId = 
userProfile.getLoginId();
if (loginId == null) {
throw 
restErrorUtil.createRESTException(
-   "Invalid user, 
please provide valid "
-   
+ "username.",
-   
MessageEnums.INVALID_INPUT_DATA);
+   "Invalid user, 
please provide valid username.", MessageEnums.INVALID_INPUT_DATA);
} else if 
(!loginId.equals(checkUser.getLoginId())) {
-   throw restErrorUtil
-   
.createRESTException(
-   
"The email address "
-   
+ "you've provided already exists in system.",
-   
MessageEnums.INVALID_INPUT_DATA);
+   throw 
restErrorUtil.createRESTException(
+   "The email 
address you've provided already exists in system.", 
MessageEnums.INVALID_INPUT_DATA);
} else {

userProfile.setEmailAddress(emailAddress);
-   updateUser = true;
}
} else {

userProfile.setEmailAddress(emailAddress);
-   upd

[ranger] branch ranger-2.2 updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2

2021-10-06 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
 new c1c22d9  RANGER-3397: Update ACL computation to (optionally) expand 
Ranger Roles to users and groups and include chained-plugins in ACL computation 
- Part 2
c1c22d9 is described below

commit c1c22d94065e96705f696075d10f6ec41e282a05
Author: Abhay Kulkarni 
AuthorDate: Fri Oct 1 12:44:52 2021 -0700

RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to 
users and groups and include chained-plugins in ACL computation - Part 2
---
 .../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 739ecd0..9757047 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -138,6 +138,8 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
if(policy != null) {
validityScheduleEvaluators = 
createValidityScheduleEvaluators(policy);
 
+   this.disableRoleResolution = 
options.disableRoleResolution;
+
if 
(!options.disableAccessEvaluationWithPolicyACLSummary) {
aclSummary = createPolicyACLSummary();
}
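Review bot: The added assignment `this.disableRoleResolution = options.disableRoleResolution;` sits inside the `if(policy != null)` block, so an evaluator initialised with a null policy keeps whatever default the field was declared with, which may not match the engine option. The flag presumably influences the ACL summary built two lines later, so I would either move the assignment above the `if` or add a comment such as `// set before createPolicyACLSummary() so the summary honours the role-resolution option`. The enclosing method starts and ends outside the hunk, so the field's default and the null-policy path are not visible here. The same hunk is applied to master in commit 1debdbc further down, and the note applies there too.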


[ranger] branch ranger-2.2 updated: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource

2021-10-06 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
 new f5924b3  RANGER-3462: User with delegated admin permission on a 
resource cannot fetch policy for the resource
f5924b3 is described below

commit f5924b3476ba3fed6f128e6257ebab9bea5cd769
Author: Abhay Kulkarni 
AuthorDate: Tue Oct 5 19:19:37 2021 -0700

RANGER-3462: User with delegated admin permission on a resource cannot 
fetch policy for the resource
---
 .../org/apache/ranger/biz/RangerPolicyAdmin.java   |  7 +++-
 .../apache/ranger/biz/RangerPolicyAdminCache.java  |  2 +
 .../apache/ranger/biz/RangerPolicyAdminImpl.java   | 48 +++---
 .../java/org/apache/ranger/rest/ServiceREST.java   | 15 +--
 4 files changed, 63 insertions(+), 9 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
index e2a0884..f1ce602 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
@@ -27,6 +27,7 @@ import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
+import org.apache.ranger.plugin.store.ServiceStore;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.apache.ranger.plugin.util.RangerRoles;
 
@@ -34,7 +35,9 @@ public interface RangerPolicyAdmin {
 
 boolean isDelegatedAdminAccessAllowed(RangerAccessResource resource, 
String zoneName, String user, Set userGroups, Set accessTypes);
 
-boolean isDelegatedAdminAccessAllowed(RangerPolicy policy, String user, 
Set userGroups, Set roles, Map evalContext);
+boolean isDelegatedAdminAccessAllowedForRead(RangerPolicy policy, String 
user, Set userGroups, Set roles, Map 
evalContext);
+
+boolean isDelegatedAdminAccessAllowedForModify(RangerPolicy policy, String 
user, Set userGroups, Set roles, Map 
evalContext);
 
 List getExactMatchPolicies(RangerAccessResource resource, 
String zoneName, Map evalContext);
 
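Review bot: The two replacement declarations `isDelegatedAdminAccessAllowedForRead` and `isDelegatedAdminAccessAllowedForModify` take identical parameters and carry no Javadoc, so nothing at the interface tells a caller which check guards which operation. Picking the read variant on a write path would weaken an authorization decision, so each declaration should state what it permits, for example `/** Delegated-admin check for fetching a policy; not sufficient for create, update or delete. */` on the read variant (wording to be confirmed against the implementation) and a matching line on the modify variant. Removing the old `isDelegatedAdminAccessAllowed(RangerPolicy, ...)` overload also means every existing caller has to be mapped to one of the two, and those call sites are outside this hunk. The identical hunk in the master commit d90361d below has the same gap.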
@@ -62,4 +65,6 @@ public interface RangerPolicyAdmin {
 // This API is used only by test-code
 List getAllowedUnzonedPolicies(String user, Set 
userGroups, String accessType);
 
+void setServiceStore(ServiceStore svcStore);
+
 }
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
index a6f0a1a..5a69231 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
@@ -96,6 +96,8 @@ public class RangerPolicyAdminCache {
}
if (ret == null) {
LOG.error("Policy-engine is not built! Returning null 
policy-engine!");
+   } else {
+   ret.setServiceStore(svcStore);
}
 
return ret;
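Review bot: `ret.setServiceStore(svcStore)` in the new `else` branch runs on every call that returns a non-null engine, so an instance that may already be in use by other threads is mutated after it was handed out. If the engine is cached and shared, as the class name suggests, the store is better supplied once when the engine is built. Otherwise the target field, which this commit declares in `RangerPolicyAdminImpl` as a plain `private ServiceDBStore serviceDBStore;`, should be `volatile` so concurrent readers see the write. The method body starts and ends outside the hunk, so where `ret` is created is not visible here. The same hunk appears in the master commit d90361d below.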
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index 090384b..5311a54 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -42,6 +42,7 @@ import 
org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import 
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
 import org.apache.ranger.plugin.service.RangerDefaultRequestProcessor;
+import org.apache.ranger.plugin.store.ServiceStore;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
@@ -70,6 +71,7 @@ public class RangerPolicyAdminImpl implements 
RangerPolicyAdmin {
 @Override
 public Object get(Object key) { return 
RangerAbstractResourceMatcher.WILDCARD_ASTERISK; }
 };
+private   ServiceDBStore   serviceDBStore;
 
 static {
 
wildcardEvalContext.put(RangerAbstractResourceMatcher.WILDCARD_ASTERISK, 
RangerAbstractResourceMatcher.WILDCARD_ASTERISK);
@@ -104,6 +106,13 @@ public class RangerPolicyAdminImpl implements 
RangerPolicyAdmin {
 }
 
 @Override
+public void setServiceStore(ServiceStore svcStore) {
+if (svcStore instanceof ServiceDBStore) {
+this.serviceDBStore = (Serv

[ranger] branch master updated: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource

2021-10-05 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new d90361d  RANGER-3462: User with delegated admin permission on a 
resource cannot fetch policy for the resource
d90361d is described below

commit d90361db662de1531eafa4d05853e7bc7e08c2a2
Author: Abhay Kulkarni 
AuthorDate: Tue Oct 5 19:19:37 2021 -0700

RANGER-3462: User with delegated admin permission on a resource cannot 
fetch policy for the resource
---
 .../org/apache/ranger/biz/RangerPolicyAdmin.java   |  7 +++-
 .../apache/ranger/biz/RangerPolicyAdminCache.java  |  2 +
 .../apache/ranger/biz/RangerPolicyAdminImpl.java   | 48 +++---
 .../java/org/apache/ranger/rest/ServiceREST.java   | 15 +--
 4 files changed, 63 insertions(+), 9 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
index e2a0884..f1ce602 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
@@ -27,6 +27,7 @@ import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
+import org.apache.ranger.plugin.store.ServiceStore;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.apache.ranger.plugin.util.RangerRoles;
 
@@ -34,7 +35,9 @@ public interface RangerPolicyAdmin {
 
 boolean isDelegatedAdminAccessAllowed(RangerAccessResource resource, 
String zoneName, String user, Set userGroups, Set accessTypes);
 
-boolean isDelegatedAdminAccessAllowed(RangerPolicy policy, String user, 
Set userGroups, Set roles, Map evalContext);
+boolean isDelegatedAdminAccessAllowedForRead(RangerPolicy policy, String 
user, Set userGroups, Set roles, Map 
evalContext);
+
+boolean isDelegatedAdminAccessAllowedForModify(RangerPolicy policy, String 
user, Set userGroups, Set roles, Map 
evalContext);
 
 List getExactMatchPolicies(RangerAccessResource resource, 
String zoneName, Map evalContext);
 
@@ -62,4 +65,6 @@ public interface RangerPolicyAdmin {
 // This API is used only by test-code
 List getAllowedUnzonedPolicies(String user, Set 
userGroups, String accessType);
 
+void setServiceStore(ServiceStore svcStore);
+
 }
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
index a6f0a1a..5a69231 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
@@ -96,6 +96,8 @@ public class RangerPolicyAdminCache {
}
if (ret == null) {
LOG.error("Policy-engine is not built! Returning null 
policy-engine!");
+   } else {
+   ret.setServiceStore(svcStore);
}
 
return ret;
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index 090384b..5311a54 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -42,6 +42,7 @@ import 
org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import 
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
 import org.apache.ranger.plugin.service.RangerDefaultRequestProcessor;
+import org.apache.ranger.plugin.store.ServiceStore;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
@@ -70,6 +71,7 @@ public class RangerPolicyAdminImpl implements 
RangerPolicyAdmin {
 @Override
 public Object get(Object key) { return 
RangerAbstractResourceMatcher.WILDCARD_ASTERISK; }
 };
+private   ServiceDBStore   serviceDBStore;
 
 static {
 
wildcardEvalContext.put(RangerAbstractResourceMatcher.WILDCARD_ASTERISK, 
RangerAbstractResourceMatcher.WILDCARD_ASTERISK);
@@ -104,6 +106,13 @@ public class RangerPolicyAdminImpl implements 
RangerPolicyAdmin {
 }
 
 @Override
+public void setServiceStore(ServiceStore svcStore) {
+if (svcStore instanceof ServiceDBStore) {
+this.serviceDBStore = (Serv

[ranger] branch master updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2

2021-10-01 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 1debdbc  RANGER-3397: Update ACL computation to (optionally) expand 
Ranger Roles to users and groups and include chained-plugins in ACL computation 
- Part 2
1debdbc is described below

commit 1debdbcdec23c6688d4589253e75a32a894659c3
Author: Abhay Kulkarni 
AuthorDate: Fri Oct 1 12:44:52 2021 -0700

RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to 
users and groups and include chained-plugins in ACL computation - Part 2
---
 .../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index d25e306..c80050c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -138,6 +138,8 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
if(policy != null) {
validityScheduleEvaluators = 
createValidityScheduleEvaluators(policy);
 
+   this.disableRoleResolution = 
options.disableRoleResolution;
+
if 
(!options.disableAccessEvaluationWithPolicyACLSummary) {
aclSummary = createPolicyACLSummary();
}


[ranger] branch ranger-2.2 updated: RANGER-3441:PropertiesUtil (Admin) logging potentially sensitive data

2021-09-28 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
 new f47acb5  RANGER-3441:PropertiesUtil (Admin) logging potentially 
sensitive data
 new 20234c1  Merge branch 'ranger-2.2' of 
https://gitbox.apache.org/repos/asf/ranger into ranger-2.2
f47acb5 is described below

commit f47acb52681c0d8378b15637299f8baf51d0d226
Author: Abhishek Kumar 
AuthorDate: Tue Sep 28 12:33:35 2021 -0700

RANGER-3441:PropertiesUtil (Admin) logging potentially sensitive data
---
 .../src/main/java/org/apache/ranger/common/PropertiesUtil.java| 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java 
b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
index 80a2d60..0ad7abb 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
@@ -62,8 +62,7 @@ public class PropertiesUtil extends 
PropertyPlaceholderConfigurer {
Set keySet = System.getProperties().keySet();
for (Object key : keySet) {
String keyStr = key.toString();
-   propertiesMap.put(keyStr, System.getProperties()
-   .getProperty(keyStr).trim());
+   propertiesMap.put(keyStr, 
System.getProperties().getProperty(keyStr).trim());
}
 
// Let's add our properties now
@@ -321,8 +320,9 @@ public class PropertiesUtil extends 
PropertyPlaceholderConfigurer {
keySet = props.keySet();
for (Object key : keySet) {
String keyStr = key.toString();
-logger.debug("PropertiesUtil:[" + keyStr + "][" +
-(keyStr.contains("password") || 
keyStr.contains("keystore.pass")   ? "]" : props.get(keyStr)) + "]");
+   if (logger.isDebugEnabled()) {
+   logger.debug("PropertiesUtil:[" + keyStr + "][" + 
(keyStr.toLowerCase().contains("pass") ? "]" : props.get(keyStr)) + 
"]");
+   }
}
 
super.processProperties(beanFactory, props);
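Review bot: The masking condition `keyStr.toLowerCase().contains("pass")` still lets the value of any property whose name lacks that substring reach the debug log, so keys named with words such as secret, credential or token (if this configuration has any) would be printed in clear. A safer default is to log only the key, `logger.debug("PropertiesUtil:[" + keyStr + "]");`, or to mask every value unless the key is on an explicit allow-list. Two smaller points on the same lines: the masked branch prints `[key][]]` with an unbalanced bracket, and `toLowerCase()` without `Locale.ROOT` depends on the JVM default locale. The `isDebugEnabled()` guard could also be hoisted outside the `for` loop so it is evaluated once. The same hunk is in the master commit f599c91 below.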


[ranger] branch master updated: RANGER-3441:PropertiesUtil (Admin) logging potentially sensitive data

2021-09-28 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new f599c91  RANGER-3441:PropertiesUtil (Admin) logging potentially 
sensitive data
 new 0ffc660  Merge branch 'master' of 
https://gitbox.apache.org/repos/asf/ranger
f599c91 is described below

commit f599c916d84461847613560f856be47438bda884
Author: Abhishek Kumar 
AuthorDate: Tue Sep 28 12:33:35 2021 -0700

RANGER-3441:PropertiesUtil (Admin) logging potentially sensitive data
---
 .../src/main/java/org/apache/ranger/common/PropertiesUtil.java| 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java 
b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
index 80a2d60..0ad7abb 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
@@ -62,8 +62,7 @@ public class PropertiesUtil extends 
PropertyPlaceholderConfigurer {
Set keySet = System.getProperties().keySet();
for (Object key : keySet) {
String keyStr = key.toString();
-   propertiesMap.put(keyStr, System.getProperties()
-   .getProperty(keyStr).trim());
+   propertiesMap.put(keyStr, 
System.getProperties().getProperty(keyStr).trim());
}
 
// Let's add our properties now
@@ -321,8 +320,9 @@ public class PropertiesUtil extends 
PropertyPlaceholderConfigurer {
keySet = props.keySet();
for (Object key : keySet) {
String keyStr = key.toString();
-logger.debug("PropertiesUtil:[" + keyStr + "][" +
-(keyStr.contains("password") || 
keyStr.contains("keystore.pass")   ? "]" : props.get(keyStr)) + "]");
+   if (logger.isDebugEnabled()) {
+   logger.debug("PropertiesUtil:[" + keyStr + "][" + 
(keyStr.toLowerCase().contains("pass") ? "]" : props.get(keyStr)) + 
"]");
+   }
}
 
super.processProperties(beanFactory, props);


[ranger] branch ranger-2.2 updated: RANGER-3404: user with no permissions can access and edit deligate admin only policies

2021-09-17 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
 new 0324e50  RANGER-3404: user with no permissions can access and edit 
deligate admin only policies
0324e50 is described below

commit 0324e50c4833555fed6dbdb6166c12bf8ffb18c8
Author: Abhay Kulkarni 
AuthorDate: Fri Sep 17 22:31:42 2021 -0700

RANGER-3404: user with no permissions can access and edit deligate admin 
only policies
---
 .../RangerDefaultPolicyEvaluator.java  | 16 
 .../RangerDefaultPolicyItemEvaluator.java  |  2 ++
 .../apache/ranger/biz/RangerPolicyAdminImpl.java   | 30 +++---
 3 files changed, 28 insertions(+), 20 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 8471918..739ecd0 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -382,10 +382,16 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
Set ret = null;
 
if (isMatch(resources, evalContext)) {
-   ret = new HashSet<>();
-   for (String accessType : accessTypes) {
-   if (isAccessAllowed(user, userGroups, roles, 
null, accessType)) {
-   ret.add(accessType);
+   if (CollectionUtils.isNotEmpty(accessTypes)) {
+   ret = new HashSet<>();
+   for (String accessType : accessTypes) {
+   if (isAccessAllowed(user, userGroups, 
roles, null, accessType)) {
+   ret.add(accessType);
+   }
+   }
+   } else {
+   if (isAccessAllowed(user, userGroups, roles, 
null, null)) {
+   ret = new HashSet<>();
}
}
}
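Review bot: After this change an empty set has two opposite meanings: with non-empty `accessTypes` it means none of the requested types is allowed, while with empty `accessTypes` it is returned only when `isAccessAllowed(user, userGroups, roles, null, null)` succeeds and so means the user is allowed. A caller has to interpret the result against the input it passed, and nothing in the hunk documents that. I would add a comment on the `else` branch such as `// no access types requested: empty non-null set = user has access to the policy, null = no access`, or return a dedicated marker instead of reusing the empty set. The method signature and its callers are outside the hunk. The same hunk is in the master commit 53c9811 below.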
@@ -959,7 +965,7 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
LOG.debug("Using ACL Summary for checking if 
access is allowed. PolicyId=[" + getId() +"]");
}
 
-   Integer accessResult = lookupPolicyACLSummary(user, 
userGroups, roles, accessType);
+   Integer accessResult = StringUtils.isEmpty(accessType) 
? null : lookupPolicyACLSummary(user, userGroups, roles, accessType);
if (accessResult != null && 
accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED)) {
ret = true;
}
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
index 8f2d3f1..2cf9a99 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
@@ -212,6 +212,8 @@ public class RangerDefaultPolicyItemEvaluator extends 
RangerAbstractPolicyItemEv
break;
}
}
+   } else if (StringUtils.isEmpty(accessType)) {
+   ret = true;
}
}
}
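Review bot: The new `else if (StringUtils.isEmpty(accessType)) { ret = true; }` branch makes a null or empty access type count as a match, which fails open if any caller other than the delegated-admin check can reach this code with a missing access type. The conditions that enclose the branch are outside the hunk, so how narrow the path is cannot be judged from here. If the branch is meant only for the delegated-admin lookup, say so in a comment, e.g. `// empty accessType: used by the delegated-admin check to ask whether the item applies to the user at all`, and add a test that an ordinary access request with a null access type is still denied. The same hunk is in the master commit 53c9811 below.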
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index 2eef20b..090384b 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -193,24 +193,24 @@ public class RangerPolicyAdminImpl implements 
RangerPolicyAdmin {
 LOG.debug("Checking admin-access for the access-types:[" + 
accessTypes + "]");
 }
 
-if (CollectionUtils.isEmpty(accessTypes)) {
-LOG.info("access-types to check for admin-access are 
empty!! Allowing adm

[ranger] branch master updated: RANGER-3404: user with no permissions can access and edit deligate admin only policies

2021-09-17 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 53c9811  RANGER-3404: user with no permissions can access and edit 
deligate admin only policies
53c9811 is described below

commit 53c98116850f90810c0bb85d651a64fe01ef865d
Author: Abhay Kulkarni 
AuthorDate: Fri Sep 17 22:31:42 2021 -0700

RANGER-3404: user with no permissions can access and edit deligate admin 
only policies
---
 .../RangerDefaultPolicyEvaluator.java  | 16 
 .../RangerDefaultPolicyItemEvaluator.java  |  2 ++
 .../apache/ranger/biz/RangerPolicyAdminImpl.java   | 30 +++---
 3 files changed, 28 insertions(+), 20 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 9f0abf2..d25e306 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -382,10 +382,16 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
Set ret = null;
 
if (isMatch(resources, evalContext)) {
-   ret = new HashSet<>();
-   for (String accessType : accessTypes) {
-   if (isAccessAllowed(user, userGroups, roles, 
null, accessType)) {
-   ret.add(accessType);
+   if (CollectionUtils.isNotEmpty(accessTypes)) {
+   ret = new HashSet<>();
+   for (String accessType : accessTypes) {
+   if (isAccessAllowed(user, userGroups, 
roles, null, accessType)) {
+   ret.add(accessType);
+   }
+   }
+   } else {
+   if (isAccessAllowed(user, userGroups, roles, 
null, null)) {
+   ret = new HashSet<>();
}
}
}
@@ -959,7 +965,7 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
LOG.debug("Using ACL Summary for checking if 
access is allowed. PolicyId=[" + getId() +"]");
}
 
-   Integer accessResult = lookupPolicyACLSummary(user, 
userGroups, roles, accessType);
+   Integer accessResult = StringUtils.isEmpty(accessType) 
? null : lookupPolicyACLSummary(user, userGroups, roles, accessType);
if (accessResult != null && 
accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED)) {
ret = true;
}
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
index 8f2d3f1..2cf9a99 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
@@ -212,6 +212,8 @@ public class RangerDefaultPolicyItemEvaluator extends 
RangerAbstractPolicyItemEv
break;
}
}
+   } else if (StringUtils.isEmpty(accessType)) {
+   ret = true;
}
}
}
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index 2eef20b..090384b 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -193,24 +193,24 @@ public class RangerPolicyAdminImpl implements 
RangerPolicyAdmin {
 LOG.debug("Checking admin-access for the access-types:[" + 
accessTypes + "]");
 }
 
-if (CollectionUtils.isEmpty(accessTypes)) {
-LOG.info("access-types to check for admin-access are 
empty!! Allowing adm

[ranger] branch ranger-2.2 updated: RANGER-3419:compressDeltas method returns two ranger policy entries for policy create+update case when provided lastKnownVersion is previous to create call

2021-09-17 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
 new 3773072  RANGER-3419:compressDeltas method returns two ranger policy 
entries for policy create+update case when provided lastKnownVersion is 
previous to create call
3773072 is described below

commit 37730726038082a074f3a2621185c560515d929b
Author: Abhay Kulkarni 
AuthorDate: Fri Sep 17 14:53:07 2021 -0700

RANGER-3419:compressDeltas method returns two ranger policy entries for 
policy create+update case when provided lastKnownVersion is previous to create 
call
---
 security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java | 1 -
 1 file changed, 1 deletion(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index a50a1f6..a3fcbb5 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -3032,7 +3032,6 @@ public class ServiceDBStore extends AbstractServiceStore {

break;

}
}
-   
policyDeltasForPolicy.add(policyDeltas.get(index));
index++;
break;
case 
RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE:


[ranger] branch master updated: RANGER-3419:compressDeltas method returns two ranger policy entries for policy create+update case when provided lastKnownVersion is previous to create call

2021-09-17 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new e276af0  RANGER-3419:compressDeltas method returns two ranger policy 
entries for policy create+update case when provided lastKnownVersion is 
previous to create call
e276af0 is described below

commit e276af0162d4fe7953dd24e9506d572e38b46471
Author: Abhay Kulkarni 
AuthorDate: Fri Sep 17 14:53:07 2021 -0700

RANGER-3419:compressDeltas method returns two ranger policy entries for 
policy create+update case when provided lastKnownVersion is previous to create 
call
---
 security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java | 1 -
 1 file changed, 1 deletion(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index a50a1f6..a3fcbb5 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -3032,7 +3032,6 @@ public class ServiceDBStore extends AbstractServiceStore {

break;

}
}
-   
policyDeltasForPolicy.add(policyDeltas.get(index));
index++;
break;
case 
RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE:


[ranger] branch ranger-2.2 updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 3

2021-09-12 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
 new b1dcfb4  RANGER-3397: Update ACL computation to (optionally) expand 
Ranger Roles to users and groups and include chained-plugins in ACL computation 
- Part 3
b1dcfb4 is described below

commit b1dcfb42f942273de17bba58ab4c94cd3990b4f2
Author: Abhay Kulkarni 
AuthorDate: Sun Sep 12 09:52:52 2021 -0700

RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to 
users and groups and include chained-plugins in ACL computation - Part 3
---
 .../plugin/policyengine/RangerResourceACLs.java|  6 ++--
 .../ranger/plugin/service/RangerBasePlugin.java| 36 +++---
 2 files changed, 21 insertions(+), 21 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
index eb12543..aa49507 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
@@ -176,7 +176,7 @@ public class RangerResourceACLs {
sb.append("permissions={");
for (Map.Entry permission : 
entry.getValue().entrySet()) {

sb.append("{Permission=").append(permission.getKey()).append(", 
value=").append(permission.getValue()).append("},");
-   
sb.append("{RangerPolicyID=").append(permission.getValue().getPolicy().getId()).append("},");
+   
sb.append("{RangerPolicyID=").append(permission.getValue().getPolicy() == null 
? null : permission.getValue().getPolicy().getId()).append("},");
}
sb.append("},");
}
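Review bot: The three null-guarded appends do not agree on the key they print: this hunk writes `{RangerPolicyID=` while the hunks at -188 and -200 write `{RangerPolicy ID=` with a space, so anyone searching debug output for policy ids has to know both spellings. Each guard also evaluates `permission.getValue().getPolicy()` twice. Reading it once into a local named `policy` and appending `policy == null ? null : policy.getId()` is shorter and cannot observe two different values between the check and the use. The method these loops belong to starts and ends outside the hunks.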
@@ -188,7 +188,7 @@ public class RangerResourceACLs {
sb.append("permissions={");
for (Map.Entry permission : 
entry.getValue().entrySet()) {

sb.append("{Permission=").append(permission.getKey()).append(", 
value=").append(permission.getValue()).append("}, ");
-   sb.append("{RangerPolicy 
ID=").append(permission.getValue().getPolicy().getId()).append("},");
+   sb.append("{RangerPolicy 
ID=").append(permission.getValue().getPolicy() == null ? null : 
permission.getValue().getPolicy().getId()).append("},");
}
sb.append("},");
}
@@ -200,7 +200,7 @@ public class RangerResourceACLs {
sb.append("permissions={");
for (Map.Entry permission : 
entry.getValue().entrySet()) {

sb.append("{Permission=").append(permission.getKey()).append(", 
value=").append(permission.getValue()).append("}, ");
-   sb.append("{RangerPolicy 
ID=").append(permission.getValue().getPolicy().getId()).append("},");
+   sb.append("{RangerPolicy 
ID=").append(permission.getValue().getPolicy() == null ? null : 
permission.getValue().getPolicy().getId()).append("},");
}
sb.append("},");
}
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 99c48d0..57a4b4b 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -994,6 +994,23 @@ public class RangerBasePlugin {
return ret;
}
 
+   public static RangerResourceACLs 
getMergedResourceACLs(RangerResourceACLs baseACLs, RangerResourceACLs 
chainedACLs) {
+   if (LOG.isDebugEnabled()) {
+   LOG.debug("==> 
RangerBasePlugin.getMergedResourceACLs()");
+   LOG.debug("baseACLs:[" + baseACLs + "]");
+   LOG.debug("chainedACLS:[" + chainedACLs + "]");
+   }
+
+   overrideACLs(chainedACLs, baseACLs, 
RangerRolesUtil.ROLES_FOR.USER);
+   overrideACLs(chainedACLs, baseACLs, 
RangerRolesUtil.ROLES_FOR.GROUP);
+   overrideACLs(chainedACLs, baseAC

[ranger] branch master updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 3

2021-09-12 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new e5cd204  RANGER-3397: Update ACL computation to (optionally) expand 
Ranger Roles to users and groups and include chained-plugins in ACL computation 
- Part 3
e5cd204 is described below

commit e5cd204efe69fa62b63cc70bf0960ea71ccc6453
Author: Abhay Kulkarni 
AuthorDate: Sun Sep 12 09:52:52 2021 -0700

RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to 
users and groups and include chained-plugins in ACL computation - Part 3
---
 .../plugin/policyengine/RangerResourceACLs.java|  6 ++--
 .../ranger/plugin/service/RangerBasePlugin.java| 36 +++---
 2 files changed, 21 insertions(+), 21 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
index eb12543..aa49507 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
@@ -176,7 +176,7 @@ public class RangerResourceACLs {
sb.append("permissions={");
for (Map.Entry permission : 
entry.getValue().entrySet()) {

sb.append("{Permission=").append(permission.getKey()).append(", 
value=").append(permission.getValue()).append("},");
-   
sb.append("{RangerPolicyID=").append(permission.getValue().getPolicy().getId()).append("},");
+   
sb.append("{RangerPolicyID=").append(permission.getValue().getPolicy() == null 
? null : permission.getValue().getPolicy().getId()).append("},");
}
sb.append("},");
}
@@ -188,7 +188,7 @@ public class RangerResourceACLs {
sb.append("permissions={");
for (Map.Entry permission : 
entry.getValue().entrySet()) {

sb.append("{Permission=").append(permission.getKey()).append(", 
value=").append(permission.getValue()).append("}, ");
-   sb.append("{RangerPolicy 
ID=").append(permission.getValue().getPolicy().getId()).append("},");
+   sb.append("{RangerPolicy 
ID=").append(permission.getValue().getPolicy() == null ? null : 
permission.getValue().getPolicy().getId()).append("},");
}
sb.append("},");
}
@@ -200,7 +200,7 @@ public class RangerResourceACLs {
sb.append("permissions={");
for (Map.Entry permission : 
entry.getValue().entrySet()) {

sb.append("{Permission=").append(permission.getKey()).append(", 
value=").append(permission.getValue()).append("}, ");
-   sb.append("{RangerPolicy 
ID=").append(permission.getValue().getPolicy().getId()).append("},");
+   sb.append("{RangerPolicy 
ID=").append(permission.getValue().getPolicy() == null ? null : 
permission.getValue().getPolicy().getId()).append("},");
}
sb.append("},");
}
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 99c48d0..57a4b4b 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -994,6 +994,23 @@ public class RangerBasePlugin {
return ret;
}
 
+   public static RangerResourceACLs 
getMergedResourceACLs(RangerResourceACLs baseACLs, RangerResourceACLs 
chainedACLs) {
+   if (LOG.isDebugEnabled()) {
+   LOG.debug("==> 
RangerBasePlugin.getMergedResourceACLs()");
+   LOG.debug("baseACLs:[" + baseACLs + "]");
+   LOG.debug("chainedACLS:[" + chainedACLs + "]");
+   }
+
+   overrideACLs(chainedACLs, baseACLs, 
RangerRolesUtil.ROLES_FOR.USER);
+   overrideACLs(chainedACLs, baseACLs, 
RangerRolesUtil.ROLES_FOR.GROUP);
+   overrideACLs(chainedACLs, baseAC

[ranger] branch ranger-2.2 updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2

2021-09-08 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
 new 7fb90c3  RANGER-3397: Update ACL computation to (optionally) expand 
Ranger Roles to users and groups and include chained-plugins in ACL computation 
- Part 2
7fb90c3 is described below

commit 7fb90c3941dbb5c381d9be967888b681c6b04fcb
Author: Abhay Kulkarni 
AuthorDate: Wed Sep 8 09:35:48 2021 -0700

RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to 
users and groups and include chained-plugins in ACL computation - Part 2
---
 .../main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java| 2 ++
 1 file changed, 2 insertions(+)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 3ad74e5..99c48d0 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -147,6 +147,8 @@ public class RangerBasePlugin {
 
public RangerAuthContext getCurrentRangerAuthContext() { return 
currentAuthContext; }
 
+   public List getChainedPlugins() { return 
chainedPlugins; }
+
// For backward compatibility
public RangerAuthContext createRangerAuthContext() { return 
currentAuthContext; }
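Review bot: `getChainedPlugins()` hands callers the plugin's own `chainedPlugins` list rather than a read-only view. If that field is a mutable list (its declaration is outside the hunk), any caller can add, remove or reorder chained plugins, and the commit title says those plugins take part in ACL computation. Returning `Collections.unmodifiableList(chainedPlugins)` keeps the accessor read-only, provided `java.util.Collections` is in scope in this file. A short Javadoc such as `/** @return read-only view of the plugins chained to this plugin */` would document that contract.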
 


[ranger] branch master updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2

2021-09-08 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 3b0a9c8  RANGER-3397: Update ACL computation to (optionally) expand 
Ranger Roles to users and groups and include chained-plugins in ACL computation 
- Part 2
3b0a9c8 is described below

commit 3b0a9c8f5273ce7c6d12170b86e7a83a9fdba225
Author: Abhay Kulkarni 
AuthorDate: Wed Sep 8 09:35:48 2021 -0700

RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to 
users and groups and include chained-plugins in ACL computation - Part 2
---
 .../main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java| 2 ++
 1 file changed, 2 insertions(+)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 3ad74e5..99c48d0 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -147,6 +147,8 @@ public class RangerBasePlugin {
 
public RangerAuthContext getCurrentRangerAuthContext() { return 
currentAuthContext; }
 
+   public List getChainedPlugins() { return 
chainedPlugins; }
+
// For backward compatibility
public RangerAuthContext createRangerAuthContext() { return 
currentAuthContext; }
 


[ranger] branch ranger-2.2 updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation

2021-09-03 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
 new 218c06f  RANGER-3397: Update ACL computation to (optionally) expand 
Ranger Roles to users and groups and include chained-plugins in ACL computation
218c06f is described below

commit 218c06ff54f389a2ee57d80e156ecbf7364a51ec
Author: Abhay Kulkarni 
AuthorDate: Fri Sep 3 16:50:29 2021 -0700

RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to 
users and groups and include chained-plugins in ACL computation
---
 .../plugin/policyengine/RangerPolicyEngine.java|   2 +
 .../policyengine/RangerPolicyEngineImpl.java   |  23 ++--
 .../policyengine/RangerPolicyEngineOptions.java|  11 +-
 .../RangerDefaultPolicyEvaluator.java  | 131 ---
 .../policyevaluator/RangerPolicyEvaluator.java |   8 +-
 .../ranger/plugin/service/RangerBasePlugin.java| 127 +-
 .../ranger/plugin/service/RangerChainedPlugin.java |   7 +
 .../apache/ranger/plugin/util/RangerRolesUtil.java |  64 ++
 .../ranger/plugin/policyengine/TestPolicyACLs.java |  14 +-
 .../policyengine/test_aclprovider_hdfs.json| 131 +++
 .../aclprovider/test_aclprovider_default.json  | 142 +
 11 files changed, 597 insertions(+), 63 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 7a4bb12..7bf8c7c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -70,6 +70,8 @@ public interface RangerPolicyEngine {
 
RangerResourceACLs getResourceACLs(RangerAccessRequest request);
 
+   RangerResourceACLs getResourceACLs(RangerAccessRequest request, Integer 
requestedPolicyType);
+
Set getRolesFromUserAndGroups(String user, Set groups);
 
RangerRoles getRangerRoles();
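Review bot: The new `getResourceACLs(RangerAccessRequest, Integer)` overload has no Javadoc, so the meaning of a null `requestedPolicyType` can only be learned from the implementation. The RangerPolicyEngineImpl change in this same commit treats null as "every entry of `RangerPolicy.POLICY_TYPES`", and the interface should say so, for example `/** @param requestedPolicyType policy type to restrict the ACLs to, or null for all policy types */`. Adding an abstract method is also a source-incompatible change for any RangerPolicyEngine implementer outside this repository, which is worth stating in the commit message.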
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 9e0a89e..c92b550 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -243,8 +243,13 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
 
@Override
public RangerResourceACLs getResourceACLs(RangerAccessRequest request) {
+   return getResourceACLs(request, null);
+   }
+
+   @Override
+   public RangerResourceACLs getResourceACLs(RangerAccessRequest request, 
Integer requestedPolicyType) {
if (LOG.isDebugEnabled()) {
-   LOG.debug("==> 
RangerPolicyEngineImpl.getResourceACLs(request=" + request + ")");
+   LOG.debug("==> 
RangerPolicyEngineImpl.getResourceACLs(request=" + request + ", policyType=" + 
requestedPolicyType + ")");
}
 
RangerResourceACLs ret  = new RangerResourceACLs();
@@ -269,7 +274,10 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
LOG.debug("zoneName:[" + zoneName + "]");
}
 
-   for (int policyType : RangerPolicy.POLICY_TYPES) {
+   int[] policyTypes = requestedPolicyType == null ? 
RangerPolicy.POLICY_TYPES : new int[] { requestedPolicyType };
+
+
+   for (int policyType : policyTypes) {
List allEvaluators   
= new ArrayList<>();
MaptagMatchTypeMap 
= new HashMap<>();
Set   
policyIdForTemporalTags = new HashSet<>();
@@ -331,7 +339,7 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
RangerPerfTracer.logAlways(perf);
 
if (LOG.isDebugEnabled()) {
-   LOG.debug("<== 
RangerPolicyEngineImpl.getResourceACLs(request=" + request + ") : ret=" + ret);
+   LOG.debug("<== 
RangerPolicyEngineImpl.getResourceACLs(request=" + request + ", policyType=" + 
requestedPolicyType + ") : ret=" + ret);
}
 
return ret;
@@ -773,7 +781,6 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {

[ranger] branch master updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation

2021-09-03 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new fe27e0b  RANGER-3397: Update ACL computation to (optionally) expand 
Ranger Roles to users and groups and include chained-plugins in ACL computation
fe27e0b is described below

commit fe27e0b32d388033d305b6e58b9686566ee40eb1
Author: Abhay Kulkarni 
AuthorDate: Fri Sep 3 16:50:29 2021 -0700

RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to 
users and groups and include chained-plugins in ACL computation
---
 .../plugin/policyengine/RangerPolicyEngine.java|   2 +
 .../policyengine/RangerPolicyEngineImpl.java   |  23 ++--
 .../policyengine/RangerPolicyEngineOptions.java|  11 +-
 .../RangerDefaultPolicyEvaluator.java  | 131 ---
 .../policyevaluator/RangerPolicyEvaluator.java |   8 +-
 .../ranger/plugin/service/RangerBasePlugin.java| 127 +-
 .../ranger/plugin/service/RangerChainedPlugin.java |   7 +
 .../apache/ranger/plugin/util/RangerRolesUtil.java |  64 ++
 .../ranger/plugin/policyengine/TestPolicyACLs.java |  14 +-
 .../policyengine/test_aclprovider_hdfs.json| 131 +++
 .../aclprovider/test_aclprovider_default.json  | 142 +
 11 files changed, 597 insertions(+), 63 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 7a4bb12..7bf8c7c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -70,6 +70,8 @@ public interface RangerPolicyEngine {
 
RangerResourceACLs getResourceACLs(RangerAccessRequest request);
 
+   RangerResourceACLs getResourceACLs(RangerAccessRequest request, Integer 
requestedPolicyType);
+
Set getRolesFromUserAndGroups(String user, Set groups);
 
RangerRoles getRangerRoles();
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 9e0a89e..c92b550 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -243,8 +243,13 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
 
@Override
public RangerResourceACLs getResourceACLs(RangerAccessRequest request) {
+   return getResourceACLs(request, null);
+   }
+
+   @Override
+   public RangerResourceACLs getResourceACLs(RangerAccessRequest request, 
Integer requestedPolicyType) {
if (LOG.isDebugEnabled()) {
-   LOG.debug("==> 
RangerPolicyEngineImpl.getResourceACLs(request=" + request + ")");
+   LOG.debug("==> 
RangerPolicyEngineImpl.getResourceACLs(request=" + request + ", policyType=" + 
requestedPolicyType + ")");
}
 
RangerResourceACLs ret  = new RangerResourceACLs();
@@ -269,7 +274,10 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
LOG.debug("zoneName:[" + zoneName + "]");
}
 
-   for (int policyType : RangerPolicy.POLICY_TYPES) {
+   int[] policyTypes = requestedPolicyType == null ? 
RangerPolicy.POLICY_TYPES : new int[] { requestedPolicyType };
+
+
+   for (int policyType : policyTypes) {
List allEvaluators   
= new ArrayList<>();
MaptagMatchTypeMap 
= new HashMap<>();
Set   
policyIdForTemporalTags = new HashSet<>();
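Review bot: `new int[] { requestedPolicyType }` accepts whatever Integer the caller passes; nothing in this hunk checks it against `RangerPolicy.POLICY_TYPES`. The loop body continues outside the hunk, so what an unrecognised type produces is not visible here, but presumably it is an empty RangerResourceACLs, which a caller could read as "nobody has access" rather than "bad argument". A membership check before the array is built, with a warning logged on failure, would make that case explicit. The hunk also adds two consecutive blank lines before the loop where one is enough, and the ternary deserves a comment such as `// null => evaluate every policy type; otherwise only the requested one`.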
@@ -331,7 +339,7 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
RangerPerfTracer.logAlways(perf);
 
if (LOG.isDebugEnabled()) {
-   LOG.debug("<== 
RangerPolicyEngineImpl.getResourceACLs(request=" + request + ") : ret=" + ret);
+   LOG.debug("<== 
RangerPolicyEngineImpl.getResourceACLs(request=" + request + ", policyType=" + 
requestedPolicyType + ") : ret=" + ret);
}
 
return ret;
@@ -773,7 +781,6 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
   

[ranger] branch ranger-2.2 updated: RANGER-3371: Update algorithm to build Ranger policy-database object from Ranger policy-view object

2021-08-17 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
 new 9c69c0b  RANGER-3371: Update algorithm to build Ranger policy-database 
object from Ranger policy-view object
9c69c0b is described below

commit 9c69c0b25812ef977bb5d351ed312437ca3e53cd
Author: Abhay Kulkarni 
AuthorDate: Tue Aug 17 10:51:26 2021 -0700

RANGER-3371: Update algorithm to build Ranger policy-database object from 
Ranger policy-view object
---
 .../ranger/plugin/util/RangerPolicyDeltaUtil.java  |  2 +-
 .../java/org/apache/ranger/biz/ServiceDBStore.java | 61 +++---
 .../ranger/common/RangerServicePoliciesCache.java  |  6 +--
 .../RangerTransactionSynchronizationAdapter.java   | 27 +++---
 .../org/apache/ranger/db/XXPolicyChangeLogDao.java | 15 +++---
 .../ranger/service/RangerPolicyServiceBase.java| 28 +++---
 6 files changed, 94 insertions(+), 45 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
index f040a66..42143d0 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
@@ -90,7 +90,7 @@ public class RangerPolicyDeltaUtil {
 
 while (iter.hasNext()) {
 RangerPolicy policy = iter.next();
-if (policyId.equals(policy.getId())) {
+if (policyId.equals(policy.getId()) && changeType 
== RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE) {
 deletedPolicies.add(policy);
 iter.remove();
 }
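Review bot: With the added `changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE` test, an existing entry with the same id is removed from the list only for delete deltas; for every other change type it now stays. How update deltas are applied is outside the hunk, but if the new version is simply appended later, the list would hold both the stale and the updated policy, and a stale grant left in the evaluated set is an authorization problem rather than a cosmetic one. If an update is meant to replace the old copy, the condition should say so: `policyId.equals(policy.getId()) && (changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE || changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE)`. If `changeType` is a boxed Integer, the `==` against the int constant also unboxes and would throw on null; its declaration is not shown.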
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index c5add3a..b9a926b 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -1401,7 +1401,7 @@ public class ServiceDBStore extends AbstractServiceStore {
}
 
if (LOG.isDebugEnabled()) {
-   LOG.debug("== ServiceDBStore.getServiceDefByName(" + 
name + "): " + ret);
+   LOG.debug("== ServiceDBStore.getServiceDefByName(" + 
name + "): " );
}
 
return  ret;
@@ -3139,7 +3139,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 
boolean isValid;
 
-   resourcePolicyDeltas = 
daoMgr.getXXPolicyChangeLog().findLaterThan(policyService, lastKnownVersion, 
service.getId());
+   resourcePolicyDeltas = 
daoMgr.getXXPolicyChangeLog().findLaterThan(lastKnownVersion, service.getId());
if (CollectionUtils.isNotEmpty(resourcePolicyDeltas)) {
isValid = 
RangerPolicyDeltaUtil.isValidDeltas(resourcePolicyDeltas, componentServiceType);
 
@@ -3151,7 +3151,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 
if (isValid && tagService != null) {
Long id = 
resourcePolicyDeltas.get(0).getId();
-   tagPolicyDeltas = 
daoMgr.getXXPolicyChangeLog().findGreaterThan(policyService, id, 
tagService.getId());
+   tagPolicyDeltas = 
daoMgr.getXXPolicyChangeLog().findGreaterThan(id, tagService.getId());
 
 
if 
(CollectionUtils.isNotEmpty(tagPolicyDeltas)) {
@@ -3542,46 +3542,53 @@ public class ServiceDBStore extends 
AbstractServiceStore {
XXServiceVersionInfo serviceVersionInfoDbObj = 
serviceVersionInfoDao.findByServiceId(id);
XXService service = daoMgr.getXXService().getById(id);
 
-   Long nextPolicyVersion = 1L;
+   Long nextVersion = 1L;
Date now = new Date();
 
if (serviceVersionInfoDbObj != null) {
if (versionType == VERSION_TYPE.POLICY_VERSION) {
-   nextPolicyVersion = 
getNextVersion(serviceVersionInfoDbObj.getPolicyVersion());
-
-   
serviceVersionInfoDbObj.setPolicyVersion(nextPolicyVersion);
+   nextVersion = 
getNextVersion(serviceVersionInfoDbObj.getPolicyVersion());
+   
serviceVersionInfoDbObj.setPolicyVersion(nextVersion);

[ranger] branch master updated: RANGER-3371: Update algorithm to build Ranger policy-database object from Ranger policy-view object

2021-08-17 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 6030613  RANGER-3371: Update algorithm to build Ranger policy-database 
object from Ranger policy-view object
6030613 is described below

commit 6030613254ae628b924b2337a59c6ddb1fba1155
Author: Abhay Kulkarni 
AuthorDate: Tue Aug 17 10:51:26 2021 -0700

RANGER-3371: Update algorithm to build Ranger policy-database object from 
Ranger policy-view object
---
 .../ranger/plugin/util/RangerPolicyDeltaUtil.java  |  2 +-
 .../java/org/apache/ranger/biz/ServiceDBStore.java | 61 +++---
 .../ranger/common/RangerServicePoliciesCache.java  |  6 +--
 .../RangerTransactionSynchronizationAdapter.java   | 27 +++---
 .../org/apache/ranger/db/XXPolicyChangeLogDao.java | 15 +++---
 .../ranger/service/RangerPolicyServiceBase.java| 28 +++---
 6 files changed, 94 insertions(+), 45 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
index f040a66..42143d0 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
@@ -90,7 +90,7 @@ public class RangerPolicyDeltaUtil {
 
 while (iter.hasNext()) {
 RangerPolicy policy = iter.next();
-if (policyId.equals(policy.getId())) {
+if (policyId.equals(policy.getId()) && changeType 
== RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE) {
 deletedPolicies.add(policy);
 iter.remove();
 }
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index c5add3a..b9a926b 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -1401,7 +1401,7 @@ public class ServiceDBStore extends AbstractServiceStore {
}
 
if (LOG.isDebugEnabled()) {
-   LOG.debug("== ServiceDBStore.getServiceDefByName(" + 
name + "): " + ret);
+   LOG.debug("== ServiceDBStore.getServiceDefByName(" + 
name + "): " );
}
 
return  ret;
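Review bot: After dropping `+ ret`, the debug message ends in a dangling `"): "` and no longer tells the reader whether a service-def was found. Not serialising the whole object is reasonable, but the line should still carry a result, for instance `LOG.debug("== ServiceDBStore.getServiceDefByName(" + name + "): found=" + (ret != null));`. The method begins outside the hunk.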
@@ -3139,7 +3139,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 
boolean isValid;
 
-   resourcePolicyDeltas = 
daoMgr.getXXPolicyChangeLog().findLaterThan(policyService, lastKnownVersion, 
service.getId());
+   resourcePolicyDeltas = 
daoMgr.getXXPolicyChangeLog().findLaterThan(lastKnownVersion, service.getId());
if (CollectionUtils.isNotEmpty(resourcePolicyDeltas)) {
isValid = 
RangerPolicyDeltaUtil.isValidDeltas(resourcePolicyDeltas, componentServiceType);
 
@@ -3151,7 +3151,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 
if (isValid && tagService != null) {
Long id = 
resourcePolicyDeltas.get(0).getId();
-   tagPolicyDeltas = 
daoMgr.getXXPolicyChangeLog().findGreaterThan(policyService, id, 
tagService.getId());
+   tagPolicyDeltas = 
daoMgr.getXXPolicyChangeLog().findGreaterThan(id, tagService.getId());
 
 
if 
(CollectionUtils.isNotEmpty(tagPolicyDeltas)) {
@@ -3542,46 +3542,53 @@ public class ServiceDBStore extends 
AbstractServiceStore {
XXServiceVersionInfo serviceVersionInfoDbObj = 
serviceVersionInfoDao.findByServiceId(id);
XXService service = daoMgr.getXXService().getById(id);
 
-   Long nextPolicyVersion = 1L;
+   Long nextVersion = 1L;
Date now = new Date();
 
if (serviceVersionInfoDbObj != null) {
if (versionType == VERSION_TYPE.POLICY_VERSION) {
-   nextPolicyVersion = 
getNextVersion(serviceVersionInfoDbObj.getPolicyVersion());
-
-   
serviceVersionInfoDbObj.setPolicyVersion(nextPolicyVersion);
+   nextVersion = 
getNextVersion(serviceVersionInfoDbObj.getPolicyVersion());
+   
serviceVersionInfoDbObj.setPolicyVersion(nextVersion);

serviceVersionInfoDbObj.setPolicyUpdateTime(now);
-

[ranger] branch ranger-2.2 updated: RANGER-3360: Best Practice: Use updated policy object after pruning the policy object

2021-08-03 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
 new 5a07338  RANGER-3360: Best Practice: Use updated policy object after 
pruning the policy object
5a07338 is described below

commit 5a07338439dc9a1de10a3066ebe17aed7de2239c
Author: Abhay Kulkarni 
AuthorDate: Tue Aug 3 10:44:01 2021 -0700

RANGER-3360: Best Practice: Use updated policy object after pruning the 
policy object
---
 .../ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java| 2 +-
 .../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 5c6083e..52a30a1 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -59,7 +59,7 @@ public abstract class RangerAbstractPolicyEvaluator 
implements RangerPolicyEvalu
this.leafResourceDef = 
ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource());
 
if(LOG.isDebugEnabled()) {
-   LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + 
policy + ", " + serviceDef + ")");
+   LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + 
this.policy + ", " + serviceDef + ")");
}
}
 
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 831b6d4..b5b859c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -123,6 +123,8 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
 
super.init(policy, serviceDef, options);
 
+   policy = getPolicy();
+
preprocessPolicy(policy, serviceDef);
 
resourceMatcher = new RangerDefaultPolicyResourceMatcher();
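Review bot: `policy = getPolicy();` silently rebinds the method parameter, so everything after `super.init(...)` works on a possibly different object than the one the caller passed, and nothing in the code says why. Going by the commit title, the superclass may keep a pruned copy; a comment makes that visible: `// super.init() may have replaced the policy with a pruned copy; use that one from here on`. A separate local (for example `prunedPolicy`) passed to `preprocessPolicy(...)` would avoid reassigning a parameter, though the rest of init() lies outside the hunk and may need the same value.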


[ranger] branch master updated: RANGER-3360: Best Practice: Use updated policy object after pruning the policy object

2021-08-03 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new c9003ff  RANGER-3360: Best Practice: Use updated policy object after 
pruning the policy object
c9003ff is described below

commit c9003ff68a35bb1fa56d00b3cb2505ac00fbeb2e
Author: Abhay Kulkarni 
AuthorDate: Tue Aug 3 10:44:01 2021 -0700

RANGER-3360: Best Practice: Use updated policy object after pruning the 
policy object
---
 .../ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java| 2 +-
 .../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 5c6083e..52a30a1 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -59,7 +59,7 @@ public abstract class RangerAbstractPolicyEvaluator 
implements RangerPolicyEvalu
this.leafResourceDef = 
ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource());
 
if(LOG.isDebugEnabled()) {
-   LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + 
policy + ", " + serviceDef + ")");
+   LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + 
this.policy + ", " + serviceDef + ")");
}
}
 
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 831b6d4..b5b859c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -123,6 +123,8 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
 
super.init(policy, serviceDef, options);
 
+   policy = getPolicy();
+
preprocessPolicy(policy, serviceDef);
 
resourceMatcher = new RangerDefaultPolicyResourceMatcher();
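Review bot: `policy = getPolicy();` reassigns the method parameter with no explanation, so a reader of init cannot tell that the argument and the policy stored by `super.init` may be different objects. A one-line comment such as `// super.init() may have stored a pruned copy of the policy; use that one from here on`, or a separate local like `final RangerPolicy prunedPolicy = getPolicy();`, would make it harder for a later edit to bring the unpruned object back into evaluation. init's body starts and ends outside the hunk, so whether other uses of the original argument remain further down cannot be checked here.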


[ranger] branch ranger-2.2 updated: RANGER-3329: Request for _any access-type is denied only when on all access-types are denied

2021-07-20 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
 new 0f60a40  RANGER-3329: Request for _any access-type is denied only when 
on all access-types are denied
0f60a40 is described below

commit 0f60a401ce36737da905f77b8d98fc4851b69aee
Author: Abhay Kulkarni 
AuthorDate: Tue Jul 20 08:55:31 2021 -0700

RANGER-3329: Request for _any access-type is denied only when on all 
access-types are denied
---
 .../policyengine/RangerAccessRequestImpl.java  | 18 ++
 .../policyengine/RangerPolicyEngineImpl.java   | 60 ---
 .../RangerDefaultPolicyEvaluator.java  | 69 +++---
 .../plugin/util/RangerAccessRequestUtil.java   |  9 +++
 .../ranger/plugin/policyengine/TestPolicyACLs.java |  4 +-
 .../test_policyengine_descendant_tags.json |  8 +--
 .../policyengine/test_policyengine_hive.json   |  2 +-
 .../policyengine/test_policyengine_tag_hive.json   | 14 +
 ...t_policyengine_tag_hive_for_show_databases.json | 10 ++--
 9 files changed, 114 insertions(+), 80 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index 74a7a26..3d0168a 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -78,6 +78,24 @@ public class RangerAccessRequestImpl implements 
RangerAccessRequest {
setClusterName(null);
}
 
+   public RangerAccessRequestImpl(RangerAccessRequest request) {
+   setResource(request.getResource());
+   setAccessType(request.getAccessType());
+   setUser(request.getUser());
+   setUserGroups(request.getUserGroups());
+   setUserRoles(request.getUserRoles());
+   setForwardedAddresses(request.getForwardedAddresses());
+   setAccessTime(request.getAccessTime());
+   setRemoteIPAddress(request.getRemoteIPAddress());
+   setClientType(request.getClientType());
+   setAction(request.getAction());
+   setRequestData(request.getRequestData());
+   setSessionId(request.getSessionId());
+   setContext(request.getContext());
+   setClusterName(request.getClusterName());
+   setResourceMatchingScope(request.getResourceMatchingScope());
+   }
+
@Override
public RangerAccessResource getResource() {
return resource;
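Review bot: The new copy constructor hands `request.getContext()` straight to `setContext`, so unless `setContext` copies the map (its body is outside this hunk) the copy and the original request share one context object. The RangerPolicyEngineImpl hunk that follows calls `RangerAccessRequestUtil.setIsAnyAccessInContext(requestForOneAccessType.getContext(), Boolean.TRUE)` on each copy, which would then also mark the caller's request and leave the flag set after evaluation. If sharing is not intended, copying here keeps per-access-type state out of the original, e.g. `setContext(request.getContext() == null ? null : new HashMap<>(request.getContext()));` (assuming `java.util.HashMap` is in scope); if it is intended, a comment on the constructor saying so would help. The identical constructor hunk appears again in the master push of this change further down.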
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 3c0e32c..9e0a89e 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -661,11 +661,59 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
LOG.debug("==> 
RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + 
policyType + ", zoneName=" + zoneName + ")");
}
 
-   final Date   accessTime  = request.getAccessTime() 
!= null ? request.getAccessTime() : new Date();
-   final RangerAccessResult ret = 
createAccessResult(request, policyType);
+   RangerAccessResult ret = createAccessResult(request, 
policyType);
+
+   if (request.isAccessTypeAny()) {
+   RangerAccessResult denyResult  = null;
+   RangerAccessResult allowResult = null;
+
+   List 
allAccessDefs = getServiceDef().getAccessTypes();
+
+   for (RangerServiceDef.RangerAccessTypeDef accessTypeDef 
: allAccessDefs) {
+   RangerAccessRequestImpl requestForOneAccessType 
= new RangerAccessRequestImpl(request);
+   
RangerAccessRequestUtil.setIsAnyAccessInContext(requestForOneAccessType.getContext(),
 Boolean.TRUE);
+
+   
requestForOneAccessType.setAccessType(accessTypeDef.getName());
+
+   RangerAccessResult resultForOneAccessType = 
evaluatePoliciesForOneAccessTypeNoAudit(requestForOneAccessType, policyType, 
zoneName, policyRepository, tagPolicyRepository);
+
+   ret.setAuditResultFrom(resultForOneAccessType);
+
+   if 
(r

[ranger] branch master updated: RANGER-3329: Request for _any access-type is denied only when on all access-types are denied

2021-07-20 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new db2bd7c  RANGER-3329: Request for _any access-type is denied only when 
on all access-types are denied
db2bd7c is described below

commit db2bd7c4f50be5987cf272c42a2b8a2565175461
Author: Abhay Kulkarni 
AuthorDate: Tue Jul 20 08:55:31 2021 -0700

RANGER-3329: Request for _any access-type is denied only when on all 
access-types are denied
---
 .../policyengine/RangerAccessRequestImpl.java  | 18 ++
 .../policyengine/RangerPolicyEngineImpl.java   | 60 ---
 .../RangerDefaultPolicyEvaluator.java  | 69 +++---
 .../plugin/util/RangerAccessRequestUtil.java   |  9 +++
 .../ranger/plugin/policyengine/TestPolicyACLs.java |  4 +-
 .../test_policyengine_descendant_tags.json |  8 +--
 .../policyengine/test_policyengine_hive.json   |  2 +-
 .../policyengine/test_policyengine_tag_hive.json   | 14 +
 ...t_policyengine_tag_hive_for_show_databases.json | 10 ++--
 9 files changed, 114 insertions(+), 80 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index 74a7a26..3d0168a 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -78,6 +78,24 @@ public class RangerAccessRequestImpl implements 
RangerAccessRequest {
setClusterName(null);
}
 
+   public RangerAccessRequestImpl(RangerAccessRequest request) {
+   setResource(request.getResource());
+   setAccessType(request.getAccessType());
+   setUser(request.getUser());
+   setUserGroups(request.getUserGroups());
+   setUserRoles(request.getUserRoles());
+   setForwardedAddresses(request.getForwardedAddresses());
+   setAccessTime(request.getAccessTime());
+   setRemoteIPAddress(request.getRemoteIPAddress());
+   setClientType(request.getClientType());
+   setAction(request.getAction());
+   setRequestData(request.getRequestData());
+   setSessionId(request.getSessionId());
+   setContext(request.getContext());
+   setClusterName(request.getClusterName());
+   setResourceMatchingScope(request.getResourceMatchingScope());
+   }
+
@Override
public RangerAccessResource getResource() {
return resource;
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 3c0e32c..9e0a89e 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -661,11 +661,59 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
LOG.debug("==> 
RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + 
policyType + ", zoneName=" + zoneName + ")");
}
 
-   final Date   accessTime  = request.getAccessTime() 
!= null ? request.getAccessTime() : new Date();
-   final RangerAccessResult ret = 
createAccessResult(request, policyType);
+   RangerAccessResult ret = createAccessResult(request, 
policyType);
+
+   if (request.isAccessTypeAny()) {
+   RangerAccessResult denyResult  = null;
+   RangerAccessResult allowResult = null;
+
+   List 
allAccessDefs = getServiceDef().getAccessTypes();
+
+   for (RangerServiceDef.RangerAccessTypeDef accessTypeDef 
: allAccessDefs) {
+   RangerAccessRequestImpl requestForOneAccessType 
= new RangerAccessRequestImpl(request);
+   
RangerAccessRequestUtil.setIsAnyAccessInContext(requestForOneAccessType.getContext(),
 Boolean.TRUE);
+
+   
requestForOneAccessType.setAccessType(accessTypeDef.getName());
+
+   RangerAccessResult resultForOneAccessType = 
evaluatePoliciesForOneAccessTypeNoAudit(requestForOneAccessType, policyType, 
zoneName, policyRepository, tagPolicyRepository);
+
+   ret.setAuditResultFrom(resultForOneAccessType);
+
+   if 
(r

[ranger] branch ranger-2.2 updated: RANGER-3343: Ranger policy cache is incorrect in some scenario

2021-07-20 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
 new 8cf1668  RANGER-3343: Ranger policy cache is incorrect in some scenario
8cf1668 is described below

commit 8cf1668c165c9a981d47597a4cfc693169debf18
Author: Abhay Kulkarni 
AuthorDate: Tue Jul 20 07:14:53 2021 -0700

RANGER-3343: Ranger policy cache is incorrect in some scenario
---
 .../RangerAbstractPolicyEvaluator.java | 62 --
 .../RangerDefaultPolicyEvaluator.java  | 12 -
 2 files changed, 59 insertions(+), 15 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 99ae598..5c6083e 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -19,8 +19,6 @@
 
 package org.apache.ranger.plugin.policyevaluator;
 
-
-
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -32,7 +30,9 @@ import 
org.apache.ranger.plugin.policyengine.RangerPluginContext;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 import org.apache.ranger.plugin.util.ServiceDefUtil;
 
+import java.util.List;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 public abstract class RangerAbstractPolicyEvaluator implements 
RangerPolicyEvaluator {
private static final Log LOG = 
LogFactory.getLog(RangerAbstractPolicyEvaluator.class);
@@ -54,7 +54,7 @@ public abstract class RangerAbstractPolicyEvaluator 
implements RangerPolicyEvalu
LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + 
policy + ", " + serviceDef + ")");
}
 
-   this.policy  = policy;
+   this.policy  = getPrunedPolicy(policy);
this.serviceDef  = serviceDef;
this.leafResourceDef = 
ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource());
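Review bot: `getPrunedPolicy(policy)` is now called on every init, and the part of that helper visible in the next hunk calls `policy.getPolicyItems()` without a null check whenever `evaluateDelegateAdminOnly` is set, while `hasDeny` in the same class still guards with `policy != null`. If a null policy can reach init (not decidable from this hunk), the evaluator would throw only in delegate-admin-only mode, which is easy to miss in testing; `this.policy = policy != null ? getPrunedPolicy(policy) : null;` keeps the previous behaviour for that case. The same hunk is repeated in the master push of this change below, and init's body starts and ends outside the hunk.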
 
@@ -105,6 +105,62 @@ public abstract class RangerAbstractPolicyEvaluator 
implements RangerPolicyEvalu
return policy != null && (policy.getIsDenyAllElse() || 
CollectionUtils.isNotEmpty(policy.getDenyPolicyItems()));
}
 
+   private RangerPolicy getPrunedPolicy(final RangerPolicy policy) {
+   if(LOG.isDebugEnabled()) {
+   LOG.debug("==> 
RangerAbstractPolicyEvaluator.getPrunedPolicy(" + policy + ")");
+   }
+
+   final RangerPolicyret;
+
+   final boolean isPruningNeeded;
+   final List prunedAllowItems;
+   final List prunedDenyItems;
+   final List prunedAllowExceptions;
+   final List prunedDenyExceptions;
+
+   final RangerPluginContext pluginContext = getPluginContext();
+
+   if (pluginContext != null && 
pluginContext.getConfig().getPolicyEngineOptions().evaluateDelegateAdminOnly) {
+   prunedAllowItems  = 
policy.getPolicyItems().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+   prunedDenyItems   = 
policy.getDenyPolicyItems().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+   prunedAllowExceptions = 
policy.getAllowExceptions().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+   prunedDenyExceptions  = 
policy.getDenyExceptions().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+
+   isPruningNeeded = prunedAllowItems.size() != 
policy.getPolicyItems().size()
+   || prunedDenyItems.size() != 
policy.getDenyPolicyItems().size()
+   || prunedAllowExceptions.size() != 
policy.getAllowExceptions().size()
+   || prunedDenyExceptions.size() != 
policy.getDenyExceptions().size();
+   } else {
+   prunedAllowItems  = null;
+   prunedDenyItems   = null;
+   prunedAllowExceptions = null;
+   prunedDenyExceptions  = null;
+   isPruningNeeded   = false;
+   }
+
+   if (!isPruni

[ranger] branch master updated: RANGER-3343: Ranger policy cache is incorrect in some scenario

2021-07-20 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 5b075e6  RANGER-3343: Ranger policy cache is incorrect in some scenario
5b075e6 is described below

commit 5b075e6ca77f387b9e094b8f45947f90902e20d5
Author: Abhay Kulkarni 
AuthorDate: Tue Jul 20 07:14:53 2021 -0700

RANGER-3343: Ranger policy cache is incorrect in some scenario
---
 .../RangerAbstractPolicyEvaluator.java | 62 --
 .../RangerDefaultPolicyEvaluator.java  | 12 -
 2 files changed, 59 insertions(+), 15 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 99ae598..5c6083e 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -19,8 +19,6 @@
 
 package org.apache.ranger.plugin.policyevaluator;
 
-
-
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -32,7 +30,9 @@ import 
org.apache.ranger.plugin.policyengine.RangerPluginContext;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 import org.apache.ranger.plugin.util.ServiceDefUtil;
 
+import java.util.List;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 public abstract class RangerAbstractPolicyEvaluator implements 
RangerPolicyEvaluator {
private static final Log LOG = 
LogFactory.getLog(RangerAbstractPolicyEvaluator.class);
@@ -54,7 +54,7 @@ public abstract class RangerAbstractPolicyEvaluator 
implements RangerPolicyEvalu
LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + 
policy + ", " + serviceDef + ")");
}
 
-   this.policy  = policy;
+   this.policy  = getPrunedPolicy(policy);
this.serviceDef  = serviceDef;
this.leafResourceDef = 
ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource());
 
@@ -105,6 +105,62 @@ public abstract class RangerAbstractPolicyEvaluator 
implements RangerPolicyEvalu
return policy != null && (policy.getIsDenyAllElse() || 
CollectionUtils.isNotEmpty(policy.getDenyPolicyItems()));
}
 
+   private RangerPolicy getPrunedPolicy(final RangerPolicy policy) {
+   if(LOG.isDebugEnabled()) {
+   LOG.debug("==> 
RangerAbstractPolicyEvaluator.getPrunedPolicy(" + policy + ")");
+   }
+
+   final RangerPolicyret;
+
+   final boolean isPruningNeeded;
+   final List prunedAllowItems;
+   final List prunedDenyItems;
+   final List prunedAllowExceptions;
+   final List prunedDenyExceptions;
+
+   final RangerPluginContext pluginContext = getPluginContext();
+
+   if (pluginContext != null && 
pluginContext.getConfig().getPolicyEngineOptions().evaluateDelegateAdminOnly) {
+   prunedAllowItems  = 
policy.getPolicyItems().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+   prunedDenyItems   = 
policy.getDenyPolicyItems().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+   prunedAllowExceptions = 
policy.getAllowExceptions().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+   prunedDenyExceptions  = 
policy.getDenyExceptions().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+
+   isPruningNeeded = prunedAllowItems.size() != 
policy.getPolicyItems().size()
+   || prunedDenyItems.size() != 
policy.getDenyPolicyItems().size()
+   || prunedAllowExceptions.size() != 
policy.getAllowExceptions().size()
+   || prunedDenyExceptions.size() != 
policy.getDenyExceptions().size();
+   } else {
+   prunedAllowItems  = null;
+   prunedDenyItems   = null;
+   prunedAllowExceptions = null;
+   prunedDenyExceptions  = null;
+   isPruningNeeded   = false;
+   }
+
+   if (!isPruni
