(ranger) branch master updated: RANGER-4824: Remove ACL-based policy engine unit test code
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new d8a670ce8 RANGER-4824: Remove ACL-based policy engine unit test code d8a670ce8 is described below commit d8a670ce8ecee1d6db66979ce65b5690a5950a4c Author: Abhay Kulkarni AuthorDate: Tue Jun 18 11:01:15 2024 -0700 RANGER-4824: Remove ACL-based policy engine unit test code --- .../policyengine/RangerPolicyEngineOptions.java| 4 +- .../RangerDefaultPolicyEvaluator.java | 412 - .../RangerOptimizedPolicyEvaluator.java| 8 +- .../plugin/policyengine/TestPolicyEngine.java | 44 +-- .../policyengine/TestPolicyEngineForDeltas.java| 49 +-- 5 files changed, 88 insertions(+), 429 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java index f5f412797..f881eaa14 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java @@ -37,6 +37,7 @@ public class RangerPolicyEngineOptions { public boolean evaluateDelegateAdminOnly = false; public boolean enableTagEnricherWithLocalRefresher = false; public boolean enableUserStoreEnricherWithLocalRefresher = false; + @Deprecated public boolean disableAccessEvaluationWithPolicyACLSummary = true; public boolean optimizeTrieForRetrieval = false; public boolean disableRoleResolution = true; 
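Review bot: The `@Deprecated` placed in front of `disableAccessEvaluationWithPolicyACLSummary` comes with no `@deprecated` Javadoc, while the three hunks that follow stop copying the field in the copy constructor and stop reading the `...policyengine.option.disable.access.evaluation.with.policy.acl.summary` property, so a caller that still sets either gets no effect and no hint as to why. Since the field stays `public` with its old default of `true`, document that state on the field itself, e.g. `/** @deprecated no longer consulted by the policy engine; kept only so existing code that sets it still compiles. */`. Whether the engine truly ignores it everywhere is not visible here — the RangerDefaultPolicyEvaluator hunk of this commit is cut off on the next line — so the wording should be confirmed against that file before it is committed.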
@@ -62,7 +63,6 @@ public class RangerPolicyEngineOptions { this.evaluateDelegateAdminOnly = other.evaluateDelegateAdminOnly; this.enableTagEnricherWithLocalRefresher = other.enableTagEnricherWithLocalRefresher; this.enableUserStoreEnricherWithLocalRefresher = other.enableUserStoreEnricherWithLocalRefresher; - this.disableAccessEvaluationWithPolicyACLSummary = other.disableAccessEvaluationWithPolicyACLSummary; this.optimizeTrieForRetrieval = other.optimizeTrieForRetrieval; this.disableRoleResolution = other.disableRoleResolution; this.serviceDefHelper = null; @@ -95,7 +95,6 @@ public class RangerPolicyEngineOptions { evaluateDelegateAdminOnly = false; enableTagEnricherWithLocalRefresher = false; enableUserStoreEnricherWithLocalRefresher = false; - disableAccessEvaluationWithPolicyACLSummary = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.access.evaluation.with.policy.acl.summary", true); optimizeTrieForRetrieval = conf.getBoolean(propertyPrefix + ".policyengine.option.optimize.trie.for.retrieval", false); disableRoleResolution = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.role.resolution", true); optimizeTrieForSpace = conf.getBoolean(propertyPrefix + ".policyengine.option.optimize.trie.for.space", false); @@ -118,7 +117,6 @@ public class RangerPolicyEngineOptions { evaluateDelegateAdminOnly = false; enableTagEnricherWithLocalRefresher = false; enableUserStoreEnricherWithLocalRefresher = false; - disableAccessEvaluationWithPolicyACLSummary = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.access.evaluation.with.policy.acl.summary", true); optimizeTrieForRetrieval = conf.getBoolean(propertyPrefix + ".policyengine.option.optimize.trie.for.retrieval", false); disableRoleResolution = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.role.resolution", true); } 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 33d56ec57..be6cd5584 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -78,7 +78,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator private List conditionEvaluators; private String perfTag; private PolicyACLSummary aclSummary = null; - private boolean useAclSummaryForEvaluation = false; private boolean disableRoleResolution = true; List getAllowEvaluators() { return allowEva
(ranger) branch master updated: RANGER-4823: Incorrect processing of downloaded policies in plugin when policy-deltas are enabled
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 5ca434217 RANGER-4823: Incorrect processing of downloaded policies in plugin when policy-deltas are enabled 5ca434217 is described below commit 5ca434217909adb2c55322b4ab733248344d42ac Author: Abhay Kulkarni AuthorDate: Mon Jun 17 21:12:12 2024 -0700 RANGER-4823: Incorrect processing of downloaded policies in plugin when policy-deltas are enabled --- .../src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java| 2 ++ 1 file changed, 2 insertions(+) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java index dd64a6767..0cb1f23c7 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java @@ -58,6 +58,7 @@ public class ServicePolicies implements java.io.Serializable { private String auditMode = RangerPolicyEngine.AUDIT_DEFAULT; private TagPoliciestagPolicies; private Map securityZones; + @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) private List policyDeltas; private Map serviceConfig; @@ -362,6 +363,7 @@ public class ServicePolicies implements java.io.Serializable { private String zoneName; private List>> resources; private List policies; + @JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) private List policyDeltas; private Boolean containsAssociatedTagService;
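Review bot: Neither of the two `@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)` sites records why a null `policyDeltas` must be absent from the JSON rather than serialized as `null`, which is the whole of this fix; a comment such as `// RANGER-4823: must be omitted (not null) in the serialized form — the plugin side treats an absent field differently from a null one; confirm against the deserializing code` would keep a later refactor from dropping the annotation. The annotation only affects serialization, so if the receiving side also needs to distinguish the two cases that contract belongs in the same comment. If this is the Jackson 2 `com.fasterxml` annotation, its `include` attribute is deprecated in favour of `@JsonInclude(JsonInclude.Include.NON_NULL)`; the import is not in the hunk, so it may already be the codehaus form, in which case this does not apply.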
(ranger) branch master updated: RANGER-4820: Support authorization of multiple accesses grouped by access groups in one policy engine call
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 16c60270e RANGER-4820: Support authorization of multiple accesses grouped by access groups in one policy engine call 16c60270e is described below commit 16c60270eafb9fda7ac8f784e43f6a96110c40e6 Author: Abhay Kulkarni AuthorDate: Mon Jun 17 16:00:34 2024 -0700 RANGER-4820: Support authorization of multiple accesses grouped by access groups in one policy engine call --- .../policyengine/RangerPolicyEngineImpl.java | 22 +- .../plugin/policyengine/gds/GdsPolicyEngine.java | 7 +- .../RangerDefaultPolicyEvaluator.java | 288 - .../plugin/util/RangerAccessRequestUtil.java | 140 +++--- .../plugin/policyengine/TestPolicyEngine.java | 32 ++- .../policyengine/gds/TestGdsPolicyEngine.java | 20 +- .../plugin/service/TestRangerBasePlugin.java | 20 +- .../test_policyengine_hdfs_multiple_accesses.json | 11 +- .../authorization/hadoop/RangerHdfsAuthorizer.java | 35 ++- 9 files changed, 410 insertions(+), 165 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index b0dc7a461..232ef90da 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
@@ -678,7 +678,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { String requestedAccess = accessTypeDef.getName(); allRequestedAccesses.add(requestedAccess); } - RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), allRequestedAccesses, Boolean.TRUE); + RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), allRequestedAccesses); + RangerAccessRequestUtil.setIsAnyAccessInContext(request.getContext(), Boolean.TRUE); } ret = evaluatePoliciesForOneAccessTypeNoAudit(request, policyType, zoneName, policyRepository, tagPolicyRepository); @@ -768,22 +769,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } } - if (!request.isAccessTypeAny()) { - Set allRequestedAccesses = RangerAccessRequestUtil.getAllRequestedAccessTypes(request); - if (CollectionUtils.size(allRequestedAccesses) > 1 && !RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) { - Map accessTypeResults = RangerAccessRequestUtil.getAccessTypeResults(request.getContext()); - if (accessTypeResults != null) { - if (accessTypeResults.keySet().containsAll(allRequestedAccesses)) { - // Allow - RangerAccessResult result = accessTypeResults.values().iterator().next(); // Pick one result randomly - ret.setAccessResultFrom(result); - ret.setIsAccessDetermined(true); - } - RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null); - } - } - } - if (!ret.getIsAccessDetermined()) { if (isDeniedByTags) { ret.setIsAllowed(false); @@ -801,6 +786,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { if (ret.getIsAllowed()) { ret.setIsAccessDetermined(true); } + RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null); + RangerAccessRequestUtil.setAccessTypeACLResults(request.getContext(), null); + RangerAccessRequestUtil.setIsAnyAccessInContext(request.getContext(), null); if (findAuditByResource && !foundInCache) { policyRepository.storeAuditEnabledInCache(request, ret); 
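Review bot: The three context-clearing calls added after `ret.setIsAccessDetermined(true)` — `setAccessTypeResults`, `setAccessTypeACLResults` and `setIsAnyAccessInContext`, all set to `null` — run only when evaluation reaches that point normally; if an evaluator throws, whatever was placed in the request context (including the `Boolean.TRUE` written in the first hunk) survives. If the same `RangerAccessRequest` or its context map is ever reused for another evaluation, a stale `_ACCESS_TYPE_RESULTS` entry would then be read as if it belonged to the new evaluation, which is an authorization-relevant leak between requests; whether requests are reused is not visible here. Moving the three calls into a `finally` around the evaluation (the enclosing method starts outside this hunk) would make the cleanup unconditional. A one-line comment naming these keys as per-evaluation scratch state that must not outlive the call would also help, since nothing in the hunk says so.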
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsPolicyEngine.java
(ranger) branch master updated: RANGER-4817: Optimize Ranger HDFS Authorization by combining multiple authorization calls
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 3e383969d RANGER-4817: Optimize Ranger HDFS Authorization by combining multiple authorization calls 3e383969d is described below commit 3e383969d759897112d114f6c03f5bd597c9b1f4 Author: Abhay Kulkarni AuthorDate: Mon Jun 10 16:13:48 2024 -0700 RANGER-4817: Optimize Ranger HDFS Authorization by combining multiple authorization calls --- .../ranger/plugin/service/RangerBasePlugin.java| 2 +- .../plugin/util/RangerAccessRequestUtil.java | 10 + .../authorization/hadoop/RangerHdfsAuthorizer.java | 501 ++--- .../authorization/hadoop/RangerHdfsAuthorizer.java | 72 +-- 4 files changed, 453 insertions(+), 132 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 6a614bf2d..8db08c598 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -533,7 +533,7 @@ public class RangerBasePlugin { ret = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, null); } - if (ret != null) { + if (ret != null && !RangerAccessRequestUtil.getIsSkipChainedPlugins(request.getContext())) { for (RangerChainedPlugin chainedPlugin : chainedPlugins) { if (LOG.isDebugEnabled()) { LOG.debug("BasePlugin.isAccessAllowed result=[" + ret + "]"); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java index a56ecb268..df0352ca9 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 
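Review bot: The new guard `ret != null && !RangerAccessRequestUtil.getIsSkipChainedPlugins(request.getContext())` bypasses every chained plugin on a flag read from the request's context map unconditionally — unlike `skipAccessCheckIfAlreadyDetermined` elsewhere on this page, it does not require `ret.getIsAccessDetermined()`, so a request that carries `_IS_SKIP_CHAINED_PLUGINS` and gets an undetermined result from the parent plugin also loses the chained plugin's decision. Whoever sets that key (presumably the HDFS authorizer in this commit, whose hunk is cut off below) is opting the request out of a layer of authorization, so the condition deserves a comment stating that contract, e.g. `// caller asked to skip chained plugins; the parent plugin's result is taken as final even when undetermined`. If the skip was only meant for already-determined results, enforce it here rather than relying on the caller: `if (ret != null && (!RangerAccessRequestUtil.getIsSkipChainedPlugins(request.getContext()) || !ret.getIsAccessDetermined())) {`.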
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java @@ -53,6 +53,7 @@ public class RangerAccessRequestUtil { public static final String KEY_CONTEXT_IS_REQUEST_PREPROCESSED = "ISREQUESTPREPROCESSED"; public static final String KEY_CONTEXT_RESOURCE_ZONE_NAMES = "RESOURCE_ZONE_NAMES"; public static final String KEY_CONTEXT_ACCESS_TYPE_RESULTS = "_ACCESS_TYPE_RESULTS"; + public static final String KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS = "_IS_SKIP_CHAINED_PLUGINS"; public static void setRequestTagsInContext(Map context, Set tags) { if(CollectionUtils.isEmpty(tags)) { @@ -361,4 +362,13 @@ public class RangerAccessRequestUtil { results.putIfAbsent(accessType, result); } } + + public static void setIsSkipChainedPlugins(Map context, Boolean value) { + context.put(KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS, value); + } + + public static boolean getIsSkipChainedPlugins(Map context) { + Boolean value = (Boolean)context.get(KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS); + return value != null && value; + } } diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java index b11ee62a3..c892bced3 100644 --- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java +++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java 
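Review bot: `setIsSkipChainedPlugins(Map context, Boolean value)` stores `value` even when it is `null`, so clearing the flag leaves a `_IS_SKIP_CHAINED_PLUGINS` → `null` entry in the context instead of removing the key; `getIsSkipChainedPlugins` tolerates that, but anything that serializes or iterates the context sees a phantom entry. `if (value == null) { context.remove(KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS); } else { context.put(KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS, value); }` keeps the map clean. Neither accessor is documented; a Javadoc line on the getter stating that a true value makes `RangerBasePlugin.isAccessAllowed` skip all chained plugins would tell readers how consequential the key is. If the existing setters above (cut off here) already follow the put-null pattern, consistency wins and only the documentation point remains.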
@@ -29,9 +29,16 @@ import static org.apache.ranger.authorization.hadoop.constants.RangerHadoopConst import static org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants.ALL_PERM; import static org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants.ACCESS_TYPE_MONITOR_HEALTH; + import java.net.InetAddress; import java.security.SecureRandom; -import java.util.*; +import java.util.Date; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; +import java.util.Stack; +import java.util.Objects; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.ArrayUtils; @@ -72,20 +79,38 @@ import com.google.common.collect.Sets; import org.apache.ranger.plugin.util.RangerAccessRequestUtil; public class RangerHdfsAuthorizer extends INodeAttributeProvider { - public static final String KEY_FILENAME = "FILENAME"; - public static final String KEY_BASE_FILENAME = "BASE_FILENAME"; - public static
(ranger) branch master updated: RANGER-4786: Ranger override policy is not working
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 967276241 RANGER-4786: Ranger override policy is not working 967276241 is described below commit 967276241ff593b7611576c21fb724b6839de8a2 Author: Abhay Kulkarni AuthorDate: Mon Apr 29 17:59:17 2024 -0700 RANGER-4786: Ranger override policy is not working --- .../RangerDefaultPolicyEvaluator.java | 18 ++- .../test_policyengine_hdfs_multiple_accesses.json | 58 ++ 2 files changed, 75 insertions(+), 1 deletion(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index ded8d0993..9745dc64f 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 
@@ -832,14 +832,23 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if (!result.getIsAllowed()) { // if access is not yet allowed by another policy if (matchType != RangerPolicyResourceMatcher.MatchType.ANCESTOR) { RangerAccessResult oneResult = new RangerAccessResult(result.getPolicyType(), result.getServiceName(), result.getServiceDef(), result.getAccessRequest()); - oneResult.setIsAllowed(true); oneResult.setPolicyPriority(getPolicyPriority()); oneResult.setPolicyId(getPolicyId()); oneResult.setPolicyVersion(getPolicy().getVersion()); + if (!oneResult.getIsAuditedDetermined()) { + oneResult.setAuditResultFrom(result); + } RangerAccessRequestUtil.setAccessTypeResult(request.getContext(), accessType, oneResult); } } + Map savedAccessResults = RangerAccessRequestUtil.getAccessTypeResults(request.getContext()); + int allowedAccessesCount = savedAccessResults == null ? 0 : savedAccessResults.size(); + if (allRequestedAccesses.size() == allowedAccessesCount) { + RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null); + result.setIsAllowed(true); + break; + } } } } @@ -909,6 +918,13 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator break; } else if (oneResult.getIsAllowed()) { RangerAccessRequestUtil.setAccessTypeResult(request.getContext(), accessType, oneResult); + + // Check if all access requests are satisfied, if so, access is allowed + if (allRequestedAccesses.size() == RangerAccessRequestUtil.getAccessTypeResults(request.getContext()).size()) { + allowResult = oneResult; + RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null); + break
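Review bot: The new early exit compares sizes only — `allRequestedAccesses.size() == allowedAccessesCount` — rather than checking that the saved results cover the requested access types, so if the `_ACCESS_TYPE_RESULTS` map ever holds an entry for an access type outside `allRequestedAccesses` (for instance one left in a reused context by an earlier evaluation; the engine-level clearing shown elsewhere on this page is conditional), equal counts would mark the request allowed without every requested access having matched. `savedAccessResults != null && savedAccessResults.keySet().containsAll(allRequestedAccesses)` expresses the intent and costs nothing. The second hunk (cut off here) repeats the size comparison and additionally calls `.size()` on `getAccessTypeResults(...)` without the null check the first hunk applies. The enclosing method starts and ends outside these hunks.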
(ranger) branch master updated: RANGER-4745: Enhance handling of subAccess authorization in Ranger HDFS plugin
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 4abb99350 RANGER-4745: Enhance handling of subAccess authorization in Ranger HDFS plugin 4abb99350 is described below commit 4abb993500274ad06a148f4258a7ea71622ebc88 Author: Abhay Kulkarni AuthorDate: Thu Apr 4 15:25:58 2024 -0700 RANGER-4745: Enhance handling of subAccess authorization in Ranger HDFS plugin --- .../hadoop/constants/RangerHadoopConstants.java| 4 + .../authorization/hadoop/RangerHdfsAuthorizer.java | 91 -- 2 files changed, 90 insertions(+), 5 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java index a29390fd0..fcd9ebd4d 100644 --- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java +++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java @@ -24,6 +24,10 @@ public class RangerHadoopConstants { public static final String RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_PROP = "ranger.optimize-subaccess-authorization" ; public static final boolean RANGER_ADD_HDFS_PERMISSION_DEFAULT = false; public static final boolean RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_DEFAULT = false ; + + public static final String RANGER_USE_LEGACY_SUBACCESS_AUTHORIZATION_PROP = "ranger.plugin.hdfs.use.legacy.subaccess.authorization"; + public static final boolean RANGER_USE_LEGACY_SUBACCESS_AUTHORIZATION_DEFAULT = true; + public static final String READ_ACCCESS_TYPE = "read"; public static final String WRITE_ACCCESS_TYPE = "write"; public static final String EXECUTE_ACCCESS_TYPE = "execute"; 
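Review bot: `RANGER_USE_LEGACY_SUBACCESS_AUTHORIZATION_PROP` introduces a behaviour switch with default `true` and no comment on how the legacy and non-legacy paths differ, so an operator reading the constants has to go to RangerHdfsAuthorizer to decide whether to flip it. A one-line comment above the pair, e.g. `// true: keep the pre-RANGER-4745 sub-access authorization; false: use the enhanced handling added in RANGER-4745`, would settle that. The property name also uses a different prefix style (`ranger.plugin.hdfs.…`) from its neighbour `ranger.optimize-subaccess-authorization`; if both are read from the same plugin configuration, the inconsistency is worth a note so it is not "fixed" later by renaming one of them.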
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java index 9b410a185..b11ee62a3 100644 --- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java +++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java @@ -116,6 +116,8 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider { LOG.info(RangerHadoopConstants.RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_PROP + " is enabled"); } + LOG.info("Legacy way of authorizing sub-access requests will " + (plugin.isUseLegacySubAccessAuthorization() ? "" : "not ") + "be used"); + access2ActionListMapper.put(FsAction.NONE, new HashSet()); access2ActionListMapper.put(FsAction.ALL, Sets.newHashSet(READ_ACCCESS_TYPE, WRITE_ACCCESS_TYPE, EXECUTE_ACCCESS_TYPE)); access2ActionListMapper.put(FsAction.READ, Sets.newHashSet(READ_ACCCESS_TYPE)); @@ -219,10 +221,14 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider { class SubAccessData { final INodeDirectorydir; final StringresourcePath; + final INode[] inodes; + final INodeAttributes[] iNodeAttributes; - SubAccessData(INodeDirectory dir, String resourcePath) { + SubAccessData(INodeDirectory dir, String resourcePath, INode[] inodes, INodeAttributes[] iNodeAttributes) { this.dir= dir; this.resourcePath = resourcePath; + this.iNodeAttributes = iNodeAttributes; + this.inodes = inodes; } } 
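Review bot: `SubAccessData` now keeps the `INode[] inodes` and `INodeAttributes[] iNodeAttributes` arrays by reference, with no comment on what they are relative to `dir` (presumably the ancestor chain of the directory being expanded) or that they must not be modified while the stack is drained; a field comment such as `// ancestors of the original request path, shared by every entry pushed for this sub-access check — treated as read-only` would cover both. The class is a non-static inner class; if it does not touch `RangerHdfsAuthorizer` instance state, declaring it `static` avoids the hidden reference to the enclosing authorizer. The field `iNodeAttributes` is the only camel-cased `iNode` in the hunk while the call site in the next hunk passes `inodeAttrs`; `inodeAttrs` would match the rest of the file.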
@@ -429,7 +435,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider { if(authzStatus == AuthzStatus.ALLOW && subAccess != null && inode != null && inode.isDirectory()) { Stack directories = new Stack<>(); - for(directories.push(new SubAccessData(inode.asDirectory(), resourcePath)); !directories.isEmpty(); ) { + for(directories.push(new SubAccessData(inode.asDirectory(), resourcePath, inodes, inodeAttrs)); !directories.isEmpty(); ) { SubAccessData data = directories.pop();
(ranger) branch master updated: RANGER-4767: Deleted policies are still taking effect if all policies for a security zone are deleted
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 2d875da32 RANGER-4767: Deleted policies are still taking effect if all policies for a security zone are deleted 2d875da32 is described below commit 2d875da32aa142151c976aea925a6cc9bd4e20dd Author: Abhay Kulkarni AuthorDate: Thu Apr 4 09:31:16 2024 -0700 RANGER-4767: Deleted policies are still taking effect if all policies for a security zone are deleted --- .../java/org/apache/ranger/plugin/service/RangerBasePlugin.java| 7 +++ 1 file changed, 7 insertions(+) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 6a3d59dae..97da473a8 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -383,6 +383,13 @@ public class RangerBasePlugin { if (policies.getPolicies() == null) { policies.setPolicies(new ArrayList<>()); } + if (MapUtils.isNotEmpty(policies.getSecurityZones())) { + for (ServicePolicies.SecurityZoneInfo element : policies.getSecurityZones().values()) { + if (element.getPolicies() == null) { + element.setPolicies(new ArrayList<>()); + } + } + } } } }
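Review bot: The new loop normalizes a null zone `policies` list to an empty one but says nothing about why the distinction matters — presumably a null list is read downstream as "no change for this zone", so a zone whose last policy was deleted kept its old policies, which is the bug in the title. A comment on the `if (element.getPolicies() == null)` line, e.g. `// RANGER-4767: null would be taken as "unchanged" downstream; an empty list is what removes the deleted zone policies — confirm against the consumer`, records that. `SecurityZoneInfo` also carries a `policyDeltas` list (visible on this page in ServicePolicies); whether it needs the same normalization when deltas are enabled is worth checking. The enclosing method starts outside this hunk.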
(ranger) branch master updated: RANGER-4762:Prevent duplicate values for a resource while validating a policy
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new ffda77536 RANGER-4762:Prevent duplicate values for a resource while validating a policy ffda77536 is described below commit ffda775366ac8ac8a6869991dbab5e12d307a423 Author: Fateh Singh AuthorDate: Tue Apr 2 11:13:57 2024 -0700 RANGER-4762:Prevent duplicate values for a resource while validating a policy --- .../ranger/plugin/errors/ValidationErrorCode.java | 1 + .../model/validation/RangerPolicyValidator.java| 68 +++--- .../validation/TestRangerPolicyValidator.java | 18 ++ 3 files changed, 65 insertions(+), 22 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java index bf119773b..00855458d 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java @@ -107,6 +107,7 @@ public enum ValidationErrorCode { POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_USER(3053, "policy items user was null"), POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_GROUP(3054, "policy items group was null"), POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ROLE(3055, "policy items role was null"), +POLICY_VALIDATION_ERR_DUPLICATE_VALUES_FOR_RESOURCE(3056, "Values for the resource={0} contained a duplicate value={1}. Ensure all values for a resource are unique"), POLICY_VALIDATION_ERR_INVALID_SERVICE_TYPE(4009," Invalid service type [{0}] provided for service [{1}]"), // SECURITY_ZONE Validations 
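Review bot: The new message `"Values for the resource={0} contained a duplicate value={1}. Ensure all values for a resource are unique"` departs from the style of the surrounding entries, which are single lowercase fragments such as `"policy items role was null"`, and from the bracketed-placeholder convention of `POLICY_VALIDATION_ERR_INVALID_SERVICE_TYPE` on the next line; `"duplicate value [{1}] for resource [{0}]"` would match both. The message echoes a caller-supplied value back to the caller, which is appropriate for validation feedback, so no change there.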
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java index 76e9dee8c..cdfc2628c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java @@ -883,15 +883,7 @@ public class RangerPolicyValidator extends RangerValidator { String name = entry.getKey(); RangerPolicyResource policyResource = entry.getValue(); if(policyResource != null) { - if(CollectionUtils.isNotEmpty(policyResource.getValues())) { - Set resources = new HashSet<>(policyResource.getValues()); - for (String aValue : resources) { - if (StringUtils.isBlank(aValue)) { - policyResource.getValues().remove(aValue); - } - } - } - + policyResource.getValues().removeIf(StringUtils::isBlank); if(CollectionUtils.isEmpty(policyResource.getValues())){ ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST; if(LOG.isDebugEnabled()) { @@ -906,23 +898,40 @@ public class RangerPolicyValidator extends RangerValidator { .build()); valid=false; } - - if (validationRegExMap.containsKey(name) && CollectionUtils.isNotEmpty(policyResource.getValues())) { - String regEx = validationRegExMap.get(name); - for (String aValue : policyResource.getValues()) { - if (!aValue.matches(regEx)) { - if (LOG.isDebugEnabled()) { - LOG.debug(String.format("Resource failed regex check: value[%s], resource-name[%s], regEx[%s], service-def-name[%s]", aValue, name, regEx, serviceDef.getName())); - } - ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_VALUE_REGEX; - failures.add(new ValidationFailureDetailsBuilder() + else{ +
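Review bot: `policyResource.getValues().removeIf(StringUtils::isBlank)` drops the null guard the replaced code had (`CollectionUtils.isNotEmpty(policyResource.getValues())`), so a policy resource whose `values` is null now throws `NullPointerException` out of the validator instead of reaching the `POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST` check just below, which itself still treats null as possible via `CollectionUtils.isEmpty`. `List<String> values = policyResource.getValues(); if (values != null) { values.removeIf(StringUtils::isBlank); }` restores the guard. Like the old `remove` call, `removeIf` assumes the list is mutable; if `RangerPolicyResource` can hold an unmodifiable list that was already a latent problem rather than one this change introduces. The enclosing method starts outside this hunk and the second hunk is cut off.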
(ranger) branch master updated: RANGER-4722: HDFS authorization logic for directory hierarchy rooted at '/' is incorrect
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new c4f6cc395 RANGER-4722: HDFS authorization logic for directory hierarchy rooted at '/' is incorrect c4f6cc395 is described below commit c4f6cc3951f979c4ae5859fbeaf1be5fe945b12d Author: Abhay Kulkarni AuthorDate: Tue Feb 20 14:36:09 2024 -0800 RANGER-4722: HDFS authorization logic for directory hierarchy rooted at '/' is incorrect --- .../apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java| 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java index 9b1279bcb..9b410a185 100644 --- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java +++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java @@ -453,7 +453,11 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider { if (subDirAuthStatus != AuthzStatus.ALLOW) { for(INode child : cList) { if (child.isDirectory()) { - directories.push(new SubAccessData(child.asDirectory(), resourcePath + Path.SEPARATOR_CHAR + child.getLocalName())); + if (data.resourcePath.endsWith(Path.SEPARATOR)) { + directories.push(new SubAccessData(child.asDirectory(), data.resourcePath + child.getLocalName())); + } else { + directories.push(new SubAccessData(child.asDirectory(), data.resourcePath + Path.SEPARATOR_CHAR + child.getLocalName())); + } } } }
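Review bot: The two `directories.push(...)` branches differ only in whether a separator is inserted, so the child path can be built once and pushed once: `String childPath = data.resourcePath.endsWith(Path.SEPARATOR) ? data.resourcePath + child.getLocalName() : data.resourcePath + Path.SEPARATOR_CHAR + child.getLocalName(); directories.push(new SubAccessData(child.asDirectory(), childPath));`. A comment on the `endsWith` check saying it exists for a hierarchy rooted at `"/"` (presumably the only `resourcePath` that already ends with a separator) would tie the code to RANGER-4722. The switch from the outer `resourcePath` to `data.resourcePath` is the substantive fix and is not called out anywhere; the enclosing method starts outside this hunk.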
(ranger) branch master updated: RANGER-4655: Execute and read permissions granted to a user in different HDFS policies does not take effect
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new a664de553 RANGER-4655: Execute and read permissions granted to a user in different HDFS policies does not take effect a664de553 is described below commit a664de553120f165d927e962e3677fe1abd0d722 Author: Abhay Kulkarni AuthorDate: Mon Jan 15 17:02:43 2024 -0800 RANGER-4655: Execute and read permissions granted to a user in different HDFS policies does not take effect --- .../policyengine/RangerPolicyEngineImpl.java | 16 .../RangerDefaultPolicyEvaluator.java | 35 +--- .../plugin/util/RangerAccessRequestUtil.java | 39 + .../plugin/policyengine/TestPolicyEngine.java | 7 ++ .../test_policyengine_hdfs_multiple_accesses.json | 92 ++ 5 files changed, 179 insertions(+), 10 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 252482c8e..df39467ba 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
@@ -763,6 +763,22 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } } + if (!request.isAccessTypeAny()) { + Set allRequestedAccesses = RangerAccessRequestUtil.getAllRequestedAccessTypes(request); + if (CollectionUtils.size(allRequestedAccesses) > 1 && !RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) { + Map accessTypeResults = RangerAccessRequestUtil.getAccessTypeResults(request.getContext()); + if (accessTypeResults != null) { + if (accessTypeResults.keySet().containsAll(allRequestedAccesses)) { + // Allow + RangerAccessResult result = accessTypeResults.values().iterator().next(); // Pick one result randomly + ret.setAccessResultFrom(result); + ret.setIsAccessDetermined(true); + } + RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null); + } + } + } + if (!ret.getIsAccessDetermined()) { if (isDeniedByTags) { ret.setIsAllowed(false); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 7fe2a2eb3..ded8d0993 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 
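Review bot: `accessTypeResults.values().iterator().next(); // Pick one result randomly` copies the policy id, priority and audit settings of whichever entry the map yields first into the combined result, so the audit record for a multi-access request satisfied by several policies will name just one of them, chosen by map iteration order rather than anything meaningful, and "randomly" undersells that. If the attribution is acceptable, say so: `// every requested access type is allowed by some policy; the combined result is attributed to one of them (audit will show only that policy)`. If it is not, the result to copy should be chosen deterministically, for instance by policy priority, which cannot be decided from this hunk alone. The evaluator-side change on the next line is cut off, so whether the stored results can ever be non-allowed is not visible here.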
@@ -818,11 +818,29 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } else { Set allRequestedAccesses = RangerAccessRequestUtil.getAllRequestedAccessTypes(request); - if (CollectionUtils.isNotEmpty(allRequestedAccesses)) { + if (CollectionUtils.size(allRequestedAccesses) > 1) { for (String accessType : allRequestedAccesses) { - accessResult = lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), request.getUserRoles(), accessType); - if (accessResult == null) { - break; + Integer oneAccessResult = lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), request.getUserRoles(), accessType); + if (oneAccessResult != null) { + if (oneAccessResult.equals(RangerPolicyEvaluator.ACCESS_DENIED)) { + accessResult = o
(ranger) branch master updated: RANGER-4639: Provide an option to bypass evaluation of chained plugin if the parent plugin has applicable policy
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 96da0c834 RANGER-4639: Provide an option to bypass evaluation of chained plugin if the parent plugin has applicable policy 96da0c834 is described below commit 96da0c834e6ded11f66583dbf27cdd0405a8ac13 Author: Abhay Kulkarni AuthorDate: Mon Jan 8 10:42:24 2024 -0800 RANGER-4639: Provide an option to bypass evaluation of chained plugin if the parent plugin has applicable policy --- .../java/org/apache/ranger/plugin/service/RangerBasePlugin.java | 8 +++- .../org/apache/ranger/plugin/service/RangerChainedPlugin.java | 4 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 5d6c3d97c..9bf01b982 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -502,7 +502,13 @@ public class RangerBasePlugin { LOG.debug("BasePlugin.isAccessAllowed result=[" + ret + "]"); LOG.debug("Calling chainedPlugin.isAccessAllowed for service:[" + chainedPlugin.plugin.pluginConfig.getServiceName() + "]"); } - RangerAccessResult chainedResult = chainedPlugin.isAccessAllowed(request); + RangerAccessResult chainedResult; + + if (ret.getIsAccessDetermined() && chainedPlugin.skipAccessCheckIfAlreadyDetermined) { + chainedResult = null; + } else { + chainedResult = chainedPlugin.isAccessAllowed(request); + } if (chainedResult != null) { if (LOG.isDebugEnabled()) { 
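Review bot: The existing `LOG.debug("Calling chainedPlugin.isAccessAllowed for service:...")` just above the new branch is still emitted when the bypass takes the `chainedResult = null` path, so debug logs will claim the chained plugin was consulted when it was not. Move that message into the `else` branch and log the skip in the `if` branch, e.g. `LOG.debug("Skipping chainedPlugin.isAccessAllowed for service:[" + chainedPlugin.plugin.pluginConfig.getServiceName() + "]: access already determined by parent plugin");`. Note also that the bypass fires on any determined result, allow or deny, so with the option enabled a chained plugin can no longer tighten a parent allow; whether that matters depends on the merge logic after `if (chainedResult != null)`, which is outside the hunk, but the option's description should state it. The enclosing method starts and ends outside this hunk.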
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java index b969fb687..5e52ce30c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java @@ -19,6 +19,7 @@ package org.apache.ranger.plugin.service; +import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerResourceACLs; @@ -34,6 +35,7 @@ public abstract class RangerChainedPlugin { protected final String serviceType; protected final String serviceName; protected final RangerBasePlugin plugin; +protected final boolean skipAccessCheckIfAlreadyDetermined; protected RangerChainedPlugin(RangerBasePlugin rootPlugin, String serviceType, String serviceName) { LOG.info("RangerChainedPlugin(" + serviceType + ", " + serviceName + ")"); @@ -42,6 +44,8 @@ public abstract class RangerChainedPlugin { this.serviceType = serviceType; this.serviceName = serviceName; this.plugin = buildChainedPlugin(serviceType, serviceName, rootPlugin.getAppId()); +RangerPluginConfig rootPluginConfig = rootPlugin.getPluginContext().getConfig(); +skipAccessCheckIfAlreadyDetermined = rootPluginConfig.getBoolean(rootPluginConfig.getPropertyPrefix() + ".bypass.chained.plugin.evaluation.if.access.is.determined", false); } public void init() {
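Review bot: The new `skipAccessCheckIfAlreadyDetermined` field and the `.bypass.chained.plugin.evaluation.if.access.is.determined` key are undocumented, and the constructor's `LOG.info("RangerChainedPlugin(...)")` line does not record the effective value, so an operator cannot tell from the logs whether chained-plugin evaluation is being skipped for a service. Add a Javadoc on the field such as `/** When true, a determined result (allow or deny) from the parent plugin is final and this chained plugin is not consulted; read from <prefix>.bypass.chained.plugin.evaluation.if.access.is.determined, default false. */` and log the flag once it is computed, e.g. `LOG.info("RangerChainedPlugin(" + serviceType + ", " + serviceName + "): skipAccessCheckIfAlreadyDetermined=" + skipAccessCheckIfAlreadyDetermined);`. `rootPlugin.getPluginContext()` is dereferenced without a null check; if a root plugin can be constructed without a context this would NPE at chained-plugin creation, which cannot be confirmed from the hunk.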
(ranger) branch master updated: RANGER-4609:Support in File-based Tag Retriever to provide tag-deltas
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 4ecb2f854 RANGER-4609:Support in File-based Tag Retriever to provide tag-deltas 4ecb2f854 is described below commit 4ecb2f854497a7379654685f8c3049d13a1f39a9 Author: Abhay Kulkarni AuthorDate: Thu Dec 14 12:00:44 2023 -0800 RANGER-4609:Support in File-based Tag Retriever to provide tag-deltas --- .../RangerFileBasedTagRetriever.java | 199 ++--- 1 file changed, 133 insertions(+), 66 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java index 448c665fc..df2c7ccf1 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java @@ -29,7 +29,7 @@ import org.slf4j.LoggerFactory; import java.io.*; import java.net.MalformedURLException; import java.net.URL; -import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; import java.util.Map; public class RangerFileBasedTagRetriever extends RangerTagRetriever { @@ -40,7 +40,9 @@ public class RangerFileBasedTagRetriever extends RangerTagRetriever { private String serviceTagsFileName; private Gson gsonBuilder; private boolean deDupTags; - + inttagFilesCount = 0; + intcurrentTagFileIndex = 0; + booleanisInitial = true; @Override public void init(Map options) { 
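Review bot: The three new counters `tagFilesCount`, `currentTagFileIndex` and `isInitial` are declared package-private and mutable, unlike the `private` fields directly above them, and their purpose is not documented. Make them `private` and add a one-line comment per field, e.g. `private int tagFilesCount = 0; // number of tag files to replay in sequence (option "tagFileCount")`, `private int currentTagFileIndex = 0; // index of the next file to read`, `private boolean isInitial = true; // true until the first (full) load has been served`; the property name `tagFileCount` and the field name `tagFilesCount` should also agree. If the retriever can be invoked from more than one refresher thread the cursor needs guarding, which cannot be determined from this hunk. The class body continues past the hunk.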
@@ -55,11 +57,9 @@ public class RangerFileBasedTagRetriever extends RangerTagRetriever { String serviceTagsFileNameProperty = "serviceTagsFileName"; String serviceTagsDefaultFileName = "/testdata/test_servicetags_hive.json"; String deDupTagsProperty = "deDupTags"; + String tagFilesCountProperty = "tagFileCount"; if (StringUtils.isNotBlank(serviceName) && serviceDef != null && StringUtils.isNotBlank(appId)) { - InputStream serviceTagsFileStream = null; - - // Open specified file from options- it should contain service-tags serviceTagsFileName = options != null? options.get(serviceTagsFileNameProperty) : null; @@ -67,51 +67,22 @@ public class RangerFileBasedTagRetriever extends RangerTagRetriever { deDupTags = Boolean.parseBoolean(deDupTagsVal); serviceTagsFileName = serviceTagsFileName == null ? serviceTagsDefaultFileName : serviceTagsFileName; - - File f = new File(serviceTagsFileName); - - if (f.exists() && f.isFile() && f.canRead()) { - try { - serviceTagsFileStream = new FileInputStream(f); - serviceTagsFileURL = f.toURI().toURL(); - } catch (FileNotFoundException exception) { - LOG.error("Error processing input file:" + serviceTagsFileName + " or no privilege for reading file " + serviceTagsFileName, exception); - } catch (MalformedURLException malformedException) { - LOG.error("Error processing input file:" + serviceTagsFileName + " cannot be converted to URL " + serviceTagsFileName, malformedException); - } - } else { - URL fileURL = getClass().getResource(serviceTagsFileName); - if (fileURL == null && !serviceTagsFileName.startsWith("/")) { - fileURL = getClass().getResource("/" + serviceTagsFileName); - } - - if (fileURL == null) { - fileURL = ClassLoader.getSystemClassLoader().getResource(serviceTagsFileName); - if (fileURL == null && !serviceTagsFileName.startsWith("/")) { - fileURL = ClassLoader.getSystemClassLoader().getResource("/" + serviceTagsFileName); - } - } - - if (fileURL != null) { + if (options != null) { +
(ranger) branch master updated: RANGER-4565: Enhance Ranger's performance tracing module to optionally collect statistical information
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 04c93b3df RANGER-4565: Enhance Ranger's performance tracing module to optionally collect statistical information 04c93b3df is described below commit 04c93b3df9577c7f6e4f91f573a87c046311e15c Author: Abhay Kulkarni AuthorDate: Tue Nov 28 09:47:03 2023 -0800 RANGER-4565: Enhance Ranger's performance tracing module to optionally collect statistical information --- .../ranger/plugin/service/RangerBasePlugin.java| 6 ++ .../ranger/plugin/util/PerfDataRecorder.java | 77 +- .../plugin/util/RangerPerfCollectorTracer.java | 2 +- .../ranger/plugin/util/RangerPerfTracer.java | 4 +- 4 files changed, 71 insertions(+), 18 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 2f4af9763..5d6c3d97c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 
@@ -86,6 +86,12 @@ public class RangerBasePlugin { this.pluginConfig = pluginConfig; this.pluginContext = new RangerPluginContext(pluginConfig); + boolean usePerfDataRecorder = pluginConfig.getBoolean("ranger.perf.aggregate.data", false); + int perfDataDumpInterval = pluginConfig.getInt("ranger.perf.aggregate.data.dump.interval", 0); + boolean usePerfDataLock = pluginConfig.getBoolean("ranger.perf.aggregate.data.lock.enabled", false); + + PerfDataRecorder.initialize(usePerfDataRecorder, perfDataDumpInterval, usePerfDataLock, null); + Set superUsers = toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".super.users")); Set superGroups= toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".super.groups")); Set auditExcludeUsers = toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".audit.exclude.users")); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java index dce60b0ba..a1df53fac 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java 
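Review bot: The three `ranger.perf.aggregate.data*` keys are read without `pluginConfig.getPropertyPrefix()`, unlike the `.super.users`/`.audit.exclude.users` keys right below, and `PerfDataRecorder.initialize(...)` is a process-wide singleton that only honours the first call (the `instance == null` guard in the PerfDataRecorder hunk further down), so when several plugins share one JVM the later plugins' settings are silently ignored. Either document this next to the call, e.g. `// JVM-wide: PerfDataRecorder is a singleton; the first plugin to initialize it wins`, or log the effective values here so a recorder that never started can be diagnosed. The `null` passed for `names` also deserves a comment stating that no tags are pre-registered. The constructor continues outside the hunk.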
@@ -37,13 +37,27 @@ public class PerfDataRecorder { private static final Logger PERF = RangerPerfTracer.getPerfLogger(PerfDataRecorder.class); private static volatile PerfDataRecorder instance; - private Map perfStatistics = new HashMap<>(); + final private Map perfStatistics = Collections.synchronizedMap(new HashMap<>()); + private RangerReadWriteLock lock = null; public static void initialize(List names) { - if (instance == null) { - synchronized (PerfDataRecorder.class) { - if (instance == null) { - instance = new PerfDataRecorder(names); + initialize(true, 0, false, names); + } + + public static void initialize(final boolean useRecorder, final int collectionIntervalInSeconds, final boolean usePerfDataLock, List names) { + if (useRecorder) { + if (instance == null) { + synchronized (PerfDataRecorder.class) { + if (instance == null) { + instance = new PerfDataRecorder(names); + instance.lock = new RangerReadWriteLock(usePerfDataLock); + if (collectionIntervalInSeconds > 0) { + Thread statDumper = new StatisticsDumper(collectionIntervalInSeconds); + statDumper.setName("Perf-Statistics-Dumper"); + statDumper.setDaemon(true); + statDumper.start(); + } + } } } } @@ -61,7 +75,9 @@ public class PerfDataRecorder { public static void clearStatistics() { if (instance != null) { - instance.clear(); +
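Review bot: `instance = new PerfDataRecorder(names)` publishes the volatile singleton before `instance.lock` is assigned on the following line, so a concurrent `recordStatistic`/`clearStatistics` caller that passes the `instance != null` check can observe `lock == null`. Build the object completely before publishing, e.g. `PerfDataRecorder recorder = new PerfDataRecorder(names); recorder.lock = new RangerReadWriteLock(usePerfDataLock); instance = recorder;` (or pass the lock into the constructor and make the field `final`), and start the `StatisticsDumper` thread after that assignment. `perfStatistics` is now a `synchronizedMap`, but iteration over it (the dump path, outside this hunk) still requires external locking, which is presumably what `lock` is meant to provide. The second hunk on this line is cut off.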
(ranger) branch master updated: RANGER-4515: Enhance perf-tracer to get CPU time when possible
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 279f41f5b RANGER-4515: Enhance perf-tracer to get CPU time when possible 279f41f5b is described below commit 279f41f5bf058dfe7d44175932741e4da1414d33 Author: Abhay Kulkarni AuthorDate: Tue Nov 7 11:21:41 2023 -0800 RANGER-4515: Enhance perf-tracer to get CPU time when possible --- .../ranger/plugin/util/PerfDataRecorder.java | 49 ++ .../plugin/util/RangerPerfCollectorTracer.java | 26 +--- .../ranger/plugin/util/RangerPerfTracer.java | 41 ++ .../plugin/util/RangerPerfTracerFactory.java | 42 +-- 4 files changed, 124 insertions(+), 34 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java index 7e2c46fde..dce60b0ba 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java @@ -65,9 +65,9 @@ public class PerfDataRecorder { } } - public static void recordStatistic(String tag, long elapsedTime) { + public static void recordStatistic(String tag, long cpuTime, long elapsedTime) { if (instance != null) { - instance.record(tag, elapsedTime); + instance.record(tag, cpuTime, elapsedTime); } } 
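Review bot: Changing the public static `recordStatistic(String, long)` to `recordStatistic(String, long, long)` removes the old signature, so any caller outside this diff compiled against the previous agents-common jar fails with `NoSuchMethodError` at runtime. Keep a delegating overload, e.g. `public static void recordStatistic(String tag, long elapsedTime) { recordStatistic(tag, 0L, elapsedTime); }`, and document the unit of both arguments and the sentinel passed when CPU time is unavailable (the title says "when possible", but the hunk does not show what value is used in that case). The enclosing class continues outside the hunk.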
@@ -79,14 +79,23 @@ public class PerfDataRecorder { for (String tag : tags) { PerfStatistic perfStatistic = perfStatistics.get(tag); + long averageTimeSpentCpu = 0L; long averageTimeSpent = 0L; + if (perfStatistic.numberOfInvocations.get() != 0L) { + averageTimeSpentCpu = perfStatistic.microSecondsSpentCpu.get()/perfStatistic.numberOfInvocations.get(); + } + if (perfStatistic.numberOfInvocations.get() != 0L) { averageTimeSpent = perfStatistic.microSecondsSpent.get()/perfStatistic.numberOfInvocations.get(); } String logMsg = "[" + tag + "]" + " execCount: " + perfStatistic.numberOfInvocations.get() + + ", totalTimeTakenCpu: " + perfStatistic.microSecondsSpentCpu.get() + " μs" + + ", maxTimeTakenCpu: " + perfStatistic.maxTimeSpentCpu.get() + " μs" + + ", minTimeTakenCpu: " + perfStatistic.minTimeSpentCpu.get() + " μs" + + ", avgTimeTakenCpu: " + averageTimeSpentCpu + " μs" + ", totalTimeTaken: " + perfStatistic.microSecondsSpent.get() + " μs" + ", maxTimeTaken: " + perfStatistic.maxTimeSpent.get() + " μs" + ", minTimeTaken: " + perfStatistic.minTimeSpent.get() + " μs" + @@ -101,7 +110,7 @@ public class PerfDataRecorder { perfStatistics.clear(); } - private void record(String tag, long elapsedTime) { + private void record(String tag, long cpuTime, long elapsedTime) { PerfStatistic perfStatistic = perfStatistics.get(tag); if (perfStatistic == null) { @@ -115,7 +124,7 @@ public class PerfDataRecorder { } } - perfStatistic.addPerfDataItem(elapsedTime); + perfStatistic.addPerfDataItem(cpuTime, elapsedTime); } private PerfDataRecorder(List names) { 
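Review bot: The two `if (perfStatistic.numberOfInvocations.get() != 0L)` guards in the dump loop read the same counter twice and can be merged into one block computing both averages, e.g. `long invocations = perfStatistic.numberOfInvocations.get(); if (invocations != 0L) { averageTimeSpentCpu = perfStatistic.microSecondsSpentCpu.get() / invocations; averageTimeSpent = perfStatistic.microSecondsSpent.get() / invocations; }`. When the count is zero the log line still prints `minTimeTakenCpu: 9223372036854775807 μs` from the `Long.MAX_VALUE` initial value seen in the next hunk, which pre-dates this change but is now duplicated for the CPU columns; consider printing 0 or skipping such tags. The methods touched here start and end outside their hunks.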
@@ -136,20 +145,34 @@ public class PerfDataRecorder { public static class PerfStatistic { private AtomicLong numberOfInvocations = new AtomicLong(0L); + + private AtomicLong microSecondsSpentCpu = new AtomicLong(0L); + private AtomicLong minTimeSpentCpu = new AtomicLong(Long.MAX_VALUE); + private AtomicLong maxTimeSpentCpu = new AtomicLong(Long.MIN_VALUE); + private AtomicLong microSecondsSpent = new AtomicLong(0L); private AtomicLong minTimeSpent = new AtomicLong(Long.MAX_VALUE); private AtomicLong maxTimeSpent = new AtomicLong(Long.MIN_VALUE); - void addPerfDataItem(final long timeTaken) { + void addPerfDataItem
(ranger) branch master updated: RANGER-4478: Incorrect trie updates when processing deltas - Part 3
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 3f78f9fae RANGER-4478: Incorrect trie updates when processing deltas - Part 3 3f78f9fae is described below commit 3f78f9fae635b4dc1febdd1aad99e485cde412d6 Author: Abhay Kulkarni AuthorDate: Sat Nov 4 13:16:35 2023 -0700 RANGER-4478: Incorrect trie updates when processing deltas - Part 3 --- .../plugin/policyengine/RangerResourceTrie.java| 41 +++--- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java index d95da7c50..773a02609 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java @@ -576,7 +576,7 @@ public class RangerResourceTrie { } -private String getNonWildcardPrefix(String str) { +private int getNonWildcardPrefixLength(String str) { int minIndex = str.length(); for (int i = 0; i < wildcardChars.length(); i++) { @@ -587,9 +587,17 @@ public class RangerResourceTrie { } } -return str.substring(0, minIndex); +return minIndex; +} + +private String getNonWildcardPrefix(String str) { +int prefixLen = getNonWildcardPrefixLength(str); + +return (prefixLen < str.length()) ? str.substring(0, prefixLen) : str; } + + private Set getEvaluatorsForResource(String resource, ResourceElementMatchingScope scope) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerResourceTrie.getEvaluatorsForResource(" + resource + ", " + scope + ")"); 
@@ -718,7 +726,7 @@ public class RangerResourceTrie { } TrieNode curr = root; -final int len = resource.length(); +final int len = getNonWildcardPrefixLength(resource); int i= 0; while (i < len) { @@ -738,6 +746,8 @@ public class RangerResourceTrie { i+= childStr.length(); } +curr = (i == len) ? curr : null; + RangerPerfTracer.logAlways(perf); if(LOG.isDebugEnabled()) { @@ -1128,11 +1138,21 @@ public class RangerResourceTrie { } void removeSelfFromTrie() { -if (evaluators == null && wildcardEvaluators == null && children.size() == 0) { +if (LOG.isDebugEnabled()) { +LOG.debug("==> removeSelfFromTrie(" + this + ")"); +} +if (evaluators == null && children.size() == 0) { TrieNode parent = getParent(); if (parent != null) { parent.children.remove(str.charAt(0)); } +} else { +if (LOG.isDebugEnabled()) { +LOG.debug("removeSelfFromTrie(" + this + ") could not remove self from Trie"); +} +} +if (LOG.isDebugEnabled()) { +LOG.debug("<== removeSelfFromTrie(" + this + ")"); } } @@ -1298,12 +1318,25 @@ public class RangerResourceTrie { } private void removeEvaluatorFromSubtree(U evaluator) { +if (LOG.isDebugEnabled()) { +LOG.debug("==> removeEvaluatorFromSubtree(" + evaluator.getId() + ")"); +} if (CollectionUtils.isNotEmpty(wildcardEvaluators) && wildcardEvaluators.contains(evaluator)) { removeWildcardEvaluator(evaluator); } else { removeEvaluator(evaluator); } removeSelfFromTrie(); +if (LOG.isDebugEnabled()) { +LOG.debug("<== removeEvaluatorFromSubtree(" + evaluator.getId() + ")"); +} +} + +@Override +public String toString() { +StringBuilder sb = new StringBuilder(); +toString(sb); +return sb.toString(); } void toString(StringBuilder sb) {
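Review bot: `removeSelfFromTrie` now unlinks a node whenever `evaluators == null && children.size() == 0`, dropping the former `wildcardEvaluators == null` condition, so a leaf that still holds its own wildcard evaluators is detached from its parent and those evaluators silently stop matching, which for a deny policy means fail-open. If this is intended because a node's wildcard evaluators are always mirrored on its parent (the `isSharingParentWildcardEvaluators` flag in `toString` suggests sharing is conditional), say so in a comment; otherwise keep the check as `if (evaluators == null && (isSharingParentWildcardEvaluators || wildcardEvaluators == null) && children.size() == 0) {`. In `removeEvaluatorFromSubtree` the new debug lines call `evaluator.getId()` unconditionally, so a null evaluator would now NPE only when debug logging is enabled. Both methods end outside the hunks shown.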
[ranger] branch master updated: RANGER-4478: Incorrect trie updates when processing deltas - Part 2
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 36ce62eab RANGER-4478: Incorrect trie updates when processing deltas - Part 2 36ce62eab is described below commit 36ce62eabbcc38112b15e376411fb053ef8d2ed9 Author: Abhay Kulkarni AuthorDate: Mon Oct 23 13:18:12 2023 -0700 RANGER-4478: Incorrect trie updates when processing deltas - Part 2 --- .../java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java | 3 --- 1 file changed, 3 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java index 61b6a4357..d95da7c50 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java @@ -553,7 +553,6 @@ public class RangerResourceTrie { builderThreads.get(index).add(resource, isRecursive, evaluator); } else { -currentRoot.undoSetup(); currentRoot.addWildcardEvaluator(evaluator); } @@ -570,7 +569,6 @@ public class RangerResourceTrie { } if(isWildcard || isRecursive) { -curr.undoSetup(); curr.addWildcardEvaluator(evaluator); } else { curr.addEvaluator(evaluator); @@ -1301,7 +1299,6 @@ public class RangerResourceTrie { private void removeEvaluatorFromSubtree(U evaluator) { if (CollectionUtils.isNotEmpty(wildcardEvaluators) && wildcardEvaluators.contains(evaluator)) { -undoSetup(); removeWildcardEvaluator(evaluator); } else { removeEvaluator(evaluator);
[ranger] branch master updated: RANGER-4478: Incorrect trie updates when processing deltas
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 0e7d63022 RANGER-4478: Incorrect trie updates when processing deltas 0e7d63022 is described below commit 0e7d63022252dc3c74478aa32bffac3ea755fee9 Author: Abhay Kulkarni AuthorDate: Tue Oct 17 13:00:22 2023 -0700 RANGER-4478: Incorrect trie updates when processing deltas --- .../plugin/policyengine/RangerResourceTrie.java| 71 -- .../RangerPolicyResourceMatcher.java | 1 - 2 files changed, 39 insertions(+), 33 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java index 2f725036d..61b6a4357 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java @@ -94,6 +94,13 @@ public class RangerResourceTrie { wrapUpUpdate(); +if (!isOptimizedForRetrieval) { +if (LOG.isDebugEnabled()) { +LOG.debug("Trie for " + this.resourceDef.getName() + " is not optimized for retrieval. Resetting isSetup flag by calling undoSetup() on the root"); +} +root.undoSetup(); +} + RangerPerfTracer.logAlways(perf); if (PERF_TRIE_INIT_LOG.isDebugEnabled()) { 
@@ -109,7 +116,7 @@ public class RangerResourceTrie { this(resourceDef, evaluators, isOptimizedForRetrieval, false, pluginContext); } -public RangerResourceTrie(RangerResourceDef resourceDef, List evaluators, boolean isOptimizedForRetrieval, boolean isOptimizedForSpace, RangerPluginContext pluginContext) { +public RangerResourceTrie(RangerResourceDef resourceDef, List evaluators, boolean isOptimizedForRetrieval, boolean isOptimizedForSpace, RangerPluginContext pluginContext) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerResourceTrie(" + resourceDef.getName() + ", evaluatorCount=" + evaluators.size() + ", isOptimizedForRetrieval=" + isOptimizedForRetrieval + ", isOptimizedForSpace=" + isOptimizedForSpace + ")"); } @@ -158,9 +165,9 @@ public class RangerResourceTrie { this.isOptimizedForRetrieval = !isOptimizedForSpace && isOptimizedForRetrieval; // isOptimizedForSpace takes precedence this.separatorChar = ServiceDefUtil.getCharOption(matcherOptions, OPTION_PATH_SEPARATOR, DEFAULT_PATH_SEPARATOR_CHAR); -final TrieNode tmpRoot = buildTrie(resourceDef, evaluators, builderThreadCount); +final TrieNode tmpRoot = buildTrie(resourceDef, evaluators, builderThreadCount); -if (builderThreadCount > 1 && tmpRoot == null) { // if multi-threaded trie-creation failed, build using a single thread +if (builderThreadCount > 1 && tmpRoot == null) { // if multithreaded trie-creation failed, build using a single thread this.root = buildTrie(resourceDef, evaluators, 1); } else { this.root = tmpRoot; 
@@ -179,7 +186,7 @@ public class RangerResourceTrie { } if(LOG.isDebugEnabled()) { -LOG.debug("<== RangerResourceTrie(" + resourceDef.getName() + ", evaluatorCount=" + evaluators.size() + ", isOptimizedForRetrieval=" + this.isOptimizedForRetrieval + ", isOptimizedForSpace=" + this.isOptimizedForSpace + "): " + toString()); +LOG.debug("<== RangerResourceTrie(" + resourceDef.getName() + ", evaluatorCount=" + evaluators.size() + ", isOptimizedForRetrieval=" + this.isOptimizedForRetrieval + ", isOptimizedForSpace=" + this.isOptimizedForSpace + "): " + this); } } @@ -191,16 +198,16 @@ public class RangerResourceTrie { return getEvaluatorsForResource(resource, ResourceElementMatchingScope.SELF); } +@SuppressWarnings("unchecked") public Set getEvaluatorsForResource(Object resource, ResourceElementMatchingScope scope) { if (resource instanceof String) { return getEvaluatorsForResource((String) resource, scope); } else if (resource instanceof Collection) { -if (CollectionUtils.isEmpty((Collection) resource)) { // treat empty collection same as empty-string +Collection resources = (Collection) resource; + +if (CollectionUtils.isEmpty(resources)) { // treat empty collection same as empty-string return getEvaluatorsForResource("", scope); } el
[ranger] branch master updated: RANGER-4378: Expand implied grants in the policy-items for being able to compare policy-cache dumps from server and client
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 696d4340b RANGER-4378: Expand implied grants in the policy-items for being able to compare policy-cache dumps from server and client 696d4340b is described below commit 696d4340bfdf6c38f7cb4f53fc31b14e1ffaa0e7 Author: Abhay Kulkarni AuthorDate: Mon Sep 25 09:01:33 2023 -0700 RANGER-4378: Expand implied grants in the policy-items for being able to compare policy-cache dumps from server and client --- .../apache/ranger/plugin/model/RangerPolicy.java | 4 + .../ranger/plugin/policyengine/PolicyEngine.java | 44 + .../RangerAbstractPolicyItemEvaluator.java | 59 .../RangerAuditPolicyEvaluator.java| 2 +- .../RangerDefaultPolicyEvaluator.java | 51 -- .../RangerDefaultPolicyItemEvaluator.java | 107 - .../RangerOptimizedPolicyEvaluator.java| 106 ++-- .../policyevaluator/RangerPolicyEvaluator.java | 43 +++-- .../policyevaluator/RangerPolicyItemEvaluator.java | 1 + 9 files changed, 298 insertions(+), 119 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java index 9e5a94b1a..ec0618421 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java @@ -959,6 +959,10 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria this(null, null, null, null, null, null); } +public RangerPolicyItem(RangerPolicyItem other) { +this(other.accesses, other.users, other.groups, other.roles, other.conditions, other.delegateAdmin); +} + public RangerPolicyItem(List accessTypes, List users, List groups, List roles, List conditions, Boolean delegateAdmin) { setAccesses(accessTypes); setUsers(users); 
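Review bot: The new copy constructor forwards `other.accesses`, `other.users`, `other.groups`, `other.roles` and `other.conditions` straight to the six-arg constructor, so unless `setAccesses`/`setUsers`/... copy their argument (not visible here) the copy shares the same `List` instances with `other`, and expanding implied grants on the copy, which is what this commit is for, would mutate the original policy item in the policy cache. Either copy defensively, e.g. `this(other.accesses == null ? null : new ArrayList<>(other.accesses), ...)` for each list, or document the shallow semantics in a Javadoc on the constructor. `other` is also dereferenced without a null check; `this(Objects.requireNonNull(other, "other").accesses, ...)` keeps the `this(...)`-first rule and gives a clear failure. The enclosing class continues beyond the hunk.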
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java index 1e99b5824..4a5406301 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java @@ -71,6 +71,13 @@ public class PolicyEngine { private final RangerReadWriteLock lock; +static private Map>> impliedAccessGrants = null; + +static public Map> getImpliedAccessGrants(RangerServiceDef serviceDef) { +return impliedAccessGrants == null ? null : impliedAccessGrants.get(serviceDef.getName()); +} + + public RangerReadWriteLock.RangerLock getReadLock() { return lock.getReadLock(); } @@ -197,6 +204,8 @@ public class PolicyEngine { PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (totalMemory - freeMemory) + ", Free memory:" + freeMemory); } +buildImpliedAccessGrants(servicePolicies); + this.pluginContext = pluginContext; this.lock = new RangerReadWriteLock(isUseReadWriteLock); 
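Review bot: `impliedAccessGrants` is a `static` non-volatile map shared by every PolicyEngine in the JVM and keyed only by service-def name, while `getImpliedAccessGrants` reads it without the `synchronized` that `buildImpliedAccessGrants` (in the cut-off hunk below) holds, so a reader on another thread has no visibility guarantee and two services whose service-defs share a name but differ in implied grants would overwrite each other's entries. Mark the field `volatile` (or populate a `ConcurrentHashMap` once) and add a comment such as `// JVM-wide cache keyed by service-def name; rebuilt on every PolicyEngine construction`. `getImpliedAccessGrants` also dereferences `serviceDef` without a null check; returning null for a null `serviceDef` would match the null-map case. The class continues beyond these hunks.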
@@ -471,6 +480,41 @@ public class PolicyEngine { } } +synchronized static private void buildImpliedAccessGrants(ServicePolicies servicePolicies) { +buildImpliedAccessGrants(servicePolicies.getServiceDef()); +if (servicePolicies.getTagPolicies() != null) { + buildImpliedAccessGrants(servicePolicies.getTagPolicies().getServiceDef()); +} +} + +static private void buildImpliedAccessGrants(RangerServiceDef serviceDef) { +Map> ret = null; + +if (serviceDef != null && !CollectionUtils.isEmpty(serviceDef.getAccessTypes())) { +for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) { +if (!CollectionUtils.isEmpty(accessTypeDef.getImpliedGrants())) { +if (ret == null) { +ret = new HashMap<>(); +} + +Collection impliedGrants = ret.get(accessTypeDef.getName()); + +if (impliedGrants == null) { +impliedGrants = new HashSet<>(); + +ret.put(accessTypeDef.getName(), impliedGrants); +} + +impliedGrants.addAll(accessTypeDef.getImpliedGrants()); +} +} + +if (impliedAccessGrants == null) { +
[ranger] branch master updated: RANGER-4379: Assorted debugging help : save policy-cache at Ranger-admin and policy-cache as well as downloaded policy-deltas on plugin side
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new e76101d28 RANGER-4379: Assorted debugging help : save policy-cache at Ranger-admin and policy-cache as well as downloaded policy-deltas on plugin side e76101d28 is described below commit e76101d28b001217f81ffcbd0647714a07fe68c3 Author: Abhay Kulkarni AuthorDate: Mon Sep 25 07:59:44 2023 -0700 RANGER-4379: Assorted debugging help : save policy-cache at Ranger-admin and policy-cache as well as downloaded policy-deltas on plugin side --- .../plugin/policyengine/RangerResourceTrie.java| 12 ++-- .../ranger/plugin/service/RangerBasePlugin.java| 7 ++- .../apache/ranger/plugin/util/PolicyRefresher.java | 66 +++--- .../ranger/common/RangerServicePoliciesCache.java | 44 +++ 4 files changed, 116 insertions(+), 13 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java index 647059203..2f725036d 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java 
@@ -1305,14 +1305,14 @@ public class RangerResourceTrie { void toString(StringBuilder sb) { String nodeValue = this.str; -sb.append("nodeValue=").append(nodeValue); +sb.append("nodeValue=").append(nodeValue == null ? "ROOT" : nodeValue); sb.append("; isSetup=").append(isSetup); sb.append("; isSharingParentWildcardEvaluators=").append(isSharingParentWildcardEvaluators); sb.append("; childCount=").append(children.size()); -sb.append("; evaluators=[ "); +sb.append("; evaluators=["); if (evaluators != null) { for (U evaluator : evaluators) { -sb.append(evaluator.getId()).append(" "); +sb.append(evaluator.getId()).append(","); } } sb.append("]"); @@ -1320,7 +1320,7 @@ public class RangerResourceTrie { sb.append("; wildcardEvaluators=[ "); if (wildcardEvaluators != null) { for (U evaluator : wildcardEvaluators) { -sb.append(evaluator.getId()).append(" "); +sb.append(evaluator.getId()).append(","); } } sb.append("]"); @@ -1329,6 +1329,10 @@ public class RangerResourceTrie { void toString(String prefix, StringBuilder sb) { String nodeValue = prefix + (str != null ? str : ""); +if (!nodeValue.equals(prefix)) { +prefix = prefix + "|"; +} + sb.append(prefix); toString(sb); sb.append("]\n"); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index f1eb08e4e..2f4af9763 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 
@@ -410,7 +410,9 @@ public class RangerBasePlugin { newPolicyEngine.setTrustedProxyAddresses(pluginConfig.getTrustedProxyAddresses()); } + LOG.info("Switching policy engine from [" + getPolicyVersion() + "]"); this.policyEngine = newPolicyEngine; + LOG.info("Switched policy engine to [" + getPolicyVersion() + "]"); this.currentAuthContext = pluginContext.getAuthContext(); pluginContext.notifyAuthContextChanged(); @@ -516,7 +518,6 @@ public class RangerBasePlugin { if (resultProcessor != null) { resultProcessor.processResult(ret); } - return ret; } @@ -1327,4 +1328,8 @@ public class RangerBasePlugin { return ret; } + + public Long getPolicyVersion() { + return this.policyEngine == null ? -1L : this.policyEngine.getPolicyVersion(); + } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.j
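Review bot: `getPolicyVersion()` in the last hunk reads `this.policyEngine` twice, once in the null check and once for the dereference; the first hunk of this file assigns that field (`this.policyEngine = newPolicyEngine;`), and if that swap runs on the refresher thread while another thread calls the getter, the second read may observe a different value than the first. Copy the field into a local first: `RangerPolicyEngine engine = this.policyEngine;` then `return engine == null ? -1L : engine.getPolicyVersion();` (using whatever type the field is declared with). The two new `LOG.info` calls in the first hunk bracket the assignment, so the "from" and "to" versions they print come from different engine objects, which is presumably the intent; a one-line comment saying so would save the next reader a moment. The enclosing method of the first hunk starts outside the hunk.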
[ranger] branch master updated: RANGER-4291: If a ROW_FILTER type policy resources match, then an audit log record with Result=Denied is created
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 0e80fc804 RANGER-4291: If a ROW_FILTER type policy resources match, then an audit log record with Result=Denied is created 0e80fc804 is described below commit 0e80fc804f1a3e6d746e6334382fedb91dbf072d Author: Abhay Kulkarni AuthorDate: Fri Jun 16 10:52:05 2023 -0700 RANGER-4291: If a ROW_FILTER type policy resources match, then an audit log record with Result=Denied is created --- .../authorization/hive/authorizer/RangerHiveAuditHandler.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java index af991962f..b8de775e5 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java @@ -151,9 +151,9 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler { int policyType = result.getPolicyType(); if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK && result.isMaskEnabled()) { - ret = createAuditEvent(result, result.getMaskType(), resourcePath); -} else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) { -ret = createAuditEvent(result, ACCESS_TYPE_ROWFILTER, resourcePath); + ret = createAuditEvent(result, result.getMaskType(), resourcePath); + } else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER && result.isRowFilterEnabled()) { + ret = createAuditEvent(result, ACCESS_TYPE_ROWFILTER, resourcePath ); } else if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) { String accessType = null;
[ranger] branch master updated: RANGER-4284: Additional logging messages to help with debugging when policy deltas are enabled
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 04f5f639a RANGER-4284: Additional logging messages to help with debugging when policy deltas are enabled 04f5f639a is described below commit 04f5f639aab36135c18652ab183350080c37ecd4 Author: Abhay Kulkarni AuthorDate: Fri Jun 16 09:41:10 2023 -0700 RANGER-4284: Additional logging messages to help with debugging when policy deltas are enabled --- .../ranger/plugin/policyengine/PolicyEngine.java | 4 +- .../plugin/policyengine/RangerResourceTrie.java| 4 +- .../ranger/plugin/service/RangerBasePlugin.java| 12 +- .../apache/ranger/plugin/store/ServiceStore.java | 2 +- .../apache/ranger/plugin/util/PolicyRefresher.java | 36 +- .../java/org/apache/ranger/biz/ServiceDBStore.java | 23 ++-- .../ranger/common/RangerServicePoliciesCache.java | 131 - .../org/apache/ranger/db/XXPolicyChangeLogDao.java | 6 +- .../main/resources/META-INF/jpa_named_queries.xml | 11 +- 9 files changed, 174 insertions(+), 55 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java index f1dc03944..1e99b5824 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java 
@@ -680,8 +680,10 @@ public class PolicyEngine { LOG.debug("Built matchers for all Zones"); } +RangerPolicyEngineOptions options = pluginContext.getConfig().getPolicyEngineOptions(); + for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) { -resourceZoneTrie.put(resourceDef.getName(), new RangerResourceTrie<>(resourceDef, matchers)); +resourceZoneTrie.put(resourceDef.getName(), new RangerResourceTrie<>(resourceDef, matchers, options.optimizeTrieForSpace, options.optimizeTrieForRetrieval, pluginContext)); } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java index 07eb5815c..647059203 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java @@ -87,11 +87,13 @@ public class RangerResourceTrie { this.optWildcard = other.optWildcard; this.wildcardChars = other.wildcardChars; this.isOptimizedForSpace = other.isOptimizedForSpace; -this.isOptimizedForRetrieval = false; +this.isOptimizedForRetrieval = other.isOptimizedForRetrieval; this.separatorChar = other.separatorChar; this.inheritedEvaluators = other.inheritedEvaluators != null ? new HashSet<>(other.inheritedEvaluators) : null; this.root= copyTrieSubtree(other.root, null); +wrapUpUpdate(); + RangerPerfTracer.logAlways(perf); if (PERF_TRIE_INIT_LOG.isDebugEnabled()) { diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index b1e2ecbcc..9249b3295 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 
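Review bot: The new RangerResourceTrie call passes `options.optimizeTrieForSpace, options.optimizeTrieForRetrieval` in that order, while the same constructor is called in RangerTagEnricher (the -485 hunk of the RANGER-4136 commit further down this page) with `optimizeTagTrieForRetrieval, optimizeTagTrieForSpace` — retrieval first, then space. Two adjacent boolean parameters are easy to swap silently and the constructor signature is not visible here, so one of the two call sites is likely passing the flags reversed; please check the parameter order in RangerResourceTrie and align both calls, or replace the two booleans with the options object. The enclosing method of this hunk starts outside the hunk.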
@@ -421,7 +421,17 @@ public class RangerBasePlugin { } if (this.refresher != null) { - this.refresher.saveToCache(usePolicyDeltas ? servicePolicies : policies); + boolean doPreserveDeltas = pluginConfig.getBoolean (pluginConfig.getPropertyPrefix() + ".preserve.deltas", false); + if (!doPreserveDeltas) { + this.refresher.saveToCache(usePolicyDeltas ? servicePolicies : policies); + } else { + // Save both deltas and all policies to cache for verification + this.refresher.saveToCache(policies); + + if (usePolicyDeltas) { + this
[ranger] branch master updated: RANGER-4219: Grant permission in Impala engine not working with {user} in ranger policy
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new b6049ce73 RANGER-4219: Grant permission in Impala engine not working with {user} in ranger policy b6049ce73 is described below commit b6049ce73660a72ab54fd1d5b2ee9ca163ed69e2 Author: Abhay Kulkarni AuthorDate: Wed May 17 10:23:31 2023 -0700 RANGER-4219: Grant permission in Impala engine not working with {user} in ranger policy --- .../RangerDefaultPolicyEvaluator.java | 30 +- .../main/java/org/apache/ranger/biz/XUserMgr.java | 1 - 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 96e232b43..eee1e1f1b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -210,7 +210,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator @Override public void evaluate(RangerAccessRequest request, RangerAccessResult result) { if (LOG.isDebugEnabled()) { -LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(policyId=" + getPolicy().getId() + ", " + request + ", " + result + ")"); +LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(policyId=" + getPolicyId() + ", " + request + ", " + result + ")"); } RangerPerfTracer perf = null; 
@@ -256,7 +256,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if (!result.getIsAuditedDetermined()) { if (isAuditEnabled()) { result.setIsAudited(true); - result.setAuditPolicyId(getPolicy().getId()); + result.setAuditPolicyId(getPolicyId()); } } if (!result.getIsAccessDetermined()) { @@ -273,14 +273,14 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator RangerPerfTracer.log(perf); if(LOG.isDebugEnabled()) { -LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(policyId=" + getPolicy().getId() + ", " + request + ", " + result + ")"); +LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(policyId=" + getPolicyId() + ", " + request + ", " + result + ")"); } } @Override public boolean isMatch(RangerAccessResource resource, Map evalContext) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + resource + ", " + evalContext + ")"); + LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(policy-id=" + getPolicyId() + ", " + resource + ", " + evalContext + ")"); } boolean ret = false; @@ -304,7 +304,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator RangerPerfTracer.log(perf); if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(" + resource + ", " + evalContext + "): " + ret); + LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(policy-id=" + getPolicyId() + ", " + resource + ", " + evalContext + ") : " + ret); } return ret; @@ -374,22 +374,28 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator @Override public Set getAllowedAccesses(RangerAccessResource resource, String user, Set userGroups, Set roles, Set accessTypes) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyEvaluator.getAllowedAccesses(" + resource + ", " + user + ", " + userGroups + ", " + roles + ", " + acc
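Review bot: The new debug messages use two spellings for the same key: `evaluate` logs `policyId=` while `isMatch` logs `policy-id=`; pick one (`policyId=` matches the existing evaluate message) so that log greps find both. The body of `isMatch` between the -273 and -304 hunks is outside the hunks, and the last hunk of this file is cut off at the end of the line, so its remaining lines could not be reviewed.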
[ranger] branch master updated: RANGER-4130: Improve performance of event processing in agsync by optimizing number of commits to Kafka broker
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new e8a6125ba RANGER-4130: Improve performance of event processing in agsync by optimizing number of commits to Kafka broker e8a6125ba is described below commit e8a6125ba99b5ca4f62923552ddb251ee476cfdd Author: Abhay Kulkarni AuthorDate: Tue Apr 18 18:07:32 2023 -0700 RANGER-4130: Improve performance of event processing in agsync by optimizing number of commits to Kafka broker --- .../tagsync/source/atlas/AtlasTagSource.java | 68 ++ 1 file changed, 32 insertions(+), 36 deletions(-) diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java index a618cc986..34a39f73c 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java @@ -52,9 +52,9 @@ public class AtlasTagSource extends AbstractTagSource { public static final String TAGSYNC_ATLAS_PROPERTIES_FILE_NAME = "atlas-application.properties"; - public static final String TAGSYNC_ATLAS_KAFKA_ENDPOINTS = "atlas.kafka.bootstrap.servers"; - public static final String TAGSYNC_ATLAS_ZOOKEEPER_ENDPOINT = "atlas.kafka.zookeeper.connect"; - public static final String TAGSYNC_ATLAS_CONSUMER_GROUP = "atlas.kafka.entities.group.id"; + public static final String TAGSYNC_ATLAS_KAFKA_ENDPOINTS = "atlas.kafka.bootstrap.servers"; + public static final String TAGSYNC_ATLAS_ZOOKEEPER_ENDPOINT = "atlas.kafka.zookeeper.connect"; + public static final String TAGSYNC_ATLAS_CONSUMER_GROUP = "atlas.kafka.entities.group.id"; public static final intMAX_WAIT_TIME_IN_MILLIS = 1000; 
@@ -168,11 +168,10 @@ public class AtlasTagSource extends AbstractTagSource { private final List atlasEntitiesWithTags = new ArrayList<>(); private final List> messages = new ArrayList<>(); + private AtlasKafkaMessage lastUnhandledMessage = null; - private longoffsetOfLastMessageDeliveredToRanger = -1L; private longoffsetOfLastMessageCommittedToKafka = -1L; - - private boolean isHandlingDeleteOps = false; + private boolean isHandlingDeleteOps = false; private ConsumerRunnable(NotificationConsumer consumer) { this.consumer = consumer; @@ -222,10 +221,11 @@ public class AtlasTagSource extends AbstractTagSource { } atlasEntitiesWithTags.add(new RangerAtlasEntityWithTags(notificationWrapper)); + messages.add(message); } else { AtlasNotificationMapper.logUnhandledEntityNotification(notificationWrapper); + lastUnhandledMessage = message; } - messages.add(message); } } else { LOG.error("Null entityNotification received from Kafka!! Ignoring.."); @@ -235,6 +235,10 @@ public class AtlasTagSource extends AbstractTagSource { buildAndUploadServiceTags(); } } + if (lastUnhandledMessage != null) { + commitToKafka(lastUnhandledMessage); + lastUnhandledMessage = null; + } } catch (Exception exception) { LOG.error("Caught exception..: ", exception); @@ -255,9 +259,7 @@ public class AtlasTagSource extends AbstractTagSource { LOG.debug("==> buildAndUploadServiceT
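Review bot: `commitToKafka(lastUnhandledMessage)` in the third hunk runs after `buildAndUploadServiceTags()`, and `lastUnhandledMessage` keeps only the most recent unhandled message; when an unhandled message precedes handled ones in the same poll batch, its offset is lower than the offset committed for the handled batch, so this commit could move the consumer position backwards and replay already-uploaded messages unless `commitToKafka` guards on `offsetOfLastMessageCommittedToKafka` (its body is not visible here). Either skip the commit when the unhandled offset is below the last committed one, or track the highest offset seen regardless of handled/unhandled. The surrounding loop and the `catch (Exception exception)` that follows are partly outside the hunk.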
[ranger] branch master updated: RANGER-4185: Improve debugging messages when policy-deltas are enabled
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 774d159e2 RANGER-4185: Improve debugging messages when policy-deltas are enabled 774d159e2 is described below commit 774d159e2a2967132e8a1eda7f5ddeed08b37a55 Author: Abhay Kulkarni AuthorDate: Tue Apr 18 17:15:15 2023 -0700 RANGER-4185: Improve debugging messages when policy-deltas are enabled --- .../ranger/plugin/model/RangerPolicyDelta.java | 2 +- .../ranger/plugin/policyengine/PolicyEngine.java | 10 +++- .../ranger/plugin/util/RangerPolicyDeltaUtil.java | 2 +- .../java/org/apache/ranger/biz/ServiceDBStore.java | 29 +++--- .../java/org/apache/ranger/biz/TagDBStore.java | 3 +++ .../ranger/common/RangerServicePoliciesCache.java | 2 +- .../RangerTransactionSynchronizationAdapter.java | 15 +-- 7 files changed, 53 insertions(+), 10 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyDelta.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyDelta.java index 33183727c..e4d9b3a40 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyDelta.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyDelta.java @@ -87,7 +87,7 @@ public class RangerPolicyDelta implements java.io.Serializable { public void setId(Long id) { this.id = id;} -private void setChangeType(Integer changeType) { this.changeType = changeType; } +public void setChangeType(Integer changeType) { this.changeType = changeType; } private void setPoliciesVersion(Long policiesVersion) { this.policiesVersion = policiesVersion; } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java index 3864f30d2..86b6cd376 100644 
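Review bot: `setChangeType` goes from private to public without a Javadoc saying who is meant to call it; RangerPolicyDelta is `Serializable` and is presumably produced by the admin-side store, so a setter any caller can use widens its mutable surface. A short Javadoc on the method naming the caller that needs it and when a delta's change type is legitimately rewritten would document that contract. The class body continues past the hunk.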
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java @@ -200,7 +200,15 @@ public class PolicyEngine { this.pluginContext = pluginContext; this.lock = new RangerReadWriteLock(isUseReadWriteLock); -LOG.info("Policy engine will" + (isUseReadWriteLock ? " " : " not ") + "perform in place update while processing policy-deltas."); +Boolean hasPolicyDeltas = RangerPolicyDeltaUtil.hasPolicyDeltas(servicePolicies); + +if (hasPolicyDeltas != null) { +if (hasPolicyDeltas.equals(Boolean.TRUE)) { +LOG.info("Policy engine will" + (isUseReadWriteLock ? " " : " not ") + "perform in place update while processing policy-deltas."); +} else { +LOG.info("Policy engine will" + (isUseReadWriteLock ? " " : " not ") + "perform in place update while processing policies."); +} +} this.pluginContext.setAuthContext(new RangerAuthContext(null, roles)); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java index 86b18aace..b47888e9a 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java @@ -42,7 +42,7 @@ public class RangerPolicyDeltaUtil { public static List applyDeltas(List policies, List deltas, String serviceType) { if (LOG.isDebugEnabled()) { -LOG.debug("==> applyDeltas(serviceType=" + serviceType + ")"); +LOG.debug("==> applyDeltas(serviceType=" + serviceType + ", deltas=" + deltas + ")"); } List ret; diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index e52a92e04..60903cc97 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
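Review bot: The two branches in the new `if (hasPolicyDeltas != null)` block in PolicyEngine differ only in the last word of the message, and `hasPolicyDeltas.equals(Boolean.TRUE)` on an already null-checked Boolean is verbose; a single statement keeps the null behaviour and removes the duplication: `LOG.info("Policy engine will" + (isUseReadWriteLock ? " " : " not ") + "perform in place update while processing " + (hasPolicyDeltas ? "policy-deltas." : "policies."));`. The constructor this sits in starts and ends outside the hunk.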
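Review bot: The new `applyDeltas` debug message in RangerPolicyDeltaUtil concatenates the whole `deltas` list into one log line; each delta presumably carries a full policy, so a large delta batch yields very long lines and writes complete policy definitions (resources, users and groups, conditions) into plugin logs whenever debug is enabled. Consider logging the null-checked `deltas.size()` plus the delta ids and change types here and leaving per-policy detail to the per-delta processing. The method body continues past the hunk.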
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -393,6 +393,12 @@ public class ServiceDBStore extends AbstractServiceStore { isRolesDownloadedByService = config.getBoolean("ranger.support.for.service.specific.role.download", false); SUPPORTS_IN_PLACE_POLICY_UPDATES= SUPPORTS_POLICY_DELTAS && config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_
[ranger] branch master updated: RANGER-4192: A higher priority Data-masking policy is not considered when computing Datamask type
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new a378f285a RANGER-4192: A higher priority Data-masking policy is not considered when computing Datamask type a378f285a is described below commit a378f285a540dcee5f71069c613e198e024d0872 Author: Abhay Kulkarni AuthorDate: Tue Apr 18 15:41:46 2023 -0700 RANGER-4192: A higher priority Data-masking policy is not considered when computing Datamask type --- .../RangerDefaultDataMaskPolicyItemEvaluator.java | 6 -- .../policyevaluator/RangerDefaultPolicyEvaluator.java | 4 +++- .../RangerDefaultRowFilterPolicyItemEvaluator.java| 19 --- 3 files changed, 11 insertions(+), 18 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java index d979e97e1..6bf768bf1 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java @@ -80,12 +80,6 @@ public class RangerDefaultDataMaskPolicyItemEvaluator extends RangerDefaultPolic result.setMaskCondition(dataMaskInfo.getConditionExpr()); } - result.setIsAccessDetermined(true); - result.setPolicyPriority(policyEvaluator.getPolicyPriority()); - result.setPolicyId(policyEvaluator.getPolicyId()); - result.setReason(getComments()); - result.setPolicyVersion(policyEvaluator.getPolicy().getVersion()); - policyEvaluator.updateAccessResult(result, matchType, true, getComments()); } } 
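Review bot: The hunk removes the explicit `setIsAccessDetermined`, `setPolicyPriority`, `setPolicyId`, `setReason` and `setPolicyVersion` calls and relies on `policyEvaluator.updateAccessResult(result, matchType, true, getComments())` to populate them; that method is not in the hunk, so please confirm it also sets `policyVersion` (the other four are likely but the version is easy to miss), otherwise data-mask results lose the version they carried before this change. A comment above the call, e.g. `// updateAccessResult sets isAccessDetermined, policyId/priority/version and reason`, would document the contract. The method starts outside the hunk.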
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 2f9c1b019..96e232b43 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -887,7 +887,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 }
 if (allowResult != null) {
- result.setAccessResultFrom(allowResult);
+ if (!result.getIsAllowed() || result.getPolicyPriority() < allowResult.getPolicyPriority()) {
+ result.setAccessResultFrom(allowResult);
+ }
 } else if (denyResult != null) {
 result.setAccessResultFrom(denyResult);
 }
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
index 63b3be964..d2b3e746b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
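Review bot: The new guard `!result.getIsAllowed() || result.getPolicyPriority() < allowResult.getPolicyPriority()` keeps the existing result on equal priority and only lets a strictly higher-priority allow replace it, which matches the commit title but is not obvious from the code; add `// keep the current allow result unless this policy has strictly higher priority` above the `if`. The `else if (denyResult != null)` branch below is unchanged and applies no priority check, so a deny result still overwrites unconditionally; if that asymmetry is deliberate it deserves a comment as well. The enclosing method starts and ends outside the hunk.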
@@ -34,7 +34,7 @@ public class RangerDefaultRowFilterPolicyItemEvaluator extends RangerDefaultPoli final private RangerRequestExprResolver exprResolver; public RangerDefaultRowFilterPolicyItemEvaluator(RangerServiceDef serviceDef, RangerPolicy policy, RangerRowFilterPolicyItem policyItem, int policyItemIndex, RangerPolicyEngineOptions options) { - super(serviceDef, policy, policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK, policyItemIndex, options); + super(serviceDef, policy, policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER, policyItemIndex, options); rowFilterPolicyItem = policyItem; @@ -60,17 +60,14 @@ public class RangerDefaultRowFilterPolicyItemEvaluator extends RangerDefaultPoli @Override public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) { - if (result.getFilterExpr() == null) { - if (exprResolver != null) { - result.setFilterE
[ranger] branch master updated: RANGER-4193: ServiceTagsProcessor fails to handle update of an existing Service-Resource
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 42b8c973e RANGER-4193: ServiceTagsProcessor fails to handle update of an existing Service-Resource 42b8c973e is described below commit 42b8c973eb120f0dbf983d410d6ee888daa63ab8 Author: Abhay Kulkarni AuthorDate: Tue Apr 18 15:36:47 2023 -0700 RANGER-4193: ServiceTagsProcessor fails to handle update of an existing Service-Resource --- .../src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java| 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
index fcbc31a99..f29304036 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
@@ -154,7 +154,9 @@ public class ServiceTagsProcessor {
 }
 existing = tagStore.getServiceResourceByGuid(resource.getGuid());
 RangerPerfTracer.logAlways(perf);
- } else {
+ }
+
+ if (existing == null) {
 if(MapUtils.isNotEmpty(resource.getResourceElements())) {
 if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) {
 perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.search_service_resource_by_signature(" + resourceId + ")");
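Review bot: With the `else` removed, a resource that carries a GUID but is not found by GUID now falls through to the signature lookup; if that lookup finds a row stored earlier under a different GUID, `existing` and `resource` disagree on GUID, and it is not visible in this hunk whether the update path reconciles them or rejects the request. A one-line comment above `if (existing == null) {`, such as `// not found by GUID: fall back to resource-signature lookup`, would make the intended precedence explicit. The method starts and ends outside the hunk.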
[ranger] branch master updated: RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher - Part 2
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new fb63f21cf RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher - Part 2 fb63f21cf is described below commit fb63f21cf6f5007f178eef8f11f68cf2c9a57279 Author: Abhay Kulkarni AuthorDate: Mon Apr 17 09:50:42 2023 -0700 RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher - Part 2 --- .../plugin/contextenricher/RangerTagEnricher.java | 64 +++--- .../org/apache/ranger/plugin/util/ServiceTags.java | 3 + 2 files changed, 47 insertions(+), 20 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index 198d24d97..e0a86c398 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java @@ -385,6 +385,9 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { this.tagRefresher = null; if (tagRefresher != null) { + if (LOG.isDebugEnabled()) { + LOG.debug("Trying to clean up RangerTagRefresher(" + tagRefresher.getName() + ")"); + } tagRefresher.cleanup(); } 
@@ -473,20 +476,16 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { List changedServiceResources = deltas.getServiceResources(); for (RangerServiceResource serviceResource : changedServiceResources) { - final boolean removedOldServiceResource = MapUtils.isEmpty(serviceResource.getResourceElements()) || removeOldServiceResource(serviceResource, resourceMatchers, serviceResourceTrie); - if (removedOldServiceResource) { + if (removedOldServiceResource) { if (!StringUtils.isEmpty(serviceResource.getResourceSignature())) { - RangerServiceResourceMatcher resourceMatcher = createRangerServiceResourceMatcher(serviceResource, serviceDefHelper, hierarchies); if (resourceMatcher != null) { for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) { - - RangerPolicy.RangerPolicyResource policyResource = serviceResource.getResourceElements().get(resourceDef.getName()); - - RangerResourceTrie trie = serviceResourceTrie.get(resourceDef.getName()); + RangerPolicy.RangerPolicyResourcepolicyResource = serviceResource.getResourceElements().get(resourceDef.getName()); + RangerResourceTrie trie = serviceResourceTrie.get(resourceDef.getName()); if (LOG.isDebugEnabled()) { LOG.debug("Trying to add resource-matcher to " + (trie == null ? "new" : "existing") + " trie for " + resourceDef.getName()); @@ -495,6 +494,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { if (trie != null) { trie.add(policyResource, resourceMatcher); trie.wrapUpUpdate(); + if (LOG.isDebugEnabled()) { LOG.debug("Added resource-matcher for policy-resource:[" + policyResource + "]"); } @@ -521,6 +521,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { break; } } + if (isInError) { LOG.error("Error in processing tag-deltas. Will continue to use old tags"); deltas.setTagVersion(-1L); 
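Review bot: In the -495 hunk `trie.wrapUpUpdate()` is called right after every `trie.add(...)`, inside the loop over resource defs that is itself inside the loop over `changedServiceResources`; if `wrapUpUpdate` does more than constant work per call (its body is not visible here), a delta batch with many resources pays that cost once per resource and per resource def instead of once per trie. Consider adding throughout the batch and calling `wrapUpUpdate()` once per trie after the outer loop, unless later iterations depend on the trie being finalized. The -521 hunk's `LOG.error("Error in processing tag-deltas. Will continue to use old tags")` would also be more useful with the tag version or service-resource that failed. The enclosing method starts before the first hunk and ends after the last.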
@@ -530,44 +531,61 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { } enrichedServiceTags = new EnrichedServiceTags(allServiceTags, resou
[ranger] branch master updated: RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 2e224cf9d RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher 2e224cf9d is described below commit 2e224cf9d4d28f3e23b5f8462a92024993a104bc Author: Abhay Kulkarni AuthorDate: Wed Mar 22 11:28:51 2023 -0700 RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher --- .../plugin/contextenricher/RangerTagEnricher.java | 19 ++- .../plugin/policyengine/RangerAccessRequestImpl.java | 10 +- .../plugin/service/RangerDefaultRequestProcessor.java | 19 ++- .../util/RangerResourceEvaluatorsRetriever.java | 2 +- 4 files changed, 42 insertions(+), 8 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index efb885a74..198d24d97 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java @@ -78,9 +78,8 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { private static final Logger PERF_SET_SERVICETAGS_LOG = RangerPerfTracer.getPerfLogger("tagenricher.setservicetags"); private static final Logger PERF_SERVICETAGS_RETRIEVAL_LOG = RangerPerfTracer.getPerfLogger("tagenricher.tags.retrieval"); - private static final String TAG_REFRESHER_POLLINGINTERVAL_OPTION = "tagRefresherPollingInterval"; - public static final String TAG_RETRIEVER_CLASSNAME_OPTION = "tagRetrieverClassName"; + public static final String TAG_RETRIEVER_CLASSNAME_OPTION= "tagRetrieverClassName"; private static final String TAG_DISABLE_TRIE_PREFILTER_OPTION= "disableTrieLookupPrefilter"; private RangerTagRefresher tagRefresher; 
@@ -485,12 +484,19 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { if (resourceMatcher != null) { for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) { + RangerPolicy.RangerPolicyResource policyResource = serviceResource.getResourceElements().get(resourceDef.getName()); + RangerResourceTrie trie = serviceResourceTrie.get(resourceDef.getName()); + if (LOG.isDebugEnabled()) { + LOG.debug("Trying to add resource-matcher to " + (trie == null ? "new" : "existing") + " trie for " + resourceDef.getName()); + } + if (trie != null) { - trie.add(serviceResource.getResourceElements().get(resourceDef.getName()), resourceMatcher); + trie.add(policyResource, resourceMatcher); + trie.wrapUpUpdate(); if (LOG.isDebugEnabled()) { - LOG.debug("Added resource-matcher for service-resource:[" + serviceResource + "]"); + LOG.debug("Added resource-matcher for policy-resource:[" + policyResource + "]"); } } else { trie = new RangerResourceTrie<>(resourceDef, Collections.singletonList(resourceMatcher), getPolicyEngineOptions().optimizeTagTrieForRetrieval, getPolicyEngineOptions().optimizeTagTrieForSpace, null); @@ -541,7 +547,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { RangerAccessResourceImpl accessResource = new RangerAccessResourceImpl(); for (Map.Entry entry : serviceResource.getResourceElements().entrySet()) { - accessResource.setValue(entry.getKey(), entry.getValue()); + accessResource.setValue(entry.getKey(), entry.getValue().getValues
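Review bot: The new-trie constructor call in this hunk passes `null` as the last argument, while the equivalent call in PolicyEngine in the RANGER-4284 commit on this page passes `pluginContext`; if that parameter drives logging or perf tracing inside RangerResourceTrie (not visible here), tag tries silently lose it. The order of the two boolean arguments, `optimizeTagTrieForRetrieval, optimizeTagTrieForSpace`, is compared with the PolicyEngine call in the note on that commit. The method starts outside the hunk.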
[ranger] branch master updated: RANGER-4129: ArrayIndexOutOfBounds exception may be thrown while processing events
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new fe33f69ae RANGER-4129: ArrayIndexOutOfBounds exception may be thrown while processing events fe33f69ae is described below commit fe33f69ae5d4ac4f2aa9788523d0bb7313c150f2 Author: Abhay Kulkarni AuthorDate: Tue Mar 14 07:59:00 2023 -0700 RANGER-4129: ArrayIndexOutOfBounds exception may be thrown while processing events --- .../source/atlas/AtlasNotificationMapper.java | 52 - .../tagsync/source/atlas/AtlasTagSource.java | 67 +++--- 2 files changed, 35 insertions(+), 84 deletions(-) diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java index a7c456b3d..5d5ab8a7d 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java @@ -75,29 +75,6 @@ public class AtlasNotificationMapper { } } -public static ServiceTags processEntityNotification(EntityNotificationWrapper entityNotification) { - -ServiceTags ret = null; - -if (isNotificationHandled(entityNotification)) { -try { -RangerAtlasEntityWithTags entityWithTags = new RangerAtlasEntityWithTags(entityNotification); - -if (entityNotification.getIsEntityDeleteOp()) { -ret = buildServiceTagsForEntityDeleteNotification(entityWithTags); -} else { -ret = buildServiceTags(entityWithTags, null); -} - -} catch (Exception exception) { -LOG.error("createServiceTags() failed!! ", exception); -} -} else { -logUnhandledEntityNotification(entityNotification); -} -return ret; -} - public static Map processAtlasEntities(List atlasEntities) { Map ret = null; 
@@ -159,35 +136,6 @@ public class AtlasNotificationMapper { return ret; } -@SuppressWarnings("unchecked") -static ServiceTags buildServiceTagsForEntityDeleteNotification(RangerAtlasEntityWithTags entityWithTags) { -final ServiceTags ret; - -RangerAtlasEntity entity = entityWithTags.getEntity(); -String guid = entity.getGuid(); - -if (StringUtils.isNotBlank(guid)) { -ret = new ServiceTags(); -RangerServiceResource serviceResource = new RangerServiceResource(); -serviceResource.setGuid(guid); -ret.getServiceResources().add(serviceResource); -} else { -ret = buildServiceTags(entityWithTags, null); -if (ret != null) { -// tag-definitions should NOT be deleted as part of service-resource delete -ret.setTagDefinitions(MapUtils.EMPTY_MAP); -// Ranger deletes tags associated with deleted service-resource -ret.setTags(MapUtils.EMPTY_MAP); -} -} - -if (ret != null) { -ret.setOp(ServiceTags.OP_DELETE); -} - -return ret; -} - static private Map buildServiceTags(List entitiesWithTags) { Map ret = new HashMap<>(); diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java index 1a3ddecb5..a618cc986 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java @@ -87,7 +87,7 @@ public class AtlasTagSource extends AbstractTagSource { try { inputStream.close(); } catch (IOException ioException) { - LOG.error("Cannot close Atlas application properties file, file-name:\" + TAGSYNC_ATLAS_PROPERTIES_FILE_NAME", ioException); + LOG.error("Cannot close Atlas application properties file, file-name:" + TAGSYNC_ATLAS_PROPERTIES_FILE_NAME, ioException); } } } else { @@ -214,18 +214,17 @@ public class AtlasTagSource extends AbstractTagSource { if (AtlasNotificat
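Review bot: The corrected LOG.error call in the AtlasTagSource hunk at @@ -87 still builds the message by string concatenation; if LOG is an SLF4J-style logger (its declaration is not in this hunk) the parameterized form `LOG.error("Cannot close Atlas application properties file, file-name:{}", TAGSYNC_ATLAS_PROPERTIES_FILE_NAME, ioException);` avoids the kind of quoting mistake this commit fixes and keeps the throwable as the last argument. The two AtlasNotificationMapper hunks are pure removals of processEntityNotification and buildServiceTagsForEntityDeleteNotification, and the @@ -214 hunk runs past this chunk, so they are not reviewed here.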
[ranger] branch master updated: RANGER-4115: Tags containing attributes not processed correctly by tagsync
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 48a635c30 RANGER-4115: Tags containing attributes not processed correctly by tagsync 48a635c30 is described below commit 48a635c30ac2afe4492f06d132cc517431933dd8 Author: Abhay Kulkarni AuthorDate: Thu Mar 2 17:16:21 2023 -0800 RANGER-4115: Tags containing attributes not processed correctly by tagsync --- .../ranger/tagsync/source/atlas/AtlasNotificationMapper.java | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java index dadc76a54..a7c456b3d 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java @@ -351,9 +351,14 @@ public class AtlasNotificationMapper { RangerTagDef tagDef = new RangerTagDef(tag.getName(), "Atlas"); if (MapUtils.isNotEmpty(tag.getAttributes())) { +List attributeDefs = tagDef.getAttributeDefs(); +if (attributeDefs == null) { +attributeDefs = new ArrayList<>(); +} for (String attributeName : tag.getAttributes().keySet()) { -tagDef.getAttributeDefs().add(new RangerTagAttributeDef(attributeName, entityWithTags.getTagAttributeType(tag.getName(), attributeName))); +attributeDefs.add(new RangerTagAttributeDef(attributeName, entityWithTags.getTagAttributeType(tag.getName(), attributeName))); } +tagDef.setAttributeDefs(attributeDefs); } ret.add(tagDef); }
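Review bot: The new null guard around `tagDef.getAttributeDefs()` carries no explanation of why the list is materialized and written back with `setAttributeDefs` instead of appended in place; a comment such as `// a freshly constructed RangerTagDef may have no attributeDefs list; build one so the attribute types reported by the Atlas entity are recorded` would tell the next reader what failure this avoids. Whether getAttributeDefs() can return null depends on RangerTagDef's constructor, which is outside this hunk, so the wording should be confirmed against it. The enclosing method starts and ends outside the hunk.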
[ranger] branch master updated: RANGER-4100: Efficient computation of the smallest set of evaluators returned by search of multiple Trie trees
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 85f5483ed RANGER-4100: Efficient computation of the smallest set of evaluators returned by search of multiple Trie trees 85f5483ed is described below commit 85f5483ed444bf40caa588ec5b788a51532c3095 Author: Abhay Kulkarni AuthorDate: Mon Feb 20 14:11:05 2023 -0800 RANGER-4100: Efficient computation of the smallest set of evaluators returned by search of multiple Trie trees --- .../plugin/contextenricher/RangerTagEnricher.java | 75 +- .../validation/RangerSecurityZoneValidator.java| 65 + .../ranger/plugin/policyengine/PolicyEngine.java | 111 --- .../util/RangerResourceEvaluatorsRetriever.java| 158 + .../plugin/policyengine/TestPolicyEngine.java | 3 +- 5 files changed, 195 insertions(+), 217 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index bbea4cec6..8f2ecaa1d 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java @@ -44,6 +44,7 @@ import org.apache.ranger.plugin.util.RangerAccessRequestUtil; import org.apache.ranger.plugin.util.RangerCommonConstants; import org.apache.ranger.plugin.util.RangerPerfTracer; import org.apache.ranger.plugin.util.RangerReadWriteLock; +import org.apache.ranger.plugin.util.RangerResourceEvaluatorsRetriever; import org.apache.ranger.plugin.util.RangerServiceNotFoundException; import org.apache.ranger.plugin.util.RangerServiceTagsDeltaUtil; import org.apache.ranger.plugin.util.ServiceTags; 
@@ -549,7 +550,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { RangerAccessRequestImpl request = new RangerAccessRequestImpl(); request.setResource(accessResource); - List oldMatchers = getEvaluators(request, enrichedServiceTags); + Collection oldMatchers = getEvaluators(request, enrichedServiceTags); if (LOG.isDebugEnabled()) { LOG.debug("Found [" + oldMatchers.size() + "] matchers for service-resource[" + serviceResource + "]"); @@ -676,7 +677,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { ret = enrichedServiceTags.getTagsForEmptyResourceAndAnyAccess(); } else { - final List serviceResourceMatchers = getEvaluators(request, enrichedServiceTags); + final Collection serviceResourceMatchers = getEvaluators(request, enrichedServiceTags); if (CollectionUtils.isNotEmpty(serviceResourceMatchers)) { @@ -724,11 +725,11 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { return ret; } - private List getEvaluators(RangerAccessRequest request, EnrichedServiceTags enrichedServiceTags) { + private Collection getEvaluators(RangerAccessRequest request, EnrichedServiceTags enrichedServiceTags) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerTagEnricher.getEvaluators(request=" + request + ")"); } - List ret= Collections.EMPTY_LIST; + Collection ret; RangerAccessResourceresource = request.getResource(); 
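Review bot: `Collection ret;` at @@ -724 drops the `Collections.EMPTY_LIST` default, and the caller updated at @@ -549 dereferences the result immediately (`oldMatchers.size()`), so every return path in the remainder of getEvaluators, which runs past this chunk, must still assign a non-null collection. A one-line Javadoc on getEvaluators, `/** Never returns null; an empty collection means no service-resource evaluator matched. */`, would make that contract explicit for future edits. The @@ -676 caller goes through CollectionUtils.isNotEmpty and tolerates null, and the @@ -44 import hunk is trivial.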
@@ -743,71 +744,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { perf = RangerPerfTracer.getPerfTracer(PERF_TRIE_OP_LOG, "RangerTagEnricher.getEvaluators(resource=" + resource.getAsString() + ")"); } - ListresourceKeys = serviceDefHelper.getOrderedResourceNames(resource.getKeys()); - Set smallestList = null; - - if (CollectionUtils.isNotEmpty(resourceKeys)) { - - for (String resourceName : resourceKeys) { - RangerResourceTrie trie = serviceResourceTrie.get(resourceName); - - if (trie == null) { // if no trie exists for this resource level, ignore and continue to next level - continue; - } - - Set serviceResourceMatchersForResource = trie.getEvaluatorsForRe
[ranger] branch master updated: RANGER-3999: Implement more efficient way to handle _any access authorization - Part 3
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 4b941b2f0 RANGER-3999: Implement more efficient way to handle _any access authorization - Part 3 4b941b2f0 is described below commit 4b941b2f0d7a8390155c61fa0960c42aa8a37b69 Author: Abhay Kulkarni AuthorDate: Thu Feb 16 10:20:13 2023 -0800 RANGER-3999: Implement more efficient way to handle _any access authorization - Part 3 --- .../RangerDefaultPolicyEvaluator.java | 2 +- .../plugin/util/RangerAccessRequestUtil.java | 2 +- .../plugin/policyengine/TestPolicyEngine.java | 8 ++ .../policyengine/test_policyengine_hive.json | 32 ++ 4 files changed, 42 insertions(+), 2 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 9a0df550c..2f9c1b019 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -242,7 +242,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator final boolean isMatched; - if (request.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) { + if (request.isAccessTypeAny()) { isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE; } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) { isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE; 
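Review bot: Dropping `RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())` from the isMatched condition narrows matching for requests that carry the ISANYACCESS context flag but a specific accessType, and nothing in the hunk records why the flag is no longer consulted here. A comment on the changed line, `// only the request's own accessType decides here; the multi-access-type case is evaluated per wrapped request, whose isAccessTypeAny() reflects its own accessType`, would preserve the reasoning, assuming that is the intent (RangerAccessRequestWrapper is not visible in this hunk). The enclosing method starts and ends outside the hunk.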
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java index a51f2322a..b505f495b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java @@ -222,7 +222,7 @@ public class RangerAccessRequestUtil { public static void setAllRequestedAccessTypes(Map context, Set accessTypes, Boolean isAny) { context.put(KEY_CONTEXT_ACCESSTYPES, accessTypes); -context.put(KEY_CONTEXT_IS_ANY_ACCESS, isAny); + setIsAnyAccessInContext(context, isAny); } public static Set getAllRequestedAccessTypes(RangerAccessRequest request) { diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index eb3d0ff46..89e678bf9 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java @@ -69,6 +69,7 @@ import java.io.OutputStreamWriter; import java.lang.reflect.Type; import java.util.ArrayList; import java.util.Arrays; +import java.util.Collection; import java.util.Date; import java.util.HashSet; import java.util.List; @@ -923,6 +924,13 @@ public class TestPolicyEngine { if (ret.getAccessTime() == null) { ret.setAccessTime(new Date()); } + Map reqContext = ret.getContext(); + Object accessTypes = reqContext.get("ACCESSTYPES"); + if (accessTypes != null) { + Collection accessTypesCollection = (Collection) accessTypes; + Set requestedAccesses = new HashSet<>(accessTypesCollection); + ret.getContext().put("ACCESSTYPES", requestedAccesses); + } return ret; } 
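Review bot: The added context fix-up in TestPolicyEngine looks the key up with the bare literal `"ACCESSTYPES"` although `RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES` holds exactly that string, so a rename of the key would silently break the test rather than fail to compile; use the constant for both the `reqContext.get(...)` and the `ret.getContext().put(...)`. Generic type arguments appear stripped in this rendering, so the `(Collection)` cast may well be parameterized in the real file. The @@ -69 import hunk and the RangerAccessRequestUtil @@ -222 delegation are trivial, the JSON hunk runs past this chunk, and the enclosing method starts outside the hunk.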
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json index 0544feb14..8e34aa174 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json @@ -123,10 +123,42 @@ "policyItems":[ {"accesses":[{"type":"read","isAllowed":true},{&q
[ranger] branch master updated: RANGER-3999: Implement more efficient way to handle _any access authorization - Part 2
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 7a7215f67 RANGER-3999: Implement more efficient way to handle _any access authorization - Part 2 7a7215f67 is described below commit 7a7215f67e7db807ee0401f2b41d7bb871a248f5 Author: Abhay Kulkarni AuthorDate: Mon Feb 13 14:23:02 2023 -0800 RANGER-3999: Implement more efficient way to handle _any access authorization - Part 2 --- .../ranger/plugin/policyengine/RangerPolicyEngineImpl.java | 3 +-- .../plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 9 - .../org/apache/ranger/plugin/util/RangerAccessRequestUtil.java | 5 + 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 4f65d3da2..e75bb722c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -703,8 +703,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { String requestedAccess = accessTypeDef.getName(); allRequestedAccesses.add(requestedAccess); } - RangerAccessRequestUtil.setIsAnyAccessInContext(request.getContext(), Boolean.TRUE); - request.getContext().put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, allRequestedAccesses); + RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), allRequestedAccesses, Boolean.TRUE); } ret = evaluatePoliciesForOneAccessTypeNoAudit(request, policyType, zoneName, policyRepository, tagPolicyRepository); 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 55752e79c..9a0df550c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -833,6 +833,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator for (String accessType : allRequestedAccesses) { + if (LOG.isDebugEnabled()) { + LOG.debug("Checking for accessType:[" + accessType + "]"); + } RangerAccessRequestWrapper oneRequest = new RangerAccessRequestWrapper(request, accessType); RangerAccessResult oneResult = new RangerAccessResult(result.getPolicyType(), result.getServiceName(), result.getServiceDef(), oneRequest); @@ -846,7 +849,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator updateAccessResult(oneResult, matchType, false, "matched deny-all-else policy"); } - if (request.isAccessTypeAny()) { + if (request.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) { // Implement OR logic if (oneResult.getIsAllowed()) { allowResult = oneResult; @@ -879,6 +882,10 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } } + if (LOG.isDebugEnabled()) { + LOG.debug("allowResult:[" + allowResult + "], denyResult:[" + denyResult + "], noResult:[" + noResult + "]"); + } + if (allowResult != null) { result.setAccessResultFrom(allowResult); } else if (denyResult != null) { diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java index 0ebb9cba5..a51f2322a 1
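Review bot: The OR-combination at @@ -846 is now also enabled by `RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())`, a flag read from the request's mutable context map, so an authorization-relaxing decision (allow when any one of the requested access types is allowed) is driven by a context key rather than by the request's declared accessType. A comment on that line naming the producer, e.g. `// ISANYACCESS is set only by RangerPolicyEngineImpl when it expands the requested access types; it is not a caller-facing option`, would document the trust assumption; as far as this chunk shows, the flag is set only from RangerPolicyEngineImpl at @@ -703 of this commit. The debug-log hunks at @@ -833 and @@ -879 are guarded by isDebugEnabled, and the RangerAccessRequestUtil hunk runs past this chunk.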
[ranger] branch master updated: RANGER-4070: Provide mechanism to manage potentially multiple enrichment of an access request
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new df0a778cb RANGER-4070: Provide mechanism to manage potentially multiple enrichment of an access request df0a778cb is described below commit df0a778cb7d14e896c7cc88a4b720645d89668c5 Author: Abhay Kulkarni AuthorDate: Sat Feb 4 22:09:42 2023 -0800 RANGER-4070: Provide mechanism to manage potentially multiple enrichment of an access request --- .../plugin/service/RangerDefaultRequestProcessor.java | 5 + .../ranger/plugin/util/RangerAccessRequestUtil.java | 19 --- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java index 636d09038..80d27e8e8 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java @@ -48,6 +48,11 @@ public class RangerDefaultRequestProcessor implements RangerAccessRequestProcess @Override public void preProcess(RangerAccessRequest request) { +if (RangerAccessRequestUtil.getIsRequestPreprocessed(request.getContext())) { +return; +} +RangerAccessRequestUtil.setIsRequestPreprocessed(request.getContext(), Boolean.TRUE); + setResourceServiceDef(request); RangerAccessRequestImpl reqImpl = null; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java index 05d9a6007..0ebb9cba5 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 
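Review bot: `setIsRequestPreprocessed(request.getContext(), Boolean.TRUE)` runs before setResourceServiceDef and the rest of preProcess, so if any later step throws, the request stays marked as preprocessed and a retry through the same engine would skip enrichment silently; setting the marker as the last step of a successful preProcess keeps it truthful. The guard also relies on a context key the caller can write, which is reasonable inside the plugin but worth stating, e.g. `// idempotence marker: the context map is engine-internal, so a pre-set flag means this request was already enriched by an earlier pass`. The remainder of preProcess is outside the hunk.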
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java @@ -47,6 +47,7 @@ public class RangerAccessRequestUtil { public static final String KEY_CONTEXT_ACCESSTYPES = "ACCESSTYPES"; public static final String KEY_CONTEXT_IS_ANY_ACCESS = "ISANYACCESS"; public static final String KEY_CONTEXT_REQUEST = "_REQUEST"; + public static final String KEY_CONTEXT_IS_REQUEST_PREPROCESSED = "ISREQUESTPREPROCESSED"; public static void setRequestTagsInContext(Map context, Set tags) { if(CollectionUtils.isEmpty(tags)) { @@ -131,6 +132,9 @@ public class RangerAccessRequestUtil { ret.remove(KEY_CONTEXT_TAG_OBJECT); ret.remove(KEY_CONTEXT_RESOURCE); ret.remove(KEY_CONTEXT_REQUEST); + ret.remove(KEY_CONTEXT_ACCESSTYPES); + ret.remove(KEY_CONTEXT_IS_ANY_ACCESS); + ret.remove(KEY_CONTEXT_IS_REQUEST_PREPROCESSED); // don't remove REQUESTED_RESOURCES } @@ -198,9 +202,18 @@ public class RangerAccessRequestUtil { context.put(KEY_CONTEXT_IS_ANY_ACCESS, value); } - public static Boolean getIsAnyAccessInContext(Map context) { - Boolean ret = (Boolean)context.get(KEY_CONTEXT_IS_ANY_ACCESS); - return ret == null ? Boolean.FALSE : ret; + public static boolean getIsAnyAccessInContext(Map context) { + Boolean value = (Boolean)context.get(KEY_CONTEXT_IS_ANY_ACCESS); + return value != null && value; + } + + public static void setIsRequestPreprocessed(Map context, Boolean value) { + context.put(KEY_CONTEXT_IS_REQUEST_PREPROCESSED, value); + } + + public static boolean getIsRequestPreprocessed(Map context) { + Boolean value = (Boolean)context.get(KEY_CONTEXT_IS_REQUEST_PREPROCESSED); + return value != null && value; } public static void setAllRequestedAccessTypes(Map context, Set accessTypes) {
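Review bot: Both new boolean getters at @@ -198 do `(Boolean)context.get(KEY)`, which throws ClassCastException if the context ever holds a non-Boolean under that key; `return Boolean.TRUE.equals(context.get(KEY_CONTEXT_IS_ANY_ACCESS));` (and likewise for KEY_CONTEXT_IS_REQUEST_PREPROCESSED) yields the same result for Boolean values while treating anything else as false. Changing getIsAnyAccessInContext from `Boolean` to primitive `boolean` is source-compatible but not binary-compatible, which matters if any plugin outside this repository was compiled against the old signature. Whether callers can pass a null context is not visible here, so the unguarded dereference is left as is.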
[ranger] branch master updated: RANGER-4069: Add performance tracing instrumentation to Tag Enricher
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new f9bfc90fb RANGER-4069: Add performance tracing instrumentation to Tag Enricher f9bfc90fb is described below commit f9bfc90fb53f06a752f4190e20be337ed70ec657 Author: Abhay Kulkarni AuthorDate: Sat Feb 4 11:25:16 2023 -0800 RANGER-4069: Add performance tracing instrumentation to Tag Enricher --- .../apache/ranger/plugin/contextenricher/RangerTagEnricher.java | 9 + 1 file changed, 9 insertions(+) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index da06e4161..bbea4cec6 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java @@ -75,6 +75,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { private static final Logger PERF_CONTEXTENRICHER_INIT_LOG = RangerPerfTracer.getPerfLogger("contextenricher.init"); private static final Logger PERF_TRIE_OP_LOG = RangerPerfTracer.getPerfLogger("resourcetrie.retrieval"); private static final Logger PERF_SET_SERVICETAGS_LOG = RangerPerfTracer.getPerfLogger("tagenricher.setservicetags"); + private static final Logger PERF_SERVICETAGS_RETRIEVAL_LOG = RangerPerfTracer.getPerfLogger("tagenricher.tags.retrieval"); private static final String TAG_REFRESHER_POLLINGINTERVAL_OPTION = "tagRefresherPollingInterval"; 
@@ -665,6 +666,12 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { RangerAccessResource resource = request.getResource(); + RangerPerfTracer perf = null; + + if (RangerPerfTracer.isPerfTraceEnabled(PERF_SERVICETAGS_RETRIEVAL_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_SERVICETAGS_RETRIEVAL_LOG, "RangerTagEnricher.findMatchingTags=" + resource.getAsString() + ")"); + } + if ((resource == null || resource.getKeys() == null || resource.getKeys().isEmpty()) && request.isAccessTypeAny()) { ret = enrichedServiceTags.getTagsForEmptyResourceAndAnyAccess(); } else { @@ -698,6 +705,8 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { } } + RangerPerfTracer.logAlways(perf); + if (CollectionUtils.isEmpty(ret)) { if (LOG.isDebugEnabled()) { LOG.debug("RangerTagEnricher.findMatchingTags(" + resource + ") - No tags Found ");
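Review bot: The perf-tracer label at @@ -665 calls `resource.getAsString()` one statement before the `resource == null` check, so with the `tagenricher.tags.retrieval` perf logger enabled a request without a resource fails with a NullPointerException instead of taking the empty-resource branch; build the label as `"RangerTagEnricher.findMatchingTags(resource=" + (resource == null ? null : resource.getAsString()) + ")"`, which also repairs the unbalanced `=...)` label compared with the getEvaluators tracer in this class. The `RangerPerfTracer.logAlways(perf)` at @@ -698 is reached with a null perf whenever tracing is off, which the existing getEvaluators code appears to rely on as well. The enclosing method starts and ends outside the hunks.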
[ranger] branch master updated: RANGER-4009:Open read access to some Policy Engine objects and metrics
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 245de9179 RANGER-4009:Open read access to some Policy Engine objects and metrics 245de9179 is described below commit 245de9179b0a3270adcbc20f9cb128ea7dd79e49 Author: Abhay Kulkarni AuthorDate: Fri Dec 9 11:15:17 2022 -0800 RANGER-4009:Open read access to some Policy Engine objects and metrics --- .../plugin/policyengine/RangerPolicyEngineImpl.java | 6 +- .../plugin/policyengine/RangerPolicyRepository.java | 16 .../apache/ranger/plugin/service/RangerBasePlugin.java | 4 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 8d80ad6a3..4f65d3da2 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -599,10 +599,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { return ret; } - PolicyEngine getPolicyEngine() { + public PolicyEngine getPolicyEngine() { return policyEngine; } + public RangerAccessRequestProcessor getRequestProcessor() { + return requestProcessor; + } + private RangerPolicyEngineImpl(final PolicyEngine policyEngine, RangerPolicyEngineImpl other) { this.policyEngine = policyEngine; this.requestProcessor = new RangerDefaultRequestProcessor(policyEngine); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java index 85a3afd01..297f5e635 100644 
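Review bot: Making getPolicyEngine() public and adding getRequestProcessor() hands out the engine's live internal objects with no Javadoc stating the read-only intent the commit title describes; a comment such as `/** Exposes the underlying engine for read-only inspection and metrics; callers must not mutate it. */` on each accessor, and on the protected getPolicyEngine() added to RangerBasePlugin in the next file section, would make that contract visible at the call site. Whether PolicyEngine and RangerAccessRequestProcessor expose mutating operations is not visible in this chunk. The new count accessors in RangerPolicyRepository are fine as written.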
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java @@ -566,6 +566,22 @@ public class RangerPolicyRepository { return policyEvaluators; } +public int getPolicyEvaluatorCount() { +return policyEvaluators.size(); +} + +public int getDataMaskPolicyEvaluatorCount() { +return dataMaskPolicyEvaluators.size(); +} + +public int getRowFilterPolicyEvaluatorCount() { +return rowFilterPolicyEvaluators.size(); +} + +public int getAuditPolicyEvaluatorCount() { +return auditPolicyEvaluators.size(); +} + List getDataMaskPolicyEvaluators() { return dataMaskPolicyEvaluators; } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index ba1467828..b1e2ecbcc 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -1137,6 +1137,10 @@ public class RangerBasePlugin { return baseACLs; } + protected RangerPolicyEngine getPolicyEngine() { + return policyEngine; + } + private RangerAdminClient getAdminClient() throws Exception { PolicyRefresher refresher = this.refresher; RangerAdminClient admin = refresher == null ? null : refresher.getRangerAdminClient();
[ranger] branch master updated: RANGER-4007: HDFS Authorizer changes to take advantage of support for multiple access-types in the Ranger Access Request
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new fdc527b54 RANGER-4007: HDFS Authorizer changes to take advantage of support for multiple access-types in the Ranger Access Request fdc527b54 is described below commit fdc527b542bab6f101f530b39bf688a11e16b352 Author: Abhay Kulkarni AuthorDate: Thu Dec 8 19:07:57 2022 -0800 RANGER-4007: HDFS Authorizer changes to take advantage of support for multiple access-types in the Ranger Access Request --- .../authorization/hadoop/RangerHdfsAuthorizer.java | 43 +- 1 file changed, 18 insertions(+), 25 deletions(-) diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java index ef6f4f865..9b1279bcb 100644 --- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java +++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java @@ -199,7 +199,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider { return rangerPlugin.getConfig(); } - private enum AuthzStatus { ALLOW, DENY, NOT_DETERMINED }; + private enum AuthzStatus { ALLOW, DENY, NOT_DETERMINED } class RangerAccessControlEnforcer implements AccessControlEnforcer { private INodeAttributeProvider.AccessControlEnforcer defaultEnforcer = null; 
@@ -716,11 +716,12 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider { accessTypes = access2ActionListMapper.get(FsAction.NONE); } - for(String accessType : accessTypes) { - RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(inode, path, pathOwner, access, accessType, context.operationName, context.user, context.userGroups); + if (accessTypes.size() > 0) { + RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(inode, path, pathOwner, access, accessTypes.iterator().next(), context.operationName, context.user, context.userGroups); - Map requestContext = request.getContext(); - requestContext.put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, accessTypes); + if (accessTypes.size() > 1) { + RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), accessTypes); + } RangerAccessResult result = context.plugin.isAccessAllowed(request, context.auditHandler); @@ -728,14 +729,10 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider { if (result == null || !result.getIsAccessDetermined()) { ret = AuthzStatus.NOT_DETERMINED; - // don't break yet; subsequent accessType could be denied - } else if(! result.getIsAllowed()) { // explicit deny + } else if (!result.getIsAllowed()) { // explicit deny ret = AuthzStatus.DENY; - break; } else { // allowed - if(!AuthzStatus.NOT_DETERMINED.equals(ret)) { // set to ALLOW only if there was no NOT_DETERMINED earlier - ret = AuthzStatus.ALLOW; - } + ret = AuthzStatus.ALLOW; } } 
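Review bot: The rewritten block at @@ -716 sends one request whose primary accessType is `accessTypes.iterator().next()` and stashes the full set in the context only when there is more than one, but nothing in the hunk says whether the engine then requires all of them or any of them; the removed loop enforced the conjunctive reading explicitly (`// don't break yet; subsequent accessType could be denied`, with NOT_DETERMINED winning over ALLOW), and that requirement now lives entirely in the engine. A comment above the call, `// every access type in the set must be allowed; the 2-arg setAllRequestedAccessTypes leaves ISANYACCESS unset so the engine evaluates them conjunctively`, would pin it down, assuming that is how RangerAccessRequestUtil.setAllRequestedAccessTypes and the evaluator behave (neither is in this chunk). The same structure is repeated at @@ -782, which runs past this chunk, and the @@ -199 enum change is trivial.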
@@ -782,11 +779,12 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider { } subDirPath = subDirPath + rangerPlugin.getRandomizedWildcardPathName(); - for (String accessType : accessTypes) { - RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(null, subDirPath, pathOwner, access, accessType, context.operationName, context.user, context.userGroups); + if (accessTypes.size() > 0) { + RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(null, subDirPath, pathOwner, access, accessTypes.iterator().next(), context.operationName, context.user, context.userGroups); - Map requestContext = request.getContext(); - requestCo
[ranger] branch master updated: RANGER-3999: Implement more efficient way to handle _any access authorization
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 56d5bf917 RANGER-3999: Implement more efficient way to handle _any access authorization 56d5bf917 is described below commit 56d5bf9173dc2c6d04692a07e67eace5e5d98ed4 Author: Abhay Kulkarni AuthorDate: Tue Dec 6 14:25:10 2022 -0800 RANGER-3999: Implement more efficient way to handle _any access authorization --- .../policyengine/RangerAccessRequestWrapper.java | 105 + .../policyengine/RangerPolicyEngineImpl.java | 37 ++-- .../RangerDefaultPolicyEvaluator.java | 95 +-- .../RangerOptimizedPolicyEvaluator.java| 6 ++ .../plugin/util/RangerAccessRequestUtil.java | 13 ++- 5 files changed, 218 insertions(+), 38 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java new file mode 100644 index 0..6aec330d7 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java 
@@ -0,0 +1,105 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.policyengine; + +import org.apache.commons.lang.StringUtils; + +import java.util.Date; +import java.util.List; +import java.util.Map; +import java.util.Set; + +public class RangerAccessRequestWrapper implements RangerAccessRequest { + +private final RangerAccessRequest request; +private final String accessType; +private final boolean isAccessTypeAny; +private final boolean isAccessTypeDelegatedAdmin; + + +public RangerAccessRequestWrapper(RangerAccessRequest request, String accessType) { +this.request= request; +this.accessType = accessType; +this.isAccessTypeAny= StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS); +this.isAccessTypeDelegatedAdmin = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS); +} + +@Override +public RangerAccessResource getResource() { return request.getResource(); } + +@Override +public String getAccessType() { return accessType; } + +@Override +public boolean isAccessTypeAny() { return isAccessTypeAny; } + +@Override +public boolean isAccessTypeDelegatedAdmin() { return isAccessTypeDelegatedAdmin; } + +@Override +public String getUser() { return 
request.getUser(); } + +@Override +public Set getUserGroups() { return request.getUserGroups(); } + +@Override +public Set getUserRoles() {return request.getUserRoles(); } + +@Override +public Date getAccessTime() { return request.getAccessTime(); } + +@Override +public String getClientIPAddress() { return request.getClientIPAddress(); } + +@Override +public String getRemoteIPAddress() { return request.getRemoteIPAddress(); } + +@Override +public List getForwardedAddresses() { return request.getForwardedAddresses(); } + +@Override +public String getClientType() { return request.getClientType(); } + +@Override +public String getAction() { return request.getAction(); } + +@Override +public String getRequestData() { return request.getRequestData(); } + +@Override +public String getSessionId() { return request.getSessionId(); } + +@Override +public String getClusterName() { return request.getClusterName(); } + +@Override +public String getClusterType() { return request.getClusterType(); } + +@Override +public Map getContext() { return request.getContext(); } + +@Override +public RangerAccessRequest getReadOnlyCopy() { return request.getReadOnlyCopy(); } + +@Override +public ResourceMatchingScope getResourceMatchingScope() { return request.getResourceMatchingScope(); } + +} + diff --git a/agents-common/src/
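Review bot: `getReadOnlyCopy()` delegates to the wrapped request, so the copy reports the original access type rather than the `accessType` this wrapper exists to substitute — the overrides in `getAccessType()`, `isAccessTypeAny()` and `isAccessTypeDelegatedAdmin()` are lost on the copy. If any consumer (audit, result caching) keeps the copy, it would see a different access type than the request that was actually evaluated; wrapping the copy keeps them consistent: `return new RangerAccessRequestWrapper(request.getReadOnlyCopy(), accessType);`. The class also defines no `toString()`, so a log of the wrapper prints only the identity hash; delegating to `request.toString()` with the substituted access type appended would make debug and audit output readable. Finally `request` is not null-checked in the constructor; `Objects.requireNonNull(request, "request")` fails early instead of on the first delegated call.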
[ranger] branch master updated: RANGER-3995: Policy update request fails if isDenyAllElse flag is set true in request json when using /policy/apply API
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 64d106579 RANGER-3995: Policy update request fails if isDenyAllElse flag is set true in request json when using /policy/apply API 64d106579 is described below commit 64d1065795f63111dd75ce50d5dde677025aad3c Author: Abhay Kulkarni AuthorDate: Tue Dec 6 10:01:06 2022 -0800 RANGER-3995: Policy update request fails if isDenyAllElse flag is set true in request json when using /policy/apply API --- .../java/org/apache/ranger/rest/ServiceREST.java | 4 + .../org/apache/ranger/rest/ServiceRESTUtil.java| 154 + 2 files changed, 100 insertions(+), 58 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 99eedfe7d..e17494fa9 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -1752,6 +1752,10 @@ public class ServiceREST { } if(mergeIfExists) { + if (!existingPolicy.getIsDenyAllElse() && policy.getIsDenyAllElse()) { + LOG.error("Attempt to change the isDenyAllElse flag from false to true! Not supported!!"); + throw new Exception("Merging existing policy(isDenyAllElse=false) with another policy(isDenyAllElse=true) is not allowed!"); + } ServiceRESTUtil.processApplyPolicy(existingPolicy, policy); policy = existingPolicy; } else { diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java index b56fd3966..60e34c0c7 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
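Review bot: The new guard unboxes `existingPolicy.getIsDenyAllElse()` and `policy.getIsDenyAllElse()` directly; if either accessor returns a boxed `Boolean` that may be null (an applied policy parsed from request JSON that omits the flag is the likely case — confirm against `RangerPolicy`), the merge path throws a `NullPointerException` instead of the intended message. A null-safe form is `if (!Boolean.TRUE.equals(existingPolicy.getIsDenyAllElse()) && Boolean.TRUE.equals(policy.getIsDenyAllElse())) {`. The rejection is also raised as a bare `new Exception(...)`, which the enclosing handler (outside the hunk) presumably maps to a generic server error; a client-input problem like this should surface as a 400-class validation error so callers can tell it from a backend failure. The enclosing method starts and ends outside the hunk.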
@@ -219,9 +219,7 @@ public class ServiceRESTUtil { if (ServiceRESTUtil.containsRangerCondition(existingPolicy) || ServiceRESTUtil.containsRangerCondition(appliedPolicy)) { LOG.info("Applied policy [" + appliedPolicy + "] or existing policy [" + existingPolicy + "] contains condition(s). Combining two policies."); combinePolicy(existingPolicy, appliedPolicy); - } else { - processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW); processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY); processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS); @@ -234,33 +232,52 @@ public class ServiceRESTUtil { } static private void combinePolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) { + combinePolicyItems(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW); + combinePolicyItems(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY); + combinePolicyItems(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS); + combinePolicyItems(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS); + } + static private void combinePolicyItems(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE polityItemType) { + List existingPolicyItems; List appliedPolicyItems; - // Combine allow policy-items - appliedPolicyItems = appliedPolicy.getPolicyItems(); - if (CollectionUtils.isNotEmpty(appliedPolicyItems)) { - existingPolicy.getPolicyItems().addAll(appliedPolicyItems); - } - - // Combine deny policy-items - appliedPolicyItems = appliedPolicy.getDenyPolicyItems(); - if (CollectionUtils.isNotEmpty(appliedPolicyItems)) { - existingPolicy.getDenyPolicyItems().addAll(appliedPolicyItems); - } - - // Combine allow-exception policy-items - appliedPolicyItems = appliedPolicy.getAllowExceptions(); - if (CollectionUtils.isNotEmpty(appliedPolicyItems)) { - existingPolicy.getAllowExceptions().addAll(appliedPolicyItems); + sw
[ranger] branch master updated: RANGER-3913: Reduce number of calls to FilenameUtils.wildcardMatch() when evaluating resource matching
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 32a4b1a76 RANGER-3913: Reduce number of calls to FilenameUtils.wildcardMatch() when evaluating resource matching 32a4b1a76 is described below commit 32a4b1a76c06b0306a59b4d8df3f1521243d3a2b Author: Abhay Kulkarni AuthorDate: Thu Sep 29 07:13:21 2022 -0700 RANGER-3913: Reduce number of calls to FilenameUtils.wildcardMatch() when evaluating resource matching --- .../resourcematcher/RangerPathResourceMatcher.java | 62 ++ 1 file changed, 52 insertions(+), 10 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java index a95b1f73f..5fa5b68d4 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java @@ -142,7 +142,7 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher { return ret; } - static boolean isRecursiveWildCardMatch(String pathToCheck, String wildcardPath, Character pathSeparatorChar, IOCase caseSensitivity) { + static boolean isRecursiveWildCardMatch(String pathToCheck, String wildcardPath, Character pathSeparatorChar, IOCase caseSensitivity, String[] wildcardPathElements) { boolean ret = false; 
@@ -156,16 +156,42 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher { sb.append(pathSeparatorChar); // preserve the initial pathSeparatorChar } - for(String p : pathElements) { + int pathElementIndex = 0; + boolean useStringMatching= true; + + for (String p : pathElements) { sb.append(p); - ret = FilenameUtils.wildcardMatch(sb.toString(), wildcardPath, caseSensitivity); + if (useStringMatching) { + if (wildcardPathElements.length > pathElementIndex) { + String wp = wildcardPathElements[pathElementIndex]; + + if (!(StringUtils.contains(wp, '*') || StringUtils.contains(wp, '?'))) { + boolean isMatch = caseSensitivity.isCaseSensitive() ? StringUtils.equals(p, wp) : StringUtils.equalsIgnoreCase(p, wp); + if (!isMatch) { + useStringMatching = false; + break; + } + } else { + useStringMatching = false; + } + } else { + useStringMatching = false; + } + } - if (ret) { - break; + if (!useStringMatching) { + ret = FilenameUtils.wildcardMatch(sb.toString(), wildcardPath, caseSensitivity); + if (ret) { + break; + } } sb.append(pathSeparatorChar); + pathElementIndex++; + } + if (useStringMatching && pathElements.length == wildcardPathElements.length) { // Loop finished normally and all sub-paths string-matched.. + ret = true; } sb = null; @@ -261,6 +287,10 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher { R apply(T t, U u, V v, W w); } + interface QuintFunction { + R apply(
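Review bot: The fast path changes the result when `wildcardPath` contains no `*`/`?` and `pathToCheck` has more elements than it: every wildcard element matches literally, then on the next element the `wildcardPathElements.length > pathElementIndex` check fails and `FilenameUtils.wildcardMatch` is asked only about the longer prefix, so the exact-length prefix that the old loop would have matched is never tested and the method returns false. Current callers may only reach this helper when a wildcard is present (decided outside the hunk), but it is a package-visible static method, so either guard for that or make the exhausted-wildcard case a match: in the `else` that currently only sets `useStringMatching = false`, use `ret = true; break;` when `pathElementIndex == wildcardPathElements.length` (with `useStringMatching` still true, every earlier element matched literally, so the shorter prefix equals `wildcardPath`). The helper also assumes `wildcardPathElements` was split with the same `pathSeparatorChar` and leading-separator handling as `pathElements`; a one-line comment on the new parameter stating that contract would save the next reader a trace. The method's tail (`sb = null` onwards) runs past the hunk.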
[ranger] branch master updated: RANGER-3858: On dev-support, service creation and ranger-kafka-plugin setup are failed
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new e7cd999f0 RANGER-3858: On dev-support, service creation and ranger-kafka-plugin setup are failed e7cd999f0 is described below commit e7cd999f09139c8bb973e138b7cae487f5d33327 Author: Yubo Li AuthorDate: Wed Aug 24 16:45:12 2022 -0700 RANGER-3858: On dev-support, service creation and ranger-kafka-plugin setup are failed --- dev-support/ranger-docker/scripts/create-ranger-services.py | 4 +++- dev-support/ranger-docker/scripts/ranger-kafka-setup.sh | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/dev-support/ranger-docker/scripts/create-ranger-services.py b/dev-support/ranger-docker/scripts/create-ranger-services.py index 7ce541d66..f329d1f29 100644 --- a/dev-support/ranger-docker/scripts/create-ranger-services.py +++ b/dev-support/ranger-docker/scripts/create-ranger-services.py @@ -7,7 +7,9 @@ ranger_client = RangerClient('http://ranger:6080', ('admin', 'rangerR0cks!')) def service_not_exists(service): try: -ranger_client.get_service(service.name) +res = ranger_client.get_service(service.name) +if res is None: +return 1 except JSONDecodeError: return 1 return 0 diff --git a/dev-support/ranger-docker/scripts/ranger-kafka-setup.sh b/dev-support/ranger-docker/scripts/ranger-kafka-setup.sh index c6edce6b9..51c91195f 100755 --- a/dev-support/ranger-docker/scripts/ranger-kafka-setup.sh +++ b/dev-support/ranger-docker/scripts/ranger-kafka-setup.sh @@ -29,4 +29,5 @@ cd ${RANGER_HOME}/ranger-kafka-plugin sed -i 's/localhost:2181/ranger-zk.example.com:2181/' ${KAFKA_HOME}/config/server.properties +echo >> ${KAFKA_HOME}/config/server.properties echo "authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer" >> ${KAFKA_HOME}/config/server.properties
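Review bot: The new `if res is None: return 1` branch treats any `None` from `get_service` as "service does not exist", which is right for a not-found reply but also swallows whatever other condition makes the client return `None` (a rejected login or a non-JSON error body, if the client maps those to `None` — verify in `RangerClient.get_service`); the script would then go on to create services it could not actually look up. At minimum log the name before returning, e.g. `print(f"service {service.name} not found; creating it")`, so a failed lookup is visible in the container log. The `except JSONDecodeError` fallback from before the change is kept; if `None` is now the not-found signal, that handler is either dead or masks a genuinely malformed response, and a comment should say which.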
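Review bot: The two `echo ... >> ${KAFKA_HOME}/config/server.properties` lines are not idempotent: every re-run of the setup script appends another blank line and another `authorizer.class.name=` entry, and in a Java properties file the later definition typically wins, so the file silently accumulates duplicates. Guard the append, e.g. `grep -q '^authorizer.class.name=' ${KAFKA_HOME}/config/server.properties || { echo; echo "authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer"; } >> ${KAFKA_HOME}/config/server.properties`. The bare `echo` exists only to cope with a `server.properties` that lacks a trailing newline; a comment saying so (`# ensure we start on a fresh line`) would stop someone from removing it as noise.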
[ranger] branch master updated: RANGER-3864: Spurious creation of service-resource objects in Ranger
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new dc609a2e2 RANGER-3864: Spurious creation of service-resource objects in Ranger dc609a2e2 is described below commit dc609a2e24fee741616e9d6fb7a77290e5b180b4 Author: Abhay Kulkarni AuthorDate: Tue Aug 23 21:55:47 2022 -0700 RANGER-3864: Spurious creation of service-resource objects in Ranger --- .../apache/ranger/rest/ServiceTagsProcessor.java | 5 .../source/atlas/AtlasNotificationMapper.java | 4 ++-- .../tagsync/source/atlas/AtlasTagSource.java | 28 ++ 3 files changed, 25 insertions(+), 12 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java index b256e2838..1d6c48a4e 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java @@ -396,6 +396,11 @@ public class ServiceTagsProcessor { } tagStore.refreshServiceResource(resourceInStore.getId()); RangerPerfTracer.logAlways(perf); + } else { + if (CollectionUtils.isEmpty(tagIds)) { + // No tags associated with the resource - delete the resource too + tagStore.deleteServiceResource(resourceInStore.getId()); + } } } } diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java index 1b81bafae..dadc76a54 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasNotificationMapper.java 
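Review bot: The new `else` branch deletes the stored service-resource without any log line, whereas the sibling refresh path at least records a perf entry; removing a service-resource changes which tag-based policies apply to it, so the deletion should be visible in the admin log, e.g. `LOG.info("No tags associated with serviceResource id=" + resourceInStore.getId() + "; deleting it");` before the `deleteServiceResource` call (assuming the class's usual `LOG`). It is also worth confirming that an empty `tagIds` here can only mean "the source reports no classifications" and never "the notification carried no classification data": the tagsync change in this same commit skips logging for entity-create notifications with empty classifications, and such a notification reaching this branch would delete a resource that still carries tags at the source. The enclosing method starts and ends outside the hunk.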
@@ -44,7 +44,7 @@ public class AtlasNotificationMapper { private static finalLogger LOG = LoggerFactory.getLogger(AtlasNotificationMapper.class); private static Map unhandledEventTypes = new HashMap<>(); -private static void logUnhandledEntityNotification(EntityNotificationWrapper entityNotification) { +public static void logUnhandledEntityNotification(EntityNotificationWrapper entityNotification) { boolean skipLogging = entityNotification.getIsEntityCreateOp() && entityNotification.getIsEmptyClassifications(); @@ -110,7 +110,7 @@ public class AtlasNotificationMapper { return ret; } -static private boolean isNotificationHandled(EntityNotificationWrapper entityNotification) { +public static boolean isNotificationHandled(EntityNotificationWrapper entityNotification) { boolean ret = false; EntityNotificationWrapper.NotificationOpType opType = entityNotification.getOpType(); diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java index 2f93ebd31..1a3ddecb5 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java @@ -212,14 +212,20 @@ public class AtlasTagSource extends AbstractTagSource { LOG.debug("Message-offset=" + message.getOffset() + ", Notification=" + getPrintableEntityNotification(notificationWrapper)); } - RangerAtlasEntityWithTags entityWithTags = new RangerAtlasEntityWithTags(notificationWrapper); + if (AtlasNotificationMapper.isNotificationHandled(notificationWrapper)) { - if ((notificationWrapper.getIsEntityDeleteOp() && !isHandlingDeleteOps) || (!notificationWrapper.getIsEntityDeleteOp() && isHandlingDeleteOps)) { - buildAndUploadServiceTags(); - isHandlingDeleteOps = !isHandlingDeleteOps; +
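Review bot: `isNotificationHandled` and `logUnhandledEntityNotification` are widened from `private` to `public`, but their new caller `AtlasTagSource` lives in the same `org.apache.ranger.tagsync.source.atlas` package (per the file paths in this diff), so package-private (no modifier) is enough and keeps these helpers — which read and write the non-final static `unhandledEventTypes` map — out of the plugin's public surface. If `public` is intended, a Javadoc line on each stating what "handled" means (which values of `entityNotification.getOpType()` qualify, decided below the hunk) would help callers outside the package. The `AtlasTagSource` hunk that consumes them is cut off at the end of this chunk.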
[ranger] branch master updated: RANGER-3861: Allow service creator user to create users/groups/roles in default policies
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 9e11e9ec9 RANGER-3861: Allow service creator user to create users/groups/roles in default policies 9e11e9ec9 is described below commit 9e11e9ec9d042fdbed9d14f278304517f31ec728 Author: Abhay Kulkarni AuthorDate: Tue Aug 23 13:34:21 2022 -0700 RANGER-3861: Allow service creator user to create users/groups/roles in default policies --- .../apache/ranger/plugin/store/ServiceStore.java | 2 + .../org/apache/ranger/biz/PolicyRefUpdater.java| 6 +-- .../java/org/apache/ranger/biz/RoleRefUpdater.java | 2 +- .../java/org/apache/ranger/biz/ServiceDBStore.java | 60 +++--- .../main/java/org/apache/ranger/biz/XUserMgr.java | 22 +++- .../PatchForKafkaServiceDefUpdate_J10025.java | 32 +++- .../PatchForKafkaServiceDefUpdate_J10033.java | 34 ++-- ...atchForMigratingOldRegimePolicyJson_J10046.java | 16 +- .../patch/PatchForUpdatingPolicyJson_J10019.java | 16 +- .../org/apache/ranger/biz/TestServiceDBStore.java | 2 +- 10 files changed, 150 insertions(+), 42 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java index 6283e02f2..aecde05fb 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java @@ -71,6 +71,8 @@ public interface ServiceStore { RangerPolicy createPolicy(RangerPolicy policy) throws Exception; + RangerPolicy createDefaultPolicy(RangerPolicy policy) throws Exception; + RangerPolicy updatePolicy(RangerPolicy policy) throws Exception; void deletePolicy(RangerPolicy policy, RangerService service) throws Exception; 
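Review bot: `createDefaultPolicy` is added to the public `ServiceStore` interface with no Javadoc, and its one visible difference from `createPolicy` is a privilege one: elsewhere in this commit `PolicyRefUpdater` treats a default policy as created by an admin when auto-creating the users/groups/roles it references (`checkAdminAccess() || isDefaultPolicy`). That contract belongs on the interface so implementers and callers know not to route user-submitted policies through it. Suggested Javadoc: `/** Creates a policy that Ranger itself generates for a newly created service (its default policies). Unlike {@link #createPolicy}, users/groups/roles referenced by the policy may be created even when the caller lacks admin access; never call this with a client-supplied policy. */`.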
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java index 6c99df4e9..6cc3509d8 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java @@ -97,7 +97,7 @@ public class PolicyRefUpdater { @Autowired RESTErrorUtil restErrorUtil; - public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef) throws Exception { + public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef, boolean isDefaultPolicy) throws Exception { if(policy == null) { return; } @@ -168,7 +168,7 @@ public class PolicyRefUpdater { } daoMgr.getXXPolicyRefResource().batchCreate(xPolResources); - final boolean isAdmin = rangerBizUtil.checkAdminAccess(); + final boolean isAdmin = rangerBizUtil.checkAdminAccess() || isDefaultPolicy; List xPolRoles = new ArrayList<>(); for (String role : roleNames) { @@ -397,7 +397,7 @@ public class PolicyRefUpdater { ret = xUser.getId(); } } else { - LOG.error("serviceConfigUser:[" + name + "] creation failed"); + LOG.warn("serviceConfigUser:[" + name + "] creation failed. This may be a transient/spurious condition that may correct itself when transaction is committed"); } } break; diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java index 66adac2b5..56f7ec4c8 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java 
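Review bot: `final boolean isAdmin = rangerBizUtil.checkAdminAccess() || isDefaultPolicy;` turns the new `isDefaultPolicy` parameter into an unconditional bypass of the admin check for the principal-creation logic that follows, and nothing in the public `createNewPolMappingForRefTable` verifies that the flag is only set from the default-policy path. A comment on that line should state the invariant the commit relies on, e.g. `// isDefaultPolicy is true only for policies Ranger generates during service creation; it must never be derived from a client request, since it lets referenced users/groups/roles be created without admin access`. If `ServiceDBStore` is the only caller passing `true`, consider keeping the old three-argument signature as the public entry (delegating with `false`) and making the four-argument form package-private, so the bypass cannot be picked up by a future REST path. The method body runs past the hunk on both sides.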
@@ -296,7 +296,7 @@ public class RoleRefUpdater { ret = xUser.getId(); } } else {
- LOG.error("serviceConfigUser:[" + name + "] creation failed");
+ LOG.warn("serviceConfigUser:[" + name + "] creation failed. This may be a transient/spurious condition that may correct itself when transaction is committed");
[ranger] branch ranger-2.3 updated: RANGER-3606: Addendum to: 'remove unnecessary static members from plugin class loaders' - Cannot find plugin-class-loader for TAG service-type in JDK11
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.3 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.3 by this push: new e194002e3 RANGER-3606: Addendum to: 'remove unnecessary static members from plugin class loaders' - Cannot find plugin-class-loader for TAG service-type in JDK11 e194002e3 is described below commit e194002e3f235802a3a512fa75854ed19e4e4266 Author: Abhay Kulkarni AuthorDate: Thu Jun 2 21:48:32 2022 -0700 RANGER-3606: Addendum to: 'remove unnecessary static members from plugin class loaders' - Cannot find plugin-class-loader for TAG service-type in JDK11 --- .../ranger/plugin/util/ScriptEngineUtil.java | 12 -- .../classloader/RangerPluginClassLoader.java | 47 -- 2 files changed, 35 insertions(+), 24 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java index 79a702a8f..580ebd0da 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java @@ -36,6 +36,9 @@ public class ScriptEngineUtil { public static ScriptEngine createScriptEngine(String engineName, String serviceType) { +if (LOG.isDebugEnabled()) { +LOG.debug("==> ScriptEngineUtil.createScriptEngine(engineName=" + engineName + ", serviceType=" + serviceType + ")"); +} ScriptEngine ret = null; try { 
@@ -58,9 +61,10 @@ public class ScriptEngineUtil { LOG.error("RangerScriptConditionEvaluator.init() failed", exp); } +LOG.debug((ret == null ? " Failed to create " : " Created ") + "Script Engine '" + engineName + "' in a default manner."); + if (ret == null) { -LOG.warn("failed to initialize script engine '" + engineName + "' in a default manner." + - " Will try to get script-engine from plugin-class-loader"); +LOG.warn("Will try to get script-engine from plugin-class-loader for service-type:[" + serviceType + "]"); RangerPluginClassLoader pluginClassLoader; @@ -76,7 +80,9 @@ public class ScriptEngineUtil { LOG.error("RangerScriptConditionEvaluator.init() failed", exp); } } - +if (LOG.isDebugEnabled()) { +LOG.debug("<== ScriptEngineUtil.createScriptEngine(engineName=" + engineName + ", serviceType=" + serviceType + ") : ret=" + ret); +} return ret; } } diff --git a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java index 7ed776ecb..a2c744711 100644 --- a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java +++ b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java @@ -19,7 +19,6 @@ package org.apache.ranger.plugin.classloader; -import java.io.IOException; import java.net.URL; import java.net.URLClassLoader; import java.security.AccessController; @@ -43,6 +42,8 @@ import javax.script.ScriptEngineManager; public class RangerPluginClassLoader extends URLClassLoader { private static final Logger LOG = LoggerFactory.getLogger(RangerPluginClassLoader.class); +private static final String TAG_SERVICE_TYPE = "tag"; + private static final Map pluginClassLoaders = new HashMap<>(); private final MyClassLoadercomponentClassLoader; 
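Review bot: After this hunk the WARN emitted when the default script-engine lookup fails no longer says that it failed, nor which engine: the old `failed to initialize script engine '...' in a default manner` text is replaced by `Will try to get script-engine from plugin-class-loader for service-type:[...]`, and the failure itself is now only visible at DEBUG via the new `LOG.debug(...)` line. An operator reading at the default level sees an intention without a cause; keep both facts in the WARN: `LOG.warn("failed to initialize script engine '" + engineName + "' in a default manner; will try plugin-class-loader for service-type:[" + serviceType + "]");`. The new `LOG.debug` also concatenates unconditionally while the surrounding code guards with `LOG.isDebugEnabled()`; either guard it or, if `LOG` is an SLF4J logger, use the parameterised form `LOG.debug("{} Script Engine '{}' in a default manner.", ret == null ? "Failed to create" : "Created", engineName)`.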
@@ -52,12 +53,8 @@ public class RangerPluginClassLoader extends URLClassLoader { super(RangerPluginClassLoaderUtil.getInstance().getPluginFilesForServiceTypeAndPluginclass(pluginType, pluginClass), null); componentClassLoader = AccessController.doPrivileged( -new PrivilegedAction() { -public MyClassLoader run() { -return new MyClassLoader(Thread.currentThread().getContextClassLoader()); -} -} -); +(PrivilegedAction) () -> new MyClassLoader(Thread.currentThread().getContextClassLoader()) +); } public static RangerPluginClassLoader getInstance(final String pluginType, final Class pluginClass ) throws Exception { @@ -70,12 +67,8 @@ public clas
[ranger] branch master updated: RANGER-3606: Addendum to: 'remove unnecessary static members from plugin class loaders' - Cannot find plugin-class-loader for TAG service-type in JDK11
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new d0a6d3018 RANGER-3606: Addendum to: 'remove unnecessary static members from plugin class loaders' - Cannot find plugin-class-loader for TAG service-type in JDK11 d0a6d3018 is described below commit d0a6d30182fe76f66c559539c0734b9e28c8c5c4 Author: Abhay Kulkarni AuthorDate: Thu Jun 2 21:48:32 2022 -0700 RANGER-3606: Addendum to: 'remove unnecessary static members from plugin class loaders' - Cannot find plugin-class-loader for TAG service-type in JDK11 --- .../ranger/plugin/util/ScriptEngineUtil.java | 12 -- .../classloader/RangerPluginClassLoader.java | 47 -- 2 files changed, 35 insertions(+), 24 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java index 79a702a8f..580ebd0da 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java @@ -36,6 +36,9 @@ public class ScriptEngineUtil { public static ScriptEngine createScriptEngine(String engineName, String serviceType) { +if (LOG.isDebugEnabled()) { +LOG.debug("==> ScriptEngineUtil.createScriptEngine(engineName=" + engineName + ", serviceType=" + serviceType + ")"); +} ScriptEngine ret = null; try { 
@@ -58,9 +61,10 @@ public class ScriptEngineUtil { LOG.error("RangerScriptConditionEvaluator.init() failed", exp); } +LOG.debug((ret == null ? " Failed to create " : " Created ") + "Script Engine '" + engineName + "' in a default manner."); + if (ret == null) { -LOG.warn("failed to initialize script engine '" + engineName + "' in a default manner." + - " Will try to get script-engine from plugin-class-loader"); +LOG.warn("Will try to get script-engine from plugin-class-loader for service-type:[" + serviceType + "]"); RangerPluginClassLoader pluginClassLoader; @@ -76,7 +80,9 @@ public class ScriptEngineUtil { LOG.error("RangerScriptConditionEvaluator.init() failed", exp); } } - +if (LOG.isDebugEnabled()) { +LOG.debug("<== ScriptEngineUtil.createScriptEngine(engineName=" + engineName + ", serviceType=" + serviceType + ") : ret=" + ret); +} return ret; } } diff --git a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java index 7ed776ecb..a2c744711 100644 --- a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java +++ b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java @@ -19,7 +19,6 @@ package org.apache.ranger.plugin.classloader; -import java.io.IOException; import java.net.URL; import java.net.URLClassLoader; import java.security.AccessController; @@ -43,6 +42,8 @@ import javax.script.ScriptEngineManager; public class RangerPluginClassLoader extends URLClassLoader { private static final Logger LOG = LoggerFactory.getLogger(RangerPluginClassLoader.class); +private static final String TAG_SERVICE_TYPE = "tag"; + private static final Map pluginClassLoaders = new HashMap<>(); private final MyClassLoadercomponentClassLoader; 
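Review bot: The reworded WARN drops the two facts an operator needs — that creating the script engine the default way failed, and the engine name — leaving only `Will try to get script-engine from plugin-class-loader for service-type:[...]`; the failure is now reported solely by the new unguarded `LOG.debug(...)` line. Restore them in the WARN, e.g. `LOG.warn("failed to initialize script engine '" + engineName + "' in a default manner; will try plugin-class-loader for service-type:[" + serviceType + "]");`. The new `LOG.debug` should also follow the file's `LOG.isDebugEnabled()` convention or use the parameterised SLF4J form (if `LOG` is SLF4J) rather than concatenating at every call.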
@@ -52,12 +53,8 @@ public class RangerPluginClassLoader extends URLClassLoader { super(RangerPluginClassLoaderUtil.getInstance().getPluginFilesForServiceTypeAndPluginclass(pluginType, pluginClass), null); componentClassLoader = AccessController.doPrivileged( -new PrivilegedAction() { -public MyClassLoader run() { -return new MyClassLoader(Thread.currentThread().getContextClassLoader()); -} -} -); +(PrivilegedAction) () -> new MyClassLoader(Thread.currentThread().getContextClassLoader()) +); } public static RangerPluginClassLoader getInstance(final String pluginType, final Class pluginClass ) throws Exception { @@ -70,12 +67,8 @@ public clas
[ranger] branch master updated: RANGER-3670: Avoid unnecessary entries in transaction log table during policy updates
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 20f021c1e RANGER-3670: Avoid unnecessary entries in transaction log table during policy updates 20f021c1e is described below commit 20f021c1e642e74f99da8ebee594be21088e7fc3 Author: Abhishek Kumar AuthorDate: Tue May 31 09:00:31 2022 -0700 RANGER-3670: Avoid unnecessary entries in transaction log table during policy updates --- .../apache/ranger/service/RangerPolicyService.java | 299 - 1 file changed, 117 insertions(+), 182 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java index a7a0d6f0d..92aaaebdc 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java @@ -42,8 +42,6 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem; import org.apache.ranger.plugin.model.RangerValiditySchedule; import org.apache.ranger.plugin.util.JsonUtilsV2; -import org.codehaus.jackson.JsonParseException; -import org.codehaus.jackson.map.JsonMappingException; import org.codehaus.jackson.map.ObjectMapper; import org.codehaus.jackson.type.TypeReference; import org.slf4j.Logger; @@ -60,23 +58,23 @@ public class RangerPolicyService extends RangerPolicyServiceBase trxLogAttrs = new HashMap(); String actionCreate; 
@@ -86,23 +84,23 @@ public class RangerPolicyService extends RangerPolicyServiceBase xDataMaskDef = daoMgr.getXXDataMaskTypeDef().getAll(); - if(CollectionUtils.isNotEmpty(xDataMaskDef) && xDataMaskDef != null ) { + if(CollectionUtils.isNotEmpty(xDataMaskDef)) { for (XXDataMaskTypeDef xxDataMaskTypeDef : xDataMaskDef) { if(xxDataMaskTypeDef.getName().equalsIgnoreCase(policyItem.getDataMaskInfo().getDataMaskType())) { String label = xxDataMaskTypeDef.getLabel(); @@ -285,8 +275,7 @@ public class RangerPolicyService extends RangerPolicyServiceBase xDataMaskDef = daoMgr.getXXDataMaskTypeDef().getAll(); - if(CollectionUtils.isNotEmpty(xDataMaskDef) && xDataMaskDef != null ) { + if(CollectionUtils.isNotEmpty(xDataMaskDef)) { for (XXDataMaskTypeDef xxDataMaskTypeDef : xDataMaskDef) { if(xxDataMaskTypeDef.getName().equalsIgnoreCase(oldPolicyItem.getDataMaskInfo().getDataMaskType())) { String oldLabel = xxDataMaskTypeDef.getLabel(); @@ -379,7 +368,7 @@ public class RangerPolicyService extends RangerPolicyServiceBase obj = mapper.readValue(value, new TypeReference>() { -}); -List oldObj = mapper.readValue(oldValue, new TypeReference>() { -}); -int oldListSize = oldObj.size(); -int listSize = obj.size(); -if (oldListSize != listSize) { -return false; -} -for (String polItem : obj) { -if (!oldObj.contains(polItem)) { -return false; -} -} -return true; -} catch (JsonParseException e) { -throw restErrorUtil.createRESTException("Invalid input data: " + e.getMessage(), -MessageEnums.INVALID_INPUT_DATA); -} catch (JsonMappingException e) { -throw restErrorUtil.createRESTException("Invalid input data: " + e.getMessage(), -MessageEnums.INVALID_INPUT_DATA); -} catch (IOException e) { -throw restErrorUtil.createRESTException("Invalid input data: " + e.getMessage(), -MessageEnums.INVALID_INPUT_DATA); -
[ranger] branch master updated: RANGER:3777 Execute permissions required in init scripts to run containers
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 9181c20c2 RANGER:3777 Execute permissions required in init scripts to run containers 9181c20c2 is described below commit 9181c20c2b461ab413bad0c485d99b518352d107 Author: Abhishek Kumar AuthorDate: Tue May 31 08:57:39 2022 -0700 RANGER:3777 Execute permissions required in init scripts to run containers --- dev-support/ranger-docker/Dockerfile.ranger| 2 +- dev-support/ranger-docker/Dockerfile.ranger-hadoop | 4 ++- dev-support/ranger-docker/Dockerfile.ranger-hbase | 3 +- dev-support/ranger-docker/Dockerfile.ranger-hive | 3 +- dev-support/ranger-docker/Dockerfile.ranger-kafka | 3 +- dev-support/ranger-docker/Dockerfile.ranger-knox | 3 +- .../ranger-docker/Dockerfile.ranger-tagsync| 3 +- .../ranger-docker/Dockerfile.ranger-usersync | 3 +- dev-support/ranger-docker/README.md| 34 +++--- 9 files changed, 39 insertions(+), 19 deletions(-) diff --git a/dev-support/ranger-docker/Dockerfile.ranger b/dev-support/ranger-docker/Dockerfile.ranger index f5a1ed93f..b050b13c4 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger +++ b/dev-support/ranger-docker/Dockerfile.ranger @@ -33,7 +33,7 @@ RUNtar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz --direct && cp -f ${RANGER_SCRIPTS}/ranger-admin-install.properties ${RANGER_HOME}/admin/install.properties \ && mkdir -p /var/run/ranger \ && mkdir -p /var/log/ranger \ -&& chown -R ranger:ranger ${RANGER_HOME}/admin/ /var/run/ranger/ /var/log/ranger/ \ +&& chown -R ranger:ranger ${RANGER_HOME}/admin/ ${RANGER_SCRIPTS}/ /var/run/ranger/ /var/log/ranger/ \ && mkdir -p /usr/share/java/ FROM ranger AS ranger_postgres diff --git a/dev-support/ranger-docker/Dockerfile.ranger-hadoop b/dev-support/ranger-docker/Dockerfile.ranger-hadoop index f25bc0d8d..9970c7cb3 100644 
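Review bot: `chown -R ranger:ranger ... ${RANGER_SCRIPTS}/` in the Dockerfile.ranger hunk makes the unprivileged runtime user the owner of the scripts it executes, which grants write access as well as execute. The other images in this commit (Dockerfile.ranger-hadoop on the next line, Dockerfile.ranger-hbase after it) instead set the execute bit with `chmod 744` and chown only the single script that must run as another user, which is the narrower change and matches the commit title; `chmod 755 ${RANGER_SCRIPTS}/ranger.sh` (or the specific scripts copied above) would do the same here unless the ranger user genuinely needs to edit them. Since 744 on a root-owned file lets only root execute it, the hadoop and hbase entrypoints presumably run as root — a one-line comment next to those chmod lines stating that assumption would prevent a surprise when the image is later switched to a non-root user.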
--- a/dev-support/ranger-docker/Dockerfile.ranger-hadoop +++ b/dev-support/ranger-docker/Dockerfile.ranger-hadoop @@ -41,7 +41,9 @@ RUN tar xvfz /home/ranger/dist/hadoop-${HADOOP_VERSION}.tar.gz --directory=/opt/ tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-yarn-plugin.tar.gz --directory=/opt/ranger && \ ln -s /opt/ranger/ranger-${RANGER_VERSION}-yarn-plugin /opt/ranger/ranger-yarn-plugin && \ rm -f /home/ranger/dist/ranger-${RANGER_VERSION}-yarn-plugin.tar.gz && \ -cp -f /home/ranger/scripts/ranger-yarn-plugin-install.properties /opt/ranger/ranger-yarn-plugin/install.properties +cp -f /home/ranger/scripts/ranger-yarn-plugin-install.properties /opt/ranger/ranger-yarn-plugin/install.properties && \ +chmod 744 ${RANGER_SCRIPTS}/ranger-hadoop-setup.sh ${RANGER_SCRIPTS}/ranger-hadoop.sh ${RANGER_SCRIPTS}/ranger-hadoop-mkdir.sh && \ +chown hdfs:hadoop ${RANGER_SCRIPTS}/ranger-hadoop-mkdir.sh ENV HADOOP_HOME/opt/hadoop ENV HADOOP_CONF_DIR/opt/hadoop/etc/hadoop diff --git a/dev-support/ranger-docker/Dockerfile.ranger-hbase b/dev-support/ranger-docker/Dockerfile.ranger-hbase index 5a2f056a9..1a2eea461 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger-hbase +++ b/dev-support/ranger-docker/Dockerfile.ranger-hbase 
@@ -35,7 +35,8 @@ RUN tar xvfz /home/ranger/dist/hbase-${HBASE_VERSION}-bin.tar.gz --directory=/op tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-hbase-plugin.tar.gz --directory=/opt/ranger && \ ln -s /opt/ranger/ranger-${RANGER_VERSION}-hbase-plugin /opt/ranger/ranger-hbase-plugin && \ rm -f /home/ranger/dist/ranger-${RANGER_VERSION}-hbase-plugin.tar.gz && \ -cp -f /home/ranger/scripts/ranger-hbase-plugin-install.properties /opt/ranger/ranger-hbase-plugin/install.properties +cp -f /home/ranger/scripts/ranger-hbase-plugin-install.properties /opt/ranger/ranger-hbase-plugin/install.properties && \ +chmod 744 ${RANGER_SCRIPTS}/ranger-hbase-setup.sh ${RANGER_SCRIPTS}/ranger-hbase.sh ENV HBASE_HOME /opt/hbase ENV PATH /usr/java/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/hbase/bin diff --git a/dev-support/ranger-docker/Dockerfile.ranger-hive b/dev-support/ranger-docker/Dockerfile.ranger-hive index 9ef89b59a..fc09fdc38 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger-hive +++ b/dev-support/ranger-docker/Dockerfile.ranger-hive @@ -43,7 +43,8 @@ RUN tar xvfz /home/ranger/dist/apache-hive-${HIVE_VERSION}-bin.tar.gz --director tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-hive-plugin.tar.gz --directory=/opt/ranger && \ ln -s /opt/ranger/ranger-${RANGER_VERSION}-hive-plugin /opt/ranger/ranger-hive-plugin && \ rm -f /home/ranger/dist/ra
[ranger] branch ranger-2.3 updated: RANGER-3769: Removing a tag-service association from a service does not update policy engine
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.3 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.3 by this push: new 57a01c74e RANGER-3769: Removing a tag-service association from a service does not update policy engine 57a01c74e is described below commit 57a01c74e1d7c58377eb28c5ccea17f5e06490fe Author: Abhay Kulkarni AuthorDate: Wed May 18 20:07:19 2022 -0700 RANGER-3769: Removing a tag-service association from a service does not update policy engine --- .../apache/ranger/plugin/util/RangerPolicyDeltaUtil.java | 14 -- .../java/org/apache/ranger/biz/RangerPolicyAdminCache.java | 4 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java index 43a494093..e9223fe69 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java 
@@ -228,9 +228,19 @@ public class RangerPolicyDeltaUtil { LOG.warn("Downloaded ServicePolicies are [" + servicePolicies + "]"); ret = null; } else if (!isPoliciesExist && !isPolicyDeltasExist) { -LOG.warn("ServicePolicies do not contain any policies or policy-deltas!! There are no material changes in the policies."); +LOG.warn("ServicePolicies do not contain any policies or policy-deltas!!"); LOG.warn("Downloaded ServicePolicies are [" + servicePolicies + "]"); -ret = null; +if (servicePolicies.getPolicyDeltas() == null) { +if (LOG.isDebugEnabled()) { +LOG.debug("Complete set of servicePolicies is received. There may be a change to service. Forcing to create a new policy engine!"); +} +ret = false;// Force new policy engine creation from servicePolicies +} else { +if (LOG.isDebugEnabled()) { +LOG.debug("servicePolicy deltas are received. There are no material changes in the policies."); +} +ret = null; +} } else { ret = isPolicyDeltasExist; } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java index 053a41064..a52e07b9f 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java @@ -19,6 +19,7 @@ package org.apache.ranger.biz; +import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; import java.util.Map; @@ -161,6 +162,9 @@ public class RangerPolicyAdminCache { LOG.error("Old policy engine is null! Cannot apply deltas without old policy engine!"); } } else { + if (policies.getPolicies() == null) { + policies.setPolicies(new ArrayList<>()); + } policyAdmin = addPolicyAdmin(policies, roles, options); } } else {
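Review bot: `policies.setPolicies(new ArrayList<>())` in the RangerPolicyAdminCache hunk mutates the ServicePolicies instance passed in rather than a local copy, so any other holder of that object now observes an empty list where it previously saw null; if the instance is shared (cached or returned to a client) a defensive copy would be safer — the callers are outside the hunk, so this is inferred. In the RangerPolicyDeltaUtil hunk, a download with neither policies nor deltas and a null delta list now yields `ret = false`, i.e. an empty full download replaces the running policy engine; that is the intended fix for a removed tag-service association, but it also means any other path that can produce an empty full download would wipe the engine's policies, so the branch deserves a comment such as `// empty full download is treated as a service change (e.g. tag-service removed) and rebuilds the engine` instead of the trailing `ret = false;// Force ...`. The master commit on the next message carries the same two hunks, and the same points apply there.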
[ranger] branch master updated: RANGER-3769: Removing a tag-service association from a service does not update policy engine
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 48c0551b4 RANGER-3769: Removing a tag-service association from a service does not update policy engine 48c0551b4 is described below commit 48c0551b47c41d0b9688fd3cdbf6d2c894bac82c Author: Abhay Kulkarni AuthorDate: Wed May 18 20:07:19 2022 -0700 RANGER-3769: Removing a tag-service association from a service does not update policy engine --- .../apache/ranger/plugin/util/RangerPolicyDeltaUtil.java | 14 -- .../java/org/apache/ranger/biz/RangerPolicyAdminCache.java | 4 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java index 43a494093..e9223fe69 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java 
@@ -228,9 +228,19 @@ public class RangerPolicyDeltaUtil { LOG.warn("Downloaded ServicePolicies are [" + servicePolicies + "]"); ret = null; } else if (!isPoliciesExist && !isPolicyDeltasExist) { -LOG.warn("ServicePolicies do not contain any policies or policy-deltas!! There are no material changes in the policies."); +LOG.warn("ServicePolicies do not contain any policies or policy-deltas!!"); LOG.warn("Downloaded ServicePolicies are [" + servicePolicies + "]"); -ret = null; +if (servicePolicies.getPolicyDeltas() == null) { +if (LOG.isDebugEnabled()) { +LOG.debug("Complete set of servicePolicies is received. There may be a change to service. Forcing to create a new policy engine!"); +} +ret = false;// Force new policy engine creation from servicePolicies +} else { +if (LOG.isDebugEnabled()) { +LOG.debug("servicePolicy deltas are received. There are no material changes in the policies."); +} +ret = null; +} } else { ret = isPolicyDeltasExist; } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java index 1ca4415ae..a64e427c5 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java @@ -19,6 +19,7 @@ package org.apache.ranger.biz; +import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; import java.util.Map; @@ -159,6 +160,9 @@ public class RangerPolicyAdminCache { LOG.error("Old policy engine is null! Cannot apply deltas without old policy engine!"); } } else { + if (policies.getPolicies() == null) { + policies.setPolicies(new ArrayList<>()); + } policyAdmin = addPolicyAdmin(policies, roles, options); } } else {
[ranger] branch master updated: RANGER-3754: Chained plugins access evaluation result is not considered in some cases
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new f375e3606 RANGER-3754: Chained plugins access evaluation result is not considered in some cases f375e3606 is described below commit f375e3606226e00677a95f9260e2a6e5cbc09983 Author: Abhay Kulkarni AuthorDate: Thu May 12 10:41:09 2022 -0700 RANGER-3754: Chained plugins access evaluation result is not considered in some cases --- .../java/org/apache/ranger/plugin/service/RangerBasePlugin.java | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index f157475bf..b474de31c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 
@@ -1156,12 +1156,12 @@ public class RangerBasePlugin { int policyType = result.getPolicyType(); if (chainedResult.getIsAccessDetermined()) { // only if chained-result is definitive - // override if result is not definitive or chained-result is by a higher priority policy - overrideResult = !result.getIsAccessDetermined() || chainedResult.getPolicyPriority() > result.getPolicyPriority(); + // override if chained-result is by a higher priority policy or result is not definitive or the result is not-allowed and no matching Ranger policy found + overrideResult = chainedResult.getPolicyPriority() > result.getPolicyPriority() || !result.getIsAccessDetermined() || (!result.getIsAllowed() && result.getPolicyId() == -1L); if (!overrideResult) { - // override if chained-result is from the same policy priority, and if denies access - if (chainedResult.getPolicyPriority() == result.getPolicyPriority() && !chainedResult.getIsAllowed()) { + // override if chained-result is from the same policy priority, and if denies access with a specific policy id + if (chainedResult.getPolicyPriority() == result.getPolicyPriority() && (!chainedResult.getIsAllowed() && chainedResult.getPolicyId() != -1L)) { // let's not override if result is already denied if (result.getIsAllowed()) { overrideResult = true;
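Review bot: The new override condition repeats the `-1L` sentinel for "no matching policy" twice (`result.getPolicyId() == -1L`, `chainedResult.getPolicyId() != -1L`) without naming it; a constant such as `private static final long NO_POLICY_ID = -1L` (name constructed) or a small helper `isFromPolicy(RangerAccessResult r)` would make the precedence rule readable and keep both sites in sync. Because this branch decides whether a chained plugin's verdict replaces the primary plugin's default-deny, the enclosing method (which starts outside the hunk) should carry a Javadoc stating the override order in one place: higher-priority chained policy, then undetermined result, then default-deny with no policy match, then same-priority explicit deny from a real policy. The updated inline comment says "denies access with a specific policy id" while the code spells that as `!= -1L`; once the sentinel has a name the comment and code will read the same.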
[ranger] branch master updated: Revert "README.txt changes - to be rolled back"
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 2d8e8fd2b Revert "README.txt changes - to be rolled back" 2d8e8fd2b is described below commit 2d8e8fd2bf7688920ea418d69afc3fadaeab533f Author: Abhay Kulkarni AuthorDate: Wed May 11 12:13:43 2022 -0700 Revert "README.txt changes - to be rolled back" This reverts commit f27d16b483a58d16d4fe70cfb72712c366868e01. --- README.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.txt b/README.txt index 7c27b3b63..fce972ab1 100644 --- a/README.txt +++ b/README.txt @@ -102,4 +102,4 @@ Installation Process If the install.sh file does not exists, Execute ./enable--plugin.sh -6. Some comment +
[ranger] branch master updated: README.txt changes - to be rolled back
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new f27d16b48 README.txt changes - to be rolled back f27d16b48 is described below commit f27d16b483a58d16d4fe70cfb72712c366868e01 Author: Abhay Kulkarni AuthorDate: Wed May 11 12:13:02 2022 -0700 README.txt changes - to be rolled back --- README.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.txt b/README.txt index fce972ab1..7c27b3b63 100644 --- a/README.txt +++ b/README.txt @@ -102,4 +102,4 @@ Installation Process If the install.sh file does not exists, Execute ./enable--plugin.sh - +6. Some comment
[ranger] branch master updated: RANGER-3718: Installation scripts in docker require use of exit codes during setup
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 87a1dc459 RANGER-3718: Installation scripts in docker require use of exit codes during setup 87a1dc459 is described below commit 87a1dc45944e10717f4d715eb3a8527ee4571d4f Author: Abhishek Kumar AuthorDate: Mon May 9 14:38:40 2022 -0700 RANGER-3718: Installation scripts in docker require use of exit codes during setup --- dev-support/ranger-docker/scripts/ranger-hadoop.sh | 20 +++- dev-support/ranger-docker/scripts/ranger-hbase.sh| 15 --- dev-support/ranger-docker/scripts/ranger-hive.sh | 8 ++-- dev-support/ranger-docker/scripts/ranger-kafka.sh| 8 ++-- dev-support/ranger-docker/scripts/ranger-knox.sh | 15 --- dev-support/ranger-docker/scripts/ranger-tagsync.sh | 17 + dev-support/ranger-docker/scripts/ranger-usersync.sh | 17 + dev-support/ranger-docker/scripts/ranger.sh | 17 + 8 files changed, 90 insertions(+), 27 deletions(-) diff --git a/dev-support/ranger-docker/scripts/ranger-hadoop.sh b/dev-support/ranger-docker/scripts/ranger-hadoop.sh index 98eb51bf1..fca9b6f3e 100755 --- a/dev-support/ranger-docker/scripts/ranger-hadoop.sh +++ b/dev-support/ranger-docker/scripts/ranger-hadoop.sh @@ -32,12 +32,17 @@ then echo "ssh" > /etc/pdsh/rcmd_default - ${RANGER_SCRIPTS}/ranger-hadoop-setup.sh - su -c "${HADOOP_HOME}/bin/hdfs namenode -format" hdfs + if "${RANGER_SCRIPTS}"/ranger-hadoop-setup.sh; + then +su -c "${HADOOP_HOME}/bin/hdfs namenode -format" hdfs - CREATE_HDFS_DIR=true - touch ${HADOOP_HOME}/.setupDone +CREATE_HDFS_DIR=true + +touch "${HADOOP_HOME}"/.setupDone + else +echo "Ranger Hadoop Setup Script didn't complete proper execution." + fi fi su -c "${HADOOP_HOME}/sbin/start-dfs.sh" hdfs 
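Review bot: In the ranger-hadoop.sh hunk, when `"${RANGER_SCRIPTS}"/ranger-hadoop-setup.sh` fails the script only echoes a message and falls through to `su -c "${HADOOP_HOME}/sbin/start-dfs.sh" hdfs`, so a half-configured HDFS — possibly without the Ranger plugin enabled — still comes up and the container looks healthy; the commit title asks for exit codes, so the else branch should end with `exit 1`. The same fall-through appears in the ranger-hbase.sh, ranger-hive.sh and ranger-kafka.sh hunks on the following lines. Skipping the `.setupDone` marker on failure correctly makes the next start retry, but only if the container actually restarts, which the non-zero exit would guarantee.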
@@ -51,4 +56,9 @@ fi NAMENODE_PID=`ps -ef | grep -v grep | grep -i "org.apache.hadoop.hdfs.server.namenode.NameNode" | awk '{print $2}'` # prevent the container from exiting -tail --pid=$NAMENODE_PID -f /dev/null +if [ -z "$NAMENODE_PID" ] +then + echo "The NameNode process probably exited, no process id found!" +else + tail --pid=$NAMENODE_PID -f /dev/null +fi \ No newline at end of file diff --git a/dev-support/ranger-docker/scripts/ranger-hbase.sh b/dev-support/ranger-docker/scripts/ranger-hbase.sh index 2092b24a9..ff27735dc 100755 --- a/dev-support/ranger-docker/scripts/ranger-hbase.sh +++ b/dev-support/ranger-docker/scripts/ranger-hbase.sh @@ -26,9 +26,13 @@ then echo "ssh" > /etc/pdsh/rcmd_default - ${RANGER_SCRIPTS}/ranger-hbase-setup.sh - touch ${HBASE_HOME}/.setupDone + if "${RANGER_SCRIPTS}"/ranger-hbase-setup.sh; + then +touch "${HBASE_HOME}"/.setupDone + else +echo "Ranger Hbase Setup Script didn't complete proper execution." + fi fi su -c "${HBASE_HOME}/bin/start-hbase.sh" hbase @@ -36,4 +40,9 @@ su -c "${HBASE_HOME}/bin/start-hbase.sh" hbase HBASE_MASTER_PID=`ps -ef | grep -v grep | grep -i "org.apache.hadoop.hbase.master.HMaster" | awk '{print $2}'` # prevent the container from exiting -tail --pid=$HBASE_MASTER_PID -f /dev/null +if [ -z "$HBASE_MASTER_PID" ] +then + echo "The HBase process probably exited, no process id found!" +else + tail --pid=$HBASE_MASTER_PID -f /dev/null +fi diff --git a/dev-support/ranger-docker/scripts/ranger-hive.sh b/dev-support/ranger-docker/scripts/ranger-hive.sh index d696ddfa7..403eac9fb 100755 --- a/dev-support/ranger-docker/scripts/ranger-hive.sh +++ b/dev-support/ranger-docker/scripts/ranger-hive.sh 
@@ -30,9 +30,13 @@ then echo "ssh" > /etc/pdsh/rcmd_default - ${RANGER_SCRIPTS}/ranger-hive-setup.sh - touch ${HIVE_HOME}/.setupDone + if "${RANGER_SCRIPTS}"/ranger-hive-setup.sh; + then +touch "${HIVE_HOME}"/.setupDone + else +echo "Ranger Hive Setup Script didn't complete proper execution." + fi fi cd "${HIVE_HOME}" || exit diff --git a/dev-support/ranger-docker/scripts/ranger-kafka.sh b/dev-support/ranger-docker/scripts/ranger-kafka.sh index 8be501c91..0f505eb4c 100755 --- a/dev-support/ranger-docker/scripts/ranger-kafka.sh +++ b/dev-support/ranger-docker/scripts/ranger-kafka.sh @@ -26,9 +26,13 @@ then echo "ssh" > /etc/pdsh/rcmd_default - ${RANGER_SCRIPTS}/ranger-kafka-setup.sh - touch ${KAFKA_HOME}/.setupDone + if "${RANGER_SCRIPTS}"/ranger-kafka-setup.sh; + then +touch "${KAFKA_HOME}"/.setupDone + else +echo "Ranger Kafka Setup Script didn't complete proper exec
[ranger] branch master updated: RANGER-3622: Docker - Enable Hive MetaStore in ranger-hive image
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 118f61079 RANGER-3622: Docker - Enable Hive MetaStore in ranger-hive image 118f61079 is described below commit 118f6107975599b7263cbddeb9974b9b22ee792e Author: Abhishek Kumar AuthorDate: Mon May 9 12:44:52 2022 -0700 RANGER-3622: Docker - Enable Hive MetaStore in ranger-hive image --- dev-support/ranger-docker/Dockerfile.ranger-hive | 1 + dev-support/ranger-docker/scripts/ranger-hive.sh | 19 --- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/dev-support/ranger-docker/Dockerfile.ranger-hive b/dev-support/ranger-docker/Dockerfile.ranger-hive index 31afe33d9..9ef89b59a 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger-hive +++ b/dev-support/ranger-docker/Dockerfile.ranger-hive @@ -49,4 +49,5 @@ ENV HIVE_HOME /opt/hive ENV HADOOP_HOME /opt/hadoop ENV PATH /usr/java/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/hive/bin:/opt/hadoop/bin + ENTRYPOINT [ "/home/ranger/scripts/ranger-hive.sh" ] diff --git a/dev-support/ranger-docker/scripts/ranger-hive.sh b/dev-support/ranger-docker/scripts/ranger-hive.sh index 0602ce2c5..d696ddfa7 100755 --- a/dev-support/ranger-docker/scripts/ranger-hive.sh +++ b/dev-support/ranger-docker/scripts/ranger-hive.sh 
@@ -35,9 +35,22 @@ then touch ${HIVE_HOME}/.setupDone fi -su -c "${HIVE_HOME}/bin/hiveserver2" hive +cd "${HIVE_HOME}" || exit -HIVESERVER2_PID=`ps -ef | grep -v grep | grep -i "org.apache.hive.service.server.HiveServer2" | awk '{print $2}'` +# Start Hive MetaStore +su -c "nohup ${HIVE_HOME}/bin/hive --service metastore > metastore.log 2>&1 &" hive + +# Start HiveServer2 +su -c "nohup ${HIVE_HOME}/bin/hiveserver2 > hive-server2.log 2>&1 &" hive + +sleep 10 + +HIVE_SERVER2_PID=`ps -ef | grep -v grep | grep -i "org.apache.hive.service.server.HiveServer2" | awk '{print $2}'` # prevent the container from exiting -tail --pid=$HIVESERVER2_PID -f /dev/null +if [ -z "$HIVE_SERVER2_PID" ] +then + echo "The HiveServer2 process probably exited, no process id found!" +else + tail --pid="$HIVE_SERVER2_PID" -f /dev/null +fi
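Review bot: `sleep 10` between starting the metastore and grepping for the HiveServer2 PID is a fixed race window: HiveServer2 is launched immediately after the metastore with no readiness check, and only the HiveServer2 PID is monitored, so a metastore that fails to start is never detected and HiveServer2 just keeps retrying against it. Waiting for the metastore to accept connections before launching HiveServer2, and capturing its PID the same way, would make the failure visible. Both `nohup` redirections write `metastore.log` and `hive-server2.log` relative to `${HIVE_HOME}` because of the `cd` above, which relies on that directory being writable by user hive — a short comment on the `cd` line should state that.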
[ranger] branch master updated: RANGER-3749: Fix healthcheck in mysql docker compose file
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new f5e6fa8b1 RANGER-3749: Fix healthcheck in mysql docker compose file f5e6fa8b1 is described below commit f5e6fa8b1c12deb0b4f6bfc119d940aa42540a84 Author: Abhishek Kumar AuthorDate: Mon May 9 12:41:35 2022 -0700 RANGER-3749: Fix healthcheck in mysql docker compose file --- dev-support/ranger-docker/docker-compose.ranger-mysql.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dev-support/ranger-docker/docker-compose.ranger-mysql.yml b/dev-support/ranger-docker/docker-compose.ranger-mysql.yml
index 9c353d61b..0e739b766 100644
--- a/dev-support/ranger-docker/docker-compose.ranger-mysql.yml
+++ b/dev-support/ranger-docker/docker-compose.ranger-mysql.yml
@@ -11,7 +11,8 @@ services:
 networks:
 - ranger
 healthcheck:
- test: ["CMD-SHELL", 'mysqladmin ping']
+ # Double dollar($$) is required to expand the env variable
+ test: "mysql -u root -p$$MYSQL_ROOT_PASSWORD ranger -e 'select 1' > /dev/null"
 interval: 10s
 timeout: 2s
 retries: 30
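Review bot: `-p$$MYSQL_ROOT_PASSWORD` places the root password on the mysql command line, where it is visible in the container's process list at every probe until the client masks its argv. Passing it through the environment avoids that and keeps the stronger check the commit introduces: `test: "MYSQL_PWD=$$MYSQL_ROOT_PASSWORD mysql -u root ranger -e 'select 1' > /dev/null"`. This is a dev-support compose file, so the exposure is limited, but the healthcheck line is the kind of snippet that gets copied into production manifests.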
[ranger] branch master updated: RANGER-3748: Fix healthcheck command in postgres docker compose
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 6e6e76519 RANGER-3748: Fix healthcheck command in postgres docker compose 6e6e76519 is described below commit 6e6e765191ae5686f166e3b1df010ff34ea869a4 Author: Abhishek Kumar AuthorDate: Mon May 9 12:37:46 2022 -0700 RANGER-3748: Fix healthcheck command in postgres docker compose --- dev-support/ranger-docker/docker-compose.ranger-postgres.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dev-support/ranger-docker/docker-compose.ranger-postgres.yml b/dev-support/ranger-docker/docker-compose.ranger-postgres.yml
index 997365fad..b9624aa21 100644
--- a/dev-support/ranger-docker/docker-compose.ranger-postgres.yml
+++ b/dev-support/ranger-docker/docker-compose.ranger-postgres.yml
@@ -10,7 +10,7 @@ services:
 networks:
 - ranger
 healthcheck:
- test: ["CMD-SHELL", 'pg_isready -q']
+ test: 'su -c "pg_isready -q" postgres'
 interval: 10s
 timeout: 2s
 retries: 30
[ranger] branch master updated: RANGER-3738: Restructure ranger Dockerfile to use multi-stage builds
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new f63aa56fa RANGER-3738: Restructure ranger Dockerfile to use multi-stage builds f63aa56fa is described below commit f63aa56fa885642b00ca58d606337cfc6c009914 Author: Abhishek Kumar AuthorDate: Thu Apr 28 10:41:42 2022 -0700 RANGER-3738: Restructure ranger Dockerfile to use multi-stage builds --- dev-support/ranger-docker/Dockerfile.ranger | 37 + 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/dev-support/ranger-docker/Dockerfile.ranger b/dev-support/ranger-docker/Dockerfile.ranger index b11e72666..f5a1ed93f 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger +++ b/dev-support/ranger-docker/Dockerfile.ranger 
@@ -13,33 +13,40 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +ARG RANGER_DB_TYPE -FROM ranger-base:latest +FROM ranger-base:latest AS ranger ARG RANGER_VERSION ARG RANGER_DB_TYPE COPY ./dist/version /home/ranger/dist/ COPY ./dist/ranger-${RANGER_VERSION}-admin.tar.gz /home/ranger/dist/ -COPY ./downloads/postgresql-42.2.16.jre7.jar /home/ranger/dist/ -COPY ./downloads/mysql-connector-java-8.0.28.jar /home/ranger/dist/ -COPY ./downloads/log4jdbc-1.2.jar /home/ranger/dist/ COPY ./scripts/ranger.sh ${RANGER_SCRIPTS}/ COPY ./scripts/ranger-admin-install-${RANGER_DB_TYPE}.properties ${RANGER_SCRIPTS}/ranger-admin-install.properties COPY ./scripts/create-ranger-services.py ${RANGER_SCRIPTS}/ -RUN tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz --directory=${RANGER_HOME} && \ -ln -s ${RANGER_HOME}/ranger-${RANGER_VERSION}-admin ${RANGER_HOME}/admin && \ -rm -f /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz && \ -cp -f ${RANGER_SCRIPTS}/ranger-admin-install.properties ${RANGER_HOME}/admin/install.properties && \ -mkdir -p /var/run/ranger && \ -mkdir -p /var/log/ranger && \ -chown -R ranger:ranger ${RANGER_HOME}/admin/ /var/run/ranger/ /var/log/ranger/ && \ -mkdir -p /usr/share/java/ && \ -mv /home/ranger/dist/postgresql-42.2.16.jre7.jar /usr/share/java/postgresql.jar && \ -mv /home/ranger/dist/mysql-connector-java-8.0.28.jar /usr/share/java/mysql-connector.jar && \ -mv /home/ranger/dist/log4jdbc-1.2.jar ${RANGER_HOME}/admin/ews/webapp/WEB-INF/lib/log4jdbc-1.2.jar +RUNtar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz --directory=${RANGER_HOME} \ +&& ln -s ${RANGER_HOME}/ranger-${RANGER_VERSION}-admin ${RANGER_HOME}/admin \ +&& rm -f /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz \ +&& cp -f ${RANGER_SCRIPTS}/ranger-admin-install.properties ${RANGER_HOME}/admin/install.properties \ +&& mkdir 
-p /var/run/ranger \ +&& mkdir -p /var/log/ranger \ +&& chown -R ranger:ranger ${RANGER_HOME}/admin/ /var/run/ranger/ /var/log/ranger/ \ +&& mkdir -p /usr/share/java/ + +FROM ranger AS ranger_postgres +COPY ./downloads/postgresql-42.2.16.jre7.jar /home/ranger/dist/ +RUN mv /home/ranger/dist/postgresql-42.2.16.jre7.jar /usr/share/java/postgresql.jar + +FROM ranger AS ranger_mysql +COPY ./downloads/mysql-connector-java-8.0.28.jar /home/ranger/dist/ +COPY ./downloads/log4jdbc-1.2.jar /home/ranger/dist/ +RUN mv /home/ranger/dist/mysql-connector-java-8.0.28.jar /usr/share/java/mysql-connector.jar \ + && mv /home/ranger/dist/log4jdbc-1.2.jar ${RANGER_HOME}/admin/ews/webapp/WEB-INF/lib/log4jdbc-1.2.jar + +FROM ranger_${RANGER_DB_TYPE} USER ranger
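Review bot: The JDBC driver artifacts are pinned by literal file names (`postgresql-42.2.16.jre7.jar`, `mysql-connector-java-8.0.28.jar`, `log4jdbc-1.2.jar`) in both the COPY and the RUN of each new stage, so bumping a driver means editing two lines per stage plus whatever fetches them into ./downloads/; an `ARG POSTGRES_JDBC_VERSION` / `ARG MYSQL_JDBC_VERSION` (names constructed) declared once would keep that in one place. Nothing in this file verifies the integrity of what sits under ./downloads/, so whichever script fetches those jars is the place to pin a checksum — that is outside this hunk. The top-level `ARG RANGER_DB_TYPE` added before the first FROM is what makes the final `FROM ranger_${RANGER_DB_TYPE}` resolve, while the second `ARG RANGER_DB_TYPE` inside the stage re-scopes it for the COPY; a comment such as `# declared before the first FROM so it is visible to the final FROM ranger_${RANGER_DB_TYPE}` would explain the apparent duplication.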
[ranger] branch master updated: RANGER-3705: Improve logging messages to help debug potential issues
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new ffd11894d RANGER-3705: Improve logging messages to help debug potential issues ffd11894d is described below commit ffd11894d818e9067d98eb48d0cb3e929f4450a9 Author: Abhay Kulkarni AuthorDate: Mon Apr 11 18:36:35 2022 -0700 RANGER-3705: Improve logging messages to help debug potential issues --- .../RangerServiceResourceMatcher.java | 5 .../plugin/policyengine/RangerResourceTrie.java| 31 +++--- .../ranger/plugin/service/RangerBasePlugin.java| 10 +++ 3 files changed, 30 insertions(+), 16 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java index 7b02dd6e1..9433ae1da 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java @@ -80,4 +80,9 @@ public class RangerServiceResourceMatcher implements RangerPolicyResourceEvaluat return Long.compare(me.getId(), other.getId()); } } + + @Override + public String toString() { + return String.valueOf(getId()); + } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java index 331d6371d..70b9f6884 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java 
@@ -35,6 +35,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.HashMap; import java.util.HashSet; @@ -94,9 +95,7 @@ public class RangerResourceTrie { } if (TRACE_LOG.isTraceEnabled()) { -StringBuilder sb = new StringBuilder(); -root.toString("", sb); -TRACE_LOG.trace("Trie Dump from RangerResourceTrie.copyTrie(name=" + other.resourceDef.getName() + "):\n{" + sb.toString() + "}"); +TRACE_LOG.trace("Trie Dump from RangerResourceTrie.copyTrie(name=" + other.resourceDef.getName() + "):\n[" + dumpTrie() + "]"); } } @@ -170,9 +169,7 @@ public class RangerResourceTrie { } if (TRACE_LOG.isTraceEnabled()) { -StringBuilder sb = new StringBuilder(); -root.toString("", sb); -TRACE_LOG.trace("Trie Dump from RangerResourceTrie.init(name=" + resourceDef.getName() + "):\n{" + sb.toString() + "}"); +TRACE_LOG.trace("Trie Dump from RangerResourceTrie.init(name=" + resourceDef.getName() + "):\n[" + dumpTrie() + "]"); } if(LOG.isDebugEnabled()) { @@ -231,9 +228,7 @@ public class RangerResourceTrie { RangerPerfTracer.logAlways(perf); if (TRACE_LOG.isTraceEnabled()) { -StringBuilder sb = new StringBuilder(); -root.toString("", sb); -TRACE_LOG.trace("Trie Dump from RangerResourceTrie.add(name=" + resource + "):\n{" + sb.toString() + "}"); +TRACE_LOG.trace("Trie Dump from RangerResourceTrie.add(name=" + resource + "):\n[" + dumpTrie() + "]"); } } @@ -262,9 +257,7 @@ public class RangerResourceTrie { RangerPerfTracer.logAlways(perf); if (TRACE_LOG.isTraceEnabled()) { -StringBuilder sb = new StringBuilder(); -root.toString("", sb); -TRACE_LOG.trace("Trie Dump from RangerResourceTrie.delete(name=" + resource + "):\n{" + sb.toString() + "}"); +TRACE_LOG.trace("Trie Dump from RangerResourceTrie.delete(name=" + resource + "):\n[" + dumpTrie()+ "]"); } } 
@@ -272,13 +265,19 @@ public class RangerResourceTrie { if (root != null) { root.wrapUpUpdate(); if (TRACE_LOG.isTraceEnabled()) { -StringBuilder sb = new StringBuilder(); -root.toString("", sb); -TRACE_LOG.trace("Trie Dump from RangerResourceTrie.wrapUpUpdate(name=" + resourceDef.getName() + "):\n{" + sb.toString() + "}"); +
[ranger] branch master updated: RANGER-3663: RangerBizUtil.checkAdminAccess() should return false if user-session is not available
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new e6bb82b RANGER-3663: RangerBizUtil.checkAdminAccess() should return false if user-session is not available e6bb82b is described below commit e6bb82b8c192707a7f60bc190819a17ee335a3a0 Author: Abhay Kulkarni AuthorDate: Fri Mar 11 15:11:29 2022 -0800 RANGER-3663: RangerBizUtil.checkAdminAccess() should return false if user-session is not available --- .../src/main/java/org/apache/ranger/biz/RangerBizUtil.java | 10 ++ 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java index 1ec1df0..6237c0c 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java @@ -1537,14 +1537,8 @@ public class RangerBizUtil { public boolean checkAdminAccess() { UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); - if (currentUserSession != null) { - return currentUserSession.isUserAdmin(); - } else { - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + + return currentUserSession != null && currentUserSession.isUserAdmin(); } }
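Review bot: Returning false instead of throwing changes the contract for any caller that invoked checkAdminAccess() for its side effect — relying on the 401 "Bad Credentials" exception when no session exists — rather than testing the result; such a call site would now continue with an unauthenticated request, so the call sites need an audit as part of this change. Fail-closed is the right default, and the method should say so for future callers: `/** @return true only when a user session exists and it is an admin session; never throws — callers must deny on false. */`. If VXResponse and HttpServletResponse have no other uses in RangerBizUtil, their imports can go as well (not visible in this hunk).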
[ranger] branch master updated: RANGER-3584: ServiceTags are not computed correctly by applying incremental changes to existing ServiceTags
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 47617bb RANGER-3584: ServiceTags are not computed correctly by applying incremental changes to existing ServiceTags 47617bb is described below commit 47617bb0610bd7a3c722e7ffd4718255ae9041b0 Author: Abhay Kulkarni AuthorDate: Wed Jan 12 16:19:19 2022 -0800 RANGER-3584: ServiceTags are not computed correctly by applying incremental changes to existing ServiceTags --- .../java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java index 088b2b8..00e8d86 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java @@ -88,10 +88,13 @@ public class RangerServiceTagsDeltaUtil { if (cachedTagId == null) { serviceTags.cachedTags.put(tag, tagId); +tags.put(tagId, tag); } else { replacedIds.put(tagId, cachedTagId); deltaTagIter.remove(); } +} else { +tags.put(tagId, tag); } } }
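Review bot: The fix lands without a regression test: the diffstat shows only RangerServiceTagsDeltaUtil changed, yet the defect (tags missing from `tags` after a delta is applied over existing ServiceTags) is exactly what a small unit test with a pre-populated cachedTags map would pin, and nothing here prevents the same omission returning. The two new `tags.put(tagId, tag)` calls bracket a branch that instead remaps the id and removes the delta entry, which reads as intentional but is easy to misread; a comment above the outer condition such as `// a tag that is not already cached must be carried into tags under its own id; a cached duplicate is dropped from the delta and its id remapped` would record the invariant (to be confirmed against the enclosing method, which starts and ends outside this hunk).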
[ranger] branch master updated: RANGER-3578: Simplify code for policy label creation
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new ba917a6 RANGER-3578: Simplify code for policy label creation ba917a6 is described below commit ba917a683dae46e534e4da388128d3eb9ab97af9 Author: Abhay Kulkarni AuthorDate: Sat Jan 8 11:45:50 2022 -0800 RANGER-3578: Simplify code for policy label creation --- .../java/org/apache/ranger/biz/ServiceDBStore.java | 63 ++-- .../ranger/service/RangerPolicyLabelHelper.java| 68 -- 2 files changed, 46 insertions(+), 85 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 85adda5..6ed0800 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -62,7 +62,6 @@ import org.apache.poi.ss.usermodel.Workbook; import org.apache.ranger.audit.provider.MiscUtil; import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig; import org.apache.ranger.authorization.utils.JsonUtils; -import org.apache.ranger.biz.ServiceDBStore.METRIC_TYPE; import org.apache.ranger.common.AppConstants; import org.apache.ranger.common.ContextUtil; import org.apache.ranger.common.GUIDUtil; @@ -170,7 +169,6 @@ import org.apache.ranger.rest.ServiceREST; import org.apache.ranger.rest.TagREST; import org.apache.ranger.service.RangerAuditFields; import org.apache.ranger.service.RangerDataHistService; -import org.apache.ranger.service.RangerPolicyLabelHelper; import org.apache.ranger.service.RangerPolicyLabelsService; import org.apache.ranger.service.RangerPolicyService; import org.apache.ranger.service.RangerPolicyWithAssignedIdService; 
@@ -285,9 +283,6 @@ public class ServiceDBStore extends AbstractServiceStore { RangerPolicyLabelsService policyLabelsService; @Autowired - RangerPolicyLabelHelper policyLabelsHelper; - - @Autowired XUserService xUserService; @Autowired @@ -2072,24 +2067,58 @@ public class ServiceDBStore extends AbstractServiceStore { for (String policyLabel : uniquePolicyLabels) { //check and create new label If does not exist + if (StringUtils.isNotEmpty(policyLabel)) { + transactionSynchronizationAdapter.executeOnTransactionCommit(new AssociatePolicyLabel(policyLabel, xPolicy)); + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceDBStore.createOrMapLabels()"); + } + } + + private class AssociatePolicyLabel implements Runnable { + private String policyLabel; + private XXPolicy xPolicy; + + AssociatePolicyLabel(String policyLabel, XXPolicy xPolicy) { + this.policyLabel = policyLabel; + this.xPolicy = xPolicy; + } + + @Override + public void run() { + getOrCreateLabel(); + } + + private void getOrCreateLabel() { + if (LOG.isDebugEnabled()) { + LOG.debug("==> AssociatePolicyLabel.getOrCreateLabel(policyId=" + xPolicy.getId() + ", label=" + policyLabel + ")"); + } + XXPolicyLabel xxPolicyLabel = daoMgr.getXXPolicyLabels().findByName(policyLabel); - if(xxPolicyLabel == null) { - synchronized(this) { - xxPolicyLabel = policyLabelsHelper.createNewOrGetLabel(policyLabel, xPolicy); + + if (xxPolicyLabel == null) { + xxPolicyLabel = daoMgr.getXXPolicyLabels().findByName(policyLabel); + + if (xxPolicyLabel == null) { + xxPolicyLabel = new XXPolicyLabel(); + xxPolicyLabel.setPolicyLabel(policyLabel); + xxPolicyLabel = rangerAuditFields.populateAuditFieldsForCreate(xxPolicyLabel); + xxPolicyLabel = daoMgr.getXXPolicyLabels().create(xxPolicyLabel); } } - //label mapping with policy - if (xxPolicyLabel.getId() != null) { + + if (xxPolicyLabel != null) { XXPolicyLabelMap xxPolicyLabelMap = new XXPolicyLabelMap();
[ranger] branch master updated: RANGER-3573: Add vim in docker base image
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 7fd191e RANGER-3573: Add vim in docker base image 7fd191e is described below commit 7fd191e9e3f236807e0a69c31dd881269d550025 Author: Abhishek Kumar AuthorDate: Wed Jan 5 15:51:09 2022 -0800 RANGER-3573: Add vim in docker base image --- dev-support/ranger-docker/Dockerfile.ranger-base | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev-support/ranger-docker/Dockerfile.ranger-base b/dev-support/ranger-docker/Dockerfile.ranger-base index 688eed4..a4bb900 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger-base +++ b/dev-support/ranger-docker/Dockerfile.ranger-base @@ -19,7 +19,7 @@ FROM ubuntu:20.04 # Install tzdata, Python, Java, python-requests RUN apt-get update && \ -DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata \ +DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata vim\ python3 python3-pip openjdk-8-jdk bc iputils-ping ssh pdsh && \ pip3 install apache-ranger && \ pip3 install requests
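Review bot: `tzdata vim\` drops the space before the line-continuation backslash; whether the joined command reads `vim python3` or `vimpython3` depends on the leading whitespace of the continuation line, which this hunk does not show, so the robust form is `tzdata vim \`. Since the RUN layer is being touched anyway, the usual base-image hygiene applies — `apt-get -y --no-install-recommends install ...` and `rm -rf /var/lib/apt/lists/*` in the same layer — and an editor is a debugging convenience that should not propagate into any image derived from this base for non-development use.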
[ranger] branch master updated: RANGER-3562: Redesign post commit tasks for updating ref-tables when policy/role is updated - Part 2
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new dd7c773 RANGER-3562: Redesign post commit tasks for updating ref-tables when policy/role is updated - Part 2 dd7c773 is described below commit dd7c773dee6d8f15ffcb14304d71b79c29fdf082 Author: Abhay Kulkarni AuthorDate: Wed Jan 5 15:24:39 2022 -0800 RANGER-3562: Redesign post commit tasks for updating ref-tables when policy/role is updated - Part 2 --- .../java/org/apache/ranger/biz/PolicyRefUpdater.java | 18 +++--- .../java/org/apache/ranger/biz/RoleRefUpdater.java | 18 +++--- .../resources/stability-tests/ranger-policy/app.conf | 6 +++--- .../resources/stability-tests/ranger-policy/start.sh | 2 +- 4 files changed, 10 insertions(+), 34 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java index f8f0ee9..b1f331b 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java @@ -176,11 +176,7 @@ public class PolicyRefUpdater { continue; } PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.ROLE, role, xPolicy); - if (associator.doAssociate(false)) { - if (LOG.isDebugEnabled()) { - LOG.debug("Role name: " + role + " specified in policy does not exist in ranger admin."); - } - } else { + if (!associator.doAssociate(false)) { if (isAdmin) { rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator); } else { 
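Review bot: The inverted condition shows that the removed debug message was attached to the wrong branch (a true return from doAssociate was being logged as "does not exist"), and the rewrite drops the message entirely, so the deferred path now leaves no trace at all; a comment spelling out the boolean's meaning would stop the same misreading recurring: `// doAssociate(false) returns false when the principal is not yet known to Ranger; for admins the association is created after commit`. What the non-admin `else` does is outside the hunk, as are the start and end of the enclosing loop and method, so the wording should be confirmed against them.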
@@ -200,11 +196,7 @@ public class PolicyRefUpdater { } PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.GROUP, group, xPolicy); - if (associator.doAssociate(false)) { - if (LOG.isDebugEnabled()) { - LOG.debug("Group name: " + group + " specified in policy does not exist in ranger admin."); - } - } else { + if (!associator.doAssociate(false)) { if (isAdmin) { rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator); } else { @@ -221,11 +213,7 @@ public class PolicyRefUpdater { continue; } PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.USER, user, xPolicy); - if (associator.doAssociate(false)) { - if (LOG.isDebugEnabled()) { - LOG.debug("User name: " + user + " specified in policy does not exist in ranger admin."); - } - } else { + if (!associator.doAssociate(false)) { if (isAdmin) { rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator); } else { diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java index 0e5ccd3..6ada7ee 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java @@ -107,11 +107,7 @@ public class RoleRefUpdater { } RolePrincipalAssociator associator = new RolePrincipalAssociator(PolicyRefUpdater.PRINCIPAL_TYPE.USER, roleUser, roleId); - if (associator.doAssociate(false)) { - if (LOG.isDebugEnabled()) { - LOG.debug("User name: " + roleUser + " specified in role does not exist in ranger admin."); - } - } else { + if (!associator.doAssoci
[ranger] branch master updated: RANGER-3562: Redesign post commit tasks for updating ref-tables when policy/role is updated
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new df07b0d RANGER-3562: Redesign post commit tasks for updating ref-tables when policy/role is updated df07b0d is described below commit df07b0da94dced97e6022b1d0d243c8b2e358803 Author: Abhay Kulkarni AuthorDate: Mon Jan 3 18:38:55 2022 -0800 RANGER-3562: Redesign post commit tasks for updating ref-tables when policy/role is updated --- .../main/java/org/apache/ranger/biz/AssetMgr.java | 18 +- .../org/apache/ranger/biz/PolicyRefUpdater.java| 474 ++--- .../java/org/apache/ranger/biz/RoleRefUpdater.java | 395 + .../ranger/service/RangerPluginActivityLogger.java | 15 +- .../service/TestRangerPluginActivityLogger.java| 3 +- 5 files changed, 436 insertions(+), 469 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java index 36f137e..08255b3 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java @@ -48,6 +48,7 @@ import org.apache.ranger.common.RangerCommonEnums; import org.apache.ranger.common.RangerConstants; import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.common.StringUtil; +import org.apache.ranger.common.db.RangerTransactionSynchronizationAdapter; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.elasticsearch.ElasticSearchAccessAuditsService; import org.apache.ranger.entity.XXPermMap; @@ -121,7 +122,7 @@ public class AssetMgr extends AssetMgrBase { XPolicyService xPolicyService; @Autowired - RangerPluginActivityLogger activityLogger; + RangerTransactionSynchronizationAdapter transactionSynchronizationAdapter; @Autowired RangerPluginInfoService pluginInfoService; 
@@ -663,7 +664,7 @@ public class AssetMgr extends AssetMgrBase { } }; - activityLogger.commitAfterTransactionComplete(commitWork); + transactionSynchronizationAdapter.executeOnTransactionCompletion(commitWork); } } else { ret = rangerDaoManager.getXXPolicyExportAudit().create(xXPolicyExportAudit); @@ -733,6 +734,7 @@ public class AssetMgr extends AssetMgrBase { } final boolean isTagVersionResetNeeded; + final Runnable commitWork; if (httpCode == HttpServletResponse.SC_NOT_MODIFIED) { // Create or update PluginInfo record after transaction is completed. If it is created in-line here @@ -757,15 +759,13 @@ public class AssetMgr extends AssetMgrBase { break; } - Runnable commitWork = new Runnable() { + commitWork = new Runnable() { @Override public void run() { doCreateOrUpdateXXPluginInfo(pluginInfo, entityType, isTagVersionResetNeeded, clusterName); } }; - activityLogger.commitAfterTransactionComplete(commitWork); } else if (httpCode == HttpServletResponse.SC_NOT_FOUND) { - Runnable commitWork; if ((isPolicyDownloadRequest(entityType) && (pluginInfo.getPolicyActiveVersion() == null || pluginInfo.getPolicyActiveVersion() == -1)) || (isTagDownloadRequest(entityType) && (pluginInfo.getTagActiveVersion() == null || pluginInfo.getTagActiveVersion() == -1)) || (isRoleDownloadRequest(entityType) && (pluginInfo.getRoleActiveVersion() == null || pluginInfo.getRoleActiveVersion() == -1)) @@ -784,12 +784,16 @@ public class AssetMgr extends AssetMgrBase { } }; } - activityLogger.commitAfterTransactionComplete(commitWork); - } else { isTagVersionResetNeeded = false; + commitWork = null; doCreateOrUpdateXXPluginInfo(pluginInfo, entityType, isTagVersionResetNeeded, clusterName); } + + if (commitWork != null) { + transactionSynchronizationAdapter.executeOnTransactionCompletion(commitWork); + } + if (logger.isDebugEnabled()) {
[ranger] branch master updated: RANGER-3554: [Intermittent] API call to fetch the list of policies for a particular service repo returns a deleted policy in the response - Part 2"
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 993cf0d RANGER-3554: [Intermittent] API call to fetch the list of policies for a particular service repo returns a deleted policy in the response - Part 2" 993cf0d is described below commit 993cf0d9a98a2ea8f01d1fbbd3d6a1177a8887ca Author: Abhay Kulkarni AuthorDate: Sat Dec 18 14:57:18 2021 -0800 RANGER-3554: [Intermittent] API call to fetch the list of policies for a particular service repo returns a deleted policy in the response - Part 2" --- .../ranger/common/db/RangerTransactionSynchronizationAdapter.java| 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java b/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java index ed84462..0f3f311 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java +++ b/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java @@ -123,13 +123,14 @@ public class RangerTransactionSynchronizationAdapter extends TransactionSynchron List runnablesAfterCommit = RUNNABLES_AFTER_COMMIT.get(); RUNNABLES_AFTER_COMMIT.remove(); +List runnables = RUNNABLES.get(); +RUNNABLES.remove(); + if (isParentTransactionCommitted) { // Run tasks scheduled to run after transaction is successfully committed runRunnables(runnablesAfterCommit, true); } -List runnables = RUNNABLES.get(); -RUNNABLES.remove(); // Run other tasks scheduled to run after transaction completes runRunnables(runnables, false);
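Review bot: If runRunnables(runnablesAfterCommit, true) throws, the second call never executes and the completion-time tasks that were just popped from RUNNABLES are lost for good; popping both thread-locals up front fixes the leak across transactions but not this one. Unless runRunnables already swallows every throwable internally (its body is not in the hunk), a try/finally keeps the second call unconditional: `try { if (isParentTransactionCommitted) { runRunnables(runnablesAfterCommit, true); } } finally { runRunnables(runnables, false); }`. The enclosing method starts outside the hunk.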
[ranger] branch master updated: RANGER-3556: Ranger tagsync logs unnecessary messages
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new d6f0196 RANGER-3556: Ranger tagsync logs unnecessary messages d6f0196 is described below commit d6f0196bcbde1c0202ee978ebd007003911842f9 Author: Abhay Kulkarni AuthorDate: Fri Dec 17 11:56:04 2021 -0800 RANGER-3556: Ranger tagsync logs unnecessary messages --- .../org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java| 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java index e9fe02f..41ef181 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java @@ -190,7 +190,9 @@ public class AtlasTagSource extends AbstractTagSource { List> newMessages = consumer.receive(MAX_WAIT_TIME_IN_MILLIS); if (newMessages.size() == 0) { - LOG.info("AtlasTagSource.ConsumerRunnable.run: no message from NotificationConsumer within " + MAX_WAIT_TIME_IN_MILLIS + " milliseconds"); + if (LOG.isDebugEnabled()) { + LOG.debug("AtlasTagSource.ConsumerRunnable.run: no message from NotificationConsumer within " + MAX_WAIT_TIME_IN_MILLIS + " milliseconds"); + } if (CollectionUtils.isNotEmpty(atlasEntitiesWithTags)) { buildAndUploadServiceTags(); } 
@@ -274,7 +276,9 @@ public class AtlasTagSource extends AbstractTagSource { updateSink(entry.getValue()); } offsetOfLastMessageDeliveredToRanger = messages.get(messages.size()-1).getOffset(); - LOG.info("Completed processing batch of messages of size:[" + messages.size() + "] received from NotificationConsumer"); + if (LOG.isDebugEnabled()) { + LOG.debug("Completed processing batch of messages of size:[" + messages.size() + "] received from NotificationConsumer"); + } commitToKafka(); }
[ranger] branch master updated: RANGER-3554: [Intermittent] API call to fetch the list of policies for a particular service repo returns a deleted policy in the response
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 7406d2d RANGER-3554: [Intermittent] API call to fetch the list of policies for a particular service repo returns a deleted policy in the response 7406d2d is described below commit 7406d2d04d473d0dbacb39b9d75d883768a44cea Author: Abhay Kulkarni AuthorDate: Wed Dec 15 21:18:56 2021 -0800 RANGER-3554: [Intermittent] API call to fetch the list of policies for a particular service repo returns a deleted policy in the response --- .../ranger/common/db/RangerTransactionSynchronizationAdapter.java| 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java b/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java index 6c4902b..ed84462 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java +++ b/security-admin/src/main/java/org/apache/ranger/common/db/RangerTransactionSynchronizationAdapter.java @@ -120,9 +120,10 @@ public class RangerTransactionSynchronizationAdapter extends TransactionSynchron final boolean isParentTransactionCommitted = status == STATUS_COMMITTED; +List runnablesAfterCommit = RUNNABLES_AFTER_COMMIT.get(); +RUNNABLES_AFTER_COMMIT.remove(); + if (isParentTransactionCommitted) { -List runnablesAfterCommit = RUNNABLES_AFTER_COMMIT.get(); -RUNNABLES_AFTER_COMMIT.remove(); // Run tasks scheduled to run after transaction is successfully committed runRunnables(runnablesAfterCommit, true); }
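Review bot: After-commit runnables registered by a transaction that rolls back are now popped and discarded without any trace, which will make a missing ref-table update hard to diagnose later. An else branch with a debug line records the decision, e.g. `else if (runnablesAfterCommit != null && !runnablesAfterCommit.isEmpty()) { LOG.debug("discarding " + runnablesAfterCommit.size() + " after-commit tasks, transaction status=" + status); }`; the logger name used in this class is not visible in the hunk, so adapt it to what the file already declares. The enclosing method begins outside the hunk.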
[ranger] branch master updated: RANGER-3548: Update performance engine test scripts
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 3b32ec7 RANGER-3548: Update performance engine test scripts 3b32ec7 is described below commit 3b32ec719e89748f7478e64d5df448d22bfbf5b5 Author: Abhay Kulkarni AuthorDate: Mon Dec 13 12:58:22 2021 -0800 RANGER-3548: Update performance engine test scripts --- distro/src/main/assembly/ranger-tools.xml | 6 + ranger-tools/scripts/create_tags_file.sh | 43 +++ ranger-tools/scripts/gen_service_tags.sh | 38 ++- 3 files changed, 63 insertions(+), 24 deletions(-) diff --git a/distro/src/main/assembly/ranger-tools.xml b/distro/src/main/assembly/ranger-tools.xml index 1eb9104..b8713d8 100644 --- a/distro/src/main/assembly/ranger-tools.xml +++ b/distro/src/main/assembly/ranger-tools.xml @@ -158,5 +158,11 @@ gen_service_policies.sh 755 + + ${project.parent.basedir}/ranger-tools/scripts/create_tags_file.sh + + create_tags_file.sh + 755 + diff --git a/ranger-tools/scripts/create_tags_file.sh b/ranger-tools/scripts/create_tags_file.sh new file mode 100755 index 000..ad4410d --- /dev/null +++ b/ranger-tools/scripts/create_tags_file.sh 
@@ -0,0 +1,43 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+echo_stderr ()
+{
+echo "$@" >&2
+}
+
+
+if [ $# -ne 5 ]
+then
+echo_stderr "usage: $0 "
+exit 1
+fi
+
+service_name=$1
+num_of_tags=$2
+initial_id=$3
+output_file=$4
+seconds_to_sleep=$5
+
+echo_stderr "$0 $service_name $num_of_tags $initial_id $output_file $seconds_to_sleep"
+
+while true
+do
+ ./gen_service_tags.sh ${service_name} ${num_of_tags} ${initial_id} > /tmp/$$-${output_file}
+ mv /tmp/$$-${output_file} ${output_file}
+ ((initial_id+=${num_of_tags}))
+ sleep ${seconds_to_sleep}
+done
diff --git a/ranger-tools/scripts/gen_service_tags.sh b/ranger-tools/scripts/gen_service_tags.sh
index 9a81a0a..c36e4cd 100755
--- a/ranger-tools/scripts/gen_service_tags.sh
+++ b/ranger-tools/scripts/gen_service_tags.sh
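Review bot: `/tmp/$$-${output_file}` is a predictable name in a world-writable directory, so another local user can pre-create or symlink it before the redirect lands and steer where the generated JSON is written; it also breaks when output_file carries a directory component, and `mv` from /tmp onto a different filesystem is a copy rather than an atomic rename, so a reader of output_file can observe a partial file. Creating the temp file next to the target with mktemp fixes all three: `tmp_file=$(mktemp "${output_file}.XXXXXX") || exit 1`, `./gen_service_tags.sh "${service_name}" "${num_of_tags}" "${initial_id}" > "${tmp_file}"`, `mv -f "${tmp_file}" "${output_file}"`. `./gen_service_tags.sh` also resolves against the caller's working directory rather than the script's own, so `"$(dirname "$0")/gen_service_tags.sh"` is the safer invocation.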
@@ -19,28 +19,17 @@ echo_stderr () echo "$@" >&2 } -if [ $# -ne 2 ] +if [ $# -ne 3 ] then - echo_stderr "usage: $0 " + echo_stderr "usage: $0 " + exit 1 fi -service_name=cm_hive -num_of_service_resources=1 +service_name=$1 +num_of_service_resources=$2 +initial_id=$3 -if [ $# -ge 1 ] -then - service_name=$1 - echo_stderr "service_name=${service_name}, num_of_service_resources=${num_of_service_resources}" - if [ $# -ge 2 ] - then - num_of_service_resources=$2 - else - echo_stderr "service_name=${service_name}, Assuming num_of_service_resources=${num_of_service_resources}" - fi -else - echo_stderr "Assuming service_name=${service_name}, num_of_service_resources=${num_of_service_resources}" - -fi +echo_stderr "Assuming service_name=${service_name}, num_of_service_resources=${num_of_service_resources} initial_id=${initial_id}" echo "{ \"op\": \"add_or_update\", @@ -65,8 +54,8 @@ echo "{ } }, \"tags\": {" -for ((i = 1; i <= $num_of_service_resources; i++)); do -if [ $i -ne 1 ] +for ((i = ${initial_id}; i < ${initial_id} + $num_of_service_resources; i++)); do +if [ $i -ne ${initial_id} ] then echo " ," fi @@ -82,8 +71,8 @@ for ((i = 1; i <= $num_of_service_resources; i++)); do done echo " }," echo " \"serviceResources\": [" -for ((i = 1; i <= $num_of_service_resources; i++)); do -if [ $i -ne 1 ] +for ((i = ${initial_id}; i < ${initial_id} + $num_of_service_resources; i++)); do +if [ $i -ne ${initial_id} ] then echo " ," fi @@ -91,14 +80,15 @@ for ((i = 1; i <= $num_of_service_resources; i++)); do \"
[ranger] branch master updated: RANGER-3538: Reduce the granularity of locking when building/retrieving a policy-engine within Ranger admin service
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new d3af747 RANGER-3538: Reduce the granularity of locking when building/retrieving a policy-engine within Ranger admin service d3af747 is described below commit d3af7476dcab3719b8a75b506b10400640f3bf3e Author: Abhay Kulkarni AuthorDate: Tue Dec 7 16:58:25 2021 -0800 RANGER-3538: Reduce the granularity of locking when building/retrieving a policy-engine within Ranger admin service --- .../apache/ranger/biz/RangerPolicyAdminCache.java | 124 + .../RangerPolicyAdminCacheForEngineOptions.java| 15 ++- 2 files changed, 89 insertions(+), 50 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java index 5a69231..47fa99c 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java @@ -22,6 +22,8 @@ package org.apache.ranger.biz; import java.util.Collections; import java.util.HashMap; import java.util.Map; +import java.util.concurrent.locks.Lock; +import java.util.concurrent.locks.ReentrantLock; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; 
@@ -37,9 +39,25 @@ import org.apache.ranger.plugin.util.RangerRoles; import org.apache.ranger.plugin.util.ServicePolicies; public class RangerPolicyAdminCache { + + static class RangerPolicyAdminWrapper { + final RangerPolicyAdmin policyAdmin; + final Lock lock = new ReentrantLock(); + + RangerPolicyAdminWrapper(RangerPolicyAdmin policyAdmin) { + this.policyAdmin = policyAdmin; + } + RangerPolicyAdmin getPolicyAdmin() { + return policyAdmin; + } + Lock getLock() { + return lock; + } + } + private static final Log LOG = LogFactory.getLog(RangerPolicyAdminCache.class); - private final Map policyAdminCache = Collections.synchronizedMap(new HashMap<>()); + private final Map policyAdminCache = Collections.synchronizedMap(new HashMap<>()); final RangerPolicyAdmin getServicePoliciesAdmin(String serviceName, ServiceStore svcStore, RoleStore roleStore, SecurityZoneStore zoneStore, RangerPolicyEngineOptions options) { @@ -49,13 +67,13 @@ public class RangerPolicyAdminCache { return null; } - RangerPolicyAdmin ret = policyAdminCache.get(serviceName); - longpolicyVersion; longroleVersion; RangerRoles roles; boolean isRolesUpdated = true; + RangerPolicyAdminWrapper ret = policyAdminCache.get(serviceName); + try { if (ret == null) { policyVersion = -1L; @@ -68,8 +86,8 @@ public class RangerPolicyAdminCache { } } } else { - policyVersion = ret.getPolicyVersion(); - roleVersion = ret.getRoleVersion(); + policyVersion = ret.getPolicyAdmin().getPolicyVersion(); + roleVersion = ret.getPolicyAdmin().getRoleVersion(); roles = roleStore.getRoles(serviceName, roleVersion); if (roles == null) { // No changes to roles 
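Review bot: RangerPolicyAdminWrapper does not say what its lock guards, and the lookup `RangerPolicyAdminWrapper ret = policyAdminCache.get(serviceName)` plus the version reads that follow happen outside it, so a reader cannot tell whether getPolicyAdmin() may return an engine that is concurrently being rebuilt. A class comment would state the intended contract, to be confirmed against the update path that lies beyond this hunk: `// Per-service lock: serializes building/refreshing one service's engine so two requests do not rebuild it concurrently; cache lookups are not taken under it and may return the previous engine`. If nothing outside this class needs the wrapper (RangerPolicyAdminCacheForEngineOptions is also touched by this commit), `private static final class` with `private final` fields would match the minimal-visibility idiom; getServicePoliciesAdmin continues past the end of the hunk.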
@@ -82,70 +100,88 @@ public class RangerPolicyAdminCache { if (policies != null) { ret = addOrUpdatePolicyAdmin(ret, policies, roles, options); - } else { + if (ret == null) { - LOG.error("getPolicyAdmin(" + serviceName + "): failed to get any policies from service-store"); + LOG.error("getPolicyAdmin(" + serviceName + "): failed to build engine from policies from service-store"); } else { if (isRolesUpdated) { - ret.setRoles(roles); + ret.getPolicyAdmin().setRoles(roles); } } } } catch (Exception exception) { LOG.error("g
[ranger] branch master updated: RANGER-3535: A delegate admin user should be able to add another user with all or subset of permissions they have
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 695bedd RANGER-3535: A delegate admin user should be able to add another user with all or subset of permissions they have 695bedd is described below commit 695bedd07b4f58aef4f5747393c06d83c8805438 Author: Abhay Kulkarni AuthorDate: Fri Dec 3 15:01:01 2021 -0800 RANGER-3535: A delegate admin user should be able to add another user with all or subset of permissions they have --- .../model/RangerPolicyResourceSignature.java | 4 +- .../apache/ranger/biz/RangerPolicyAdminImpl.java | 244 + 2 files changed, 205 insertions(+), 43 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java index c84d0bc..77b274e 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java @@ -175,10 +175,10 @@ public class RangerPolicyResourceSignature { } - static class ResourceSerializer { + static public class ResourceSerializer { final RangerPolicyResource _policyResource; - ResourceSerializer(RangerPolicyResource policyResource) { + public ResourceSerializer(RangerPolicyResource policyResource) { _policyResource = policyResource; } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java index 5311a54..6dbc59f 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
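Review bot: `static public class ResourceSerializer` in the RangerPolicyResourceSignature hunk puts the modifiers in an unconventional order; the JLS-recommended spelling is `public static class ResourceSerializer {`. Widening the class and its constructor to public exposes a type whose only field, `_policyResource`, stays package-private, so a one-line Javadoc stating that it serialises a single RangerPolicyResource into the signature form, and that it is public for use from the admin module, would record why the visibility changed (the RangerPolicyAdminImpl import on the next line is presumably the consumer). The RangerPolicyAdminImpl hunks themselves begin on the next line.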
@@ -27,6 +27,7 @@ import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.contextenricher.RangerTagForEval; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.model.RangerPolicyResourceSignature; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.PolicyEngine; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; @@ -59,6 +60,7 @@ import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; +import java.util.TreeMap; public class RangerPolicyAdminImpl implements RangerPolicyAdmin { private static final Log LOG = LogFactory.getLog(RangerPolicyAdminImpl.class); @@ -176,22 +178,7 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin { @Override public boolean isDelegatedAdminAccessAllowedForModify(RangerPolicy policy, String user, Set userGroups, Set roles, Map evalContext) { -boolean ret = isDelegatedAdminAccessAllowed(policy, user, userGroups, roles, false, evalContext); -if (ret) { -// Get old policy from policy-engine -RangerPolicy oldPolicy = null; -if (policy.getId() != null) { -try { -oldPolicy = serviceDBStore.getPolicy(policy.getId()); -} catch (Exception e) { -// Ignore -} -} -if (oldPolicy != null) { -ret = isDelegatedAdminAccessAllowed(oldPolicy, user, userGroups, roles, false, evalContext); -} -} -return ret; +return isDelegatedAdminAccessAllowed(policy, user, userGroups, roles, false, evalContext); } boolean isDelegatedAdminAccessAllowed(RangerPolicy policy, String user, Set userGroups, Set roles, boolean isRead, Map evalContext) { 
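Review bot: In the third hunk (`@@ -176,22 +178,7 @@`) `isDelegatedAdminAccessAllowedForModify` now passes a bare `false` for the `isRead` parameter, which reads as a magic boolean at the call site; `return isDelegatedAdminAccessAllowed(policy, user, userGroups, roles, /* isRead */ false, evalContext);` keeps the intent visible. The removed block fetched the stored policy by id and re-checked the caller against it, swallowing any lookup failure with `// Ignore`; the callee's `else` branch in the next hunk opens with `// Get old policy`, so that check appears to have moved rather than been dropped, but the callee is cut off at the edge of this page and I cannot confirm it from here. A Javadoc sentence on the overriding method saying that modify access is evaluated against both the submitted and the persisted policy (if that is what the callee does) would make the contract explicit to callers in ServiceREST.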
@@ -217,46 +204,104 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin { final RangerPolicyRepository matchedRepository = policyEngine.getRepositoryForMatchedZone(policy); if (matchedRepository != null) { -// RANGER-3082 -// Convert policy resources to by substituting macros with ASTERISK -Map modifiedPolicyResources = getPolicyResourcesWithMacrosReplaced(policy.getResources(), wildcardEvalContext); -Set accessTypes = getAllAccessTypes(policy, getServiceDef()); +if (isRead) { +Set accessTypes = getAllAccessTypes(policy, getServiceDef()); +ret = isDelegatedAdminAccessAllowedForPolicy(matchedRepository, policy, user, userGroups, roles, accessTypes, true, evalContext); +} else { +// Get old policy
[ranger] branch master updated: RANGER-3519: Provide an option to optimize space needed by Trie objects - Part 2
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 5852efd RANGER-3519: Provide an option to optimize space needed by Trie objects - Part 2 5852efd is described below commit 5852efde1cba728ad580231ad02145ea72861186 Author: Abhay Kulkarni AuthorDate: Thu Dec 2 09:23:05 2021 -0800 RANGER-3519: Provide an option to optimize space needed by Trie objects - Part 2 --- .../RangerFileBasedTagRetriever.java | 9 + .../service/RangerDefaultRequestProcessor.java | 12 + .../ranger/plugin/util/RangerCommonConstants.java | 4 + .../plugin/util/RangerServiceTagsDeltaUtil.java| 58 ++- .../org/apache/ranger/plugin/util/ServiceTags.java | 48 +++ distro/src/main/assembly/ranger-tools.xml | 12 + ranger-tools/scripts/create_requests.py| 2 +- ranger-tools/scripts/gen_service_policies.sh | 475 + ranger-tools/scripts/gen_service_tags.sh | 30 +- .../policyengine/RangerPolicyenginePerfTester.java | 1 + .../src/test/resources/testdata/ranger-config.xml | 4 + ranger-tools/testdata/ranger-config.xml| 4 + .../java/org/apache/ranger/biz/TagDBStore.java | 7 + 13 files changed, 649 insertions(+), 17 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java index b858879..ab3b4a7 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java 
@@ -39,6 +39,7 @@ public class RangerFileBasedTagRetriever extends RangerTagRetriever { private URL serviceTagsFileURL; private String serviceTagsFileName; private Gson gsonBuilder; + private boolean deDupTags; @Override public void init(Map options) { @@ -53,6 +54,7 @@ public class RangerFileBasedTagRetriever extends RangerTagRetriever { String serviceTagsFileNameProperty = "serviceTagsFileName"; String serviceTagsDefaultFileName = "/testdata/test_servicetags_hive.json"; + String deDupTagsProperty = "deDupTags"; if (StringUtils.isNotBlank(serviceName) && serviceDef != null && StringUtils.isNotBlank(appId)) { InputStream serviceTagsFileStream = null; @@ -61,6 +63,8 @@ public class RangerFileBasedTagRetriever extends RangerTagRetriever { // Open specified file from options- it should contain service-tags serviceTagsFileName = options != null? options.get(serviceTagsFileNameProperty) : null; + String deDupTagsVal = options != null? options.get(deDupTagsProperty) : "false"; + deDupTags = Boolean.parseBoolean(deDupTagsVal); serviceTagsFileName = serviceTagsFileName == null ? serviceTagsDefaultFileName : serviceTagsFileName; @@ -137,6 +141,11 @@ public class RangerFileBasedTagRetriever extends RangerTagRetriever { if (serviceTags.getTagVersion() <= lastKnownVersion) { // No change in serviceTags serviceTags = null; + } else { + if (deDupTags) { + final int countOfDuplicateTags = serviceTags.dedupTags(); + LOG.info("Number of duplicate tags removed from the received serviceTags:[" + countOfDuplicateTags + "]. Number of tags in the de-duplicated serviceTags :[" + serviceTags.getTags().size() + "]."); + } } } catch (IOException e) { LOG.warn("Error processing input file: or no privilege for reading file " + serviceTagsFileName); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java index facf05d..c2e8ae9 100644 
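Review bot: The new `deDupTags` field in the first hunk and the option it is read from in the third hunk (`@@ -61,6 +63,8 @@`) carry no comment explaining the option; a line above the field such as `// "deDupTags" init option: when true, ServiceTags.dedupTags() is applied to tags loaded from the file before they are returned` would do. In the fourth hunk the `LOG.info` call dereferences `serviceTags.getTags().size()`; if `getTags()` can return null for a file with no tags that line throws inside the success path, so `(serviceTags.getTags() == null ? 0 : serviceTags.getTags().size())` may be warranted — the ServiceTags accessor is not visible here, so treat this as a question. Note also that `Boolean.parseBoolean(null)` is already false, so the `"false"` default in the third hunk only matters when `options` itself is null, which is fine but slightly misleading to read. `init` continues outside these hunks.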
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java @@ -21,6 +21,7 @@ package org.apache.ranger.plugin.service; import org.apache.commons.collections.C
[ranger] branch master updated: RANGER-3490: Make policy resource signature is unique in a service
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 856571c RANGER-3490: Make policy resource signature is unique in a service 856571c is described below commit 856571c4348e31725498c0922338339c76ebba02 Author: Abhay Kulkarni AuthorDate: Wed Nov 24 07:38:20 2021 -0800 RANGER-3490: Make policy resource signature is unique in a service --- .../model/RangerPolicyResourceSignature.java | 5 .../model/validation/RangerPolicyValidator.java| 35 ++ .../plugin/model/validation/RangerValidator.java | 21 + .../model/TestRangerPolicyResourceSignature.java | 18 +++ .../validation/TestRangerPolicyValidator.java | 24 +-- .../model/validation/TestRangerValidator.java | 4 +-- .../java/org/apache/ranger/biz/ServiceDBStore.java | 30 --- .../org/apache/ranger/biz/TestServiceDBStore.java | 4 +++ 8 files changed, 95 insertions(+), 46 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java index 312005e..c84d0bc 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java @@ -121,6 +121,8 @@ public class RangerPolicyResourceSignature { LOG.debug("isPolicyValidForResourceSignatureComputation: resources collection on policy was null!"); } else if (_policy.getResources().containsKey(null)) { LOG.debug("isPolicyValidForResourceSignatureComputation: resources collection has resource with null name!"); + } else if (StringUtils.isEmpty(_policy.getGuid())) { + LOG.debug("isPolicyValidForResourceSignatureComputation: policy GUID is empty!"); } else { valid = true; } 
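Review bot: The new `StringUtils.isEmpty(_policy.getGuid())` branch makes a missing GUID disqualify every policy from signature computation, yet the signature hunk on the next line only folds the GUID in when the policy is disabled; an enabled policy without a GUID therefore now gets no signature even though its signature does not depend on the GUID, and by the validator change later in this commit presumably no resource-uniqueness check either. If that is intended, a comment on the new branch should say so, e.g. `// GUID is required because disabled policies fold it into their signature; enabled policies share the requirement for consistency`; otherwise the check could be restricted to the disabled path. I cannot see where GUIDs are assigned, so whether an enabled policy can realistically reach this code without one is an open question from this hunk. `isPolicyValidForResourceSignatureComputation` begins before the hunk.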
@@ -163,6 +165,9 @@ public class RangerPolicyResourceSignature { CustomConditionSerialiser customConditionSerialiser = new CustomConditionSerialiser(_policy.getConditions()); resource += customConditionSerialiser.toString(); } + if (!_policy.getIsEnabled()) { + resource += _policy.getGuid(); + } String result = String.format("{version=%d,type=%d,resource=%s}", _SignatureVersion, type, resource); return result; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java index 0ba1fb9..0519227 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java @@ -539,25 +539,22 @@ public class RangerPolicyValidator extends RangerValidator { } boolean valid = true; - if (!Boolean.TRUE.equals(policy.getIsEnabled())) { - LOG.debug("Policy is disabled. Skipping resource uniqueness validation."); - } else { - RangerPolicyResourceSignature policySignature = _factory.createPolicyResourceSignature(policy); - String signature = policySignature.getSignature(); - List policies = getPoliciesForResourceSignature(policy.getService(), signature); - if (CollectionUtils.isNotEmpty(policies)) { - ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_DUPLICATE_POLICY_RESOURCE; - RangerPolicy matchedPolicy = policies.iterator().next(); - // there shouldn't be a matching policy for create. During update only match should be to itself - if (action == Action.CREATE || (action == Action.UPDATE && (policies.size() > 1 || !matchedPolicy.getId().equals(policy.getId() { - failures.add(new ValidationFailureDetailsBuilder() - .field("resources") - .isSemanticallyIncorrect() -
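Review bot: `if (!_policy.getIsEnabled())` in the first hunk unboxes the getter's result; the validator code removed in the second hunk tested the same getter with `Boolean.TRUE.equals(policy.getIsEnabled())`, which suggests it returns a boxed `Boolean` that may be null, in which case this line throws a NullPointerException for a policy with no explicit enabled flag. `if (!Boolean.TRUE.equals(_policy.getIsEnabled())) {` keeps the disabled-policy behaviour and treats an unset flag the way the old validator guard did. A comment on the branch, `// disabled policies may legitimately share resources; the GUID keeps their signatures distinct`, would record why the GUID is appended only here. The validator hunk (`@@ -539,25 +539,22 @@`) is cut off at the edge of this page.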
[ranger] branch master updated: RANGER-3522: Improve Tagsync authentication error reporting
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 3f82858 RANGER-3522: Improve Tagsync authentication error reporting 3f82858 is described below commit 3f82858760e01ed186a2b3055c95b9cdd343db4b Author: Abhay Kulkarni AuthorDate: Mon Nov 22 17:44:44 2021 -0800 RANGER-3522: Improve Tagsync authentication error reporting --- .../ranger/tagsync/process/TagSynchronizer.java| 45 -- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java index c723b0f..9800566 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java 
@@ -398,34 +398,39 @@ public class TagSynchronizer { LOG.debug("nameRules=" + nameRules); } } - final boolean isKerberized = !StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab); + final boolean isKerberized = !StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS); if (isKerberized) { - if (LOG.isDebugEnabled()) { - LOG.debug("Trying to get kerberos identitiy"); - } + LOG.info("Configured for Kerberos Authentication"); - UserGroupInformation kerberosIdentity; + if (SecureClientLogin.isKerberosCredentialExists(principal, keytab)) { + LOG.error("Invalid Kerberos principal and/or keytab specified. Failed to initialize Kerberos identity"); + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("Trying to get kerberos identity"); + } - try { - UserGroupInformation.loginUserFromKeytab(principal, keytab); - kerberosIdentity = UserGroupInformation.getLoginUser(); - if (kerberosIdentity != null) { - props.put(TagSyncConfig.TAGSYNC_KERBEROS_IDENTITY, kerberosIdentity.getUserName()); - if (LOG.isDebugEnabled()) { - LOG.debug("Got UGI, user:[" + kerberosIdentity.getUserName() + "]"); + UserGroupInformation kerberosIdentity; + + try { + UserGroupInformation.loginUserFromKeytab(principal, keytab); + kerberosIdentity = UserGroupInformation.getLoginUser(); + if (kerberosIdentity != null) { + props.put(TagSyncConfig.TAGSYNC_KERBEROS_IDENTITY, kerberosIdentity.getUserName()); + if (LOG.isDebugEnabled()) { + LOG.debug("Got UGI, user:[" + kerberosIdentity.getUserName() + "]"); + } + ret = true; + } else { + LOG.error("KerberosIdentity is null!"); } - ret = true; - } else { - LOG.error("KerberosIdentity is null!"); + } catch (IOException exception) { + LOG.error("Failed to get UGI from principal:[" + principal + "], and keytab:[" + keytab + "]", exception); } - } catch (IOException exception) { - LOG.error("Failed to 
get UGI from principal:[" + principal + "], and keytab:[" + keytab + "]", exception); } } else { - if (LOG.isDebugEnabled()) { - LOG.debug("Not configured for Kerberos Authentication"); - } + LOG.info("Not configured for Kerberos Authentication"); + props.remove(TagSyncConfig.TAGSYNC_KERBEROS_IDENTITY); ret = true;
[ranger] branch master updated: RANGER-3519: Provide an option to optimize space needed by Trie objects
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 71888f2 RANGER-3519: Provide an option to optimize space needed by Trie objects 71888f2 is described below commit 71888f243d38ae7cff5e0406c7d54a386d269664 Author: Abhay Kulkarni AuthorDate: Sun Nov 21 09:38:11 2021 -0800 RANGER-3519: Provide an option to optimize space needed by Trie objects --- .../plugin/contextenricher/RangerTagEnricher.java | 4 +- .../policyengine/RangerPolicyEngineOptions.java| 32 +++- .../policyengine/RangerPolicyRepository.java | 22 - .../plugin/policyengine/RangerResourceTrie.java| 57 +++--- distro/src/main/assembly/ranger-tools.xml | 6 +++ ranger-tools/scripts/create_requests.py| 42 .../ranger/policyengine/PerfTestConfiguration.java | 31 .../apache/ranger/policyengine/PerfTestEngine.java | 7 +++ .../ranger/policyengine/PerfTestOptions.java | 11 + .../policyengine/RangerPolicyenginePerfTester.java | 27 ++ .../src/test/resources/testdata/ranger-config.xml | 9 .../resources/testdata/test_requests_hive.json | 4 +- ranger-tools/testdata/ranger-config.xml| 11 - 13 files changed, 227 insertions(+), 36 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index c8346d3..6b0451e 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 
@@ -447,7 +447,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { serviceResourceTrie = new HashMap<>(); for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) { - serviceResourceTrie.put(resourceDef.getName(), new RangerResourceTrie(resourceDef, resourceMatchers, getPolicyEngineOptions().optimizeTrieForRetrieval, null)); + serviceResourceTrie.put(resourceDef.getName(), new RangerResourceTrie(resourceDef, resourceMatchers, getPolicyEngineOptions().optimizeTagTrieForRetrieval, getPolicyEngineOptions().optimizeTagTrieForSpace, null)); } } enrichedServiceTags = new EnrichedServiceTags(serviceTags, resourceMatchers, serviceResourceTrie); @@ -491,7 +491,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { LOG.debug("Added resource-matcher for service-resource:[" + serviceResource + "]"); } } else { - trie = new RangerResourceTrie<>(resourceDef, Collections.singletonList(resourceMatcher)); + trie = new RangerResourceTrie<>(resourceDef, Collections.singletonList(resourceMatcher), getPolicyEngineOptions().optimizeTagTrieForRetrieval, getPolicyEngineOptions().optimizeTagTrieForSpace, null); serviceResourceTrie.put(resourceDef.getName(), trie); } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java index 07d0a39..2afa755 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java 
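Review bot: Both hunks call `getPolicyEngineOptions()` twice in the same expression, and the first does so inside the loop over `serviceDef.getResources()`; hoisting `RangerPolicyEngineOptions opts = getPolicyEngineOptions();` before the loop and passing `opts.optimizeTagTrieForRetrieval, opts.optimizeTagTrieForSpace` reads better and avoids repeating the accessor per resource. Two adjacent boolean arguments are easy to transpose at call sites; since RangerResourceTrie's constructor is being changed in this commit (it is in the diffstat), consider having it take the options object, or at least document the parameter order on the constructor. Whether the second hunk's call site previously relied on constructor defaults for these flags is not visible here. The enclosing methods start outside the hunks.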
@@ -37,6 +37,10 @@ public class RangerPolicyEngineOptions { public boolean disableAccessEvaluationWithPolicyACLSummary = true; public boolean optimizeTrieForRetrieval = false; public boolean disableRoleResolution = true; + public boolean optimizeTrieForSpace = false; + public boolean optimizeTagTrieForRetrieval = false; + public boolean optimizeTagTrieForSpace = false; + private RangerServiceDefHelper serviceDefHelper; @@ -56,6 +60,9 @@ public class RangerPolicyEngineOptions { this.optimizeTrieForRetr
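Review bot: The three new public mutable booleans in the first hunk (`optimizeTrieForSpace`, `optimizeTagTrieForRetrieval`, `optimizeTagTrieForSpace`) are undocumented, and nothing here says how `optimizeTrieForSpace` interacts with the existing `optimizeTrieForRetrieval` when both are true. A comment block above them would help, for example `// Trie tuning flags; optimizeTrieForSpace and optimizeTrieForRetrieval are independent booleans — TODO(review): document precedence when both are set, and which tries the Tag* variants govern`. The copy-constructor hunk (`@@ -56,6 +60,9 @@`) that should propagate these fields is cut off at the edge of this page, so I could not check that all three are copied.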
[ranger] branch master updated: RANGER-3481: Incremental policy updates do not work correctly for multiple security zones
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new b8f8a3e RANGER-3481: Incremental policy updates do not work correctly for multiple security zones b8f8a3e is described below commit b8f8a3e30781a5e3165debe885cdc21e24e5d500 Author: Abhay Kulkarni AuthorDate: Wed Oct 13 13:45:20 2021 -0700 RANGER-3481: Incremental policy updates do not work correctly for multiple security zones --- .../ranger/plugin/policyengine/PolicyEngine.java | 20 +++- .../ranger/plugin/util/RangerPolicyDeltaUtil.java| 2 +- 2 files changed, 8 insertions(+), 14 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java index eee1b7a..7299387 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java 
@@ -849,22 +849,16 @@ public class PolicyEngine { Map> zoneDeltasMap = new HashMap<>(); for (Map.Entry zone : servicePolicies.getSecurityZones().entrySet()) { -List deltas = zone.getValue().getPolicyDeltas(); +String zoneName = zone.getKey(); +List deltas = zone.getValue().getPolicyDeltas(); +List zoneDeltas = new ArrayList<>(); -for (RangerPolicyDelta delta : deltas) { -String zoneName = delta.getZoneName(); - -if (StringUtils.isNotEmpty(zoneName)) { -List zoneDeltas = zoneDeltasMap.get(zoneName); - -if (zoneDeltas == null) { -zoneDeltas = new ArrayList<>(); -zoneDeltasMap.put(zoneName, zoneDeltas); -} +if (StringUtils.isNotEmpty(zoneName)) { +zoneDeltasMap.put(zoneName, zoneDeltas); +for (RangerPolicyDelta delta : deltas) { +zoneDeltas = zoneDeltasMap.get(zoneName); zoneDeltas.add(delta); -} else { -LOG.warn("policyDelta : [" + delta + "] does not belong to any zone. Should not have come here."); } } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java index 8866eed..38c62ed 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java @@ -134,7 +134,7 @@ public class RangerPolicyDeltaUtil { } } else { if (LOG.isDebugEnabled()) { -LOG.warn("Unexpected : applyDeltas called with deltas=null"); +LOG.debug("applyDeltas called with empty deltas. Will return policies without change"); } ret = policies; }
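Review bot: In the first hunk the inner loop re-reads `zoneDeltas = zoneDeltasMap.get(zoneName);` on every delta although the same list was put under that key two lines earlier; the body can be simply `zoneDeltas.add(delta);`, or the whole `if` block collapses to `zoneDeltasMap.put(zoneName, new ArrayList<>(deltas));`. The removed code logged a warning for a delta that belonged to no zone, whereas the new code silently skips any `securityZones` entry whose key is empty, so a malformed zone map now leaves no trace — an `else` branch with `LOG.warn("ignoring security-zone entry with empty name")` would preserve the old diagnostics. Deltas are now grouped by the map key rather than by `delta.getZoneName()`, which is the point of the fix; a one-line comment saying the map key is authoritative would stop the next reader from re-introducing the per-delta lookup. The enclosing method starts before the hunk.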
[ranger] branch master updated: RANGER-3453: Avoid logging sensitive information in UserMgr.java
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 4715c3e RANGER-3453: Avoid logging sensitive information in UserMgr.java 4715c3e is described below commit 4715c3e81fdf59b3d9bcc9fc0133ec6228799404 Author: Abhishek Kumar AuthorDate: Wed Oct 6 16:16:02 2021 -0700 RANGER-3453: Avoid logging sensitive information in UserMgr.java --- .../main/java/org/apache/ranger/biz/UserMgr.java | 151 ++--- .../org/apache/ranger/view/VXPasswordChange.java | 6 +- 2 files changed, 45 insertions(+), 112 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java index 7046c9b..91144fb 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 
@@ -198,127 +198,73 @@ public class UserMgr { * @return */ public XXPortalUser updateUser(VXPortalUser userProfile) { - XXPortalUser gjUser = daoManager.getXXPortalUser().getById( - userProfile.getId()); + XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userProfile.getId()); if (gjUser == null) { - logger.error("updateUser(). User not found. userProfile=" - + userProfile); + logger.error("updateUser(). User not found. userProfile=" + userProfile); return null; } checkAccess(gjUser); -rangerBizUtil.blockAuditorRoleUser(); - boolean updateUser = false; + rangerBizUtil.blockAuditorRoleUser(); // Selectively update fields - // status - if (userProfile.getStatus() != gjUser.getStatus()) { - updateUser = true; - } - // Allowing email address update even when its set to empty. - // emailAddress String emailAddress = userProfile.getEmailAddress(); if (stringUtil.isEmpty(emailAddress)) { userProfile.setEmailAddress(null); - updateUser = true; } else { if (stringUtil.validateEmail(emailAddress)) { - XXPortalUser checkUser = daoManager.getXXPortalUser() - .findByEmailAddress(emailAddress); + XXPortalUser checkUser = daoManager.getXXPortalUser().findByEmailAddress(emailAddress); if (checkUser != null) { String loginId = userProfile.getLoginId(); if (loginId == null) { throw restErrorUtil.createRESTException( - "Invalid user, please provide valid " - + "username.", - MessageEnums.INVALID_INPUT_DATA); + "Invalid user, please provide valid username.", MessageEnums.INVALID_INPUT_DATA); } else if (!loginId.equals(checkUser.getLoginId())) { - throw restErrorUtil - .createRESTException( - "The email address " - + "you've provided already exists in system.", - MessageEnums.INVALID_INPUT_DATA); + throw restErrorUtil.createRESTException( + "The email address you've provided already exists in system.", MessageEnums.INVALID_INPUT_DATA); } else { userProfile.setEmailAddress(emailAddress); - updateUser = true; } } else { userProfile.setEmailAddress(emailAddress); - upd
[ranger] branch ranger-2.2 updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new c1c22d9 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2 c1c22d9 is described below commit c1c22d94065e96705f696075d10f6ec41e282a05 Author: Abhay Kulkarni AuthorDate: Fri Oct 1 12:44:52 2021 -0700 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2 --- .../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 739ecd0..9757047 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -138,6 +138,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if(policy != null) { validityScheduleEvaluators = createValidityScheduleEvaluators(policy); + this.disableRoleResolution = options.disableRoleResolution; + if (!options.disableAccessEvaluationWithPolicyACLSummary) { aclSummary = createPolicyACLSummary(); }
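Review bot: `this.disableRoleResolution = options.disableRoleResolution;` is assigned only inside `if (policy != null)`, so an evaluator initialised with a null policy keeps whatever the field held before (its default is not visible here); if the field is meant to mirror the option unconditionally, the assignment belongs above the null check. It is placed between the validity-schedule setup and the ACL-summary construction without a comment; `// role resolution must be decided before any ACL summary is built from this policy` would explain the ordering if that is the dependency, which I am inferring from position alone. The enclosing initialisation method begins before this hunk.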
[ranger] branch ranger-2.2 updated: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new f5924b3 RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource f5924b3 is described below commit f5924b3476ba3fed6f128e6257ebab9bea5cd769 Author: Abhay Kulkarni AuthorDate: Tue Oct 5 19:19:37 2021 -0700 RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource --- .../org/apache/ranger/biz/RangerPolicyAdmin.java | 7 +++- .../apache/ranger/biz/RangerPolicyAdminCache.java | 2 + .../apache/ranger/biz/RangerPolicyAdminImpl.java | 48 +++--- .../java/org/apache/ranger/rest/ServiceREST.java | 15 +-- 4 files changed, 63 insertions(+), 9 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java index e2a0884..f1ce602 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java @@ -27,6 +27,7 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessResource; +import org.apache.ranger.plugin.store.ServiceStore; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.RangerRoles; 
@@ -34,7 +35,9 @@ public interface RangerPolicyAdmin { boolean isDelegatedAdminAccessAllowed(RangerAccessResource resource, String zoneName, String user, Set userGroups, Set accessTypes); -boolean isDelegatedAdminAccessAllowed(RangerPolicy policy, String user, Set userGroups, Set roles, Map evalContext); +boolean isDelegatedAdminAccessAllowedForRead(RangerPolicy policy, String user, Set userGroups, Set roles, Map evalContext); + +boolean isDelegatedAdminAccessAllowedForModify(RangerPolicy policy, String user, Set userGroups, Set roles, Map evalContext); List getExactMatchPolicies(RangerAccessResource resource, String zoneName, Map evalContext); @@ -62,4 +65,6 @@ public interface RangerPolicyAdmin { // This API is used only by test-code List getAllowedUnzonedPolicies(String user, Set userGroups, String accessType); +void setServiceStore(ServiceStore svcStore); + } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java index a6f0a1a..5a69231 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java @@ -96,6 +96,8 @@ public class RangerPolicyAdminCache { } if (ret == null) { LOG.error("Policy-engine is not built! Returning null policy-engine!"); + } else { + ret.setServiceStore(svcStore); } return ret; diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java index 090384b..5311a54 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
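Review bot: `void setServiceStore(ServiceStore svcStore);` in the second hunk (`@@ -62,4 +65,6 @@`) is added to the RangerPolicyAdmin interface without Javadoc, next to a method whose only comment says it is for test code, so a reader cannot tell whether it is a lifecycle hook that must precede the `...ForRead`/`...ForModify` checks or an optional injection. Suggested Javadoc: `/** Supplies the store used to look up the persisted version of a policy during delegated-admin checks; must be set before isDelegatedAdminAccessAllowedForModify is used. */` — confirm the first clause against RangerPolicyAdminImpl, whose implementation is cut off at the edge of this page. In the RangerPolicyAdminCache hunk the store is re-injected on every cache hit via `ret.setServiceStore(svcStore);`, which writes to a shared cached engine per request; if the same store instance is always passed this is harmless, but setting it once when the engine is built would avoid the repeated unguarded write. The first hunk replaces `isDelegatedAdminAccessAllowed(RangerPolicy, ...)` with read/modify variants, so every implementor and caller outside the diffstat needs updating.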
@@ -42,6 +42,7 @@ import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher; import org.apache.ranger.plugin.service.RangerDefaultRequestProcessor; +import org.apache.ranger.plugin.store.ServiceStore; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.RangerAccessRequestUtil; import org.apache.ranger.plugin.util.RangerPerfTracer; @@ -70,6 +71,7 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin { @Override public Object get(Object key) { return RangerAbstractResourceMatcher.WILDCARD_ASTERISK; } }; +private ServiceDBStore serviceDBStore; static { wildcardEvalContext.put(RangerAbstractResourceMatcher.WILDCARD_ASTERISK, RangerAbstractResourceMatcher.WILDCARD_ASTERISK); @@ -104,6 +106,13 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin { } @Override +public void setServiceStore(ServiceStore svcStore) { +if (svcStore instanceof ServiceDBStore) { +this.serviceDBStore = (Serv
[ranger] branch master updated: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new d90361d RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource d90361d is described below commit d90361db662de1531eafa4d05853e7bc7e08c2a2 Author: Abhay Kulkarni AuthorDate: Tue Oct 5 19:19:37 2021 -0700 RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource --- .../org/apache/ranger/biz/RangerPolicyAdmin.java | 7 +++- .../apache/ranger/biz/RangerPolicyAdminCache.java | 2 + .../apache/ranger/biz/RangerPolicyAdminImpl.java | 48 +++--- .../java/org/apache/ranger/rest/ServiceREST.java | 15 +-- 4 files changed, 63 insertions(+), 9 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java index e2a0884..f1ce602 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java @@ -27,6 +27,7 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessResource; +import org.apache.ranger.plugin.store.ServiceStore; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.RangerRoles; 
@@ -34,7 +35,9 @@ public interface RangerPolicyAdmin { boolean isDelegatedAdminAccessAllowed(RangerAccessResource resource, String zoneName, String user, Set userGroups, Set accessTypes); -boolean isDelegatedAdminAccessAllowed(RangerPolicy policy, String user, Set userGroups, Set roles, Map evalContext); +boolean isDelegatedAdminAccessAllowedForRead(RangerPolicy policy, String user, Set userGroups, Set roles, Map evalContext); + +boolean isDelegatedAdminAccessAllowedForModify(RangerPolicy policy, String user, Set userGroups, Set roles, Map evalContext); List getExactMatchPolicies(RangerAccessResource resource, String zoneName, Map evalContext); @@ -62,4 +65,6 @@ public interface RangerPolicyAdmin { // This API is used only by test-code List getAllowedUnzonedPolicies(String user, Set userGroups, String accessType); +void setServiceStore(ServiceStore svcStore); + } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java index a6f0a1a..5a69231 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java @@ -96,6 +96,8 @@ public class RangerPolicyAdminCache { } if (ret == null) { LOG.error("Policy-engine is not built! Returning null policy-engine!"); + } else { + ret.setServiceStore(svcStore); } return ret; diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java index 090384b..5311a54 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
@@ -42,6 +42,7 @@ import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher; import org.apache.ranger.plugin.service.RangerDefaultRequestProcessor; +import org.apache.ranger.plugin.store.ServiceStore; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.RangerAccessRequestUtil; import org.apache.ranger.plugin.util.RangerPerfTracer; @@ -70,6 +71,7 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin { @Override public Object get(Object key) { return RangerAbstractResourceMatcher.WILDCARD_ASTERISK; } }; +private ServiceDBStore serviceDBStore; static { wildcardEvalContext.put(RangerAbstractResourceMatcher.WILDCARD_ASTERISK, RangerAbstractResourceMatcher.WILDCARD_ASTERISK); @@ -104,6 +106,13 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin { } @Override +public void setServiceStore(ServiceStore svcStore) { +if (svcStore instanceof ServiceDBStore) { +this.serviceDBStore = (Serv
[ranger] branch master updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 1debdbc RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2 1debdbc is described below commit 1debdbcdec23c6688d4589253e75a32a894659c3 Author: Abhay Kulkarni AuthorDate: Fri Oct 1 12:44:52 2021 -0700 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2 --- .../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index d25e306..c80050c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -138,6 +138,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if(policy != null) { validityScheduleEvaluators = createValidityScheduleEvaluators(policy); + this.disableRoleResolution = options.disableRoleResolution; + if (!options.disableAccessEvaluationWithPolicyACLSummary) { aclSummary = createPolicyACLSummary(); }
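Review bot: The new `this.disableRoleResolution = options.disableRoleResolution;` is placed inside `if (policy != null)`, so an evaluator initialised with a null policy keeps the field's default instead of the configured option. Unless a null policy makes the evaluator unusable anyway, the assignment belongs above the null check so the flag always mirrors `options`. A one-line comment on why role resolution is switched per evaluator would also help; the ACL-summary creation just below looks like the consumer, but that is inferred since the consumer is outside the hunk. The enclosing method begins and ends outside the hunk.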
[ranger] branch ranger-2.2 updated: RANGER-3441:PropertiesUtil (Admin) logging potentially sensitive data
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new f47acb5 RANGER-3441:PropertiesUtil (Admin) logging potentially sensitive data new 20234c1 Merge branch 'ranger-2.2' of https://gitbox.apache.org/repos/asf/ranger into ranger-2.2 f47acb5 is described below commit f47acb52681c0d8378b15637299f8baf51d0d226 Author: Abhishek Kumar AuthorDate: Tue Sep 28 12:33:35 2021 -0700 RANGER-3441:PropertiesUtil (Admin) logging potentially sensitive data --- .../src/main/java/org/apache/ranger/common/PropertiesUtil.java| 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java index 80a2d60..0ad7abb 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java @@ -62,8 +62,7 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer { Set keySet = System.getProperties().keySet(); for (Object key : keySet) { String keyStr = key.toString(); - propertiesMap.put(keyStr, System.getProperties() - .getProperty(keyStr).trim()); + propertiesMap.put(keyStr, System.getProperties().getProperty(keyStr).trim()); } // Let's add our properties now 
@@ -321,8 +320,9 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer { keySet = props.keySet(); for (Object key : keySet) { String keyStr = key.toString(); -logger.debug("PropertiesUtil:[" + keyStr + "][" + -(keyStr.contains("password") || keyStr.contains("keystore.pass") ? "]" : props.get(keyStr)) + "]"); + if (logger.isDebugEnabled()) { + logger.debug("PropertiesUtil:[" + keyStr + "][" + (keyStr.toLowerCase().contains("pass") ? "]" : props.get(keyStr)) + "]"); + } } super.processProperties(beanFactory, props);
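Review bot: The masking test `keyStr.toLowerCase().contains("pass")` still logs the value of every property whose key lacks that substring, so keys naming secrets, tokens, credentials or private keys would be printed in clear at DEBUG level; the previous `password`/`keystore.pass` check had the same shape, and the commit only widens one substring. A deny-list that also covers `secret`, `token`, `credential` and `key`, or better an allow-list of keys known to be safe to log, would close that gap, and `toLowerCase(Locale.ROOT)` avoids locale-dependent case mapping. The `isDebugEnabled()` guard is a good addition since the message string is built eagerly. The same hunk appears in the master-branch commit below.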
[ranger] branch master updated: RANGER-3441:PropertiesUtil (Admin) logging potentially sensitive data
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new f599c91 RANGER-3441:PropertiesUtil (Admin) logging potentially sensitive data new 0ffc660 Merge branch 'master' of https://gitbox.apache.org/repos/asf/ranger f599c91 is described below commit f599c916d84461847613560f856be47438bda884 Author: Abhishek Kumar AuthorDate: Tue Sep 28 12:33:35 2021 -0700 RANGER-3441:PropertiesUtil (Admin) logging potentially sensitive data --- .../src/main/java/org/apache/ranger/common/PropertiesUtil.java| 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java index 80a2d60..0ad7abb 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java @@ -62,8 +62,7 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer { Set keySet = System.getProperties().keySet(); for (Object key : keySet) { String keyStr = key.toString(); - propertiesMap.put(keyStr, System.getProperties() - .getProperty(keyStr).trim()); + propertiesMap.put(keyStr, System.getProperties().getProperty(keyStr).trim()); } // Let's add our properties now 
@@ -321,8 +320,9 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer { keySet = props.keySet(); for (Object key : keySet) { String keyStr = key.toString(); -logger.debug("PropertiesUtil:[" + keyStr + "][" + -(keyStr.contains("password") || keyStr.contains("keystore.pass") ? "]" : props.get(keyStr)) + "]"); + if (logger.isDebugEnabled()) { + logger.debug("PropertiesUtil:[" + keyStr + "][" + (keyStr.toLowerCase().contains("pass") ? "]" : props.get(keyStr)) + "]"); + } } super.processProperties(beanFactory, props);
[ranger] branch ranger-2.2 updated: RANGER-3404: user with no permissions can access and edit deligate admin only policies
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new 0324e50 RANGER-3404: user with no permissions can access and edit deligate admin only policies 0324e50 is described below commit 0324e50c4833555fed6dbdb6166c12bf8ffb18c8 Author: Abhay Kulkarni AuthorDate: Fri Sep 17 22:31:42 2021 -0700 RANGER-3404: user with no permissions can access and edit deligate admin only policies --- .../RangerDefaultPolicyEvaluator.java | 16 .../RangerDefaultPolicyItemEvaluator.java | 2 ++ .../apache/ranger/biz/RangerPolicyAdminImpl.java | 30 +++--- 3 files changed, 28 insertions(+), 20 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 8471918..739ecd0 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -382,10 +382,16 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator Set ret = null; if (isMatch(resources, evalContext)) { - ret = new HashSet<>(); - for (String accessType : accessTypes) { - if (isAccessAllowed(user, userGroups, roles, null, accessType)) { - ret.add(accessType); + if (CollectionUtils.isNotEmpty(accessTypes)) { + ret = new HashSet<>(); + for (String accessType : accessTypes) { + if (isAccessAllowed(user, userGroups, roles, null, accessType)) { + ret.add(accessType); + } + } + } else { + if (isAccessAllowed(user, userGroups, roles, null, null)) { + ret = new HashSet<>(); } } } 
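Review bot: After this change the method returns an empty but non-null set when `accessTypes` is empty and `isAccessAllowed(user, userGroups, roles, null, null)` succeeds, and still returns null when the resource did not match, so callers must tell null from empty; a caller testing `isEmpty()` would treat a successful delegated-admin match as no access. Nothing in the hunk records that contract; I would put a comment above `Set ret = null;` such as `// null: no match; empty set: matched, but no specific access-types were requested (e.g. delegated-admin check)`, hedged because the purpose of the empty-accessTypes case is inferred from the commit title rather than shown. The enclosing method begins and ends outside the hunk; the identical hunk is in the master-branch commit below.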
@@ -959,7 +965,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator LOG.debug("Using ACL Summary for checking if access is allowed. PolicyId=[" + getId() +"]"); } - Integer accessResult = lookupPolicyACLSummary(user, userGroups, roles, accessType); + Integer accessResult = StringUtils.isEmpty(accessType) ? null : lookupPolicyACLSummary(user, userGroups, roles, accessType); if (accessResult != null && accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED)) { ret = true; } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java index 8f2d3f1..2cf9a99 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java @@ -212,6 +212,8 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv break; } } + } else if (StringUtils.isEmpty(accessType)) { + ret = true; } } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java index 2eef20b..090384b 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java @@ -193,24 +193,24 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin { LOG.debug("Checking admin-access for the access-types:[" + accessTypes + "]"); } -if (CollectionUtils.isEmpty(accessTypes)) { -LOG.info("access-types to check for admin-access are empty!! Allowing adm
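Review bot: The new branch `} else if (StringUtils.isEmpty(accessType)) { ret = true; }` in RangerDefaultPolicyItemEvaluator appears to make an empty or null access type match the policy item for any subject the earlier, not visible, user/group/role checks accepted, so "no access type" becomes "any access type" for this evaluator. That is what a delegated-admin membership check needs, but the evaluator is shared with request evaluation, so the branch should carry a comment such as `// empty accessType: caller checks policy-item membership only (delegated-admin), not a specific permission` and callers should be audited so an empty accessType cannot reach it from a request path. Note the asymmetry with the @@ -959,7 +965,7 @@ hunk, where `StringUtils.isEmpty(accessType) ? null : lookupPolicyACLSummary(...)` makes the ACL-summary path never match an empty access type; a sentence explaining why the two paths differ belongs beside that line. Both enclosing methods begin and end outside their hunks; the same hunks appear in the master-branch commit below.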
[ranger] branch master updated: RANGER-3404: user with no permissions can access and edit deligate admin only policies
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 53c9811 RANGER-3404: user with no permissions can access and edit deligate admin only policies 53c9811 is described below commit 53c98116850f90810c0bb85d651a64fe01ef865d Author: Abhay Kulkarni AuthorDate: Fri Sep 17 22:31:42 2021 -0700 RANGER-3404: user with no permissions can access and edit deligate admin only policies --- .../RangerDefaultPolicyEvaluator.java | 16 .../RangerDefaultPolicyItemEvaluator.java | 2 ++ .../apache/ranger/biz/RangerPolicyAdminImpl.java | 30 +++--- 3 files changed, 28 insertions(+), 20 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 9f0abf2..d25e306 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -382,10 +382,16 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator Set ret = null; if (isMatch(resources, evalContext)) { - ret = new HashSet<>(); - for (String accessType : accessTypes) { - if (isAccessAllowed(user, userGroups, roles, null, accessType)) { - ret.add(accessType); + if (CollectionUtils.isNotEmpty(accessTypes)) { + ret = new HashSet<>(); + for (String accessType : accessTypes) { + if (isAccessAllowed(user, userGroups, roles, null, accessType)) { + ret.add(accessType); + } + } + } else { + if (isAccessAllowed(user, userGroups, roles, null, null)) { + ret = new HashSet<>(); } } } 
@@ -959,7 +965,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator LOG.debug("Using ACL Summary for checking if access is allowed. PolicyId=[" + getId() +"]"); } - Integer accessResult = lookupPolicyACLSummary(user, userGroups, roles, accessType); + Integer accessResult = StringUtils.isEmpty(accessType) ? null : lookupPolicyACLSummary(user, userGroups, roles, accessType); if (accessResult != null && accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED)) { ret = true; } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java index 8f2d3f1..2cf9a99 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java @@ -212,6 +212,8 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv break; } } + } else if (StringUtils.isEmpty(accessType)) { + ret = true; } } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java index 2eef20b..090384b 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java @@ -193,24 +193,24 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin { LOG.debug("Checking admin-access for the access-types:[" + accessTypes + "]"); } -if (CollectionUtils.isEmpty(accessTypes)) { -LOG.info("access-types to check for admin-access are empty!! Allowing adm
[ranger] branch ranger-2.2 updated: RANGER-3419:compressDeltas method returns two ranger policy entries for policy create+update case when provided lastKnownVersion is previous to create call
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new 3773072 RANGER-3419:compressDeltas method returns two ranger policy entries for policy create+update case when provided lastKnownVersion is previous to create call 3773072 is described below commit 37730726038082a074f3a2621185c560515d929b Author: Abhay Kulkarni AuthorDate: Fri Sep 17 14:53:07 2021 -0700 RANGER-3419:compressDeltas method returns two ranger policy entries for policy create+update case when provided lastKnownVersion is previous to create call --- security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java | 1 - 1 file changed, 1 deletion(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index a50a1f6..a3fcbb5 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -3032,7 +3032,6 @@ public class ServiceDBStore extends AbstractServiceStore { break; } } - policyDeltasForPolicy.add(policyDeltas.get(index)); index++; break; case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE:
[ranger] branch master updated: RANGER-3419:compressDeltas method returns two ranger policy entries for policy create+update case when provided lastKnownVersion is previous to create call
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new e276af0 RANGER-3419:compressDeltas method returns two ranger policy entries for policy create+update case when provided lastKnownVersion is previous to create call e276af0 is described below commit e276af0162d4fe7953dd24e9506d572e38b46471 Author: Abhay Kulkarni AuthorDate: Fri Sep 17 14:53:07 2021 -0700 RANGER-3419:compressDeltas method returns two ranger policy entries for policy create+update case when provided lastKnownVersion is previous to create call --- security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java | 1 - 1 file changed, 1 deletion(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index a50a1f6..a3fcbb5 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -3032,7 +3032,6 @@ public class ServiceDBStore extends AbstractServiceStore { break; } } - policyDeltasForPolicy.add(policyDeltas.get(index)); index++; break; case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE:
[ranger] branch ranger-2.2 updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 3
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new b1dcfb4 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 3 b1dcfb4 is described below commit b1dcfb42f942273de17bba58ab4c94cd3990b4f2 Author: Abhay Kulkarni AuthorDate: Sun Sep 12 09:52:52 2021 -0700 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 3 --- .../plugin/policyengine/RangerResourceACLs.java| 6 ++-- .../ranger/plugin/service/RangerBasePlugin.java| 36 +++--- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java index eb12543..aa49507 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java @@ -176,7 +176,7 @@ public class RangerResourceACLs { sb.append("permissions={"); for (Map.Entry permission : entry.getValue().entrySet()) { sb.append("{Permission=").append(permission.getKey()).append(", value=").append(permission.getValue()).append("},"); - sb.append("{RangerPolicyID=").append(permission.getValue().getPolicy().getId()).append("},"); + sb.append("{RangerPolicyID=").append(permission.getValue().getPolicy() == null ? null : permission.getValue().getPolicy().getId()).append("},"); } sb.append("},"); } 
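Review bot: The null guard `permission.getValue().getPolicy() == null ? null : permission.getValue().getPolicy().getId()` is written out in this hunk and again in the @@ -188 and @@ -200 hunks on the next line, each evaluating getPolicy() twice; a small private static helper, e.g. `RangerPolicy p = result.getPolicy(); return p == null ? null : p.getId();` taking the map's value type as its parameter, keeps the three toString loops identical. The helper is also the natural place for a comment on when an access result has no policy, presumably the merged chained-plugin ACLs this commit series introduces, which is not shown here. The same change is in the master-branch commit below.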
@@ -188,7 +188,7 @@ public class RangerResourceACLs { sb.append("permissions={"); for (Map.Entry permission : entry.getValue().entrySet()) { sb.append("{Permission=").append(permission.getKey()).append(", value=").append(permission.getValue()).append("}, "); - sb.append("{RangerPolicy ID=").append(permission.getValue().getPolicy().getId()).append("},"); + sb.append("{RangerPolicy ID=").append(permission.getValue().getPolicy() == null ? null : permission.getValue().getPolicy().getId()).append("},"); } sb.append("},"); } @@ -200,7 +200,7 @@ public class RangerResourceACLs { sb.append("permissions={"); for (Map.Entry permission : entry.getValue().entrySet()) { sb.append("{Permission=").append(permission.getKey()).append(", value=").append(permission.getValue()).append("}, "); - sb.append("{RangerPolicy ID=").append(permission.getValue().getPolicy().getId()).append("},"); + sb.append("{RangerPolicy ID=").append(permission.getValue().getPolicy() == null ? null : permission.getValue().getPolicy().getId()).append("},"); } sb.append("},"); } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 99c48d0..57a4b4b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -994,6 +994,23 @@ public class RangerBasePlugin { return ret; } + public static RangerResourceACLs getMergedResourceACLs(RangerResourceACLs baseACLs, RangerResourceACLs chainedACLs) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerBasePlugin.getMergedResourceACLs()"); + LOG.debug("baseACLs:[" + baseACLs + "]"); + LOG.debug("chainedACLS:[" + chainedACLs + "]"); + } + + overrideACLs(chainedACLs, baseACLs, RangerRolesUtil.ROLES_FOR.USER); + overrideACLs(chainedACLs, baseACLs, RangerRolesUtil.ROLES_FOR.GROUP); + overrideACLs(chainedACLs, baseAC
[ranger] branch master updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 3
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new e5cd204 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 3 e5cd204 is described below commit e5cd204efe69fa62b63cc70bf0960ea71ccc6453 Author: Abhay Kulkarni AuthorDate: Sun Sep 12 09:52:52 2021 -0700 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 3 --- .../plugin/policyengine/RangerResourceACLs.java| 6 ++-- .../ranger/plugin/service/RangerBasePlugin.java| 36 +++--- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java index eb12543..aa49507 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java @@ -176,7 +176,7 @@ public class RangerResourceACLs { sb.append("permissions={"); for (Map.Entry permission : entry.getValue().entrySet()) { sb.append("{Permission=").append(permission.getKey()).append(", value=").append(permission.getValue()).append("},"); - sb.append("{RangerPolicyID=").append(permission.getValue().getPolicy().getId()).append("},"); + sb.append("{RangerPolicyID=").append(permission.getValue().getPolicy() == null ? null : permission.getValue().getPolicy().getId()).append("},"); } sb.append("},"); } 
@@ -188,7 +188,7 @@ public class RangerResourceACLs {
 sb.append("permissions={"); for (Map.Entry permission : entry.getValue().entrySet()) { sb.append("{Permission=").append(permission.getKey()).append(", value=").append(permission.getValue()).append("}, ");
- sb.append("{RangerPolicy ID=").append(permission.getValue().getPolicy().getId()).append("},");
+ sb.append("{RangerPolicy ID=").append(permission.getValue().getPolicy() == null ? null : permission.getValue().getPolicy().getId()).append("},");
 } sb.append("},"); }
@@ -200,7 +200,7 @@ public class RangerResourceACLs {
 sb.append("permissions={"); for (Map.Entry permission : entry.getValue().entrySet()) { sb.append("{Permission=").append(permission.getKey()).append(", value=").append(permission.getValue()).append("}, ");
- sb.append("{RangerPolicy ID=").append(permission.getValue().getPolicy().getId()).append("},");
+ sb.append("{RangerPolicy ID=").append(permission.getValue().getPolicy() == null ? null : permission.getValue().getPolicy().getId()).append("},");
 } sb.append("},"); }
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 99c48d0..57a4b4b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -994,6 +994,23 @@ public class RangerBasePlugin {
 return ret; }
+ public static RangerResourceACLs getMergedResourceACLs(RangerResourceACLs baseACLs, RangerResourceACLs chainedACLs) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerBasePlugin.getMergedResourceACLs()");
+ LOG.debug("baseACLs:[" + baseACLs + "]");
+ LOG.debug("chainedACLS:[" + chainedACLs + "]");
+ }
+
+ overrideACLs(chainedACLs, baseACLs, RangerRolesUtil.ROLES_FOR.USER);
+ overrideACLs(chainedACLs, baseACLs, RangerRolesUtil.ROLES_FOR.GROUP);
+ overrideACLs(chainedACLs, baseAC
[ranger] branch ranger-2.2 updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new 7fb90c3 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2 7fb90c3 is described below commit 7fb90c3941dbb5c381d9be967888b681c6b04fcb Author: Abhay Kulkarni AuthorDate: Wed Sep 8 09:35:48 2021 -0700 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2 --- .../main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java| 2 ++ 1 file changed, 2 insertions(+)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 3ad74e5..99c48d0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -147,6 +147,8 @@ public class RangerBasePlugin {
 public RangerAuthContext getCurrentRangerAuthContext() { return currentAuthContext; }
+ public List getChainedPlugins() { return chainedPlugins; }
+
 // For backward compatibility
 public RangerAuthContext createRangerAuthContext() { return currentAuthContext; }
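Review bot: `getChainedPlugins()` hands out the plugin's internal `chainedPlugins` list by reference, so any caller can add or remove chained plugins — which this series feeds into ACL computation — without going through the plugin. Return a read-only view instead, `return Collections.unmodifiableList(chainedPlugins);`, or at least document that the returned list must not be modified; if the field can be null that needs handling first, which is not visible here. The accessor also has no Javadoc saying what a chained plugin is or when the list is populated. The same hunk appears in the master-branch push of this commit immediately below.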
[ranger] branch master updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 3b0a9c8 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2 3b0a9c8 is described below commit 3b0a9c8f5273ce7c6d12170b86e7a83a9fdba225 Author: Abhay Kulkarni AuthorDate: Wed Sep 8 09:35:48 2021 -0700 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2 --- .../main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java| 2 ++ 1 file changed, 2 insertions(+)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 3ad74e5..99c48d0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -147,6 +147,8 @@ public class RangerBasePlugin {
 public RangerAuthContext getCurrentRangerAuthContext() { return currentAuthContext; }
+ public List getChainedPlugins() { return chainedPlugins; }
+
 // For backward compatibility
 public RangerAuthContext createRangerAuthContext() { return currentAuthContext; }
[ranger] branch ranger-2.2 updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new 218c06f RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation 218c06f is described below commit 218c06ff54f389a2ee57d80e156ecbf7364a51ec Author: Abhay Kulkarni AuthorDate: Fri Sep 3 16:50:29 2021 -0700 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation --- .../plugin/policyengine/RangerPolicyEngine.java| 2 + .../policyengine/RangerPolicyEngineImpl.java | 23 ++-- .../policyengine/RangerPolicyEngineOptions.java| 11 +- .../RangerDefaultPolicyEvaluator.java | 131 --- .../policyevaluator/RangerPolicyEvaluator.java | 8 +- .../ranger/plugin/service/RangerBasePlugin.java| 127 +- .../ranger/plugin/service/RangerChainedPlugin.java | 7 + .../apache/ranger/plugin/util/RangerRolesUtil.java | 64 ++ .../ranger/plugin/policyengine/TestPolicyACLs.java | 14 +- .../policyengine/test_aclprovider_hdfs.json| 131 +++ .../aclprovider/test_aclprovider_default.json | 142 + 11 files changed, 597 insertions(+), 63 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 7a4bb12..7bf8c7c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -70,6 +70,8 @@ public interface RangerPolicyEngine {
 RangerResourceACLs getResourceACLs(RangerAccessRequest request);
+ RangerResourceACLs getResourceACLs(RangerAccessRequest request, Integer requestedPolicyType);
+
 Set getRolesFromUserAndGroups(String user, Set groups); RangerRoles getRangerRoles();
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 9e0a89e..c92b550 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -243,8 +243,13 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 @Override public RangerResourceACLs getResourceACLs(RangerAccessRequest request) {
+ return getResourceACLs(request, null);
+ }
+
+ @Override
+ public RangerResourceACLs getResourceACLs(RangerAccessRequest request, Integer requestedPolicyType) {
 if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl.getResourceACLs(request=" + request + ")");
+ LOG.debug("==> RangerPolicyEngineImpl.getResourceACLs(request=" + request + ", policyType=" + requestedPolicyType + ")");
 } RangerResourceACLs ret = new RangerResourceACLs();
@@ -269,7 +274,10 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 LOG.debug("zoneName:[" + zoneName + "]"); }
- for (int policyType : RangerPolicy.POLICY_TYPES) {
+ int[] policyTypes = requestedPolicyType == null ? RangerPolicy.POLICY_TYPES : new int[] { requestedPolicyType };
+
+
+ for (int policyType : policyTypes) {
 List allEvaluators = new ArrayList<>(); MaptagMatchTypeMap = new HashMap<>(); Set policyIdForTemporalTags = new HashSet<>();
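Review bot: The new `getResourceACLs(RangerAccessRequest request, Integer requestedPolicyType)` overload on the public RangerPolicyEngine interface has no Javadoc, so the meaning of `requestedPolicyType` — and in particular that `null` means "all policy types", which is only discoverable from RangerPolicyEngineImpl in the next hunk — is undocumented at the contract level. Add a doc comment along the lines of `/** Computes the ACLs for the request's resource. requestedPolicyType restricts evaluation to that one of RangerPolicy.POLICY_TYPES; null evaluates all of them. */`. Adding an abstract method to a public interface also breaks any out-of-tree implementation at compile time; a `default` method would avoid that if the project's Java level allows it, otherwise it deserves a mention in the commit message. The same hunk appears in the master-branch push of this commit further down.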
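Review bot: `requestedPolicyType` is unboxed and used unvalidated at `int[] policyTypes = requestedPolicyType == null ? RangerPolicy.POLICY_TYPES : new int[] { requestedPolicyType };`; a value that is not one of RangerPolicy.POLICY_TYPES presumably runs the loop once with no matching evaluators and returns an empty RangerResourceACLs, which a caller can misread as "no access" rather than "bad argument" (the rest of the method is outside the hunk, so this is inferred). Consider checking the value against RangerPolicy.POLICY_TYPES up front and throwing `IllegalArgumentException` with the offending value in the message, so a wrong policy type fails loudly instead of silently producing empty ACLs. The two consecutive blank lines after the new `policyTypes` declaration are also a formatting nit. The same hunk appears in the master-branch push of this commit further down.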
@@ -331,7 +339,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 RangerPerfTracer.logAlways(perf); if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.getResourceACLs(request=" + request + ") : ret=" + ret);
+ LOG.debug("<== RangerPolicyEngineImpl.getResourceACLs(request=" + request + ", policyType=" + requestedPolicyType + ") : ret=" + ret);
 } return ret;
@@ -773,7 +781,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
[ranger] branch master updated: RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new fe27e0b RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation fe27e0b is described below commit fe27e0b32d388033d305b6e58b9686566ee40eb1 Author: Abhay Kulkarni AuthorDate: Fri Sep 3 16:50:29 2021 -0700 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation --- .../plugin/policyengine/RangerPolicyEngine.java| 2 + .../policyengine/RangerPolicyEngineImpl.java | 23 ++-- .../policyengine/RangerPolicyEngineOptions.java| 11 +- .../RangerDefaultPolicyEvaluator.java | 131 --- .../policyevaluator/RangerPolicyEvaluator.java | 8 +- .../ranger/plugin/service/RangerBasePlugin.java| 127 +- .../ranger/plugin/service/RangerChainedPlugin.java | 7 + .../apache/ranger/plugin/util/RangerRolesUtil.java | 64 ++ .../ranger/plugin/policyengine/TestPolicyACLs.java | 14 +- .../policyengine/test_aclprovider_hdfs.json| 131 +++ .../aclprovider/test_aclprovider_default.json | 142 + 11 files changed, 597 insertions(+), 63 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 7a4bb12..7bf8c7c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -70,6 +70,8 @@ public interface RangerPolicyEngine {
 RangerResourceACLs getResourceACLs(RangerAccessRequest request);
+ RangerResourceACLs getResourceACLs(RangerAccessRequest request, Integer requestedPolicyType);
+
 Set getRolesFromUserAndGroups(String user, Set groups); RangerRoles getRangerRoles();
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 9e0a89e..c92b550 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -243,8 +243,13 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 @Override public RangerResourceACLs getResourceACLs(RangerAccessRequest request) {
+ return getResourceACLs(request, null);
+ }
+
+ @Override
+ public RangerResourceACLs getResourceACLs(RangerAccessRequest request, Integer requestedPolicyType) {
 if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl.getResourceACLs(request=" + request + ")");
+ LOG.debug("==> RangerPolicyEngineImpl.getResourceACLs(request=" + request + ", policyType=" + requestedPolicyType + ")");
 } RangerResourceACLs ret = new RangerResourceACLs();
@@ -269,7 +274,10 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 LOG.debug("zoneName:[" + zoneName + "]"); }
- for (int policyType : RangerPolicy.POLICY_TYPES) {
+ int[] policyTypes = requestedPolicyType == null ? RangerPolicy.POLICY_TYPES : new int[] { requestedPolicyType };
+
+
+ for (int policyType : policyTypes) {
 List allEvaluators = new ArrayList<>(); MaptagMatchTypeMap = new HashMap<>(); Set policyIdForTemporalTags = new HashSet<>();
@@ -331,7 +339,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 RangerPerfTracer.logAlways(perf); if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.getResourceACLs(request=" + request + ") : ret=" + ret);
+ LOG.debug("<== RangerPolicyEngineImpl.getResourceACLs(request=" + request + ", policyType=" + requestedPolicyType + ") : ret=" + ret);
 } return ret;
@@ -773,7 +781,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
[ranger] branch ranger-2.2 updated: RANGER-3371: Update algorithm to build Ranger policy-database object from Ranger policy-view object
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new 9c69c0b RANGER-3371: Update algorithm to build Ranger policy-database object from Ranger policy-view object 9c69c0b is described below commit 9c69c0b25812ef977bb5d351ed312437ca3e53cd Author: Abhay Kulkarni AuthorDate: Tue Aug 17 10:51:26 2021 -0700 RANGER-3371: Update algorithm to build Ranger policy-database object from Ranger policy-view object --- .../ranger/plugin/util/RangerPolicyDeltaUtil.java | 2 +- .../java/org/apache/ranger/biz/ServiceDBStore.java | 61 +++--- .../ranger/common/RangerServicePoliciesCache.java | 6 +-- .../RangerTransactionSynchronizationAdapter.java | 27 +++--- .../org/apache/ranger/db/XXPolicyChangeLogDao.java | 15 +++--- .../ranger/service/RangerPolicyServiceBase.java| 28 +++--- 6 files changed, 94 insertions(+), 45 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
index f040a66..42143d0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
@@ -90,7 +90,7 @@ public class RangerPolicyDeltaUtil {
 while (iter.hasNext()) { RangerPolicy policy = iter.next();
-if (policyId.equals(policy.getId())) {
+if (policyId.equals(policy.getId()) && changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE) {
 deletedPolicies.add(policy); iter.remove(); }
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index c5add3a..b9a926b 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
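Review bot: The strengthened condition `policyId.equals(policy.getId()) && changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE` changes what this loop does for non-delete deltas — a create or update with a matching id is no longer pulled out of the list — but leaves no trace of why, and this is the code that decides which policies disappear from a plugin's view. A one-line comment above the `if`, such as `// only a DELETE delta removes the policy here; CREATE/UPDATE deltas are applied elsewhere — confirm`, would save the next reader a trip through the history. `changeType`, `policyId` and the enclosing method all start outside the hunk. The same hunk appears in the master-branch push of this commit immediately below.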
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -1401,7 +1401,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 } if (LOG.isDebugEnabled()) {
- LOG.debug("== ServiceDBStore.getServiceDefByName(" + name + "): " + ret);
+ LOG.debug("== ServiceDBStore.getServiceDefByName(" + name + "): " );
 } return ret;
@@ -3139,7 +3139,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 boolean isValid;
- resourcePolicyDeltas = daoMgr.getXXPolicyChangeLog().findLaterThan(policyService, lastKnownVersion, service.getId());
+ resourcePolicyDeltas = daoMgr.getXXPolicyChangeLog().findLaterThan(lastKnownVersion, service.getId());
 if (CollectionUtils.isNotEmpty(resourcePolicyDeltas)) { isValid = RangerPolicyDeltaUtil.isValidDeltas(resourcePolicyDeltas, componentServiceType);
@@ -3151,7 +3151,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 if (isValid && tagService != null) { Long id = resourcePolicyDeltas.get(0).getId();
- tagPolicyDeltas = daoMgr.getXXPolicyChangeLog().findGreaterThan(policyService, id, tagService.getId());
+ tagPolicyDeltas = daoMgr.getXXPolicyChangeLog().findGreaterThan(id, tagService.getId());
 if (CollectionUtils.isNotEmpty(tagPolicyDeltas)) {
@@ -3542,46 +3542,53 @@ public class ServiceDBStore extends AbstractServiceStore {
 XXServiceVersionInfo serviceVersionInfoDbObj = serviceVersionInfoDao.findByServiceId(id); XXService service = daoMgr.getXXService().getById(id);
- Long nextPolicyVersion = 1L;
+ Long nextVersion = 1L;
 Date now = new Date(); if (serviceVersionInfoDbObj != null) { if (versionType == VERSION_TYPE.POLICY_VERSION) {
- nextPolicyVersion = getNextVersion(serviceVersionInfoDbObj.getPolicyVersion());
-
- serviceVersionInfoDbObj.setPolicyVersion(nextPolicyVersion);
+ nextVersion = getNextVersion(serviceVersionInfoDbObj.getPolicyVersion());
+ serviceVersionInfoDbObj.setPolicyVersion(nextVersion);
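Review bot: After dropping `ret` from the message, `LOG.debug("== ServiceDBStore.getServiceDefByName(" + name + "): " );` ends in a dangling `): ` with nothing after it and a stray space before the closing parenthesis. If the intent is to stop serialising the whole service definition into the debug log (inferred from the change), write `LOG.debug("<== ServiceDBStore.getServiceDefByName(" + name + ")");`, which also brings the exit marker in line with the `<==` convention the other exit logs on this page use. The enclosing `getServiceDefByName` starts and ends outside the hunk. The same hunk appears in the master-branch push of this commit immediately below.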
[ranger] branch master updated: RANGER-3371: Update algorithm to build Ranger policy-database object from Ranger policy-view object
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 6030613 RANGER-3371: Update algorithm to build Ranger policy-database object from Ranger policy-view object 6030613 is described below commit 6030613254ae628b924b2337a59c6ddb1fba1155 Author: Abhay Kulkarni AuthorDate: Tue Aug 17 10:51:26 2021 -0700 RANGER-3371: Update algorithm to build Ranger policy-database object from Ranger policy-view object --- .../ranger/plugin/util/RangerPolicyDeltaUtil.java | 2 +- .../java/org/apache/ranger/biz/ServiceDBStore.java | 61 +++--- .../ranger/common/RangerServicePoliciesCache.java | 6 +-- .../RangerTransactionSynchronizationAdapter.java | 27 +++--- .../org/apache/ranger/db/XXPolicyChangeLogDao.java | 15 +++--- .../ranger/service/RangerPolicyServiceBase.java| 28 +++--- 6 files changed, 94 insertions(+), 45 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
index f040a66..42143d0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
@@ -90,7 +90,7 @@ public class RangerPolicyDeltaUtil {
 while (iter.hasNext()) { RangerPolicy policy = iter.next();
-if (policyId.equals(policy.getId())) {
+if (policyId.equals(policy.getId()) && changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE) {
 deletedPolicies.add(policy); iter.remove(); }
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index c5add3a..b9a926b 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -1401,7 +1401,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 } if (LOG.isDebugEnabled()) {
- LOG.debug("== ServiceDBStore.getServiceDefByName(" + name + "): " + ret);
+ LOG.debug("== ServiceDBStore.getServiceDefByName(" + name + "): " );
 } return ret;
@@ -3139,7 +3139,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 boolean isValid;
- resourcePolicyDeltas = daoMgr.getXXPolicyChangeLog().findLaterThan(policyService, lastKnownVersion, service.getId());
+ resourcePolicyDeltas = daoMgr.getXXPolicyChangeLog().findLaterThan(lastKnownVersion, service.getId());
 if (CollectionUtils.isNotEmpty(resourcePolicyDeltas)) { isValid = RangerPolicyDeltaUtil.isValidDeltas(resourcePolicyDeltas, componentServiceType);
@@ -3151,7 +3151,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 if (isValid && tagService != null) { Long id = resourcePolicyDeltas.get(0).getId();
- tagPolicyDeltas = daoMgr.getXXPolicyChangeLog().findGreaterThan(policyService, id, tagService.getId());
+ tagPolicyDeltas = daoMgr.getXXPolicyChangeLog().findGreaterThan(id, tagService.getId());
 if (CollectionUtils.isNotEmpty(tagPolicyDeltas)) {
@@ -3542,46 +3542,53 @@ public class ServiceDBStore extends AbstractServiceStore {
 XXServiceVersionInfo serviceVersionInfoDbObj = serviceVersionInfoDao.findByServiceId(id); XXService service = daoMgr.getXXService().getById(id);
- Long nextPolicyVersion = 1L;
+ Long nextVersion = 1L;
 Date now = new Date(); if (serviceVersionInfoDbObj != null) { if (versionType == VERSION_TYPE.POLICY_VERSION) {
- nextPolicyVersion = getNextVersion(serviceVersionInfoDbObj.getPolicyVersion());
-
- serviceVersionInfoDbObj.setPolicyVersion(nextPolicyVersion);
+ nextVersion = getNextVersion(serviceVersionInfoDbObj.getPolicyVersion());
+ serviceVersionInfoDbObj.setPolicyVersion(nextVersion);
 serviceVersionInfoDbObj.setPolicyUpdateTime(now);
-
[ranger] branch ranger-2.2 updated: RANGER-3360: Best Practice: Use updated policy object after pruning the policy object
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new 5a07338 RANGER-3360: Best Practice: Use updated policy object after pruning the policy object 5a07338 is described below commit 5a07338439dc9a1de10a3066ebe17aed7de2239c Author: Abhay Kulkarni AuthorDate: Tue Aug 3 10:44:01 2021 -0700 RANGER-3360: Best Practice: Use updated policy object after pruning the policy object --- .../ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java| 2 +- .../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 5c6083e..52a30a1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -59,7 +59,7 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
 this.leafResourceDef = ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource()); if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")");
+ LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + this.policy + ", " + serviceDef + ")");
 } }
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 831b6d4..b5b859c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -123,6 +123,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 super.init(policy, serviceDef, options);
+ policy = getPolicy();
+
 preprocessPolicy(policy, serviceDef); resourceMatcher = new RangerDefaultPolicyResourceMatcher();
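Review bot: `policy = getPolicy();` reassigns the method parameter, which is easy to misread on a skim and is what Checkstyle's ParameterAssignment check exists to flag; since the point of the change is that `getPolicy()` returns the pruned policy stored by `super.init(...)`, a separate local makes that explicit: `RangerPolicy prunedPolicy = getPolicy();` and `preprocessPolicy(prunedPolicy, serviceDef);`, with any later uses of `policy` in the method (outside the hunk) renamed the same way. A why-comment on the line would also help, e.g. `// super.init() may prune the policy; use the stored copy from here on`. The enclosing `init` starts and ends outside the hunk. The same hunk appears in the master-branch push of this commit immediately below.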
[ranger] branch master updated: RANGER-3360: Best Practice: Use updated policy object after pruning the policy object
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new c9003ff RANGER-3360: Best Practice: Use updated policy object after pruning the policy object c9003ff is described below commit c9003ff68a35bb1fa56d00b3cb2505ac00fbeb2e Author: Abhay Kulkarni AuthorDate: Tue Aug 3 10:44:01 2021 -0700 RANGER-3360: Best Practice: Use updated policy object after pruning the policy object --- .../ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java| 2 +- .../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 5c6083e..52a30a1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -59,7 +59,7 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
 this.leafResourceDef = ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource()); if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")");
+ LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + this.policy + ", " + serviceDef + ")");
 } }
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 831b6d4..b5b859c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -123,6 +123,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 super.init(policy, serviceDef, options);
+ policy = getPolicy();
+
 preprocessPolicy(policy, serviceDef); resourceMatcher = new RangerDefaultPolicyResourceMatcher();
[ranger] branch ranger-2.2 updated: RANGER-3329: Request for _any access-type is denied only when on all access-types are denied
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new 0f60a40 RANGER-3329: Request for _any access-type is denied only when on all access-types are denied 0f60a40 is described below commit 0f60a401ce36737da905f77b8d98fc4851b69aee Author: Abhay Kulkarni AuthorDate: Tue Jul 20 08:55:31 2021 -0700 RANGER-3329: Request for _any access-type is denied only when on all access-types are denied --- .../policyengine/RangerAccessRequestImpl.java | 18 ++ .../policyengine/RangerPolicyEngineImpl.java | 60 --- .../RangerDefaultPolicyEvaluator.java | 69 +++--- .../plugin/util/RangerAccessRequestUtil.java | 9 +++ .../ranger/plugin/policyengine/TestPolicyACLs.java | 4 +- .../test_policyengine_descendant_tags.json | 8 +-- .../policyengine/test_policyengine_hive.json | 2 +- .../policyengine/test_policyengine_tag_hive.json | 14 + ...t_policyengine_tag_hive_for_show_databases.json | 10 ++-- 9 files changed, 114 insertions(+), 80 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index 74a7a26..3d0168a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -78,6 +78,24 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 setClusterName(null); }
+ public RangerAccessRequestImpl(RangerAccessRequest request) {
+ setResource(request.getResource());
+ setAccessType(request.getAccessType());
+ setUser(request.getUser());
+ setUserGroups(request.getUserGroups());
+ setUserRoles(request.getUserRoles());
+ setForwardedAddresses(request.getForwardedAddresses());
+ setAccessTime(request.getAccessTime());
+ setRemoteIPAddress(request.getRemoteIPAddress());
+ setClientType(request.getClientType());
+ setAction(request.getAction());
+ setRequestData(request.getRequestData());
+ setSessionId(request.getSessionId());
+ setContext(request.getContext());
+ setClusterName(request.getClusterName());
+ setResourceMatchingScope(request.getResourceMatchingScope());
+ }
+
 @Override public RangerAccessResource getResource() { return resource;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 3c0e32c..9e0a89e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
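Review bot: The new copy constructor is a shallow copy — `setContext(request.getContext())`, `setUserGroups(...)`, `setUserRoles(...)` and `setForwardedAddresses(...)` hand the source request's own collections to the copy — and the caller in RangerPolicyEngineImpl (next hunk, cut off on this page) immediately mutates the copy's context via `RangerAccessRequestUtil.setIsAnyAccessInContext(requestForOneAccessType.getContext(), Boolean.TRUE)`. Unless the setters copy their argument (not visible here), that writes the is-any-access flag into the original request's context and into every per-access-type copy at once, which could change how the original request is evaluated or audited after the loop. Copy the context explicitly, e.g. `setContext(request.getContext() == null ? null : new HashMap<>(request.getContext()));` (HashMap is already used in this package), and consider the same for the group and role sets. A Javadoc line noting that this constructor copies field by field, and so silently misses any field added to RangerAccessRequest later, would also help. The same hunk appears in the master-branch push of this commit immediately below.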
@@ -661,11 +661,59 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 LOG.debug("==> RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ")"); }
- final Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date();
- final RangerAccessResult ret = createAccessResult(request, policyType);
+ RangerAccessResult ret = createAccessResult(request, policyType);
+
+ if (request.isAccessTypeAny()) {
+ RangerAccessResult denyResult = null;
+ RangerAccessResult allowResult = null;
+
+ List allAccessDefs = getServiceDef().getAccessTypes();
+
+ for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : allAccessDefs) {
+ RangerAccessRequestImpl requestForOneAccessType = new RangerAccessRequestImpl(request);
+ RangerAccessRequestUtil.setIsAnyAccessInContext(requestForOneAccessType.getContext(), Boolean.TRUE);
+
+ requestForOneAccessType.setAccessType(accessTypeDef.getName());
+
+ RangerAccessResult resultForOneAccessType = evaluatePoliciesForOneAccessTypeNoAudit(requestForOneAccessType, policyType, zoneName, policyRepository, tagPolicyRepository);
+
+ ret.setAuditResultFrom(resultForOneAccessType);
+
+ if (r
[ranger] branch master updated: RANGER-3329: Request for _any access-type is denied only when on all access-types are denied
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new db2bd7c RANGER-3329: Request for _any access-type is denied only when on all access-types are denied db2bd7c is described below commit db2bd7c4f50be5987cf272c42a2b8a2565175461 Author: Abhay Kulkarni AuthorDate: Tue Jul 20 08:55:31 2021 -0700 RANGER-3329: Request for _any access-type is denied only when on all access-types are denied --- .../policyengine/RangerAccessRequestImpl.java | 18 ++ .../policyengine/RangerPolicyEngineImpl.java | 60 --- .../RangerDefaultPolicyEvaluator.java | 69 +++--- .../plugin/util/RangerAccessRequestUtil.java | 9 +++ .../ranger/plugin/policyengine/TestPolicyACLs.java | 4 +- .../test_policyengine_descendant_tags.json | 8 +-- .../policyengine/test_policyengine_hive.json | 2 +- .../policyengine/test_policyengine_tag_hive.json | 14 + ...t_policyengine_tag_hive_for_show_databases.json | 10 ++-- 9 files changed, 114 insertions(+), 80 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index 74a7a26..3d0168a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -78,6 +78,24 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { setClusterName(null); } + public RangerAccessRequestImpl(RangerAccessRequest request) { + setResource(request.getResource()); + setAccessType(request.getAccessType()); + setUser(request.getUser()); + setUserGroups(request.getUserGroups()); + setUserRoles(request.getUserRoles()); + setForwardedAddresses(request.getForwardedAddresses()); + setAccessTime(request.getAccessTime()); + setRemoteIPAddress(request.getRemoteIPAddress()); + setClientType(request.getClientType()); + setAction(request.getAction()); + setRequestData(request.getRequestData()); + setSessionId(request.getSessionId()); + setContext(request.getContext()); + setClusterName(request.getClusterName()); + setResourceMatchingScope(request.getResourceMatchingScope()); + } + @Override public RangerAccessResource getResource() { return resource; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 3c0e32c..9e0a89e 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
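Review bot: `setContext(request.getContext())` in the new copy constructor hands the source request's context map to the copy by reference, so unless `setContext` makes its own copy (not visible here) the clone and the original share one mutable map. The RangerPolicyEngineImpl hunk in this same commit then calls `RangerAccessRequestUtil.setIsAnyAccessInContext(requestForOneAccessType.getContext(), Boolean.TRUE)` on each per-access-type clone, which would write that flag into the caller's original request as well and leave it set after the `_any` evaluation returns. A defensive copy keeps the clones isolated: `setContext(request.getContext() == null ? null : new HashMap<>(request.getContext()));` (java.util.HashMap needs to be imported if it is not already). The same by-reference sharing applies to `getUserGroups()`, `getUserRoles()` and `getForwardedAddresses()`, which is only safe as long as nothing mutates them through a clone.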
@@ -661,11 +661,59 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("==> RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ")"); } - final Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date(); - final RangerAccessResult ret = createAccessResult(request, policyType); + RangerAccessResult ret = createAccessResult(request, policyType); + + if (request.isAccessTypeAny()) { + RangerAccessResult denyResult = null; + RangerAccessResult allowResult = null; + + List allAccessDefs = getServiceDef().getAccessTypes(); + + for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : allAccessDefs) { + RangerAccessRequestImpl requestForOneAccessType = new RangerAccessRequestImpl(request); + RangerAccessRequestUtil.setIsAnyAccessInContext(requestForOneAccessType.getContext(), Boolean.TRUE); + + requestForOneAccessType.setAccessType(accessTypeDef.getName()); + + RangerAccessResult resultForOneAccessType = evaluatePoliciesForOneAccessTypeNoAudit(requestForOneAccessType, policyType, zoneName, policyRepository, tagPolicyRepository); + + ret.setAuditResultFrom(resultForOneAccessType); + + if (r
[ranger] branch ranger-2.2 updated: RANGER-3343: Ranger policy cache is incorrect in some scenario
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.2 by this push: new 8cf1668 RANGER-3343: Ranger policy cache is incorrect in some scenario 8cf1668 is described below commit 8cf1668c165c9a981d47597a4cfc693169debf18 Author: Abhay Kulkarni AuthorDate: Tue Jul 20 07:14:53 2021 -0700 RANGER-3343: Ranger policy cache is incorrect in some scenario --- .../RangerAbstractPolicyEvaluator.java | 62 -- .../RangerDefaultPolicyEvaluator.java | 12 - 2 files changed, 59 insertions(+), 15 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java index 99ae598..5c6083e 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java @@ -19,8 +19,6 @@ package org.apache.ranger.plugin.policyevaluator; - - import org.apache.commons.collections.CollectionUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -32,7 +30,9 @@ import org.apache.ranger.plugin.policyengine.RangerPluginContext; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.util.ServiceDefUtil; +import java.util.List; import java.util.Map; +import java.util.stream.Collectors; public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator { private static final Log LOG = LogFactory.getLog(RangerAbstractPolicyEvaluator.class); 
@@ -54,7 +54,7 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")"); } - this.policy = policy; + this.policy = getPrunedPolicy(policy); this.serviceDef = serviceDef; this.leafResourceDef = ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource()); 
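Review bot: `this.policy = getPrunedPolicy(policy);` passes `policy` through unchecked, while the pruning helper added in the next hunk dereferences it (`policy.getPolicyItems().stream()...`) as soon as `evaluateDelegateAdminOnly` is set, so a null policy that was previously just stored would now throw an NPE inside `init()`; the class does guard `policy != null` elsewhere in this diff, which suggests null can reach here. Either guard the call, `this.policy = (policy == null) ? null : getPrunedPolicy(policy);`, or have the helper return its argument unchanged when it is null. Note also that after pruning the evaluator holds a reduced copy of the policy, so anything that reads the evaluator's policy for auditing or display will see only delegate-admin items; a comment on the field stating that this is intended would help the next reader. `init()` begins before this hunk.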
@@ -105,6 +105,62 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu return policy != null && (policy.getIsDenyAllElse() || CollectionUtils.isNotEmpty(policy.getDenyPolicyItems())); } + private RangerPolicy getPrunedPolicy(final RangerPolicy policy) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAbstractPolicyEvaluator.getPrunedPolicy(" + policy + ")"); + } + + final RangerPolicyret; + + final boolean isPruningNeeded; + final List prunedAllowItems; + final List prunedDenyItems; + final List prunedAllowExceptions; + final List prunedDenyExceptions; + + final RangerPluginContext pluginContext = getPluginContext(); + + if (pluginContext != null && pluginContext.getConfig().getPolicyEngineOptions().evaluateDelegateAdminOnly) { + prunedAllowItems = policy.getPolicyItems().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()); + prunedDenyItems = policy.getDenyPolicyItems().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()); + prunedAllowExceptions = policy.getAllowExceptions().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()); + prunedDenyExceptions = policy.getDenyExceptions().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()); + + isPruningNeeded = prunedAllowItems.size() != policy.getPolicyItems().size() + || prunedDenyItems.size() != policy.getDenyPolicyItems().size() + || prunedAllowExceptions.size() != policy.getAllowExceptions().size() + || prunedDenyExceptions.size() != policy.getDenyExceptions().size(); + } else { + prunedAllowItems = null; + prunedDenyItems = null; + prunedAllowExceptions = null; + prunedDenyExceptions = null; + isPruningNeeded = false; + } + + if (!isPruni
[ranger] branch master updated: RANGER-3343: Ranger policy cache is incorrect in some scenario
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 5b075e6 RANGER-3343: Ranger policy cache is incorrect in some scenario 5b075e6 is described below commit 5b075e6ca77f387b9e094b8f45947f90902e20d5 Author: Abhay Kulkarni AuthorDate: Tue Jul 20 07:14:53 2021 -0700 RANGER-3343: Ranger policy cache is incorrect in some scenario --- .../RangerAbstractPolicyEvaluator.java | 62 -- .../RangerDefaultPolicyEvaluator.java | 12 - 2 files changed, 59 insertions(+), 15 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java index 99ae598..5c6083e 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java @@ -19,8 +19,6 @@ package org.apache.ranger.plugin.policyevaluator; - - import org.apache.commons.collections.CollectionUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -32,7 +30,9 @@ import org.apache.ranger.plugin.policyengine.RangerPluginContext; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.util.ServiceDefUtil; +import java.util.List; import java.util.Map; +import java.util.stream.Collectors; public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator { private static final Log LOG = LogFactory.getLog(RangerAbstractPolicyEvaluator.class); 
@@ -54,7 +54,7 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")"); } - this.policy = policy; + this.policy = getPrunedPolicy(policy); this.serviceDef = serviceDef; this.leafResourceDef = ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource()); 
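Review bot: The new `getPrunedPolicy(policy)` call in `init()` has no null guard, yet the helper introduced in the following hunk calls `policy.getPolicyItems().stream()` and friends whenever `evaluateDelegateAdminOnly` is on, so a null policy now fails with an NPE where it used to be stored silently; since a `policy != null` check exists elsewhere in this class, null appears to be a reachable input. A one-line guard avoids the regression: `this.policy = (policy == null) ? null : getPrunedPolicy(policy);`. It is also worth documenting on the `policy` field that, with delegate-admin-only evaluation enabled, it holds a pruned copy rather than the policy as stored in the cache, because any consumer that reads it back for audit or display will see fewer items than the original. `init()` starts outside this hunk.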
@@ -105,6 +105,62 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu return policy != null && (policy.getIsDenyAllElse() || CollectionUtils.isNotEmpty(policy.getDenyPolicyItems())); } + private RangerPolicy getPrunedPolicy(final RangerPolicy policy) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAbstractPolicyEvaluator.getPrunedPolicy(" + policy + ")"); + } + + final RangerPolicyret; + + final boolean isPruningNeeded; + final List prunedAllowItems; + final List prunedDenyItems; + final List prunedAllowExceptions; + final List prunedDenyExceptions; + + final RangerPluginContext pluginContext = getPluginContext(); + + if (pluginContext != null && pluginContext.getConfig().getPolicyEngineOptions().evaluateDelegateAdminOnly) { + prunedAllowItems = policy.getPolicyItems().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()); + prunedDenyItems = policy.getDenyPolicyItems().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()); + prunedAllowExceptions = policy.getAllowExceptions().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()); + prunedDenyExceptions = policy.getDenyExceptions().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()); + + isPruningNeeded = prunedAllowItems.size() != policy.getPolicyItems().size() + || prunedDenyItems.size() != policy.getDenyPolicyItems().size() + || prunedAllowExceptions.size() != policy.getAllowExceptions().size() + || prunedDenyExceptions.size() != policy.getDenyExceptions().size(); + } else { + prunedAllowItems = null; + prunedDenyItems = null; + prunedAllowExceptions = null; + prunedDenyExceptions = null; + isPruningNeeded = false; + } + + if (!isPruni