[ranger] branch master updated: RANGER-3999: Implement more efficient way to handle _any access authorization - Part 3
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 4b941b2f0 RANGER-3999: Implement more efficient way to handle _any access authorization - Part 3 4b941b2f0 is described below commit 4b941b2f0d7a8390155c61fa0960c42aa8a37b69 Author: Abhay Kulkarni AuthorDate: Thu Feb 16 10:20:13 2023 -0800 RANGER-3999: Implement more efficient way to handle _any access authorization - Part 3 --- .../RangerDefaultPolicyEvaluator.java | 2 +- .../plugin/util/RangerAccessRequestUtil.java | 2 +- .../plugin/policyengine/TestPolicyEngine.java | 8 ++ .../policyengine/test_policyengine_hive.json | 32 ++ 4 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 9a0df550c..2f9c1b019 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -242,7 +242,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 final boolean isMatched;
- if (request.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
+ if (request.isAccessTypeAny()) {
 isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
 } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
 isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
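Review bot: The relaxed match in the first branch (`isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE`) now depends only on `request.isAccessTypeAny()`, and nothing at this site records why the any-access flag in the request context is deliberately ignored here. Because this condition decides whether a policy's resource counts as matched for an authorization decision, a later edit could reintroduce the context check without noticing that it may widen matching again. I would add a comment above the `if`, for example `// Only a literal _any request relaxes resource matching; the any-access flag in the request context is intentionally not consulted here.`, and confirm that the new cases in test_policyengine_hive.json fail against the old condition. The enclosing method starts and ends outside the hunk.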
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index a51f2322a..b505f495b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -222,7 +222,7 @@ public class RangerAccessRequestUtil {
 public static void setAllRequestedAccessTypes(Map context, Set accessTypes, Boolean isAny) {
 context.put(KEY_CONTEXT_ACCESSTYPES, accessTypes);
-context.put(KEY_CONTEXT_IS_ANY_ACCESS, isAny);
+ setIsAnyAccessInContext(context, isAny);
 }
 public static Set getAllRequestedAccessTypes(RangerAccessRequest request) {
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index eb3d0ff46..89e678bf9 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -69,6 +69,7 @@ import java.io.OutputStreamWriter;
 import java.lang.reflect.Type;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
@@ -923,6 +924,13 @@ public class TestPolicyEngine {
 if (ret.getAccessTime() == null) {
 ret.setAccessTime(new Date());
 }
+ Map reqContext = ret.getContext();
+ Object accessTypes = reqContext.get("ACCESSTYPES");
+ if (accessTypes != null) {
+ Collection accessTypesCollection = (Collection) accessTypes;
+ Set requestedAccesses = new HashSet<>(accessTypesCollection);
+ ret.getContext().put("ACCESSTYPES", requestedAccesses);
+ }
 return ret;
 }
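Review bot: In the TestPolicyEngine.java hunk at `@@ -923,6 +924,13 @@` the context key is written twice as the literal `"ACCESSTYPES"`, while production code on this page refers to it as `RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES`. Assuming the literal is meant to match that constant, a change to the constant's value would make this normalisation silently stop running, and the tests would then feed the evaluator whatever collection type the JSON deserialiser produced instead of a `Set`. Using the constant and the local that was already fetched keeps the two in step: `reqContext.put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, requestedAccesses);`. `reqContext` is also dereferenced without a null check, so a request deserialised without a context would fail here rather than in the code under test. The enclosing method starts outside the hunk.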
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
index 0544feb14..8e34aa174 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
@@ -123,10 +123,42 @@ "policyItems":[
[ranger] branch master updated: RANGER-3999: Implement more efficient way to handle _any access authorization - Part 2
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 7a7215f67 RANGER-3999: Implement more efficient way to handle _any access authorization - Part 2 7a7215f67 is described below commit 7a7215f67e7db807ee0401f2b41d7bb871a248f5 Author: Abhay Kulkarni AuthorDate: Mon Feb 13 14:23:02 2023 -0800 RANGER-3999: Implement more efficient way to handle _any access authorization - Part 2 --- .../ranger/plugin/policyengine/RangerPolicyEngineImpl.java | 3 +-- .../plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 9 - .../org/apache/ranger/plugin/util/RangerAccessRequestUtil.java | 5 + 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 4f65d3da2..e75bb722c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -703,8 +703,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 String requestedAccess = accessTypeDef.getName();
 allRequestedAccesses.add(requestedAccess);
 }
- RangerAccessRequestUtil.setIsAnyAccessInContext(request.getContext(), Boolean.TRUE);
- request.getContext().put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, allRequestedAccesses);
+ RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), allRequestedAccesses, Boolean.TRUE);
 }
 ret = evaluatePoliciesForOneAccessTypeNoAudit(request, policyType, zoneName, policyRepository, tagPolicyRepository);
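Review bot: The any-access flag is written as `Boolean.TRUE` into `request.getContext()`, which is the caller's own map, and no line in this hunk shows it being reset on the path that skips this branch. If a request or its context map is ever evaluated again with a specific access type, a flag left over from an earlier `_any` evaluation would still be read by the evaluator, which in this same commit uses it to select OR-combination of the per-access-type results. Unless reuse is ruled out elsewhere, set the flag explicitly on the other path, e.g. `RangerAccessRequestUtil.setIsAnyAccessInContext(request.getContext(), Boolean.FALSE);`, or state on `setAllRequestedAccessTypes` that a context must not be reused across evaluations. The enclosing method starts and ends outside the hunk.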
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 55752e79c..9a0df550c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -833,6 +833,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 for (String accessType : allRequestedAccesses) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking for accessType:[" + accessType + "]");
+ }
 RangerAccessRequestWrapper oneRequest = new RangerAccessRequestWrapper(request, accessType);
 RangerAccessResult oneResult = new RangerAccessResult(result.getPolicyType(), result.getServiceName(), result.getServiceDef(), oneRequest);
@@ -846,7 +849,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 updateAccessResult(oneResult, matchType, false, "matched deny-all-else policy");
 }
- if (request.isAccessTypeAny()) {
+ if (request.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
 // Implement OR logic
 if (oneResult.getIsAllowed()) {
 allowResult = oneResult;
@@ -879,6 +882,10 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 }
 }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("allowResult:[" + allowResult + "], denyResult:[" + denyResult + "], noResult:[" + noResult + "]");
+ }
+
 if (allowResult != null) {
 result.setAccessResultFrom(allowResult);
 } else if (denyResult != null) {
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index 0ebb9cba5..a51f2322a 100644
---
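Review bot: At `@@ -846,7 +849,7 @@` the OR-combination branch is now selected by an entry in the request's context map, and the condition uses the return value of `getIsAnyAccessInContext` directly as a boolean. The helper's body is not visible on this page (the RangerAccessRequestUtil.java section is cut off); if it returns a boxed `Boolean`, a context that lacks the key would fail on unboxing in the middle of policy evaluation. `Boolean.TRUE.equals(RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext()))` is safe for either return type. The `// Implement OR logic` comment should also say that the flag is expected to be set only by the policy engine, because the value of that key now decides how allow and deny results are combined. The enclosing method starts and ends outside the hunk.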
[ranger] branch master updated: RANGER-3999: Implement more efficient way to handle _any access authorization
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 56d5bf917 RANGER-3999: Implement more efficient way to handle _any access authorization 56d5bf917 is described below commit 56d5bf9173dc2c6d04692a07e67eace5e5d98ed4 Author: Abhay Kulkarni AuthorDate: Tue Dec 6 14:25:10 2022 -0800 RANGER-3999: Implement more efficient way to handle _any access authorization --- .../policyengine/RangerAccessRequestWrapper.java | 105 + .../policyengine/RangerPolicyEngineImpl.java | 37 ++-- .../RangerDefaultPolicyEvaluator.java | 95 +-- .../RangerOptimizedPolicyEvaluator.java| 6 ++ .../plugin/util/RangerAccessRequestUtil.java | 13 ++- 5 files changed, 218 insertions(+), 38 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
new file mode 100644
index 0..6aec330d7
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import org.apache.commons.lang.StringUtils;
+
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+public class RangerAccessRequestWrapper implements RangerAccessRequest {
+
+private final RangerAccessRequest request;
+private final String accessType;
+private final boolean isAccessTypeAny;
+private final boolean isAccessTypeDelegatedAdmin;
+
+
+public RangerAccessRequestWrapper(RangerAccessRequest request, String accessType) {
+this.request= request;
+this.accessType = accessType;
+this.isAccessTypeAny= StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS);
+this.isAccessTypeDelegatedAdmin = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS);
+}
+
+@Override
+public RangerAccessResource getResource() { return request.getResource(); }
+
+@Override
+public String getAccessType() { return accessType; }
+
+@Override
+public boolean isAccessTypeAny() { return isAccessTypeAny; }
+
+@Override
+public boolean isAccessTypeDelegatedAdmin() { return isAccessTypeDelegatedAdmin; }
+
+@Override
+public String getUser() { return request.getUser(); }
+
+@Override
+public Set getUserGroups() { return request.getUserGroups(); }
+
+@Override
+public Set getUserRoles() {return request.getUserRoles(); }
+
+@Override
+public Date getAccessTime() { return request.getAccessTime(); }
+
+@Override
+public String getClientIPAddress() { return request.getClientIPAddress(); }
+
+@Override
+public String getRemoteIPAddress() { return request.getRemoteIPAddress(); }
+
+@Override
+public List getForwardedAddresses() { return request.getForwardedAddresses(); }
+
+@Override
+public String getClientType() { return request.getClientType(); }
+
+@Override
+public String getAction() { return request.getAction(); }
+
+@Override
+public String getRequestData() { return request.getRequestData(); }
+
+@Override
+public String getSessionId() { return request.getSessionId(); }
+
+@Override
+public String getClusterName() { return request.getClusterName(); }
+
+@Override
+public String getClusterType() { return request.getClusterType(); }
+
+@Override
+public Map getContext() { return request.getContext(); }
+
+@Override
+public RangerAccessRequest getReadOnlyCopy() { return request.getReadOnlyCopy(); }
+
+@Override
+public ResourceMatchingScope getResourceMatchingScope() { return request.getResourceMatchingScope(); }
+
+}
+
diff --git
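Review bot: `getReadOnlyCopy()` returns `request.getReadOnlyCopy()`, a copy of the wrapped request, so the copy reports the original access type and `isAccessTypeAny()` value rather than the `accessType` this wrapper was constructed with. Any caller that stores or audits the read-only copy of a per-access-type request would then record a different access type from the one that was actually evaluated. Re-wrapping keeps the override: `return new RangerAccessRequestWrapper(request.getReadOnlyCopy(), accessType);`. The constructor also accepts a null `request` and only fails at the first getter, so `Objects.requireNonNull(request, "request")` (with `java.util.Objects` imported) would fail earlier, and a class Javadoc should state that `getContext()` hands out the wrapped request's own mutable map.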