[ranger] branch master updated: RANGER-3999: Implement more efficient way to handle _any access authorization - Part 3

2023-02-16 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 4b941b2f0 RANGER-3999: Implement more efficient way to handle _any 
access authorization - Part 3
4b941b2f0 is described below

commit 4b941b2f0d7a8390155c61fa0960c42aa8a37b69
Author: Abhay Kulkarni 
AuthorDate: Thu Feb 16 10:20:13 2023 -0800

RANGER-3999: Implement more efficient way to handle _any access 
authorization - Part 3
---
 .../RangerDefaultPolicyEvaluator.java  |  2 +-
 .../plugin/util/RangerAccessRequestUtil.java   |  2 +-
 .../plugin/policyengine/TestPolicyEngine.java  |  8 ++
 .../policyengine/test_policyengine_hive.json   | 32 ++
 4 files changed, 42 insertions(+), 2 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 9a0df550c..2f9c1b019 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -242,7 +242,7 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
 
final boolean isMatched;
 
-   if (request.isAccessTypeAny() || 
RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
+   if (request.isAccessTypeAny()) {
isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
} else if 
(request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
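Review bot: The narrowed condition `if (request.isAccessTypeAny()) {` has no comment explaining why the any-access flag in the request context is no longer consulted for the resource match, and this branch is an authorization decision. The Part 2 commit shown further down this page has the OR-aggregation test as `request.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())`, so unless that site changed outside what is shown, the two sites now use different notions of "any". I would add a comment above the condition such as `// Only a request whose own access type is _any matches on every non-NONE MatchType; the context any-access flag is deliberately not consulted here`. A test should also pin the result for a request that carries the context flag together with a specific access type. The enclosing method starts and ends outside the hunk.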
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index a51f2322a..b505f495b 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -222,7 +222,7 @@ public class RangerAccessRequestUtil {
 
 public static void setAllRequestedAccessTypes(Map 
context, Set accessTypes, Boolean isAny) {
 context.put(KEY_CONTEXT_ACCESSTYPES, accessTypes);
-context.put(KEY_CONTEXT_IS_ANY_ACCESS, isAny);
+   setIsAnyAccessInContext(context, isAny);
 }
 
public static Set 
getAllRequestedAccessTypes(RangerAccessRequest request) {
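Review bot: `isAny` is a boxed `Boolean`, so a null passed to `setAllRequestedAccessTypes` now goes straight into `setIsAnyAccessInContext`, whose body is not part of this hunk. Other hunks on this page show that flag selecting the OR logic during policy evaluation, so the stored value should never be null or ambiguous. Normalizing at the call, `setIsAnyAccessInContext(context, Boolean.TRUE.equals(isAny));`, prevents a null from being stored if the setter does not already guard against it. A short Javadoc saying that `isAny` switches evaluation across the requested access types to OR semantics would also help callers of this public helper.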
diff --git 
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index eb3d0ff46..89e678bf9 100644
--- 
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -69,6 +69,7 @@ import java.io.OutputStreamWriter;
 import java.lang.reflect.Type;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
@@ -923,6 +924,13 @@ public class TestPolicyEngine {
if (ret.getAccessTime() == null) {
ret.setAccessTime(new Date());
}
+   Map reqContext = ret.getContext();
+   Object accessTypes = reqContext.get("ACCESSTYPES");
+   if (accessTypes != null) {
+   Collection accessTypesCollection = 
(Collection) accessTypes;
+   Set requestedAccesses = new 
HashSet<>(accessTypesCollection);
+   ret.getContext().put("ACCESSTYPES", 
requestedAccesses);
+   }
 
return ret;
}
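Review bot: The added block hard-codes the context key as the literal `"ACCESSTYPES"`, while the production hunks on this page refer to it as `RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES`. If that constant is ever renamed, this test would silently stop normalizing the value. Assuming the constant holds the same string, I would read it with `Object accessTypes = reqContext.get(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES);`. The raw `(Collection)` cast could become `if (accessTypes instanceof Collection) {`, so a malformed test JSON fails with a clear assertion rather than a `ClassCastException`. The block also fetches `reqContext` and then calls `ret.getContext()` again for the `put`, and it dereferences `reqContext` without a null check; whether the context can be null here is not visible. The enclosing method starts outside the hunk.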
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json 
b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
index 0544feb14..8e34aa174 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
@@ -123,10 +123,42 @@
   "policyItems":[
 

[ranger] branch master updated: RANGER-3999: Implement more efficient way to handle _any access authorization - Part 2

2023-02-13 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 7a7215f67 RANGER-3999: Implement more efficient way to handle _any 
access authorization - Part 2
7a7215f67 is described below

commit 7a7215f67e7db807ee0401f2b41d7bb871a248f5
Author: Abhay Kulkarni 
AuthorDate: Mon Feb 13 14:23:02 2023 -0800

RANGER-3999: Implement more efficient way to handle _any access 
authorization - Part 2
---
 .../ranger/plugin/policyengine/RangerPolicyEngineImpl.java   | 3 +--
 .../plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 9 -
 .../org/apache/ranger/plugin/util/RangerAccessRequestUtil.java   | 5 +
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 4f65d3da2..e75bb722c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -703,8 +703,7 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
String requestedAccess = 
accessTypeDef.getName();
allRequestedAccesses.add(requestedAccess);
}
-   
RangerAccessRequestUtil.setIsAnyAccessInContext(request.getContext(), 
Boolean.TRUE);
-   
request.getContext().put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, 
allRequestedAccesses);
+   
RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), 
allRequestedAccesses, Boolean.TRUE);
}
 
ret = evaluatePoliciesForOneAccessTypeNoAudit(request, 
policyType, zoneName, policyRepository, tagPolicyRepository);
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 55752e79c..9a0df550c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -833,6 +833,9 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
 
for (String accessType : allRequestedAccesses) {
 
+   if (LOG.isDebugEnabled()) {
+   LOG.debug("Checking for 
accessType:[" + accessType + "]");
+   }
RangerAccessRequestWrapper  oneRequest 
= new RangerAccessRequestWrapper(request, accessType);
RangerAccessResult  oneResult  
= new RangerAccessResult(result.getPolicyType(), result.getServiceName(), 
result.getServiceDef(), oneRequest);
 
@@ -846,7 +849,7 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
updateAccessResult(oneResult, 
matchType, false, "matched deny-all-else policy");
}
 
-   if (request.isAccessTypeAny()) {
+   if (request.isAccessTypeAny() || 
RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
// Implement OR logic
if (oneResult.getIsAllowed()) {
allowResult = oneResult;
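Review bot: With the new condition `request.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())`, the choice between OR and AND aggregation depends on an entry in the mutable request context map. Nothing in the visible hunks shows that entry being cleared or set to false for requests that are not any-access. If a context is reused across evaluations, or the key is populated by something other than the engine, a request for several specific access types would be granted when only one of them is allowed. It is worth confirming that the engine always writes the flag before evaluation, and adding a test for a multi-access request whose context carries a stale flag. The expression is also loop-invariant, so it could be computed once before the `for` loop, e.g. `final boolean isAnyAccess = request.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext());`, with a comment naming the two sources of the flag. The loop and the enclosing method start and end outside this hunk.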
@@ -879,6 +882,10 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
}
}
 
+   if (LOG.isDebugEnabled()) {
+   LOG.debug("allowResult:[" + allowResult 
+ "], denyResult:[" + denyResult + "], noResult:[" + noResult + "]");
+   }
+
if (allowResult != null) {
result.setAccessResultFrom(allowResult);
} else if (denyResult != null) {
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index 0ebb9cba5..a51f2322a 100644
--- 

[ranger] branch master updated: RANGER-3999: Implement more efficient way to handle _any access authorization

2022-12-06 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 56d5bf917 RANGER-3999: Implement more efficient way to handle _any 
access authorization
56d5bf917 is described below

commit 56d5bf9173dc2c6d04692a07e67eace5e5d98ed4
Author: Abhay Kulkarni 
AuthorDate: Tue Dec 6 14:25:10 2022 -0800

RANGER-3999: Implement more efficient way to handle _any access 
authorization
---
 .../policyengine/RangerAccessRequestWrapper.java   | 105 +
 .../policyengine/RangerPolicyEngineImpl.java   |  37 ++--
 .../RangerDefaultPolicyEvaluator.java  |  95 +--
 .../RangerOptimizedPolicyEvaluator.java|   6 ++
 .../plugin/util/RangerAccessRequestUtil.java   |  13 ++-
 5 files changed, 218 insertions(+), 38 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
new file mode 100644
index 0..6aec330d7
--- /dev/null
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import org.apache.commons.lang.StringUtils;
+
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+public class RangerAccessRequestWrapper implements RangerAccessRequest {
+
+private final RangerAccessRequest request;
+private final String  accessType;
+private final boolean isAccessTypeAny;
+private final boolean isAccessTypeDelegatedAdmin;
+
+
+public RangerAccessRequestWrapper(RangerAccessRequest request, String 
accessType) {
+this.request= request;
+this.accessType = accessType;
+this.isAccessTypeAny= StringUtils.equals(accessType, 
RangerPolicyEngine.ANY_ACCESS);
+this.isAccessTypeDelegatedAdmin = StringUtils.equals(accessType, 
RangerPolicyEngine.ADMIN_ACCESS);
+}
+
+@Override
+public RangerAccessResource getResource() { return request.getResource(); }
+
+@Override
+public String getAccessType() { return accessType; }
+
+@Override
+public boolean isAccessTypeAny() { return isAccessTypeAny; }
+
+@Override
+public boolean isAccessTypeDelegatedAdmin() { return 
isAccessTypeDelegatedAdmin; }
+
+@Override
+public String getUser() { return request.getUser(); }
+
+@Override
+public Set getUserGroups() { return request.getUserGroups(); }
+
+@Override
+public Set getUserRoles() {return request.getUserRoles(); }
+
+@Override
+public Date getAccessTime() { return request.getAccessTime(); }
+
+@Override
+public String getClientIPAddress() { return request.getClientIPAddress(); }
+
+@Override
+public String getRemoteIPAddress() { return request.getRemoteIPAddress(); }
+
+@Override
+public List getForwardedAddresses() { return 
request.getForwardedAddresses(); }
+
+@Override
+public String getClientType() { return request.getClientType(); }
+
+@Override
+public String getAction() { return request.getAction(); }
+
+@Override
+public String getRequestData() { return request.getRequestData(); }
+
+@Override
+public String getSessionId() { return request.getSessionId(); }
+
+@Override
+public String getClusterName() { return request.getClusterName(); }
+
+@Override
+public String getClusterType() { return request.getClusterType(); }
+
+@Override
+public Map getContext() { return request.getContext(); }
+
+@Override
+public RangerAccessRequest getReadOnlyCopy() { return 
request.getReadOnlyCopy(); }
+
+@Override
+public ResourceMatchingScope getResourceMatchingScope() { return 
request.getResourceMatchingScope(); }
+
+}
+
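Review bot: `getReadOnlyCopy()` returns `request.getReadOnlyCopy()`, so the copy loses the wrapper's `accessType` override and reports the wrapped request's access type and `isAccessTypeAny()` value. Any consumer that takes a read-only copy of a wrapper (audit or result handling, if they do so) would therefore see a different access type than the one that was evaluated. Re-wrapping preserves it: `return new RangerAccessRequestWrapper(request.getReadOnlyCopy(), accessType);`. `getContext()` also hands back the wrapped request's own map, so writes through the wrapper are visible on the original request; that sharing is worth stating in a class-level Javadoc, which the new file lacks. The constructor accepts a null `request` without complaint; `Objects.requireNonNull(request, "request")` would fail earlier than the first delegated getter.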
diff --git