This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 27c36c1 RANGER-2547: Good coding practices: minimize use of static/unnecessary class members 27c36c1 is described below commit 27c36c1daedd28ef20872cb786afca177c0a6e23 Author: Abhay Kulkarni <akulka...@cloudera.com> AuthorDate: Mon Sep 9 11:22:01 2019 -0700 RANGER-2547: Good coding practices: minimize use of static/unnecessary class members --- .../RangerAbstractContextEnricher.java | 28 ++- .../plugin/contextenricher/RangerTagEnricher.java | 12 +- .../plugin/policyengine/RangerPluginContext.java | 6 + .../policyengine/RangerPolicyEngineImpl.java | 47 +++-- .../policyengine/RangerPolicyRepository.java | 17 +- .../ranger/plugin/service/RangerAuthContext.java | 217 +++++++++++++-------- .../ranger/plugin/service/RangerBasePlugin.java | 22 ++- .../plugin/policyengine/TestRangerAuthContext.java | 2 + .../hive/authorizer/RangerHiveAuthorizer.java | 5 +- 9 files changed, 211 insertions(+), 145 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java index 0712bfc..737ce04 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java @@ -35,7 +35,6 @@ import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerContextEnricherDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.service.RangerAuthContext; -import org.apache.ranger.plugin.service.RangerBasePlugin; public abstract class RangerAbstractContextEnricher implements RangerContextEnricher { 
@@ -45,6 +44,7 @@ public abstract class RangerAbstractContextEnricher implements RangerContextEnri protected String serviceName; protected String appId; protected RangerServiceDef serviceDef; + protected RangerAuthContext authContext; @Override public void setEnricherDef(RangerContextEnricherDef enricherDef) { @@ -71,13 +71,8 @@ public abstract class RangerAbstractContextEnricher implements RangerContextEnri if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAbstractContextEnricher.init(" + enricherDef + ")"); } - Map<String, RangerBasePlugin> servicePluginMap = RangerBasePlugin.getServicePluginMap(); - RangerBasePlugin plugin = servicePluginMap != null ? servicePluginMap.get(getServiceName()) : null; - if (plugin != null) { - RangerAuthContext currentAuthContext = plugin.getCurrentRangerAuthContext(); - if (currentAuthContext != null) { - currentAuthContext.addOrReplaceRequestContextEnricher(this, null); - } + if (authContext != null) { + authContext.addOrReplaceRequestContextEnricher(this, null); } if(LOG.isDebugEnabled()) { LOG.debug("<== RangerAbstractContextEnricher.init(" + enricherDef + ")"); @@ -94,13 +89,8 @@ public abstract class RangerAbstractContextEnricher implements RangerContextEnri if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAbstractContextEnricher.preCleanup(" + enricherDef + ")"); } - Map<String, RangerBasePlugin> servicePluginMap = RangerBasePlugin.getServicePluginMap(); - RangerBasePlugin plugin = servicePluginMap != null ? servicePluginMap.get(getServiceName()) : null; - if (plugin != null) { - RangerAuthContext currentAuthContext = plugin.getCurrentRangerAuthContext(); - if (currentAuthContext != null) { - currentAuthContext.cleanupRequestContextEnricher(this); - } + if (authContext != null) { + authContext.cleanupRequestContextEnricher(this); } if(LOG.isDebugEnabled()) { LOG.debug("<== RangerAbstractContextEnricher.preCleanup(" + enricherDef + ")"); 
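Review bot: In init(), a null `authContext` now silently skips registering the enricher, and nothing records that it happened; registration depends entirely on `setAuthContext()` having been called beforehand, which only RangerPolicyRepository's enricher factory does as far as these hunks show. A log line in the other branch would make a mis-wired enricher visible: `} else { LOG.warn("RangerAbstractContextEnricher.init(" + enricherDef + "): authContext is not set; enricher will not be registered"); }`. The same applies to preCleanup() in the next hunk. Both methods start outside their hunks.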
@@ -157,6 +147,14 @@ public abstract class RangerAbstractContextEnricher implements RangerContextEnri return ret; } + public void setAuthContext(RangerAuthContext authContext) { + this.authContext = authContext; + } + + public RangerAuthContext getAuthContext() { + return authContext; + } + public String getOption(String name, String defaultValue) { String ret = defaultValue; String val = getOption(name); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index fbf0360..b596992 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java @@ -314,17 +314,19 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { } enrichedServiceTags = new EnrichedServiceTags(serviceTags, resourceMatchers, serviceResourceTrie, tagsForEmptyResourceAndAnyAccess); + } + + RangerAuthContext authContext = getAuthContext(); + if (authContext != null) { + authContext.addOrReplaceRequestContextEnricher(this, enrichedServiceTags); Map<String, RangerBasePlugin> servicePluginMap = RangerBasePlugin.getServicePluginMap(); RangerBasePlugin plugin = servicePluginMap != null ? servicePluginMap.get(getServiceName()) : null; if (plugin != null) { - RangerAuthContext currentAuthContext = plugin.getCurrentRangerAuthContext(); - if (currentAuthContext != null) { - currentAuthContext.addOrReplaceRequestContextEnricher(this, enrichedServiceTags); - plugin.contextChanged(); - } + plugin.contextChanged(); } } + } protected Long getServiceTagsVersion() { diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java index e596b2a..df21c5d 100644 
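Review bot: `setAuthContext()` and `getAuthContext()` carry an ordering contract that is not written down: init() only registers the enricher when the field is already set, so a caller that sets it after init() ends up with an enricher that is never registered. A Javadoc on the setter should say so, e.g. `/** Sets the RangerAuthContext this enricher registers with in init(); must be called before init(), and a null value leaves the enricher unregistered. */`. The getter can simply state that it may return null.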
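Review bot: The added `}` before `RangerAuthContext authContext = getAuthContext();` moves the registration and the `plugin.contextChanged()` call out of the block that builds `enrichedServiceTags`, so they now run on every pass through this method rather than only when new tags were built; if the enclosing block has a path where nothing changed, the enricher is re-registered and contextChanged() fired for no reason (the method starts outside the hunk, so this is inferred). If that is intended, a one-line comment saying why would help; otherwise those lines belong back inside the building block. Separately, the `RangerBasePlugin.getServicePluginMap()` lookup keyed by service name is still the static-member access this commit sets out to reduce; the enricher now holds an auth context with a RangerPluginContext, which looks like the natural place to carry the change notification instead.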
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java @@ -23,6 +23,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; import org.apache.ranger.authorization.utils.StringUtil; +import org.apache.ranger.plugin.service.RangerAuthContext; import org.apache.ranger.plugin.service.RangerBasePlugin; public class RangerPluginContext { @@ -30,6 +31,7 @@ public class RangerPluginContext { private static final Log LOG = LogFactory.getLog(RangerBasePlugin.class); private String clusterName; private String clusterType; + private RangerAuthContext authContext; public RangerPluginContext(String serviceType){ this.clusterName = findClusterName(serviceType); @@ -52,6 +54,10 @@ public class RangerPluginContext { this.clusterType = clusterType; } + public RangerAuthContext getAuthContext() { return authContext; } + + public void setAuthContext(RangerAuthContext authContext) { this.authContext = authContext; } + private String findClusterName(String serviceType) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerPluginContext.findClusterName , serviceType = " + serviceType); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 51cd658..d33f5d3 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
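Review bot: The single-line brace style of `getAuthContext()` and `setAuthContext()` differs from `setClusterType` directly above and the rest of this class, and the lifecycle of the field is undocumented: it is null until RangerPolicyEngineImpl's constructor installs a value, and it is later read by RangerBasePlugin.setPolicies() and by RangerPolicyRepository when wiring enrichers. A Javadoc such as `/** Auth context installed by the RangerPolicyEngineImpl built for this context; null until an engine has been constructed. */` would capture that. If any reader of this field runs on a thread other than the one that built the engine (not visible in these hunks), `private volatile RangerAuthContext authContext;` is the cheap way to make the publication safe.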
@@ -36,6 +36,7 @@ import org.apache.ranger.plugin.model.validation.RangerZoneResourceMatcher; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.PolicyACLSummary; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; +import org.apache.ranger.plugin.service.RangerAuthContext; import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.RangerAccessRequestUtil; @@ -82,17 +83,13 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { private Map<String, RangerPolicyRepository> policyRepositories = new HashMap<>(); - private Map<String, RangerResourceTrie> trieMap; - private Map<String, String> zoneTagServiceMap; - private final Map<String, Set<String>> userRoleMapping; - private final Map<String, Set<String>> groupRoleMapping; - private final RangerPluginContext rangerPluginContext; + private Map<String, RangerResourceTrie> trieMap; + private Map<String, String> zoneTagServiceMap; + private final Map<String, Set<String>> userRoleMapping; + private final Map<String, Set<String>> groupRoleMapping; + private final RangerPluginContext pluginContext; public RangerPolicyEngineImpl(final RangerPolicyEngineImpl other, ServicePolicies servicePolicies) { - this(other, servicePolicies, null); - } - - public RangerPolicyEngineImpl(final RangerPolicyEngineImpl other, ServicePolicies servicePolicies, RangerPluginContext rangerPluginContext) { List<RangerPolicyDelta> deltas = servicePolicies.getPolicyDeltas(); long policyVersion = servicePolicies.getPolicyVersion(); 
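Review bot: Dropping the public constructor `RangerPolicyEngineImpl(other, servicePolicies, rangerPluginContext)` — and the three-argument `(appId, servicePolicies, options)` one in the @@ -224 hunk — is a source-incompatible change for any caller outside this module; the diffstat shows no caller updated apart from this class and RangerBasePlugin, so if plugin modules or tests construct the engine directly they break at compile time. If that is acceptable, the commit message should say so, otherwise keep thin delegating overloads. The constructor body continues past the end of the hunk.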
@@ -100,6 +97,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { this.useForwardedIPAddress = other.useForwardedIPAddress; this.trustedProxyAddresses = other.trustedProxyAddresses; + this.pluginContext = other.pluginContext; + List<RangerPolicyDelta> defaultZoneDeltas = new ArrayList<>(); List<RangerPolicyDelta> defaultZoneDeltasForTagPolicies = new ArrayList<>(); @@ -146,7 +145,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } servicePolicies.getSecurityZones().get(zoneName).setPolicies(policies); - policyRepository = new RangerPolicyRepository(other.policyRepository.getAppId(), servicePolicies, other.policyRepository.getOptions(), zoneName); + policyRepository = new RangerPolicyRepository(other.policyRepository.getAppId(), servicePolicies, other.policyRepository.getOptions(), this.pluginContext, zoneName); } else { policyRepository = new RangerPolicyRepository(otherRepository, zoneDeltas, policyVersion); } @@ -192,7 +191,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } } servicePolicies.getTagPolicies().setPolicies(tagPolicies); - this.tagPolicyRepository = new RangerPolicyRepository(other.policyRepository.getAppId(), servicePolicies.getTagPolicies(), other.policyRepository.getOptions(), servicePolicies.getServiceDef(), servicePolicies.getServiceName()); + this.tagPolicyRepository = new RangerPolicyRepository(other.policyRepository.getAppId(), servicePolicies.getTagPolicies(), other.policyRepository.getOptions(), this.pluginContext, servicePolicies.getServiceDef(), servicePolicies.getServiceName()); } } else { this.tagPolicyRepository = other.tagPolicyRepository; 
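Review bot: `this.pluginContext = other.pluginContext;` shares a context whose auth context was created by the other engine's constructor as `new RangerAuthContext(this, null, this.pluginContext)` (@@ -246 hunk), and since `RangerAuthContext.policyEngine` is now final, after a delta clone `pluginContext.getAuthContext().getPolicyEngine()` still points at the pre-delta engine. RangerBasePlugin then does `this.currentAuthContext = new RangerAuthContext(rangerPluginContext.getAuthContext());` (@@ -351 hunk), which copies that stale engine reference — unless code outside these hunks refreshes it, authorization through the auth context after a delta update would be evaluated against the previous policy set. The clone constructor should install an auth context bound to the new engine while keeping the enricher registrations visible, e.g. `RangerAuthContext prev = other.pluginContext.getAuthContext();` followed by `this.pluginContext.setAuthContext(new RangerAuthContext(this, prev != null ? prev.getRequestContextEnrichers() : null, this.pluginContext));` (passing the same map instance rather than a copy so enrichers carried over from `other` keep registering into it). The constructor starts and ends outside this hunk.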
@@ -200,8 +199,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } } - this.rangerPluginContext = (rangerPluginContext != null) ? rangerPluginContext : null; - List<RangerContextEnricher> tmpList; List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers(); List<RangerContextEnricher> resourceContextEnrichers = policyRepository.getContextEnrichers(); @@ -224,10 +221,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } - public RangerPolicyEngineImpl(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options) { - this(appId, servicePolicies, options, null); - } - public RangerPolicyEngineImpl(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext rangerPluginContext) { if (LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl(" + appId + ", " + servicePolicies + ", " + options + ", " + rangerPluginContext + ")"); @@ -246,7 +239,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { options = new RangerPolicyEngineOptions(); } - this.rangerPluginContext = (rangerPluginContext != null) ? rangerPluginContext : null; + this.pluginContext = (rangerPluginContext != null) ? rangerPluginContext : new RangerPluginContext(servicePolicies.getServiceDef().getName()); + + RangerAuthContext authContext = new RangerAuthContext(this, null, this.pluginContext); + this.pluginContext.setAuthContext(authContext); + if(StringUtils.isBlank(options.evaluatorType) || StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO)) { 
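Review bot: `new RangerPluginContext(servicePolicies.getServiceDef().getName())` dereferences `getServiceDef()` unguarded, while this same class writes `(serviceDef != null) ? serviceDef.getName() : ""` in the @@ -347 hunk; a ServicePolicies without a service-def now fails here with a bare NullPointerException before the repository constructor gets to report it. Matching the existing pattern, `String serviceType = servicePolicies.getServiceDef() != null ? servicePolicies.getServiceDef().getName() : null;` and then `new RangerPluginContext(serviceType)` keeps the failure where it was (what findClusterName does with a null service type is outside the hunk and worth checking). A short comment on the two added lines — that the engine publishes its auth context into the shared plugin context for RangerBasePlugin and the enrichers to pick up — would also help, since nothing here says who reads it.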
@@ -269,7 +266,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { options.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED; } - policyRepository = new RangerPolicyRepository(appId, servicePolicies, options); + policyRepository = new RangerPolicyRepository(appId, servicePolicies, options, this.pluginContext); ServicePolicies.TagPolicies tagPolicies = servicePolicies.getTagPolicies(); @@ -282,7 +279,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { if (LOG.isDebugEnabled()) { LOG.debug("RangerPolicyEngineImpl : Building tag-policy-repository for tag-service " + tagPolicies.getServiceName()); } - tagPolicyRepository = new RangerPolicyRepository(appId, tagPolicies, options, servicePolicies.getServiceDef(), servicePolicies.getServiceName()); + tagPolicyRepository = new RangerPolicyRepository(appId, tagPolicies, options, this.pluginContext, servicePolicies.getServiceDef(), servicePolicies.getServiceName()); } else { if (LOG.isDebugEnabled()) { @@ -310,7 +307,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) { buildZoneTrie(servicePolicies); for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> zone : servicePolicies.getSecurityZones().entrySet()) { - RangerPolicyRepository policyRepository = new RangerPolicyRepository(appId, servicePolicies, options, zone.getKey()); + RangerPolicyRepository policyRepository = new RangerPolicyRepository(appId, servicePolicies, options, this.pluginContext, zone.getKey()); policyRepositories.put(zone.getKey(), policyRepository); } } 
@@ -347,7 +344,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { RangerServiceDef serviceDef = this.getServiceDef(); String serviceType = (serviceDef != null) ? serviceDef.getName() : ""; if (CollectionUtils.isNotEmpty(servicePolicies.getPolicyDeltas()) && RangerPolicyDeltaUtil.isValidDeltas(servicePolicies.getPolicyDeltas(), serviceType)) { - ret = new RangerPolicyEngineImpl(this, servicePolicies, this.rangerPluginContext); + ret = new RangerPolicyEngineImpl(this, servicePolicies); } else { ret = null; } @@ -425,9 +422,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { RangerAccessRequestImpl reqImpl = (RangerAccessRequestImpl) request; reqImpl.extractAndSetClientIPAddress(useForwardedIPAddress, trustedProxyAddresses); - if(rangerPluginContext != null) { - reqImpl.setClusterName(rangerPluginContext.getClusterName()); - reqImpl.setClusterType(rangerPluginContext.getClusterType()); + if(pluginContext != null) { + reqImpl.setClusterName(pluginContext.getClusterName()); + reqImpl.setClusterType(pluginContext.getClusterType()); } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java index 3a954f3..aec325c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 
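Review bot: The `if(pluginContext != null)` guard in preProcess is dead as far as these hunks show: the main constructor substitutes a fresh RangerPluginContext when given null (@@ -246) and the clone constructor copies the other engine's, so the field is never null after construction. Either drop the guard or annotate the field with `// never null: both constructors assign a RangerPluginContext` so the next reader does not have to re-derive it. The inconsistency with RangerPolicyRepository, which dereferences its copy of the same context without a check, is raised on that file.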
@@ -24,6 +24,7 @@ import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; +import org.apache.ranger.plugin.contextenricher.RangerAbstractContextEnricher; import org.apache.ranger.plugin.contextenricher.RangerContextEnricher; import org.apache.ranger.plugin.contextenricher.RangerTagEnricher; import org.apache.ranger.plugin.contextenricher.RangerTagForEval; @@ -81,6 +82,7 @@ class RangerPolicyRepository { private final String zoneName; private final String appId; private final RangerPolicyEngineOptions options; + private final RangerPluginContext pluginContext; private final RangerServiceDef serviceDef; private final List<RangerPolicy> policies; private final long policyVersion; @@ -106,6 +108,7 @@ class RangerPolicyRepository { this.zoneName = other.zoneName; this.appId = other.appId; this.options = other.options; + this.pluginContext = other.pluginContext; this.serviceDef = other.serviceDef; this.policies = new ArrayList<>(other.policies); this.policyEvaluators = new ArrayList<>(other.policyEvaluators); @@ -252,11 +255,11 @@ class RangerPolicyRepository { } - RangerPolicyRepository(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options) { - this(appId, servicePolicies, options, null); + RangerPolicyRepository(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext pluginContext) { + this(appId, servicePolicies, options, pluginContext, null); } - RangerPolicyRepository(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options, String zoneName) { + RangerPolicyRepository(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext pluginContext, String zoneName) { super(); this.componentServiceName = this.serviceName = servicePolicies.getServiceName(); 
@@ -266,6 +269,7 @@ class RangerPolicyRepository { this.appId = appId; this.options = new RangerPolicyEngineOptions(options); + this.pluginContext = pluginContext; if (StringUtils.isEmpty(zoneName)) { this.policies = Collections.unmodifiableList(servicePolicies.getPolicies()); @@ -322,7 +326,7 @@ class RangerPolicyRepository { } } - RangerPolicyRepository(String appId, ServicePolicies.TagPolicies tagPolicies, RangerPolicyEngineOptions options, + RangerPolicyRepository(String appId, ServicePolicies.TagPolicies tagPolicies, RangerPolicyEngineOptions options, RangerPluginContext pluginContext, RangerServiceDef componentServiceDef, String componentServiceName) { super(); @@ -336,6 +340,7 @@ class RangerPolicyRepository { this.appId = appId; this.options = options; + this.pluginContext = pluginContext; this.policies = Collections.unmodifiableList(normalizeAndPrunePolicies(tagPolicies.getPolicies(), componentServiceDef.getName())); this.policyVersion = tagPolicies.getPolicyVersion() != null ? tagPolicies.getPolicyVersion() : -1; @@ -1023,6 +1028,10 @@ class RangerPolicyRepository { ret.setServiceName(componentServiceName); ret.setServiceDef(componentServiceDef); ret.setAppId(appId); + if (ret instanceof RangerAbstractContextEnricher) { + RangerAbstractContextEnricher abstractContextEnricher = (RangerAbstractContextEnricher) ret; + abstractContextEnricher.setAuthContext(pluginContext.getAuthContext()); + } ret.init(); } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java index 3d0f107..842c58b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 
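Review bot: `abstractContextEnricher.setAuthContext(pluginContext.getAuthContext())` dereferences `pluginContext` unguarded, yet both constructors in the @@ -252 hunk take it as an ordinary nullable parameter and RangerPolicyEngineImpl still null-checks its own copy; a repository built with a null context would now throw NullPointerException while creating enrichers instead of merely leaving them unregistered. `if (ret instanceof RangerAbstractContextEnricher && pluginContext != null) {` keeps the earlier tolerance, or else have the constructors reject null up front with `this.pluginContext = Objects.requireNonNull(pluginContext, "pluginContext");` so the failure is reported where it originates. The enclosing enricher-factory method starts outside the hunk.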
@@ -50,137 +50,153 @@ import java.util.concurrent.ConcurrentHashMap; public class RangerAuthContext implements RangerPolicyEngine { private static final Log LOG = LogFactory.getLog(RangerAuthContext.class); private final RangerPluginContext rangerPluginContext; - private RangerPolicyEngine policyEngine; - private Map<RangerContextEnricher, Object> requestContextEnrichers; + private final RangerPolicyEngine policyEngine; + private final Map<RangerContextEnricher, Object> requestContextEnrichers; - protected RangerAuthContext() { - this(null, null, null); - } - - protected RangerAuthContext(RangerPluginContext rangerPluginContext) { - this(null, null, rangerPluginContext); - } - - RangerAuthContext(RangerPolicyEngine policyEngine, Map<RangerContextEnricher, Object> requestContextEnrichers, RangerPluginContext rangerPluginContext) { + public RangerAuthContext(RangerPolicyEngine policyEngine, Map<RangerContextEnricher, Object> requestContextEnrichers, RangerPluginContext rangerPluginContext) { this.policyEngine = policyEngine; - this.requestContextEnrichers = requestContextEnrichers; + this.requestContextEnrichers = requestContextEnrichers != null ? 
requestContextEnrichers : new ConcurrentHashMap<>(); this.rangerPluginContext = rangerPluginContext; } - RangerAuthContext(RangerAuthContext other) { - this(other, null); - } + RangerAuthContext(RangerAuthContext other) { + if (other != null) { + this.policyEngine = other.getPolicyEngine(); + + Map<RangerContextEnricher, Object> localReference = other.requestContextEnrichers; + if (MapUtils.isNotEmpty(localReference)) { + this.requestContextEnrichers = new ConcurrentHashMap<>(localReference); + } else { + this.requestContextEnrichers = new ConcurrentHashMap<>(); + } - RangerAuthContext(RangerAuthContext other, RangerPluginContext rangerPluginContext) { - if (other != null) { - this.policyEngine = other.getPolicyEngine(); - Map<RangerContextEnricher, Object> localReference = other.requestContextEnrichers; - if (MapUtils.isNotEmpty(localReference)) { - this.requestContextEnrichers = new ConcurrentHashMap<>(localReference); - } - } - this.rangerPluginContext = rangerPluginContext; + this.rangerPluginContext = other.rangerPluginContext; + } else { + this.policyEngine = null; + this.requestContextEnrichers = new ConcurrentHashMap<>(); + this.rangerPluginContext = null; + } } public RangerPolicyEngine getPolicyEngine() { return policyEngine; } - void setPolicyEngine(RangerPolicyEngine policyEngine) { this.policyEngine = policyEngine; } - public Map<RangerContextEnricher, Object> getRequestContextEnrichers() { return requestContextEnrichers; } public void addOrReplaceRequestContextEnricher(RangerContextEnricher enricher, Object database) { - if (requestContextEnrichers == null) { - requestContextEnrichers = new ConcurrentHashMap<>(); - } // concurrentHashMap does not allow null to be inserted into it, so insert a dummy which is checked // when enrich() is called requestContextEnrichers.put(enricher, database != null ? 
database : enricher); } public void cleanupRequestContextEnricher(RangerContextEnricher enricher) { - if (requestContextEnrichers != null) { - requestContextEnrichers.remove(enricher); - } + requestContextEnrichers.remove(enricher); + } @Override public void setUseForwardedIPAddress(boolean useForwardedIPAddress) { - policyEngine.setUseForwardedIPAddress(useForwardedIPAddress); + if (policyEngine != null) { + policyEngine.setUseForwardedIPAddress(useForwardedIPAddress); + } } @Override public void setTrustedProxyAddresses(String[] trustedProxyAddresses) { - policyEngine.setTrustedProxyAddresses(trustedProxyAddresses); + if (policyEngine != null) { + policyEngine.setTrustedProxyAddresses(trustedProxyAddresses); + } } @Override public boolean getUseForwardedIPAddress() { - return policyEngine.getUseForwardedIPAddress(); + if (policyEngine != null) { + return policyEngine.getUseForwardedIPAddress(); + } + return false; } @Override public String[] getTrustedProxyAddresses() { - return policyEngine.getTrustedProxyAddresses(); + if (policyEngine != null) { + return policyEngine.getTrustedProxyAddresses(); + } + return null; } @Override public RangerServiceDef getServiceDef() { - return policyEngine.getServiceDef(); + if (policyEngine != null) { + return policyEngine.getServiceDef(); + } + return null; } @Override public long getPolicyVersion() { - return policyEngine.getPolicyVersion(); + if (policyEngine != null) { + return policyEngine.getPolicyVersion(); + } + return 0L; } public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAccessResultProcessor resultProcessor) { - preProcess(requests); - return policyEngine.evaluatePolicies(requests, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor); + if (policyEngine != null) { + preProcess(requests); + return policyEngine.evaluatePolicies(requests, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor); + } + return null; } public RangerAccessResult isAccessAllowed(RangerAccessRequest 
request, RangerAccessResultProcessor resultProcessor) { - preProcess(request); - return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor); + if (policyEngine != null) { + preProcess(request); + return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor); + } + return null; } public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) { - preProcess(request); - return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, resultProcessor); + if (policyEngine != null) { + preProcess(request); + return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, resultProcessor); + } + return null; } public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) { - preProcess(request); - return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, resultProcessor); + if (policyEngine != null) { + preProcess(request); + return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, resultProcessor); + } + return null; } @Override public void preProcess(RangerAccessRequest request) { - - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerAuthContext.preProcess"); - } - + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthContext.preProcess"); + } RangerAccessResource resource = request.getResource(); if (resource.getServiceDef() == null) { - if (resource instanceof RangerMutableResource) { - RangerMutableResource mutable = (RangerMutableResource) resource; - mutable.setServiceDef(getServiceDef()); - } + if (resource instanceof RangerMutableResource) { + RangerMutableResource mutable = (RangerMutableResource) resource; + mutable.setServiceDef(getServiceDef()); + } + } + if (request instanceof RangerAccessRequestImpl) { + RangerAccessRequestImpl reqImpl = (RangerAccessRequestImpl) request; + 
reqImpl.extractAndSetClientIPAddress(getUseForwardedIPAddress(), getTrustedProxyAddresses()); + if (rangerPluginContext != null) { + reqImpl.setClusterName(rangerPluginContext.getClusterName()); + reqImpl.setClusterType(rangerPluginContext.getClusterType()); + } } - if (request instanceof RangerAccessRequestImpl) { - RangerAccessRequestImpl reqImpl = (RangerAccessRequestImpl) request; - reqImpl.extractAndSetClientIPAddress(getUseForwardedIPAddress(), getTrustedProxyAddresses()); - if(rangerPluginContext != null) { - reqImpl.setClusterName(rangerPluginContext.getClusterName()); - reqImpl.setClusterType(rangerPluginContext.getClusterType()); - } - } - RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(), request.getUser()); + RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(), request.getUser()); Set<String> roles = getRolesFromUserAndGroups(request.getUser(), request.getUserGroups()); @@ -194,7 +210,7 @@ public class RangerAuthContext implements RangerPolicyEngine { RangerAccessRequestUtil.setOwnerInContext(request.getContext(), owner); } - if (MapUtils.isNotEmpty(requestContextEnrichers)) { + if (MapUtils.isNotEmpty(requestContextEnrichers)) { for (Map.Entry<RangerContextEnricher, Object> entry : requestContextEnrichers.entrySet()) { if (entry.getValue() instanceof RangerContextEnricher && entry.getKey().equals(entry.getValue())) { // This entry was a result of addOrReplaceRequestContextEnricher() API called with null database value @@ -204,10 +220,9 @@ public class RangerAuthContext implements RangerPolicyEngine { } } } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerAuthContext.preProcess"); - } + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthContext.preProcess"); + } } @Override 
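Review bot: With `policyEngine` now final and nullable (the copy constructor assigns null for a null `other`), every evaluation entry point — isAccessAllowed, evalDataMaskPolicies and evalRowFilterPolicies here, and evaluatePolicies, getResourceACLs, getMatchingPolicies and getRolesFromUserAndGroups in the @@ -221 and @@ -311 hunks — returns null silently, so a context handed out before an engine exists (RangerBasePlugin.createRangerAuthContext() before setPolicies() has run) produces NPEs in the caller far from the cause, and nothing logs that an engine-less context was consulted for an authorization decision. Throwing `IllegalStateException("RangerAuthContext has no policy engine")` from those paths, or at least logging at WARN, would surface the misconfiguration; `getRolesFromUserAndGroups` in particular is safer returning `Collections.emptySet()` than null since callers iterate the result. The class declaration is inside the hunk but the end of the class is not.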
@@ -221,51 +236,77 @@ public class RangerAuthContext implements RangerPolicyEngine { @Override public RangerAccessResult evaluatePolicies(RangerAccessRequest request, int policyType, RangerAccessResultProcessor resultProcessor) { - return policyEngine.evaluatePolicies(request, policyType, resultProcessor); + if (policyEngine != null) { + return policyEngine.evaluatePolicies(request, policyType, resultProcessor); + } + return null; } @Override public Collection<RangerAccessResult> evaluatePolicies(Collection<RangerAccessRequest> requests, int policyType, RangerAccessResultProcessor resultProcessor) { - return policyEngine.evaluatePolicies(requests, policyType, resultProcessor); + if (policyEngine != null) { + return policyEngine.evaluatePolicies(requests, policyType, resultProcessor); + } + return null; } @Override public RangerResourceACLs getResourceACLs(RangerAccessRequest request) { - preProcess(request); - return policyEngine.getResourceACLs(request); + if (policyEngine != null) { + preProcess(request); + return policyEngine.getResourceACLs(request); + } + return null; } @Override public String getMatchedZoneName(GrantRevokeRequest grantRevokeRequest) { - return policyEngine.getMatchedZoneName(grantRevokeRequest); + if (policyEngine != null) { + return policyEngine.getMatchedZoneName(grantRevokeRequest); + } + return null; } @Override public boolean preCleanup() { - return policyEngine.preCleanup(); + if (policyEngine != null) { + return policyEngine.preCleanup(); + } + return false; } @Override public void cleanup() { - policyEngine.cleanup(); + if (policyEngine != null) { + policyEngine.cleanup(); + } } @Override public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest request) { - preProcess(request); - return policyEngine.getResourceAccessInfo(request); + if (policyEngine != null) { + preProcess(request); + return policyEngine.getResourceAccessInfo(request); + } + return null; } @Override public List<RangerPolicy> 
getMatchingPolicies(RangerAccessResource resource) { - RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, RangerPolicyEngine.ANY_ACCESS, null, null); - preProcess(request); - return getMatchingPolicies(request); + if (policyEngine != null) { + RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, RangerPolicyEngine.ANY_ACCESS, null, null); + preProcess(request); + return getMatchingPolicies(request); + } + return null; } @Override public List<RangerPolicy> getMatchingPolicies(RangerAccessRequest request) { - return policyEngine.getMatchingPolicies(request); + if (policyEngine != null) { + return policyEngine.getMatchingPolicies(request); + } + return null; } /* This API is called for a long running policy-engine. Not needed here */ @@ -285,7 +326,7 @@ public class RangerAuthContext implements RangerPolicyEngine { } @Override - public boolean isAccessAllowed(RangerPolicy policy, String user, Set<String> userGroups, Set<String> roles, String accessType) { + public boolean isAccessAllowed(RangerPolicy policy, String user, Set<String> userGroups, Set<String> roles, String accessType) { return false; } @@ -311,12 +352,18 @@ public class RangerAuthContext implements RangerPolicyEngine { @Override public RangerPolicyEngine cloneWithDelta(ServicePolicies servicePolicies) { - return policyEngine.cloneWithDelta(servicePolicies); + if (policyEngine != null) { + return policyEngine.cloneWithDelta(servicePolicies); + } + return null; } @Override public Set<String> getRolesFromUserAndGroups(String user, Set<String> groups) { - return policyEngine.getRolesFromUserAndGroups(user, groups); + if (policyEngine != null) { + return policyEngine.getRolesFromUserAndGroups(user, groups); + } + return null; } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 8d89a18..8de0329 100644 
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -70,7 +70,6 @@ public class RangerBasePlugin { private RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions(); private RangerPluginContext rangerPluginContext; private RangerAuthContext currentAuthContext; - private RangerAuthContext readOnlyAuthContext; private RangerAccessResultProcessor resultProcessor; private boolean useForwardedIPAddress; private String[] trustedProxyAddresses; @@ -143,7 +142,7 @@ public class RangerBasePlugin { } public RangerAuthContext createRangerAuthContext() { - return new RangerAuthContext(readOnlyAuthContext); + return new RangerAuthContext(currentAuthContext); } public RangerAuthContext getCurrentRangerAuthContext() { return currentAuthContext; } @@ -216,6 +215,8 @@ public class RangerBasePlugin { auditProviderFactory = null; } + rangerPluginContext = new RangerPluginContext(serviceType); + policyEngineOptions.configureForPlugin(configuration, propertyPrefix); LOG.info(policyEngineOptions); @@ -314,8 +315,6 @@ public class RangerBasePlugin { if (LOG.isDebugEnabled()) { LOG.debug("policies are not null. Creating engine from policies"); } - rangerPluginContext = new RangerPluginContext(serviceType); - currentAuthContext = new RangerAuthContext(rangerPluginContext); newPolicyEngine = new RangerPolicyEngineImpl(appId, policies, policyEngineOptions, rangerPluginContext); } else { if (LOG.isDebugEnabled()) { 
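Review bot: `createRangerAuthContext()` now copies `currentAuthContext`, and the RangerAuthContext copy constructor snapshots the enricher map into a new ConcurrentHashMap, so enrichers registered on the current context after the copy is made are not visible to the returned object, and until setPolicies() has run the copy wraps a null engine. Neither is stated anywhere; a Javadoc such as `/** Returns a snapshot of the current auth context: the policy engine and the enrichers registered at call time. The engine is null until policies have been loaded. */` would spare callers the surprise.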
@@ -335,8 +334,6 @@ public class RangerBasePlugin { LOG.debug("Failed to apply policyDeltas=" + Arrays.toString(policies.getPolicyDeltas().toArray()) + "), Creating engine from policies"); LOG.debug("Creating new engine from servicePolicies:[" + servicePolicies + "]"); }
- rangerPluginContext = new RangerPluginContext(serviceType);
- currentAuthContext = new RangerAuthContext(rangerPluginContext);
 newPolicyEngine = new RangerPolicyEngineImpl(appId, servicePolicies, policyEngineOptions, rangerPluginContext); } } else {
@@ -351,8 +348,7 @@ public class RangerBasePlugin { newPolicyEngine.setUseForwardedIPAddress(useForwardedIPAddress); newPolicyEngine.setTrustedProxyAddresses(trustedProxyAddresses); this.policyEngine = newPolicyEngine;
- currentAuthContext.setPolicyEngine(this.policyEngine);
- readOnlyAuthContext = new RangerAuthContext(currentAuthContext);
+ this.currentAuthContext = new RangerAuthContext(rangerPluginContext.getAuthContext());
 contextChanged();
@@ -363,6 +359,7 @@ public class RangerBasePlugin { this.refresher.saveToCache(usePolicyDeltas ? servicePolicies : policies); } }
+ } else {
 LOG.error("Returning without saving policies to cache. Leaving current policy engine as-is"); }
@@ -699,6 +696,15 @@ public class RangerBasePlugin { } }
+
+ /*
+ This API is provided only for unit testing
+ */
+
+ public void setPluginContext(RangerPluginContext pluginContext) {
+ this.rangerPluginContext = pluginContext;
+ }
+
 private void auditGrantRevoke(GrantRevokeRequest request, String action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) { if(request != null && resultProcessor != null) { RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl();
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerAuthContext.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerAuthContext.java
index 49dba88..061b392 100644
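Review bot: setPluginContext() in the -699 hunk is a public mutator that the block comment says exists only for unit tests, but neither the comment nor the code states that it must run before setPolicies(): after a policy engine has been built, swapping rangerPluginContext leaves that engine holding the old context while the -351 hunk derives currentAuthContext from rangerPluginContext.getAuthContext(), so the two would disagree. Replace the plain block comment with Javadoc along the lines of `/** Replaces the plugin context. Intended for unit tests only; must be called before setPolicies(), because the policy engine and auth context are built from it. */`, and reject a null argument (e.g. with java.util.Objects.requireNonNull) so the failure surfaces at the call rather than later inside setPolicies().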
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerAuthContext.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerAuthContext.java
@@ -87,6 +87,8 @@ public class TestRangerAuthContext { for(RangerAuthContextTests.TestCase testCase : testCases.testCases) { String testName = testCase.name;
+ RangerPluginContext pluginContext = new RangerPluginContext(testCase.servicePolicies.getServiceDef().getName());
+ plugin.setPluginContext(pluginContext);
 plugin.setPolicies(testCase.servicePolicies); RangerAuthContext ctx = plugin.createRangerAuthContext();
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index bb015c5..0c5449d 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -97,8 +97,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { private static volatile RangerHivePlugin hivePlugin = null;
- private static RangerAuthContext authContext;
-
 private static final String ROLE_ALL = "ALL", ROLE_DEFAULT = "DEFAULT", ROLE_NONE = "NONE"; private static final Set<String> RESERVED_ROLE_NAMES;
@@ -2016,7 +2014,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { } try {
- authContext = hivePlugin.createRangerAuthContext();
 HiveObjectRef msObjRef = AuthorizationUtils.getThriftHiveObjectRef(privObj); if (msObjRef.getObjectName() == null) { 
@@ -2335,6 +2332,8 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { RangerHiveResource hiveResource = createHiveResource(hiveObject); RangerAccessRequestImpl request = new RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, null);
+ final RangerAuthContext authContext = hivePlugin.createRangerAuthContext();
+
 ret = authContext.getResourceACLs(request); if (LOG.isDebugEnabled()) {
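Review bot: The result of hivePlugin.createRangerAuthContext() is used on the next line without a check; in this same commit that method becomes `new RangerAuthContext(currentAuthContext)`, and currentAuthContext is null until the first setPolicies() completes, so whether this throws before policies are loaded depends on the RangerAuthContext copy constructor, which isn't visible here. Moving from the removed class-level static (written in one method, read in this one, shared by every thread) to a per-call local is the right fix for the cross-request sharing; a short comment such as `// per-call snapshot: the auth context must not be shared across threads or requests` would record why a fresh context is built each time, and either a null check on the result or a documented non-null guarantee on createRangerAuthContext() would pin the contract. The enclosing method starts and ends outside this hunk.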