Example 1 with XXPolicyRefRole
use of org.apache.ranger.entity.XXPolicyRefRole in project ranger by apache.
the class PolicyRefUpdater method createNewPolMappingForRefTable.
public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef) throws Exception {
if (policy == null) {
return;
}
cleanupRefTables(policy);
final Set<String> resourceNames = policy.getResources().keySet();
final Set<String> roleNames = new HashSet<>();
final Set<String> groupNames = new HashSet<>();
final Set<String> userNames = new HashSet<>();
final Set<String> accessTypes = new HashSet<>();
final Set<String> conditionTypes = new HashSet<>();
final Set<String> dataMaskTypes = new HashSet<>();
boolean oldBulkMode = RangerBizUtil.isBulkMode();
List<RangerPolicy.RangerPolicyItemCondition> rangerPolicyConditions = policy.getConditions();
if (CollectionUtils.isNotEmpty(rangerPolicyConditions)) {
for (RangerPolicy.RangerPolicyItemCondition condition : rangerPolicyConditions) {
conditionTypes.add(condition.getType());
}
}
for (List<? extends RangerPolicyItem> policyItems : getAllPolicyItems(policy)) {
if (CollectionUtils.isEmpty(policyItems)) {
continue;
}
for (RangerPolicyItem policyItem : policyItems) {
roleNames.addAll(policyItem.getRoles());
groupNames.addAll(policyItem.getGroups());
userNames.addAll(policyItem.getUsers());
if (CollectionUtils.isNotEmpty(policyItem.getAccesses())) {
for (RangerPolicyItemAccess access : policyItem.getAccesses()) {
accessTypes.add(access.getType());
}
}
if (CollectionUtils.isNotEmpty(policyItem.getConditions())) {
for (RangerPolicyItemCondition condition : policyItem.getConditions()) {
conditionTypes.add(condition.getType());
}
}
if (policyItem instanceof RangerDataMaskPolicyItem) {
RangerPolicyItemDataMaskInfo dataMaskInfo = ((RangerDataMaskPolicyItem) policyItem).getDataMaskInfo();
dataMaskTypes.add(dataMaskInfo.getDataMaskType());
}
}
}
List<XXPolicyRefResource> xPolResources = new ArrayList<>();
for (String resource : resourceNames) {
XXResourceDef xResDef = daoMgr.getXXResourceDef().findByNameAndPolicyId(resource, policy.getId());
if (xResDef == null) {
throw new Exception(resource + ": is not a valid resource-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
}
XXPolicyRefResource xPolRes = rangerAuditFields.populateAuditFields(new XXPolicyRefResource(), xPolicy);
xPolRes.setPolicyId(policy.getId());
xPolRes.setResourceDefId(xResDef.getId());
xPolRes.setResourceName(resource);
xPolResources.add(xPolRes);
}
daoMgr.getXXPolicyRefResource().batchCreate(xPolResources);
final boolean isAdmin = rangerBizUtil.checkAdminAccess();
List<XXPolicyRefRole> xPolRoles = new ArrayList<>();
for (String role : roleNames) {
if (StringUtils.isBlank(role)) {
continue;
}
PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.ROLE, role, xPolicy);
if (!associator.doAssociate(false)) {
if (isAdmin) {
rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
} else {
VXResponse gjResponse = new VXResponse();
gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST);
gjResponse.setMsgDesc("Operation denied. Role name: " + role + " specified in policy does not exist in ranger admin.");
throw restErrorUtil.generateRESTException(gjResponse);
}
}
}
RangerBizUtil.setBulkMode(oldBulkMode);
daoMgr.getXXPolicyRefRole().batchCreate(xPolRoles);
for (String group : groupNames) {
if (StringUtils.isBlank(group)) {
continue;
}
PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.GROUP, group, xPolicy);
if (!associator.doAssociate(false)) {
if (isAdmin) {
rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
} else {
VXResponse gjResponse = new VXResponse();
gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST);
gjResponse.setMsgDesc("Operation denied. Group name: " + group + " specified in policy does not exist in ranger admin.");
throw restErrorUtil.generateRESTException(gjResponse);
}
}
}
for (String user : userNames) {
if (StringUtils.isBlank(user)) {
continue;
}
PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.USER, user, xPolicy);
if (!associator.doAssociate(false)) {
if (isAdmin) {
rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
} else {
VXResponse gjResponse = new VXResponse();
gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST);
gjResponse.setMsgDesc("Operation denied. User name: " + user + " specified in policy does not exist in ranger admin.");
throw restErrorUtil.generateRESTException(gjResponse);
}
}
}
List<XXPolicyRefAccessType> xPolAccesses = new ArrayList<>();
for (String accessType : accessTypes) {
XXAccessTypeDef xAccTypeDef = daoMgr.getXXAccessTypeDef().findByNameAndServiceId(accessType, xPolicy.getService());
if (xAccTypeDef == null) {
throw new Exception(accessType + ": is not a valid access-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
}
XXPolicyRefAccessType xPolAccess = rangerAuditFields.populateAuditFields(new XXPolicyRefAccessType(), xPolicy);
xPolAccess.setPolicyId(policy.getId());
xPolAccess.setAccessDefId(xAccTypeDef.getId());
xPolAccess.setAccessTypeName(accessType);
xPolAccesses.add(xPolAccess);
}
daoMgr.getXXPolicyRefAccessType().batchCreate(xPolAccesses);
List<XXPolicyRefCondition> xPolConds = new ArrayList<>();
for (String condition : conditionTypes) {
XXPolicyConditionDef xPolCondDef = daoMgr.getXXPolicyConditionDef().findByServiceDefIdAndName(xServiceDef.getId(), condition);
if (xPolCondDef == null) {
throw new Exception(condition + ": is not a valid condition-type. policy='" + xPolicy.getName() + "' service='" + xPolicy.getService() + "'");
}
XXPolicyRefCondition xPolCond = rangerAuditFields.populateAuditFields(new XXPolicyRefCondition(), xPolicy);
xPolCond.setPolicyId(policy.getId());
xPolCond.setConditionDefId(xPolCondDef.getId());
xPolCond.setConditionName(condition);
xPolConds.add(xPolCond);
}
daoMgr.getXXPolicyRefCondition().batchCreate(xPolConds);
List<XXPolicyRefDataMaskType> xxDataMaskInfos = new ArrayList<>();
for (String dataMaskType : dataMaskTypes) {
XXDataMaskTypeDef dataMaskDef = daoMgr.getXXDataMaskTypeDef().findByNameAndServiceId(dataMaskType, xPolicy.getService());
if (dataMaskDef == null) {
throw new Exception(dataMaskType + ": is not a valid datamask-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
}
XXPolicyRefDataMaskType xxDataMaskInfo = new XXPolicyRefDataMaskType();
xxDataMaskInfo.setPolicyId(policy.getId());
xxDataMaskInfo.setDataMaskDefId(dataMaskDef.getId());
xxDataMaskInfo.setDataMaskTypeName(dataMaskType);
xxDataMaskInfos.add(xxDataMaskInfo);
}
daoMgr.getXXPolicyRefDataMaskType().batchCreate(xxDataMaskInfos);
}
Also used :
ArrayList(java.util.ArrayList)
XXPolicyRefRole(org.apache.ranger.entity.XXPolicyRefRole)
RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
XXPolicyConditionDef(org.apache.ranger.entity.XXPolicyConditionDef)
XXDataMaskTypeDef(org.apache.ranger.entity.XXDataMaskTypeDef)
XXPolicyRefCondition(org.apache.ranger.entity.XXPolicyRefCondition)
XXAccessTypeDef(org.apache.ranger.entity.XXAccessTypeDef)
RangerPolicyItemDataMaskInfo(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo)
HashSet(java.util.HashSet)
VXResponse(org.apache.ranger.view.VXResponse)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
XXResourceDef(org.apache.ranger.entity.XXResourceDef)
XXPolicyRefAccessType(org.apache.ranger.entity.XXPolicyRefAccessType)
XXPolicyRefDataMaskType(org.apache.ranger.entity.XXPolicyRefDataMaskType)
XXPolicyRefResource(org.apache.ranger.entity.XXPolicyRefResource)
RangerDataMaskPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)
Aggregations
ArrayList (java.util.ArrayList)1
HashSet (java.util.HashSet)1
XXAccessTypeDef (org.apache.ranger.entity.XXAccessTypeDef)1
XXDataMaskTypeDef (org.apache.ranger.entity.XXDataMaskTypeDef)1
XXPolicyConditionDef (org.apache.ranger.entity.XXPolicyConditionDef)1
XXPolicyRefAccessType (org.apache.ranger.entity.XXPolicyRefAccessType)1
XXPolicyRefCondition (org.apache.ranger.entity.XXPolicyRefCondition)1
XXPolicyRefDataMaskType (org.apache.ranger.entity.XXPolicyRefDataMaskType)1
XXPolicyRefResource (org.apache.ranger.entity.XXPolicyRefResource)1
XXPolicyRefRole (org.apache.ranger.entity.XXPolicyRefRole)1
XXResourceDef (org.apache.ranger.entity.XXResourceDef)1
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)1
RangerDataMaskPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem)1
RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)1
RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)1
RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)1
RangerPolicyItemDataMaskInfo (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo)1
VXResponse (org.apache.ranger.view.VXResponse)1
