Search in sources :

Example 1 with XXPolicyRefRole

use of org.apache.ranger.entity.XXPolicyRefRole in project ranger by apache.

the class PolicyRefUpdater method createNewPolMappingForRefTable.

public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef) throws Exception {
    if (policy == null) {
        return;
    }
    cleanupRefTables(policy);
    final Set<String> resourceNames = policy.getResources().keySet();
    final Set<String> roleNames = new HashSet<>();
    final Set<String> groupNames = new HashSet<>();
    final Set<String> userNames = new HashSet<>();
    final Set<String> accessTypes = new HashSet<>();
    final Set<String> conditionTypes = new HashSet<>();
    final Set<String> dataMaskTypes = new HashSet<>();
    boolean oldBulkMode = RangerBizUtil.isBulkMode();
    List<RangerPolicy.RangerPolicyItemCondition> rangerPolicyConditions = policy.getConditions();
    if (CollectionUtils.isNotEmpty(rangerPolicyConditions)) {
        for (RangerPolicy.RangerPolicyItemCondition condition : rangerPolicyConditions) {
            conditionTypes.add(condition.getType());
        }
    }
    for (List<? extends RangerPolicyItem> policyItems : getAllPolicyItems(policy)) {
        if (CollectionUtils.isEmpty(policyItems)) {
            continue;
        }
        for (RangerPolicyItem policyItem : policyItems) {
            roleNames.addAll(policyItem.getRoles());
            groupNames.addAll(policyItem.getGroups());
            userNames.addAll(policyItem.getUsers());
            if (CollectionUtils.isNotEmpty(policyItem.getAccesses())) {
                for (RangerPolicyItemAccess access : policyItem.getAccesses()) {
                    accessTypes.add(access.getType());
                }
            }
            if (CollectionUtils.isNotEmpty(policyItem.getConditions())) {
                for (RangerPolicyItemCondition condition : policyItem.getConditions()) {
                    conditionTypes.add(condition.getType());
                }
            }
            if (policyItem instanceof RangerDataMaskPolicyItem) {
                RangerPolicyItemDataMaskInfo dataMaskInfo = ((RangerDataMaskPolicyItem) policyItem).getDataMaskInfo();
                dataMaskTypes.add(dataMaskInfo.getDataMaskType());
            }
        }
    }
    List<XXPolicyRefResource> xPolResources = new ArrayList<>();
    for (String resource : resourceNames) {
        XXResourceDef xResDef = daoMgr.getXXResourceDef().findByNameAndPolicyId(resource, policy.getId());
        if (xResDef == null) {
            throw new Exception(resource + ": is not a valid resource-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
        }
        XXPolicyRefResource xPolRes = rangerAuditFields.populateAuditFields(new XXPolicyRefResource(), xPolicy);
        xPolRes.setPolicyId(policy.getId());
        xPolRes.setResourceDefId(xResDef.getId());
        xPolRes.setResourceName(resource);
        xPolResources.add(xPolRes);
    }
    daoMgr.getXXPolicyRefResource().batchCreate(xPolResources);
    final boolean isAdmin = rangerBizUtil.checkAdminAccess();
    List<XXPolicyRefRole> xPolRoles = new ArrayList<>();
    for (String role : roleNames) {
        if (StringUtils.isBlank(role)) {
            continue;
        }
        PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.ROLE, role, xPolicy);
        if (!associator.doAssociate(false)) {
            if (isAdmin) {
                rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
            } else {
                VXResponse gjResponse = new VXResponse();
                gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST);
                gjResponse.setMsgDesc("Operation denied. Role name: " + role + " specified in policy does not exist in ranger admin.");
                throw restErrorUtil.generateRESTException(gjResponse);
            }
        }
    }
    RangerBizUtil.setBulkMode(oldBulkMode);
    daoMgr.getXXPolicyRefRole().batchCreate(xPolRoles);
    for (String group : groupNames) {
        if (StringUtils.isBlank(group)) {
            continue;
        }
        PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.GROUP, group, xPolicy);
        if (!associator.doAssociate(false)) {
            if (isAdmin) {
                rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
            } else {
                VXResponse gjResponse = new VXResponse();
                gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST);
                gjResponse.setMsgDesc("Operation denied. Group name: " + group + " specified in policy does not exist in ranger admin.");
                throw restErrorUtil.generateRESTException(gjResponse);
            }
        }
    }
    for (String user : userNames) {
        if (StringUtils.isBlank(user)) {
            continue;
        }
        PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.USER, user, xPolicy);
        if (!associator.doAssociate(false)) {
            if (isAdmin) {
                rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
            } else {
                VXResponse gjResponse = new VXResponse();
                gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST);
                gjResponse.setMsgDesc("Operation denied. User name: " + user + " specified in policy does not exist in ranger admin.");
                throw restErrorUtil.generateRESTException(gjResponse);
            }
        }
    }
    List<XXPolicyRefAccessType> xPolAccesses = new ArrayList<>();
    for (String accessType : accessTypes) {
        XXAccessTypeDef xAccTypeDef = daoMgr.getXXAccessTypeDef().findByNameAndServiceId(accessType, xPolicy.getService());
        if (xAccTypeDef == null) {
            throw new Exception(accessType + ": is not a valid access-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
        }
        XXPolicyRefAccessType xPolAccess = rangerAuditFields.populateAuditFields(new XXPolicyRefAccessType(), xPolicy);
        xPolAccess.setPolicyId(policy.getId());
        xPolAccess.setAccessDefId(xAccTypeDef.getId());
        xPolAccess.setAccessTypeName(accessType);
        xPolAccesses.add(xPolAccess);
    }
    daoMgr.getXXPolicyRefAccessType().batchCreate(xPolAccesses);
    List<XXPolicyRefCondition> xPolConds = new ArrayList<>();
    for (String condition : conditionTypes) {
        XXPolicyConditionDef xPolCondDef = daoMgr.getXXPolicyConditionDef().findByServiceDefIdAndName(xServiceDef.getId(), condition);
        if (xPolCondDef == null) {
            throw new Exception(condition + ": is not a valid condition-type. policy='" + xPolicy.getName() + "' service='" + xPolicy.getService() + "'");
        }
        XXPolicyRefCondition xPolCond = rangerAuditFields.populateAuditFields(new XXPolicyRefCondition(), xPolicy);
        xPolCond.setPolicyId(policy.getId());
        xPolCond.setConditionDefId(xPolCondDef.getId());
        xPolCond.setConditionName(condition);
        xPolConds.add(xPolCond);
    }
    daoMgr.getXXPolicyRefCondition().batchCreate(xPolConds);
    List<XXPolicyRefDataMaskType> xxDataMaskInfos = new ArrayList<>();
    for (String dataMaskType : dataMaskTypes) {
        XXDataMaskTypeDef dataMaskDef = daoMgr.getXXDataMaskTypeDef().findByNameAndServiceId(dataMaskType, xPolicy.getService());
        if (dataMaskDef == null) {
            throw new Exception(dataMaskType + ": is not a valid datamask-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
        }
        XXPolicyRefDataMaskType xxDataMaskInfo = new XXPolicyRefDataMaskType();
        xxDataMaskInfo.setPolicyId(policy.getId());
        xxDataMaskInfo.setDataMaskDefId(dataMaskDef.getId());
        xxDataMaskInfo.setDataMaskTypeName(dataMaskType);
        xxDataMaskInfos.add(xxDataMaskInfo);
    }
    daoMgr.getXXPolicyRefDataMaskType().batchCreate(xxDataMaskInfos);
}
Also used : ArrayList(java.util.ArrayList) XXPolicyRefRole(org.apache.ranger.entity.XXPolicyRefRole) RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) XXPolicyConditionDef(org.apache.ranger.entity.XXPolicyConditionDef) XXDataMaskTypeDef(org.apache.ranger.entity.XXDataMaskTypeDef) XXPolicyRefCondition(org.apache.ranger.entity.XXPolicyRefCondition) XXAccessTypeDef(org.apache.ranger.entity.XXAccessTypeDef) RangerPolicyItemDataMaskInfo(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo) HashSet(java.util.HashSet) VXResponse(org.apache.ranger.view.VXResponse) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) XXResourceDef(org.apache.ranger.entity.XXResourceDef) XXPolicyRefAccessType(org.apache.ranger.entity.XXPolicyRefAccessType) XXPolicyRefDataMaskType(org.apache.ranger.entity.XXPolicyRefDataMaskType) XXPolicyRefResource(org.apache.ranger.entity.XXPolicyRefResource) RangerDataMaskPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)

Aggregations

ArrayList (java.util.ArrayList)1 HashSet (java.util.HashSet)1 XXAccessTypeDef (org.apache.ranger.entity.XXAccessTypeDef)1 XXDataMaskTypeDef (org.apache.ranger.entity.XXDataMaskTypeDef)1 XXPolicyConditionDef (org.apache.ranger.entity.XXPolicyConditionDef)1 XXPolicyRefAccessType (org.apache.ranger.entity.XXPolicyRefAccessType)1 XXPolicyRefCondition (org.apache.ranger.entity.XXPolicyRefCondition)1 XXPolicyRefDataMaskType (org.apache.ranger.entity.XXPolicyRefDataMaskType)1 XXPolicyRefResource (org.apache.ranger.entity.XXPolicyRefResource)1 XXPolicyRefRole (org.apache.ranger.entity.XXPolicyRefRole)1 XXResourceDef (org.apache.ranger.entity.XXResourceDef)1 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)1 RangerDataMaskPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem)1 RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)1 RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)1 RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)1 RangerPolicyItemDataMaskInfo (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo)1 VXResponse (org.apache.ranger.view.VXResponse)1