
Example 1 with RangerTagForEval

use of org.apache.ranger.plugin.contextenricher.RangerTagForEval in project ranger by apache.

Method getCurrentTagFromContext of class RangerAccessRequestUtil.

/**
 * Returns the {@link RangerTagForEval} stored in the request context under
 * {@code KEY_CONTEXT_TAGS}, or {@code null} when the key is absent or holds a
 * value of a different type.
 *
 * <p>NOTE(review): other call sites on this page read the same key as a
 * {@code Set<RangerTagForEval>} (see {@code getRequestTagsFromContext} and the
 * test harness that stores a parsed {@code Set} under it); when that is the
 * stored type, the {@code instanceof} test below is false and this method
 * yields {@code null}. Confirm which key single-tag callers expect
 * (compare {@code KEY_CONTEXT_TAG_OBJECT}).
 *
 * @param context request context map; must not be {@code null}
 * @return the single tag found in the context, or {@code null}
 */
public static RangerTagForEval getCurrentTagFromContext(Map<String, Object> context) {
    Object candidate = context.get(KEY_CONTEXT_TAGS);
    // Only a value of the expected type is returned; anything else is treated as "no tag".
    return (candidate instanceof RangerTagForEval) ? (RangerTagForEval) candidate : null;
}

Example 2 with RangerTagForEval

use of org.apache.ranger.plugin.contextenricher.RangerTagForEval in project ranger by apache.

Method getResourceAccessInfo of class RangerPolicyEngineImpl.

/*
	* This API is used by ranger-admin
	*/
/**
 * Computes which users and groups are allowed or denied access to the
 * resource named in {@code request}. Every tag policy evaluator that is
 * likely to match one of the request's tags is consulted first, then every
 * resource policy evaluator likely to match the resource itself.
 *
 * <p>Denials take precedence: once all evaluators have contributed, users
 * and groups present in the denied sets are removed from the allowed sets.
 *
 * @param request the access request whose resource (and, through its
 *                context, tags) is inspected
 * @return the accumulated access information; never {@code null}
 */
@Override
public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.getResourceAccessInfo(" + request + ")");
    }

    RangerResourceAccessInfo accessInfo = new RangerResourceAccessInfo(request);

    // Tag-based policies contribute only when a tag policy repository exists and holds evaluators.
    if (tagPolicyRepository != null && CollectionUtils.isNotEmpty(tagPolicyRepository.getPolicyEvaluators())) {
        collectTagPolicyAccessInfo(request, accessInfo);
    }

    // Resource-based policies for the requested resource.
    List<RangerPolicyEvaluator> resourceEvaluators = policyRepository.getLikelyMatchPolicyEvaluators(request.getResource(), RangerPolicy.POLICY_TYPE_ACCESS);
    if (CollectionUtils.isNotEmpty(resourceEvaluators)) {
        for (RangerPolicyEvaluator evaluator : resourceEvaluators) {
            evaluator.getResourceAccessInfo(request, accessInfo);
        }
    }

    // Deny wins over allow: strip denied principals from the allowed sets.
    accessInfo.getAllowedUsers().removeAll(accessInfo.getDeniedUsers());
    accessInfo.getAllowedGroups().removeAll(accessInfo.getDeniedGroups());

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.getResourceAccessInfo(" + request + "): " + accessInfo);
    }
    return accessInfo;
}

/**
 * Feeds every likely-matching tag policy evaluator with a per-tag request
 * derived from {@code request} and accumulates the outcome into
 * {@code accessInfo}. Does nothing when the request context carries no tags.
 *
 * @param request    the original access request
 * @param accessInfo the accumulator shared with the resource-policy pass
 */
private void collectTagPolicyAccessInfo(RangerAccessRequest request, RangerResourceAccessInfo accessInfo) {
    Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
    if (CollectionUtils.isEmpty(tags)) {
        return;
    }
    for (RangerTagForEval tag : tags) {
        // Each tag is evaluated as its own request against the tag service definition.
        RangerAccessRequest tagRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
        List<RangerPolicyEvaluator> tagEvaluators = tagPolicyRepository.getLikelyMatchPolicyEvaluators(tagRequest.getResource(), RangerPolicy.POLICY_TYPE_ACCESS);
        for (RangerPolicyEvaluator evaluator : tagEvaluators) {
            evaluator.getResourceAccessInfo(tagRequest, accessInfo);
        }
    }
}

Example 3 with RangerTagForEval

use of org.apache.ranger.plugin.contextenricher.RangerTagForEval in project ranger by apache.

Method getCurrentTag of class RangerScriptExecutionContext.

/**
 * Returns the tag currently being evaluated, as stored in the request
 * context under {@link RangerAccessRequestUtil#KEY_CONTEXT_TAG_OBJECT}.
 *
 * @return the current {@link RangerTagForEval}, or {@code null} when the
 *         context holds no such object (expected for resource-based policy
 *         scripts)
 */
public RangerTagForEval getCurrentTag() {
    Object tagObject = getRequestContext().get(RangerAccessRequestUtil.KEY_CONTEXT_TAG_OBJECT);
    if (!(tagObject instanceof RangerTagForEval)) {
        // A missing tag object is a normal condition for resource-based policies; only note it when debugging.
        if (LOG.isDebugEnabled()) {
            logDebug("RangerScriptExecutionContext.getCurrentTag() - No current TAG object. Script execution must be for resource-based policy.");
        }
        return null;
    }
    return (RangerTagForEval) tagObject;
}

Example 4 with RangerTagForEval

use of org.apache.ranger.plugin.contextenricher.RangerTagForEval in project ranger by apache.

Method getAttributeValue of class RangerScriptExecutionContext.

/**
 * Looks up a named attribute on the tag currently being evaluated.
 *
 * @param attributeName attribute key; a blank or {@code null} name yields {@code null}
 * @return the attribute value, or {@code null} when there is no current tag,
 *         the tag carries no attribute map, or the attribute is absent
 */
public String getAttributeValue(final String attributeName) {
    if (StringUtils.isBlank(attributeName)) {
        return null;
    }
    RangerTagForEval currentTag = getCurrentTag();
    if (currentTag == null) {
        return null;
    }
    // The tag's attribute map may itself be absent.
    Map<String, String> tagAttributes = currentTag.getAttributes();
    return tagAttributes == null ? null : tagAttributes.get(attributeName);
}

Example 5 with RangerTagForEval

use of org.apache.ranger.plugin.contextenricher.RangerTagForEval in project ranger by apache.

Method runTests of class TestPolicyEngine.

/**
 * Runs one JSON-described policy-engine test case.
 *
 * <p>The test case is deserialized from {@code reader}, turned into a
 * {@code ServicePolicies} (plus tag policies when present), and used to build a
 * fresh {@code RangerPolicyEngineImpl}. Each {@code TestData} entry is then
 * evaluated for access, data-mask, row-filter and resource-access-info results,
 * and the parts of the expected result that the test supplies are compared with
 * what the engine produced.
 *
 * @param reader   source of the JSON test case
 * @param testName name used in assertion and error messages
 */
private void runTests(InputStreamReader reader, String testName) {
    PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
    assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null);
    ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setServiceName(testCase.serviceName);
    servicePolicies.setServiceDef(testCase.serviceDef);
    servicePolicies.setPolicies(testCase.policies);
    if (StringUtils.isNotBlank(testCase.auditMode)) {
        servicePolicies.setAuditMode(testCase.auditMode);
    }
    // Tag policies are optional in the test JSON; the same auditMode is applied to them when given.
    if (null != testCase.tagPolicyInfo) {
        ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
        tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
        tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
        tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
        if (StringUtils.isNotBlank(testCase.auditMode)) {
            tagPolicies.setAuditMode(testCase.auditMode);
        }
        servicePolicies.setTagPolicies(tagPolicies);
    }
    RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
    policyEngineOptions.disableTagPolicyEvaluation = false;
    // Forwarded-address handling is configured from the hive plugin keys; the proxy list is ';'-separated and trimmed entry by entry.
    boolean useForwardedIPAddress = RangerConfiguration.getInstance().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
    String trustedProxyAddressString = RangerConfiguration.getInstance().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
    String[] trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, ';');
    if (trustedProxyAddresses != null) {
        for (int i = 0; i < trustedProxyAddresses.length; i++) {
            trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
        }
    }
    RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
    policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
    policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
    long requestCount = 0L;
    RangerAccessRequest request = null;
    for (TestData test : testCase.tests) {
        request = test.request;
        // Periodically reorder evaluators (when the running count is 1 mod 10) so ordering changes are exercised mid-run.
        if ((requestCount++ % 10) == 1) {
            policyEngine.reorderPolicyEvaluators();
        }
        // Tags and requested resources arrive in the test JSON as raw JSON strings inside the context;
        // they are parsed here into the object forms the engine expects, and preProcess() is skipped
        // so the context enrichers do not overwrite them.
        if (request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_TAGS) || request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
            // Create a new AccessRequest
            RangerAccessRequestImpl newRequest = new RangerAccessRequestImpl(request.getResource(), request.getAccessType(), request.getUser(), request.getUserGroups());
            newRequest.setClientType(request.getClientType());
            newRequest.setAccessTime(request.getAccessTime());
            newRequest.setAction(request.getAction());
            newRequest.setRemoteIPAddress(request.getRemoteIPAddress());
            newRequest.setForwardedAddresses(request.getForwardedAddresses());
            newRequest.setRequestData(request.getRequestData());
            newRequest.setSessionId(request.getSessionId());
            // NOTE: this is the original request's own context map, mutated in place and then shared
            // with newRequest via setContext() below. The resourceAccessInfo check further down evaluates
            // test.request rather than newRequest and only sees the parsed tags because of this sharing.
            Map<String, Object> context = request.getContext();
            String tagsJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
            context.remove(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
            if (!StringUtils.isEmpty(tagsJsonString)) {
                try {
                    Type setType = new TypeToken<Set<RangerTagForEval>>() {
                    }.getType();
                    Set<RangerTagForEval> tags = gsonBuilder.fromJson(tagsJsonString, setType);
                    context.put(RangerAccessRequestUtil.KEY_CONTEXT_TAGS, tags);
                } catch (Exception e) {
                    // Parse failures are reported but not fatal here; the tags key has already been removed,
                    // so the request is evaluated without tags and later asserts are expected to surface the problem.
                    System.err.println("TestPolicyEngine.runTests(): error parsing TAGS JSON string in file " + testName + ", tagsJsonString=" + tagsJsonString + ", exception=" + e);
                }
            } else if (request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
                String resourcesJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
                context.remove(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
                if (!StringUtils.isEmpty(resourcesJsonString)) {
                    try {
                        /*
							Reader stringReader = new StringReader(resourcesJsonString);
							RangerRequestedResources resources = gsonBuilder.fromJson(stringReader, RangerRequestedResources.class);
							*/
                        Type myType = new TypeToken<RangerRequestedResources>() {
                        }.getType();
                        RangerRequestedResources resources = gsonBuilder.fromJson(resourcesJsonString, myType);
                        context.put(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES, resources);
                    } catch (Exception e) {
                        // Same best-effort handling as for tags: report and continue without the parsed resources.
                        System.err.println("TestPolicyEngine.runTests(): error parsing REQUESTED_RESOURCES string in file " + testName + ", resourcesJsonString=" + resourcesJsonString + ", exception=" + e);
                    }
                }
            }
            newRequest.setContext(context);
            // accessResource.ServiceDef is set here, so that we can skip call to policyEngine.preProcess() which
            // sets the serviceDef in the resource AND calls enrichers. We dont want enrichers to be called when
            // context already contains tags -- This may change when we want enrichers to enrich request in the
            // presence of tags!!!
            // Safe cast
            // The resource object is shared with newRequest (passed to its constructor above), so setting the
            // serviceDef here covers both requests.
            RangerAccessResourceImpl accessResource = (RangerAccessResourceImpl) request.getResource();
            accessResource.setServiceDef(testCase.serviceDef);
            request = newRequest;
        } else if (!request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
            // Plain requests go through the normal pre-processing (serviceDef + context enrichers).
            policyEngine.preProcess(request);
        }
        RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
        // Each expected-result section is optional; only the fields the test supplies are compared.
        if (test.result != null) {
            RangerAccessResult expected = test.result;
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
            assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
        if (test.dataMaskResult != null) {
            RangerAccessResult expected = test.dataMaskResult;
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("maskType mismatched! - " + test.name, expected.getMaskType(), result.getMaskType());
            assertEquals("maskCondition mismatched! - " + test.name, expected.getMaskCondition(), result.getMaskCondition());
            assertEquals("maskedValue mismatched! - " + test.name, expected.getMaskedValue(), result.getMaskedValue());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
        if (test.rowFilterResult != null) {
            RangerAccessResult expected = test.rowFilterResult;
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
        if (test.resourceAccessInfo != null) {
            RangerResourceAccessInfo expected = new RangerResourceAccessInfo(test.resourceAccessInfo);
            // NOTE(review): evaluates test.request, not the possibly rebuilt `request` used above; this works
            // only because the context map and resource object are shared between the two — confirm intended.
            RangerResourceAccessInfo result = policyEngine.getResourceAccessInfo(test.request);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("allowedUsers mismatched! - " + test.name, expected.getAllowedUsers(), result.getAllowedUsers());
            assertEquals("allowedGroups mismatched! - " + test.name, expected.getAllowedGroups(), result.getAllowedGroups());
            assertEquals("deniedUsers mismatched! - " + test.name, expected.getDeniedUsers(), result.getDeniedUsers());
            assertEquals("deniedGroups mismatched! - " + test.name, expected.getDeniedGroups(), result.getDeniedGroups());
        }
    }
}
