use of org.apache.ranger.plugin.contextenricher.RangerTagForEval in project ranger by apache.
the class RangerPolicyEngineImpl method evaluateTagPolicies.
/**
 * Evaluates tag-based policies for {@code request} and folds their outcome into {@code result}.
 *
 * <p>Tags are read from the request context. When a tag-policy repository is configured, it is asked
 * for the evaluators likely to match those tags for {@code policyType} at the request's access time;
 * each evaluator is then run against a per-tag request. Per evaluator: audit decisions are copied into
 * {@code result} whenever the tag evaluation is audited, and access decisions are copied only while
 * {@code result} is still undetermined (either because the tag evaluation is itself determined, or
 * because it allows what {@code result} so far does not). The loop ends early once both audit and
 * access are determined. Finally, an allowed {@code result} is marked as access-determined.
 *
 * @param request    the access request being authorized
 * @param policyType the policy type to evaluate (access, data-mask or row-filter)
 * @param result     the accumulated result; updated in place
 */
private void evaluateTagPolicies(final RangerAccessRequest request, int policyType, RangerAccessResult result) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", " + result + ")");
    }

    final Date accessTime = request.getAccessTime();
    final Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
    final List<PolicyEvaluatorForTag> policyEvaluators;

    if (tagPolicyRepository == null) {
        // No tag repository at all: nothing to evaluate below
        policyEvaluators = null;
    } else {
        policyEvaluators = tagPolicyRepository.getLikelyMatchPolicyEvaluators(tags, policyType, accessTime);
    }

    if (CollectionUtils.isNotEmpty(policyEvaluators)) {
        for (PolicyEvaluatorForTag policyEvaluator : policyEvaluators) {
            final RangerPolicyEvaluator evaluator = policyEvaluator.getEvaluator();
            final RangerTagForEval tag = policyEvaluator.getTag();
            final RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
            final RangerAccessResult tagEvalResult = createAccessResult(tagEvalRequest, policyType);

            if (LOG.isDebugEnabled()) {
                LOG.debug("RangerPolicyEngineImpl.evaluateTagPolicies: Evaluating policies for tag (" + tag.getType() + ")");
            }

            // Seed the per-tag result with what has been decided so far, then let the evaluator refine it
            tagEvalResult.setAccessResultFrom(result);
            tagEvalResult.setAuditResultFrom(result);

            result.incrementEvaluatedPoliciesCount();

            evaluator.evaluate(tagEvalRequest, tagEvalResult);

            // An allow from an evaluator that has no deny items left is final for this tag
            if (tagEvalResult.getIsAllowed() && !evaluator.hasDeny()) {
                tagEvalResult.setIsAccessDetermined(true);
            }

            if (tagEvalResult.getIsAudited()) {
                result.setAuditResultFrom(tagEvalResult);
            }

            // Only an undetermined overall result may be overwritten; a determined tag outcome wins,
            // otherwise an allow replaces a not-yet-allowed overall result
            if (!result.getIsAccessDetermined()
                    && (tagEvalResult.getIsAccessDetermined() || (!result.getIsAllowed() && tagEvalResult.getIsAllowed()))) {
                result.setAccessResultFrom(tagEvalResult);
            }

            if (result.getIsAuditedDetermined() && result.getIsAccessDetermined()) {
                // Nothing left to decide; skip the remaining evaluators
                break;
            }
        }
    }

    if (result.getIsAllowed()) {
        result.setIsAccessDetermined(true);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", " + result + ")");
    }
}
use of org.apache.ranger.plugin.contextenricher.RangerTagForEval in project ranger by apache.
the class RangerPolicyEngineImpl method getMatchingPolicies.
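/**
 * Returns every policy whose resource matcher matches {@code resource} at any match scope.
 *
 * <p>This API is used by ranger-admin. A throw-away request carrying
 * {@link RangerPolicyEngine#ANY_ACCESS} is built and pre-processed, after which the tags found in
 * its context are each turned into a tag resource and matched against the tag-policy repository.
 * The resource-policy repository is then matched against {@code resource} directly. Both lookups
 * share {@link #addMatchingPolicies}. No de-duplication is performed, so a policy reachable through
 * several tags is listed once per tag.
 *
 * @param resource the resource to look up policies for
 * @return the matching policies in lookup order; empty, never {@code null}, when nothing matches
 */
@Override
public List<RangerPolicy> getMatchingPolicies(RangerAccessResource resource) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.getMatchingPolicies(" + resource + ")");
    }

    List<RangerPolicy> ret = new ArrayList<>();

    RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, RangerPolicyEngine.ANY_ACCESS, null, null);

    // Pre-processing is what populates the request context consulted below (tags are read from it)
    preProcess(request);

    if (hasTagPolicies()) {
        Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());

        if (CollectionUtils.isNotEmpty(tags)) {
            for (RangerTagForEval tag : tags) {
                RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
                RangerAccessResource tagResource = tagEvalRequest.getResource();

                addMatchingPolicies(tagPolicyRepository.getLikelyMatchPolicyEvaluators(tagResource), tagResource, ret);
            }
        }
    }

    if (hasResourcePolicies()) {
        addMatchingPolicies(policyRepository.getLikelyMatchPolicyEvaluators(resource), resource, ret);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.getMatchingPolicies(" + resource + ") : " + ret.size());
    }

    return ret;
}

/**
 * Appends to {@code out} the policy of every evaluator whose resource matcher matches
 * {@code resource} at {@link RangerPolicyResourceMatcher.MatchScope#ANY}.
 *
 * @param evaluators candidate evaluators; {@code null} is treated as no candidates
 * @param resource   the resource to match against
 * @param out        the list receiving matching policies
 */
private static void addMatchingPolicies(List<RangerPolicyEvaluator> evaluators, RangerAccessResource resource, List<RangerPolicy> out) {
    if (evaluators == null) {
        return;
    }

    for (RangerPolicyEvaluator evaluator : evaluators) {
        RangerPolicyResourceMatcher matcher = evaluator.getPolicyResourceMatcher();

        // Evaluators without a matcher cannot be matched and are skipped
        if (matcher != null && matcher.isMatch(resource, RangerPolicyResourceMatcher.MatchScope.ANY, null)) {
            out.add(evaluator.getPolicy());
        }
    }
}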
use of org.apache.ranger.plugin.contextenricher.RangerTagForEval in project ranger by apache.
the class RangerPolicyRepository method getLikelyMatchPolicyEvaluators.
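/**
 * Finds the tag-policy evaluators likely to match any of {@code tags} for {@code policyType}.
 *
 * <p>Tags not applicable at {@code accessTime} are skipped (logged at debug level). Each remaining
 * tag is converted to a {@link RangerTagResource} keyed by its type, the repository's resource lookup
 * is consulted for that resource, and only evaluators applicable at {@code accessTime} are kept.
 * The result is sorted by evaluation order for access policies and by name for data-mask and
 * row-filter policies; an unknown policy type is logged and the list is returned unsorted.
 *
 * @param tags       tags attached to the request; may be {@code null} or empty
 * @param policyType one of the {@code RangerPolicy.POLICY_TYPE_*} constants
 * @param accessTime time at which tag and policy applicability is checked
 * @return an immutable empty list when there is nothing to look up (no tags, or no service
 *         definition); otherwise a mutable list of evaluator/tag pairs, possibly empty
 */
List<PolicyEvaluatorForTag> getLikelyMatchPolicyEvaluators(Set<RangerTagForEval> tags, int policyType, Date accessTime) {
    if (CollectionUtils.isEmpty(tags) || getServiceDef() == null) {
        // Typed empty list instead of the raw Collections.EMPTY_LIST
        return Collections.emptyList();
    }

    List<PolicyEvaluatorForTag> ret = new ArrayList<>();

    for (RangerTagForEval tag : tags) {
        if (!tag.isApplicable(accessTime)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Tag:[" + tag.getType() + "] is not applicable at accessTime:[" + accessTime + "]");
            }
            continue;
        }

        RangerAccessResource resource = new RangerTagResource(tag.getType(), getServiceDef());
        List<RangerPolicyEvaluator> evaluators = getLikelyMatchPolicyEvaluators(resource, policyType);

        if (CollectionUtils.isNotEmpty(evaluators)) {
            for (RangerPolicyEvaluator evaluator : evaluators) {
                // NOTE(review): presumably the policy's own validity window — confirm in RangerPolicyEvaluator
                if (evaluator.isApplicable(accessTime)) {
                    ret.add(new PolicyEvaluatorForTag(evaluator, tag));
                }
            }
        }
    }

    if (!ret.isEmpty()) {
        switch (policyType) {
            case RangerPolicy.POLICY_TYPE_ACCESS:
                Collections.sort(ret, PolicyEvaluatorForTag.EVAL_ORDER_COMPARATOR);
                break;
            case RangerPolicy.POLICY_TYPE_DATAMASK:
            case RangerPolicy.POLICY_TYPE_ROWFILTER:
                // Both mask and row-filter policies use the same name ordering
                Collections.sort(ret, PolicyEvaluatorForTag.NAME_COMPARATOR);
                break;
            default:
                LOG.warn("Unknown policy-type:[" + policyType + "]. Ignoring..");
                break;
        }
    }

    return ret;
}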
use of org.apache.ranger.plugin.contextenricher.RangerTagForEval in project ranger by apache.
the class RangerScriptConditionEvaluator method isMatched.
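/**
 * Evaluates this condition's script against {@code request} and reports whether the condition holds.
 *
 * <p>The script runs in the configured {@code scriptEngine} with three bindings: {@code ctx} (a
 * {@link RangerScriptExecutionContext} over a read-only copy of the request), {@code tag} (the
 * context's current tag, possibly {@code null}) and {@code tagAttr} (that tag's attributes, or an
 * empty map). The script's return value is used when it is a {@code Boolean}; when the script
 * returns nothing, the context's result is consulted instead.
 *
 * <p>The result defaults to {@code true}: the condition counts as matched when no script engine is
 * configured, when the script is blank, when the script yields a non-boolean, and when evaluation
 * throws. An evaluation error therefore leaves the condition satisfied (fail-open); such errors are
 * logged with their stack trace.
 *
 * @param request the access request being evaluated
 * @return {@code false} only when the script (or the context result) produced {@code Boolean.FALSE};
 *         {@code true} otherwise
 */
@Override
public boolean isMatched(RangerAccessRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerScriptConditionEvaluator.isMatched()");
    }

    boolean result = true;

    if (scriptEngine != null) {
        String script = getScript();

        if (StringUtils.isNotBlank(script)) {
            // The script is handed a read-only copy, not the request under evaluation itself
            RangerAccessRequest readOnlyRequest = request.getReadOnlyCopy();
            RangerScriptExecutionContext context = new RangerScriptExecutionContext(readOnlyRequest);
            RangerTagForEval currentTag = context.getCurrentTag();
            Map<String, String> tagAttribs = currentTag != null ? currentTag.getAttributes() : Collections.<String, String>emptyMap();

            Bindings bindings = scriptEngine.createBindings();

            bindings.put("ctx", context);
            bindings.put("tag", currentTag);
            bindings.put("tagAttr", tagAttribs);

            if (LOG.isDebugEnabled()) {
                LOG.debug("RangerScriptConditionEvaluator.isMatched(): script={" + script + "}");
            }

            try {
                Object ret = scriptEngine.eval(script, bindings);

                // A script that returns nothing may have recorded its outcome on the context instead
                if (ret == null) {
                    ret = context.getResult();
                }

                // Anything other than a Boolean leaves the default (true) in place
                if (ret instanceof Boolean) {
                    result = (Boolean) ret;
                }
            } catch (NullPointerException nullp) {
                // Pass the exception so the stack trace shows where the null originated
                LOG.error("RangerScriptConditionEvaluator.isMatched(): eval called with NULL argument(s)", nullp);
            } catch (ScriptException exception) {
                // Pass the exception instead of concatenating it, so the cause and trace are preserved
                LOG.error("RangerScriptConditionEvaluator.isMatched(): failed to evaluate script", exception);
            }
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerScriptConditionEvaluator.isMatched(), result=" + result);
    }

    return result;
}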
use of org.apache.ranger.plugin.contextenricher.RangerTagForEval in project ranger by apache.
the class RangerScriptExecutionContext method getAllTagTypes.
/**
 * Collects the distinct tag types of all tags visible to this context.
 *
 * @return the set of tag types, or {@code null} when {@link #getAllTags()} yields no tags
 */
public Set<String> getAllTagTypes() {
    final Set<RangerTagForEval> tags = getAllTags();

    // Preserve the null-for-no-tags contract callers (including scripts) may depend on
    if (CollectionUtils.isEmpty(tags)) {
        return null;
    }

    final Set<String> tagTypes = new HashSet<>();

    for (RangerTagForEval tag : tags) {
        tagTypes.add(tag.getType());
    }

    return tagTypes;
}