
Example 1 with ValidationErrorCode

use of org.apache.ranger.plugin.errors.ValidationErrorCode in project ranger by apache.

Method isValidPolicyItemAccess of class RangerPolicyValidator.

/**
 * Checks one policy-item access entry. Its type must be non-blank and, after lower-casing,
 * must be contained in {@code accessTypes}; {@code isAllowed} may be {@code null} (treated as
 * allowed) but must not be {@code false}. Each violation is appended to {@code failures}.
 *
 * <p>An empty {@code accessTypes} set or a {@code null} {@code access} is only logged at debug
 * level and the entry is reported as valid — the caller is expected to guard both cases.
 *
 * @param access      the access entry to check
 * @param failures    receives a {@link ValidationFailureDetails} per problem found
 * @param accessTypes the access type names declared by the service definition; the entry's
 *                    type is lower-cased before lookup, so these are presumably lower-case too
 * @return {@code true} if no failure was recorded for this entry
 */
boolean isValidPolicyItemAccess(RangerPolicyItemAccess access, List<ValidationFailureDetails> failures, Set<String> accessTypes) {
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerPolicyValidator.isValidPolicyItemAccess(%s, %s, %s)", access, failures, accessTypes));
    }
    boolean valid = true;
    if (CollectionUtils.isEmpty(accessTypes)) {
        // caller should firewall this argument!
        LOG.debug("isValidPolicyItemAccess: accessTypes was null!");
    } else if (access == null) {
        LOG.debug("isValidPolicyItemAccess: policy item access was null!");
    } else {
        final String type = access.getType();
        if (StringUtils.isBlank(type)) {
            final ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
            failures.add(new ValidationFailureDetailsBuilder()
                    .field("policy item access type")
                    .isMissing()
                    .becauseOf(error.getMessage("policy item access type"))
                    .errorCode(error.getErrorCode())
                    .build());
            valid = false;
        } else if (!accessTypes.contains(type.toLowerCase())) {
            final ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID;
            failures.add(new ValidationFailureDetailsBuilder()
                    .field("policy item access type")
                    .isSemanticallyIncorrect()
                    .becauseOf(error.getMessage(type, accessTypes))
                    .errorCode(error.getErrorCode())
                    .build());
            valid = false;
        }
        // only an explicit false is rejected; a null isAllowed means "allowed"
        if (Boolean.FALSE.equals(access.getIsAllowed())) {
            final ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_DENY;
            failures.add(new ValidationFailureDetailsBuilder()
                    .field("policy item access type allowed")
                    .isSemanticallyIncorrect()
                    .becauseOf(error.getMessage())
                    .errorCode(error.getErrorCode())
                    .build());
            valid = false;
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.isValidPolicyItemAccess(%s, %s, %s): %s", access, failures, accessTypes, valid));
    }
    return valid;
}

Example 2 with ValidationErrorCode

use of org.apache.ranger.plugin.errors.ValidationErrorCode in project ranger by apache.

Method isValid of class RangerPolicyValidator.

/**
 * Validates a policy for a CREATE or UPDATE request, appending one
 * {@link ValidationFailureDetails} to {@code failures} per problem found.
 *
 * <p>Checks, in order: policy non-null, priority range, id and existing policy (UPDATE only),
 * name presence and uniqueness within the service, service presence, no service move or
 * policy-type change on UPDATE, presence of policy items (unless audit is enabled) and their
 * validity against the service definition, and finally validity schedule, resources and
 * access type definitions when the service name resolved.
 *
 * @param policy   the policy under validation, may be {@code null} (recorded as a failure)
 * @param action   must be {@link Action#CREATE} or {@link Action#UPDATE}
 * @param isAdmin  whether the caller is an admin; forwarded to the resource and access type checks
 * @param failures receives the failure details; must be a mutable list
 * @return {@code true} if no failure was recorded
 * @throws IllegalArgumentException if {@code action} is neither CREATE nor UPDATE
 */
boolean isValid(RangerPolicy policy, Action action, boolean isAdmin, List<ValidationFailureDetails> failures) {
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s, %s, %s)", policy, action, isAdmin, failures));
    }
    // other actions are not supported by this validator
    if (!(action == Action.CREATE || action == Action.UPDATE)) {
        throw new IllegalArgumentException("isValid(RangerPolicy, ...) is only supported for create/update");
    }
    boolean valid = true;
    if (policy == null) {
        ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_OBJECT;
        failures.add(new ValidationFailureDetailsBuilder().field("policy").isMissing().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
        valid = false;
    } else {
        // priority, when given, must lie within [POLICY_PRIORITY_NORMAL, POLICY_PRIORITY_OVERRIDE]
        Integer priority = policy.getPolicyPriority();
        if (priority != null) {
            if (priority < RangerPolicy.POLICY_PRIORITY_NORMAL || priority > RangerPolicy.POLICY_PRIORITY_OVERRIDE) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_INVALID_PRIORITY;
                failures.add(new ValidationFailureDetailsBuilder().field("policyPriority").isSemanticallyIncorrect().becauseOf(error.getMessage("out of range")).errorCode(error.getErrorCode()).build());
                valid = false;
            }
        }
        Long id = policy.getId();
        RangerPolicy existingPolicy = null;
        if (action == Action.UPDATE) {
            // id is ignored for CREATE
            if (id == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
                failures.add(new ValidationFailureDetailsBuilder().field("id").isMissing().becauseOf(error.getMessage("id")).errorCode(error.getErrorCode()).build());
                valid = false;
            }
            // NOTE(review): looked up even when id is null; if getPolicy(null) returns null a missing
            // id records both MISSING_FIELD and INVALID_POLICY_ID — confirm this is intended
            existingPolicy = getPolicy(id);
            if (existingPolicy == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_POLICY_ID;
                failures.add(new ValidationFailureDetailsBuilder().field("id").isSemanticallyIncorrect().becauseOf(error.getMessage(id)).errorCode(error.getErrorCode()).build());
                valid = false;
            }
        }
        String policyName = policy.getName();
        String serviceName = policy.getService();
        if (StringUtils.isBlank(policyName)) {
            ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
            failures.add(new ValidationFailureDetailsBuilder().field("name").isMissing().becauseOf(error.getMessage("name")).errorCode(error.getErrorCode()).build());
            valid = false;
        } else {
            // a policy name must be unique within its service; more than one match is an internal error
            List<RangerPolicy> policies = getPolicies(serviceName, policyName);
            if (CollectionUtils.isNotEmpty(policies)) {
                if (policies.size() > 1) {
                    ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_MULTIPLE_POLICIES_WITH_SAME_NAME;
                    failures.add(new ValidationFailureDetailsBuilder().field("name").isAnInternalError().becauseOf(error.getMessage(policyName)).errorCode(error.getErrorCode()).build());
                    valid = false;
                } else if (action == Action.CREATE) {
                    // size == 1
                    ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT;
                    failures.add(new ValidationFailureDetailsBuilder().field("policy name").isSemanticallyIncorrect().becauseOf(error.getMessage(policies.iterator().next().getId(), serviceName)).errorCode(error.getErrorCode()).build());
                    valid = false;
                } else if (!policies.iterator().next().getId().equals(id)) {
                    // size == 1 && action == UPDATE
                    // NOTE(review): getId() of the matching policy is dereferenced without a null check
                    ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT;
                    failures.add(new ValidationFailureDetailsBuilder().field("id/name").isSemanticallyIncorrect().becauseOf(error.getMessage(policies.iterator().next().getId(), serviceName)).errorCode(error.getErrorCode()).build());
                    valid = false;
                }
            }
        }
        // the service is resolved here so the service-def checks further down can use it
        RangerService service = null;
        boolean serviceNameValid = false;
        if (StringUtils.isBlank(serviceName)) {
            ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
            failures.add(new ValidationFailureDetailsBuilder().field("service name").isMissing().becauseOf(error.getMessage("service name")).errorCode(error.getErrorCode()).build());
            valid = false;
        } else {
            service = getService(serviceName);
            if (service == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_SERVICE_NAME;
                failures.add(new ValidationFailureDetailsBuilder().field("service name").isSemanticallyIncorrect().becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
                valid = false;
            } else {
                serviceNameValid = true;
            }
        }
        // on UPDATE the policy may neither move to another service nor change its type
        if (existingPolicy != null) {
            if (!StringUtils.equalsIgnoreCase(existingPolicy.getService(), policy.getService())) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_UPDATE_MOVE_SERVICE_NOT_ALLOWED;
                failures.add(new ValidationFailureDetailsBuilder().field("service name").isSemanticallyIncorrect().becauseOf(error.getMessage(policy.getId(), existingPolicy.getService(), policy.getService())).errorCode(error.getErrorCode()).build());
                valid = false;
            }
            int existingPolicyType = existingPolicy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : existingPolicy.getPolicyType();
            int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();
            if (existingPolicyType != policyType) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_TYPE_CHANGE_NOT_ALLOWED;
                failures.add(new ValidationFailureDetailsBuilder().field("policy type").isSemanticallyIncorrect().becauseOf(error.getMessage(policy.getId(), existingPolicyType, policyType)).errorCode(error.getErrorCode()).build());
                valid = false;
            }
        }
        // an item-less policy is only acceptable when auditing is enabled for it
        boolean isAuditEnabled = getIsAuditEnabled(policy);
        String serviceDefName = null;
        RangerServiceDef serviceDef = null;
        int policyItemsCount = 0;
        // a null policy type is treated as an access policy
        int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();
        switch(policyType) {
            case RangerPolicy.POLICY_TYPE_DATAMASK:
                if (CollectionUtils.isNotEmpty(policy.getDataMaskPolicyItems())) {
                    policyItemsCount += policy.getDataMaskPolicyItems().size();
                }
                break;
            case RangerPolicy.POLICY_TYPE_ROWFILTER:
                if (CollectionUtils.isNotEmpty(policy.getRowFilterPolicyItems())) {
                    policyItemsCount += policy.getRowFilterPolicyItems().size();
                }
                break;
            default:
                if (CollectionUtils.isNotEmpty(policy.getPolicyItems())) {
                    policyItemsCount += policy.getPolicyItems().size();
                }
                if (CollectionUtils.isNotEmpty(policy.getDenyPolicyItems())) {
                    policyItemsCount += policy.getDenyPolicyItems().size();
                }
                break;
        }
        if (policyItemsCount == 0 && !isAuditEnabled) {
            ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_POLICY_ITEMS;
            failures.add(new ValidationFailureDetailsBuilder().field("policy items").isMissing().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
            valid = false;
        } else if (service != null) {
            serviceDefName = service.getType();
            serviceDef = getServiceDef(serviceDefName);
            if (serviceDef == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_SERVICE_DEF;
                failures.add(new ValidationFailureDetailsBuilder().field("policy service def").isAnInternalError().becauseOf(error.getMessage(serviceDefName, serviceName)).errorCode(error.getErrorCode()).build());
                valid = false;
            } else {
                // each item list is checked on its own (not short-circuited) so every failure is collected
                valid = isValidPolicyItems(policy.getPolicyItems(), failures, serviceDef) && valid;
                valid = isValidPolicyItems(policy.getDenyPolicyItems(), failures, serviceDef) && valid;
                valid = isValidPolicyItems(policy.getAllowExceptions(), failures, serviceDef) && valid;
                valid = isValidPolicyItems(policy.getDenyExceptions(), failures, serviceDef) && valid;
            }
        }
        if (serviceNameValid) {
            // resource checks can't be done meaningfully otherwise
            // NOTE(review): serviceDef may still be null here (the item-count check above failed, or
            // getServiceDef returned null); isValidAccessTypeDef guards against that, the other two
            // callees are not visible here — confirm they tolerate a null serviceDef
            valid = isValidValiditySchedule(policy, failures, action) && valid;
            valid = isValidResources(policy, failures, action, isAdmin, serviceDef) && valid;
            valid = isValidAccessTypeDef(policy, failures, action, isAdmin, serviceDef) && valid;
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s, %s, %s): %s", policy, action, isAdmin, failures, valid));
    }
    return valid;
}

Example 3 with ValidationErrorCode

use of org.apache.ranger.plugin.errors.ValidationErrorCode in project ranger by apache.

Method isValidAccessTypeDef of class RangerPolicyValidator.

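/**
 * Verifies that every access type referenced by the policy's row-filter items (for a
 * {@link RangerPolicy#POLICY_TYPE_ROWFILTER} policy) or data-mask items (for a
 * {@link RangerPolicy#POLICY_TYPE_DATAMASK} policy) is declared in the matching section of the
 * service definition. Plain access policies are not checked by this method.
 *
 * <p>Names are compared after lower-casing both sides, as in {@link #isValidPolicyItemAccess}.
 * A {@code null} service definition, or one without the relevant row-filter/data-mask section,
 * yields an empty allowed set, so every referenced access type is reported as invalid. A blank
 * access type is reported as invalid instead of being dereferenced.
 *
 * @param policy     the policy whose items are checked; must not be {@code null}
 * @param failures   receives a {@link ValidationFailureDetails} per invalid access type
 * @param action     the operation being validated (only logged here)
 * @param isAdmin    whether the caller is an admin (only logged here)
 * @param serviceDef the service definition the policy belongs to, may be {@code null}
 * @return {@code true} if no failure was recorded
 */
boolean isValidAccessTypeDef(RangerPolicy policy, final List<ValidationFailureDetails> failures, Action action, boolean isAdmin, final RangerServiceDef serviceDef) {
    boolean valid = true;
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerPolicyValidator.isValidAccessTypeDef(%s, %s, %s,%s,%s)", policy, failures, action, isAdmin, serviceDef));
    }
    // a null policy type is treated as an access policy, as elsewhere in this validator
    int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();
    if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
        List<RangerAccessTypeDef> allowedDefs = (serviceDef != null && serviceDef.getRowFilterDef() != null) ? serviceDef.getRowFilterDef().getAccessTypes() : null;
        valid = areAccessTypesDeclared(policy.getRowFilterPolicyItems(), lowerCaseAccessTypeNames(allowedDefs), "row filter policy item access type", failures) && valid;
    } else if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
        List<RangerAccessTypeDef> allowedDefs = (serviceDef != null && serviceDef.getDataMaskDef() != null) ? serviceDef.getDataMaskDef().getAccessTypes() : null;
        valid = areAccessTypesDeclared(policy.getDataMaskPolicyItems(), lowerCaseAccessTypeNames(allowedDefs), "data masking policy item access type", failures) && valid;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.isValidAccessTypeDef(%s, %s, %s,%s,%s)", policy, failures, action, isAdmin, serviceDef));
    }
    return valid;
}

/**
 * Lower-cases the names of the given access type definitions so they can be matched
 * case-insensitively; {@code null} entries and {@code null} names are skipped.
 *
 * @param accessTypeDefs the definitions, may be {@code null} or empty
 * @return the lower-cased names in definition order, empty when there are none
 */
private static List<String> lowerCaseAccessTypeNames(List<RangerAccessTypeDef> accessTypeDefs) {
    List<String> names = new ArrayList<String>();
    if (CollectionUtils.isNotEmpty(accessTypeDefs)) {
        for (RangerAccessTypeDef accessTypeDef : accessTypeDefs) {
            if (accessTypeDef != null && accessTypeDef.getName() != null) {
                names.add(accessTypeDef.getName().toLowerCase());
            }
        }
    }
    return names;
}

/**
 * Records one {@code POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID} failure for every
 * access of the given policy items whose type is blank or, lower-cased, not in
 * {@code allowedNames}. {@code null} items and {@code null} accesses are skipped.
 *
 * @param policyItems  the items to check, may be {@code null} or empty
 * @param allowedNames the lower-cased access type names declared by the service definition
 * @param fieldName    the field name reported in each failure
 * @param failures     receives the failure details
 * @return {@code true} if no failure was recorded
 */
private static boolean areAccessTypesDeclared(List<? extends RangerPolicyItem> policyItems, List<String> allowedNames, String fieldName, List<ValidationFailureDetails> failures) {
    boolean valid = true;
    if (CollectionUtils.isEmpty(policyItems)) {
        return valid;
    }
    for (RangerPolicyItem policyItem : policyItems) {
        if (policyItem == null || CollectionUtils.isEmpty(policyItem.getAccesses())) {
            continue;
        }
        for (RangerPolicyItemAccess access : policyItem.getAccesses()) {
            if (access == null) {
                continue;
            }
            String type = access.getType();
            // a blank type can never match a declared access type; report it instead of NPE-ing on toLowerCase()
            if (StringUtils.isBlank(type) || !allowedNames.contains(type.toLowerCase())) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID;
                failures.add(new ValidationFailureDetailsBuilder()
                        .field(fieldName)
                        .isSemanticallyIncorrect()
                        .becauseOf(error.getMessage(type, allowedNames))
                        .errorCode(error.getErrorCode())
                        .build());
                valid = false;
            }
        }
    }
    return valid;
}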

Example 4 with ValidationErrorCode

use of org.apache.ranger.plugin.errors.ValidationErrorCode in project ranger by apache.

Method isValid of class RangerServiceDefValidator.

/**
 * Validates a service definition for a CREATE or UPDATE request, appending one
 * {@link ValidationFailureDetails} to {@code failures} per problem found. The id, name,
 * access types and policy conditions are always checked; the resource graph is checked only
 * when the resources themselves are valid, and the configs only when the enums are valid.
 *
 * @param serviceDef the service definition to validate, may be {@code null} (recorded as a failure)
 * @param action     must be {@link Action#CREATE} or {@link Action#UPDATE}
 * @param failures   receives the failure details; must be a mutable list
 * @return {@code true} if no failure was recorded
 * @throws IllegalArgumentException if {@code action} is neither CREATE nor UPDATE
 */
boolean isValid(final RangerServiceDef serviceDef, final Action action, final List<ValidationFailureDetails> failures) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerServiceDefValidator.isValid(" + serviceDef + ")");
    }
    final boolean supportedAction = action == Action.CREATE || action == Action.UPDATE;
    if (!supportedAction) {
        throw new IllegalArgumentException("isValid(RangerServiceDef, ...) is only supported for CREATE/UPDATE");
    }
    boolean valid;
    if (serviceDef == null) {
        final ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_NULL_SERVICE_DEF_OBJECT;
        failures.add(new ValidationFailureDetailsBuilder()
                .field("service def")
                .isMissing()
                .errorCode(error.getErrorCode())
                .becauseOf(error.getMessage(action))
                .build());
        valid = false;
    } else {
        final Long id = serviceDef.getId();
        // non-short-circuit accumulation: every check runs so that all failures are collected
        valid = isValidServiceDefId(id, action, failures);
        valid &= isValidServiceDefName(serviceDef.getName(), id, action, failures);
        valid &= isValidAccessTypes(serviceDef.getAccessTypes(), failures);
        // the resource graph is only meaningful once the resources are syntactically valid
        valid &= isValidResources(serviceDef, failures) && isValidResourceGraph(serviceDef, failures);
        // config defs refer to enums, so they are only checked against valid enums
        final List<RangerEnumDef> enumDefs = serviceDef.getEnums();
        valid &= isValidEnums(enumDefs, failures) && isValidConfigs(serviceDef.getConfigs(), enumDefs, failures);
        valid &= isValidPolicyConditions(serviceDef.getPolicyConditions(), failures);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerServiceDefValidator.isValid(" + serviceDef + "): " + valid);
    }
    return valid;
}

Example 5 with ValidationErrorCode

use of org.apache.ranger.plugin.errors.ValidationErrorCode in project ranger by apache.

Method isValidResourceGraph of class RangerServiceDefValidator.

/**
 * Checks the service definition's resource graph: the graph itself must be valid according to
 * a freshly built (non-cached) {@link RangerServiceDefHelper}, and within every resource
 * hierarchy of every policy type the resource levels must be unique and non-decreasing in
 * hierarchy order. Each violation is appended to {@code failures}.
 *
 * @param serviceDef the service definition to check
 * @param failures   receives a {@link ValidationFailureDetails} per problem found
 * @return {@code true} if no failure was recorded
 */
boolean isValidResourceGraph(RangerServiceDef serviceDef, List<ValidationFailureDetails> failures) {
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerServiceDefValidator.isValidResourceGraph(%s, %s)", serviceDef, failures));
    }
    boolean valid = true;
    // bypass the helper cache: neither read from it nor store this helper in it
    final RangerServiceDefHelper helper = _factory.createServiceDefHelper(serviceDef, false);
    if (!helper.isResourceGraphValid()) {
        final ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_RESOURCE_GRAPH_INVALID;
        failures.add(new ValidationFailureDetailsBuilder()
                .field("resource graph")
                .isSemanticallyIncorrect()
                .errorCode(error.getErrorCode())
                .becauseOf(error.getMessage())
                .build());
        valid = false;
    }
    for (int policyType : RangerPolicy.POLICY_TYPES) {
        for (List<RangerResourceDef> hierarchy : helper.getResourceHierarchies(policyType)) {
            // pass 1: a level value may appear only once within a hierarchy
            final Set<Integer> seenLevels = new HashSet<Integer>(hierarchy.size());
            for (RangerResourceDef resourceDef : hierarchy) {
                valid = isUnique(resourceDef.getLevel(), seenLevels, "resource level", "resources", failures) && valid;
            }
            // pass 2: levels must be present and must never decrease along the hierarchy;
            // the first offending resource ends the check for this hierarchy
            int previousLevel = Integer.MIN_VALUE;
            for (RangerResourceDef resourceDef : hierarchy) {
                final Integer level = resourceDef.getLevel();
                if (level != null && level >= previousLevel) {
                    previousLevel = level;
                    continue;
                }
                final ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_INVALID_SERVICE_RESOURCE_LEVELS;
                failures.add(new ValidationFailureDetailsBuilder()
                        .field("resource level")
                        .subField(String.valueOf(level))
                        .isSemanticallyIncorrect()
                        .errorCode(error.getErrorCode())
                        .becauseOf(error.getMessage())
                        .build());
                valid = false;
                break;
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerServiceDefValidator.isValidResourceGraph(%s, %s): %s", serviceDef, failures, valid));
    }
    return valid;
}
