Example 16 with ValidationErrorCode
use of org.apache.ranger.plugin.errors.ValidationErrorCode in project ranger by apache.
the class RangerPolicyValidator method isValidResourceNames.
boolean isValidResourceNames(final RangerPolicy policy, final List<ValidationFailureDetails> failures, final RangerServiceDef serviceDef) {
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("==> RangerPolicyValidator.isValidResourceNames(%s, %s, %s)", policy, failures, serviceDef));
}
boolean valid = true;
Set<String> policyResources = getPolicyResources(policy);
RangerServiceDefHelper defHelper = new RangerServiceDefHelper(serviceDef);
// this can be empty but not null!
Set<List<RangerResourceDef>> hierarchies = defHelper.getResourceHierarchies(policy.getPolicyType());
if (hierarchies.isEmpty()) {
if (LOG.isDebugEnabled()) {
LOG.debug("RangerPolicyValidator.isValidResourceNames: serviceDef does not have any resource hierarchies, possibly due to invalid service def!!");
}
ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY;
failures.add(new ValidationFailureDetailsBuilder().field("service def resource hierarchies").subField("incompatible").isSemanticallyIncorrect().becauseOf(error.getMessage(serviceDef.getName(), " does not have any resource hierarchies")).errorCode(error.getErrorCode()).build());
valid = false;
} else {
/*
* A policy is for a single hierarchy however, it doesn't specify which one. So we have to guess which hierarchy(s) it possibly be for. First, see if the policy could be for
* any of the known hierarchies? A candidate hierarchy is one whose resource levels are a superset of those in the policy.
* Why? What we want to catch at this stage is policies that straddles multiple hierarchies, e.g. db, udf and column for a hive policy.
* This has the side effect of catch spurious levels specified on the policy, e.g. having a level "blah" on a hive policy.
*/
Set<List<RangerResourceDef>> candidateHierarchies = filterHierarchies_hierarchyHasAllPolicyResources(policyResources, hierarchies, defHelper);
if (candidateHierarchies.isEmpty()) {
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("No compatible resource hierarchies found: resource[%s], service-def[%s], valid-resource-hierarchies[%s]", policyResources.toString(), serviceDef.getName(), toStringHierarchies_all(hierarchies, defHelper)));
}
ValidationErrorCode error;
if (hierarchies.size() == 1) {
// we can give a simpler message for single hierarchy service-defs which is the majority of cases
error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY_SINGLE;
} else {
error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY;
}
failures.add(new ValidationFailureDetailsBuilder().field("policy resources").subField("incompatible").isSemanticallyIncorrect().becauseOf(error.getMessage(serviceDef.getName(), toStringHierarchies_all(hierarchies, defHelper))).errorCode(error.getErrorCode()).build());
valid = false;
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("isValidResourceNames: Found [" + candidateHierarchies.size() + "] compatible hierarchies: " + toStringHierarchies_all(candidateHierarchies, defHelper));
}
/*
* Among the candidate hierarchies there should be at least one for which policy specifies all of the mandatory resources. Note that there could be multiple
* hierarchies that meet that criteria, e.g. a hive policy that specified only DB. It is not clear if it belongs to DB->UDF or DB->TBL->COL hierarchy.
* However, if both UDF and TBL were required then we can detect that policy does not specify mandatory levels for any of the candidate hierarchies.
*/
Set<List<RangerResourceDef>> validHierarchies = filterHierarchies_mandatoryResourcesSpecifiedInPolicy(policyResources, candidateHierarchies, defHelper);
if (validHierarchies.isEmpty()) {
ValidationErrorCode error;
if (candidateHierarchies.size() == 1) {
// we can provide better message if there is a single candidate hierarchy
error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY_SINGLE;
} else {
error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY;
}
failures.add(new ValidationFailureDetailsBuilder().field("policy resources").subField("missing mandatory").isSemanticallyIncorrect().becauseOf(error.getMessage(serviceDef.getName(), toStringHierarchies_mandatory(candidateHierarchies, defHelper))).errorCode(error.getErrorCode()).build());
valid = false;
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("isValidResourceNames: Found hierarchies with all mandatory fields specified: " + toStringHierarchies_mandatory(validHierarchies, defHelper));
}
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("<== RangerPolicyValidator.isValidResourceNames(%s, %s, %s): %s", policy, failures, serviceDef, valid));
}
return valid;
}
Also used :
ValidationErrorCode(org.apache.ranger.plugin.errors.ValidationErrorCode)
Example 17 with ValidationErrorCode
use of org.apache.ranger.plugin.errors.ValidationErrorCode in project ranger by apache.
the class RangerPolicyValidator method isPolicyResourceUnique.
boolean isPolicyResourceUnique(RangerPolicy policy, final List<ValidationFailureDetails> failures, Action action) {
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("==> RangerPolicyValidator.isPolicyResourceUnique(%s, %s, %s)", policy, failures, action));
}
boolean valid = true;
if (!Boolean.TRUE.equals(policy.getIsEnabled())) {
LOG.debug("Policy is disabled. Skipping resource uniqueness validation.");
} else {
RangerPolicyResourceSignature policySignature = _factory.createPolicyResourceSignature(policy);
String signature = policySignature.getSignature();
List<RangerPolicy> policies = getPoliciesForResourceSignature(policy.getService(), signature);
if (CollectionUtils.isNotEmpty(policies)) {
ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_DUPLICATE_POLICY_RESOURCE;
RangerPolicy matchedPolicy = policies.iterator().next();
// there shouldn't be a matching policy for create. During update only match should be to itself
if (action == Action.CREATE || (action == Action.UPDATE && (policies.size() > 1 || !matchedPolicy.getId().equals(policy.getId())))) {
failures.add(new ValidationFailureDetailsBuilder().field("resources").isSemanticallyIncorrect().becauseOf(error.getMessage(matchedPolicy.getName(), policy.getService())).errorCode(error.getErrorCode()).build());
valid = false;
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("<== RangerPolicyValidator.isPolicyResourceUnique(%s, %s, %s): %s", policy, failures, action, valid));
}
return valid;
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature)
ValidationErrorCode(org.apache.ranger.plugin.errors.ValidationErrorCode)
Example 18 with ValidationErrorCode
use of org.apache.ranger.plugin.errors.ValidationErrorCode in project ranger by apache.
the class RangerServiceDefValidator method isValid.
boolean isValid(final Long id, final Action action, final List<ValidationFailureDetails> failures) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerServiceDefValidator.isValid(" + id + ")");
}
boolean valid = true;
if (action != Action.DELETE) {
ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_UNSUPPORTED_ACTION;
failures.add(new ValidationFailureDetailsBuilder().isAnInternalError().errorCode(error.getErrorCode()).becauseOf(error.getMessage(action)).build());
valid = false;
} else if (id == null) {
ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_MISSING_FIELD;
failures.add(new ValidationFailureDetailsBuilder().field("id").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage("id")).build());
valid = false;
} else if (getServiceDef(id) == null) {
if (LOG.isDebugEnabled()) {
LOG.debug("No service found for id[" + id + "]! ok!");
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerServiceDefValidator.isValid(" + id + "): " + valid);
}
return valid;
}
Also used :
ValidationErrorCode(org.apache.ranger.plugin.errors.ValidationErrorCode)
Example 19 with ValidationErrorCode
use of org.apache.ranger.plugin.errors.ValidationErrorCode in project ranger by apache.
the class RangerServiceDefValidator method isValidResources.
boolean isValidResources(RangerServiceDef serviceDef, List<ValidationFailureDetails> failures) {
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("==> RangerServiceDefValidator.isValidResources(%s, %s)", serviceDef, failures));
}
boolean valid = true;
List<RangerResourceDef> resources = serviceDef.getResources();
if (CollectionUtils.isEmpty(resources)) {
ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_MISSING_FIELD;
failures.add(new ValidationFailureDetailsBuilder().field("resources").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage("resources")).build());
valid = false;
} else {
Set<String> names = new HashSet<String>(resources.size());
Set<Long> ids = new HashSet<Long>(resources.size());
for (RangerResourceDef resource : resources) {
/*
* While id is the natural key, name is a surrogate key. At several places code expects resource name to be unique within a service.
*/
valid = isUnique(resource.getName(), names, "resource name", "resources", failures) && valid;
valid = isUnique(resource.getItemId(), ids, "resource itemId", "resources", failures) && valid;
}
}
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("<== RangerServiceDefValidator.isValidResources(%s, %s): %s", serviceDef, failures, valid));
}
return valid;
}
Also used :
ValidationErrorCode(org.apache.ranger.plugin.errors.ValidationErrorCode)
RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
HashSet(java.util.HashSet)
Example 20 with ValidationErrorCode
use of org.apache.ranger.plugin.errors.ValidationErrorCode in project ranger by apache.
the class RangerServiceDefValidator method isValidEnums.
boolean isValidEnums(List<RangerEnumDef> enumDefs, List<ValidationFailureDetails> failures) {
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("==> RangerServiceDefValidator.isValidEnums(%s, %s)", enumDefs, failures));
}
boolean valid = true;
if (CollectionUtils.isEmpty(enumDefs)) {
LOG.debug("enum def collection passed in was null/empty. Ok.");
} else {
Set<String> names = new HashSet<>();
Set<Long> ids = new HashSet<>();
for (RangerEnumDef enumDef : enumDefs) {
if (enumDef == null) {
ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_NULL_OBJECT;
failures.add(new ValidationFailureDetailsBuilder().field("enum def").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage()).build());
valid = false;
} else {
// enum-names and ids must non-blank and be unique to a service definition
String enumName = enumDef.getName();
valid = isUnique(enumName, names, "enum def name", "enum defs", failures) && valid;
valid = isUnique(enumDef.getItemId(), ids, "enum def itemId", "enum defs", failures) && valid;
// enum must contain at least one valid value and those values should be non-blank and distinct
if (CollectionUtils.isEmpty(enumDef.getElements())) {
ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_NO_VALUES;
failures.add(new ValidationFailureDetailsBuilder().field("enum values").subField(enumName).isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage(enumName)).build());
valid = false;
} else {
valid = isValidEnumElements(enumDef.getElements(), failures, enumName) && valid;
// default index should be valid
int defaultIndex = getEnumDefaultIndex(enumDef);
if (defaultIndex < 0 || defaultIndex >= enumDef.getElements().size()) {
// max index is one less than the size of the elements list
ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_INVALID_DEFAULT_INDEX;
failures.add(new ValidationFailureDetailsBuilder().field("enum default index").subField(enumName).isSemanticallyIncorrect().errorCode(error.getErrorCode()).becauseOf(error.getMessage(defaultIndex, enumName)).build());
valid = false;
}
}
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("<== RangerServiceDefValidator.isValidEnums(%s, %s): %s", enumDefs, failures, valid));
}
return valid;
}
Also used :
RangerEnumDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumDef)
ValidationErrorCode(org.apache.ranger.plugin.errors.ValidationErrorCode)
HashSet(java.util.HashSet)
Aggregations
ValidationErrorCode (org.apache.ranger.plugin.errors.ValidationErrorCode)25
HashSet (java.util.HashSet)6
RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)3
RangerEnumDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumDef)3
RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)3
ArrayList (java.util.ArrayList)2
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)2
RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)2
RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)2
RangerService (org.apache.ranger.plugin.model.RangerService)2
RangerAccessTypeDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef)2
List (java.util.List)1
RangerDataMaskPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem)1
RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)1
RangerRowFilterPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem)1
RangerPolicyResourceSignature (org.apache.ranger.plugin.model.RangerPolicyResourceSignature)1
RangerEnumElementDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumElementDef)1
RangerPolicyConditionDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef)1
