Example 1 with RangerDataMaskPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem in project ranger by apache.
the class ServiceDBStore method writeCSV.
private StringBuilder writeCSV(List<RangerPolicy> policies, String cSVFileName, HttpServletResponse response) {
response.setContentType("text/csv");
final String LINE_SEPARATOR = "\n";
final String FILE_HEADER = "ID|Name|Resources|Roles|Groups|Users|Accesses|Service Type|Status|Policy Type|Delegate Admin|isRecursive|" + "isExcludes|Service Name|Description|isAuditEnabled|Policy Conditions|Policy Condition Type|Masking Options|Row Filter Expr|Policy Label Name";
StringBuilder csvBuffer = new StringBuilder();
csvBuffer.append(FILE_HEADER);
csvBuffer.append(LINE_SEPARATOR);
if (!CollectionUtils.isEmpty(policies)) {
for (RangerPolicy policy : policies) {
List<RangerPolicyItem> policyItems = policy.getPolicyItems();
List<RangerRowFilterPolicyItem> rowFilterPolicyItems = policy.getRowFilterPolicyItems();
List<RangerDataMaskPolicyItem> dataMaskPolicyItems = policy.getDataMaskPolicyItems();
List<RangerPolicyItem> allowExceptions = policy.getAllowExceptions();
List<RangerPolicyItem> denyExceptions = policy.getDenyExceptions();
List<RangerPolicyItem> denyPolicyItems = policy.getDenyPolicyItems();
XXService xxservice = daoMgr.getXXService().findByName(policy.getService());
String serviceType = "";
if (xxservice != null) {
Long ServiceId = xxservice.getType();
XXServiceDef xxservDef = daoMgr.getXXServiceDef().getById(ServiceId);
if (xxservDef != null) {
serviceType = xxservDef.getName();
}
}
if (CollectionUtils.isNotEmpty(policyItems)) {
for (RangerPolicyItem policyItem : policyItems) {
writeCSVForPolicyItems(policy, policyItem, null, null, csvBuffer, POLICY_ALLOW_INCLUDE);
}
} else if (CollectionUtils.isNotEmpty(dataMaskPolicyItems)) {
for (RangerDataMaskPolicyItem dataMaskPolicyItem : dataMaskPolicyItems) {
writeCSVForPolicyItems(policy, null, dataMaskPolicyItem, null, csvBuffer, null);
}
} else if (CollectionUtils.isNotEmpty(rowFilterPolicyItems)) {
for (RangerRowFilterPolicyItem rowFilterPolicyItem : rowFilterPolicyItems) {
writeCSVForPolicyItems(policy, null, null, rowFilterPolicyItem, csvBuffer, null);
}
} else if (serviceType.equalsIgnoreCase(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) {
if (CollectionUtils.isEmpty(policyItems)) {
RangerPolicyItem policyItem = new RangerPolicyItem();
writeCSVForPolicyItems(policy, policyItem, null, null, csvBuffer, POLICY_ALLOW_INCLUDE);
}
} else if (CollectionUtils.isEmpty(policyItems)) {
RangerPolicyItem policyItem = new RangerPolicyItem();
writeCSVForPolicyItems(policy, policyItem, null, null, csvBuffer, POLICY_ALLOW_INCLUDE);
}
if (CollectionUtils.isNotEmpty(allowExceptions)) {
for (RangerPolicyItem policyItem : allowExceptions) {
writeCSVForPolicyItems(policy, policyItem, null, null, csvBuffer, POLICY_ALLOW_EXCLUDE);
}
}
if (CollectionUtils.isNotEmpty(denyExceptions)) {
for (RangerPolicyItem policyItem : denyExceptions) {
writeCSVForPolicyItems(policy, policyItem, null, null, csvBuffer, POLICY_DENY_EXCLUDE);
}
}
if (CollectionUtils.isNotEmpty(denyPolicyItems)) {
for (RangerPolicyItem policyItem : denyPolicyItems) {
writeCSVForPolicyItems(policy, policyItem, null, null, csvBuffer, POLICY_DENY_INCLUDE);
}
}
}
}
response.setHeader("Content-Disposition", "attachment; filename=" + cSVFileName);
response.setStatus(HttpServletResponse.SC_OK);
return csvBuffer;
}
Also used :
XXServiceDef(org.apache.ranger.entity.XXServiceDef)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerDataMaskPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem)
RangerRowFilterPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem)
VXString(org.apache.ranger.view.VXString)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
XXService(org.apache.ranger.entity.XXService)
Example 2 with RangerDataMaskPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem in project ranger by apache.
the class XUserMgr method deleteXGroup.
public void deleteXGroup(Long id, boolean force) {
checkAdminAccess();
blockIfZoneGroup(id);
this.blockIfRoleGroup(id);
xaBizUtil.blockAuditorRoleUser();
XXGroupDao xXGroupDao = daoManager.getXXGroup();
XXGroup xXGroup = xXGroupDao.getById(id);
VXGroup vXGroup = xGroupService.populateViewBean(xXGroup);
if (vXGroup == null || StringUtils.isEmpty(vXGroup.getName())) {
throw restErrorUtil.createRESTException("Group ID doesn't exist.", MessageEnums.INVALID_INPUT_DATA);
}
if (logger.isDebugEnabled()) {
logger.info("Force delete status=" + force + " for group=" + vXGroup.getName());
}
SearchCriteria searchCriteria = new SearchCriteria();
searchCriteria.addParam("xGroupId", id);
VXGroupUserList vxGroupUserList = searchXGroupUsers(searchCriteria);
searchCriteria = new SearchCriteria();
searchCriteria.addParam("groupId", id);
VXPermMapList vXPermMapList = searchXPermMaps(searchCriteria);
searchCriteria = new SearchCriteria();
searchCriteria.addParam("groupId", id);
VXAuditMapList vXAuditMapList = searchXAuditMaps(searchCriteria);
XXGroupPermissionDao xXGroupPermissionDao = daoManager.getXXGroupPermission();
List<XXGroupPermission> xXGroupPermissions = xXGroupPermissionDao.findByGroupId(id);
XXGroupGroupDao xXGroupGroupDao = daoManager.getXXGroupGroup();
List<XXGroupGroup> xXGroupGroups = xXGroupGroupDao.findByGroupId(id);
XXPolicyDao xXPolicyDao = daoManager.getXXPolicy();
List<XXPolicy> xXPolicyList = xXPolicyDao.findByGroupId(id);
logger.warn("Deleting GROUP : " + vXGroup.getName());
if (force) {
// delete XXGroupUser records of matching group
XXGroupUserDao xGroupUserDao = daoManager.getXXGroupUser();
XXUserDao xXUserDao = daoManager.getXXUser();
XXUser xXUser = null;
for (VXGroupUser groupUser : vxGroupUserList.getList()) {
if (groupUser != null) {
xXUser = xXUserDao.getById(groupUser.getUserId());
if (xXUser != null) {
logger.warn("Removing user '" + xXUser.getName() + "' from group '" + groupUser.getName() + "'");
}
xGroupUserDao.remove(groupUser.getId());
}
}
// delete XXPermMap records of matching group
XXPermMapDao xXPermMapDao = daoManager.getXXPermMap();
XXResourceDao xXResourceDao = daoManager.getXXResource();
XXResource xXResource = null;
for (VXPermMap vXPermMap : vXPermMapList.getList()) {
if (vXPermMap != null) {
xXResource = xXResourceDao.getById(vXPermMap.getResourceId());
if (xXResource != null) {
logger.warn("Deleting '" + AppConstants.getLabelFor_XAPermType(vXPermMap.getPermType()) + "' permission from policy ID='" + vXPermMap.getResourceId() + "' for group '" + vXPermMap.getGroupName() + "'");
}
xXPermMapDao.remove(vXPermMap.getId());
}
}
// delete XXAuditMap records of matching group
XXAuditMapDao xXAuditMapDao = daoManager.getXXAuditMap();
for (VXAuditMap vXAuditMap : vXAuditMapList.getList()) {
if (vXAuditMap != null) {
xXResource = xXResourceDao.getById(vXAuditMap.getResourceId());
xXAuditMapDao.remove(vXAuditMap.getId());
}
}
// delete XXGroupGroupDao records of group-group mapping
for (XXGroupGroup xXGroupGroup : xXGroupGroups) {
if (xXGroupGroup != null) {
XXGroup xXGroupParent = xXGroupDao.getById(xXGroupGroup.getParentGroupId());
XXGroup xXGroupChild = xXGroupDao.getById(xXGroupGroup.getGroupId());
if (xXGroupParent != null && xXGroupChild != null) {
logger.warn("Removing group '" + xXGroupChild.getName() + "' from group '" + xXGroupParent.getName() + "'");
}
xXGroupGroupDao.remove(xXGroupGroup.getId());
}
}
// delete XXPolicyItemGroupPerm records of group
for (XXPolicy xXPolicy : xXPolicyList) {
RangerPolicy rangerPolicy = policyService.getPopulatedViewObject(xXPolicy);
List<RangerPolicyItem> policyItems = rangerPolicy.getPolicyItems();
removeUserGroupReferences(policyItems, null, vXGroup.getName());
rangerPolicy.setPolicyItems(policyItems);
List<RangerPolicyItem> denyPolicyItems = rangerPolicy.getDenyPolicyItems();
removeUserGroupReferences(denyPolicyItems, null, vXGroup.getName());
rangerPolicy.setDenyPolicyItems(denyPolicyItems);
List<RangerPolicyItem> allowExceptions = rangerPolicy.getAllowExceptions();
removeUserGroupReferences(allowExceptions, null, vXGroup.getName());
rangerPolicy.setAllowExceptions(allowExceptions);
List<RangerPolicyItem> denyExceptions = rangerPolicy.getDenyExceptions();
removeUserGroupReferences(denyExceptions, null, vXGroup.getName());
rangerPolicy.setDenyExceptions(denyExceptions);
List<RangerDataMaskPolicyItem> dataMaskItems = rangerPolicy.getDataMaskPolicyItems();
removeUserGroupReferences(dataMaskItems, null, vXGroup.getName());
rangerPolicy.setDataMaskPolicyItems(dataMaskItems);
List<RangerRowFilterPolicyItem> rowFilterItems = rangerPolicy.getRowFilterPolicyItems();
removeUserGroupReferences(rowFilterItems, null, vXGroup.getName());
rangerPolicy.setRowFilterPolicyItems(rowFilterItems);
try {
svcStore.updatePolicy(rangerPolicy);
} catch (Throwable excp) {
logger.error("updatePolicy(" + rangerPolicy + ") failed", excp);
restErrorUtil.createRESTException(excp.getMessage());
}
}
if (CollectionUtils.isNotEmpty(xXGroupPermissions)) {
for (XXGroupPermission xXGroupPermission : xXGroupPermissions) {
if (xXGroupPermission != null) {
XXModuleDef xXModuleDef = daoManager.getXXModuleDef().findByModuleId(xXGroupPermission.getModuleId());
if (xXModuleDef != null) {
logger.warn("Deleting '" + xXModuleDef.getModule() + "' module permission for group '" + xXGroup.getName() + "'");
}
xXGroupPermissionDao.remove(xXGroupPermission.getId());
}
}
}
// delete group from audit filter configs
svcStore.updateServiceAuditConfig(vXGroup.getName(), REMOVE_REF_TYPE.GROUP);
// delete XXGroup
xXGroupDao.remove(id);
// Create XXTrxLog
List<XXTrxLog> xXTrxLogsXXGroup = xGroupService.getTransactionLog(xGroupService.populateViewBean(xXGroup), "delete");
xaBizUtil.createTrxLog(xXTrxLogsXXGroup);
} else {
boolean hasReferences = false;
if (vxGroupUserList.getListSize() > 0) {
hasReferences = true;
}
if (hasReferences == false && CollectionUtils.isNotEmpty(xXPolicyList)) {
hasReferences = true;
}
if (hasReferences == false && vXPermMapList.getListSize() > 0) {
hasReferences = true;
}
if (hasReferences == false && vXAuditMapList.getListSize() > 0) {
hasReferences = true;
}
if (hasReferences == false && CollectionUtils.isNotEmpty(xXGroupGroups)) {
hasReferences = true;
}
if (hasReferences == false && CollectionUtils.isNotEmpty(xXGroupPermissions)) {
hasReferences = true;
}
if (hasReferences) {
// change visibility to Hidden
if (vXGroup.getIsVisible() == RangerCommonEnums.IS_VISIBLE) {
vXGroup.setIsVisible(RangerCommonEnums.IS_HIDDEN);
xGroupService.updateResource(vXGroup);
}
} else {
// delete XXGroup
xXGroupDao.remove(id);
// Create XXTrxLog
List<XXTrxLog> xXTrxLogsXXGroup = xGroupService.getTransactionLog(xGroupService.populateViewBean(xXGroup), "delete");
xaBizUtil.createTrxLog(xXTrxLogsXXGroup);
}
}
}
Also used :
XXUser(org.apache.ranger.entity.XXUser)
XXGroupPermissionDao(org.apache.ranger.db.XXGroupPermissionDao)
XXUserDao(org.apache.ranger.db.XXUserDao)
XXPolicy(org.apache.ranger.entity.XXPolicy)
XXGroupUserDao(org.apache.ranger.db.XXGroupUserDao)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
XXModuleDef(org.apache.ranger.entity.XXModuleDef)
XXPermMapDao(org.apache.ranger.db.XXPermMapDao)
XXGroupGroupDao(org.apache.ranger.db.XXGroupGroupDao)
XXResourceDao(org.apache.ranger.db.XXResourceDao)
XXGroupPermission(org.apache.ranger.entity.XXGroupPermission)
XXResource(org.apache.ranger.entity.XXResource)
XXAuditMapDao(org.apache.ranger.db.XXAuditMapDao)
RangerRowFilterPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem)
XXTrxLog(org.apache.ranger.entity.XXTrxLog)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
XXGroup(org.apache.ranger.entity.XXGroup)
RangerDataMaskPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem)
XXPolicyDao(org.apache.ranger.db.XXPolicyDao)
XXGroupDao(org.apache.ranger.db.XXGroupDao)
XXGroupGroup(org.apache.ranger.entity.XXGroupGroup)
Example 3 with RangerDataMaskPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem in project ranger by apache.
the class XUserMgr method deleteXUser.
public synchronized void deleteXUser(Long id, boolean force) {
checkAdminAccess();
xaBizUtil.blockAuditorRoleUser();
XXUserDao xXUserDao = daoManager.getXXUser();
XXUser xXUser = xXUserDao.getById(id);
VXUser vXUser = xUserService.populateViewBean(xXUser);
if (vXUser == null || StringUtils.isEmpty(vXUser.getName())) {
throw restErrorUtil.createRESTException("No user found with id=" + id);
}
XXPortalUserDao xXPortalUserDao = daoManager.getXXPortalUser();
XXPortalUser xXPortalUser = xXPortalUserDao.findByLoginId(vXUser.getName().trim());
VXPortalUser vXPortalUser = null;
if (xXPortalUser != null) {
vXPortalUser = xPortalUserService.populateViewBean(xXPortalUser);
}
if (vXPortalUser == null || StringUtils.isEmpty(vXPortalUser.getLoginId())) {
throw restErrorUtil.createRESTException("No user found with id=" + id);
}
if (logger.isDebugEnabled()) {
logger.debug("Force delete status=" + force + " for user=" + vXUser.getName());
}
restrictSelfAccountDeletion(vXUser.getName().trim());
blockIfZoneUser(id);
this.blockIfRoleUser(id);
SearchCriteria searchCriteria = new SearchCriteria();
searchCriteria.addParam("xUserId", id);
VXGroupUserList vxGroupUserList = searchXGroupUsers(searchCriteria);
searchCriteria = new SearchCriteria();
searchCriteria.addParam("userId", id);
VXPermMapList vXPermMapList = searchXPermMaps(searchCriteria);
searchCriteria = new SearchCriteria();
searchCriteria.addParam("userId", id);
VXAuditMapList vXAuditMapList = searchXAuditMaps(searchCriteria);
long xXPortalUserId = 0;
xXPortalUserId = vXPortalUser.getId();
XXAuthSessionDao xXAuthSessionDao = daoManager.getXXAuthSession();
XXUserPermissionDao xXUserPermissionDao = daoManager.getXXUserPermission();
XXPortalUserRoleDao xXPortalUserRoleDao = daoManager.getXXPortalUserRole();
List<XXAuthSession> xXAuthSessions = xXAuthSessionDao.getAuthSessionByUserId(xXPortalUserId);
List<XXUserPermission> xXUserPermissions = xXUserPermissionDao.findByUserPermissionId(xXPortalUserId);
List<XXPortalUserRole> xXPortalUserRoles = xXPortalUserRoleDao.findByUserId(xXPortalUserId);
XXPolicyDao xXPolicyDao = daoManager.getXXPolicy();
List<XXPolicy> xXPolicyList = xXPolicyDao.findByUserId(id);
logger.warn("Deleting User : " + vXUser.getName());
if (force) {
// delete XXGroupUser mapping
XXGroupUserDao xGroupUserDao = daoManager.getXXGroupUser();
for (VXGroupUser groupUser : vxGroupUserList.getList()) {
if (groupUser != null) {
logger.warn("Removing user '" + vXUser.getName() + "' from group '" + groupUser.getName() + "'");
xGroupUserDao.remove(groupUser.getId());
}
}
// delete XXPermMap records of user
XXPermMapDao xXPermMapDao = daoManager.getXXPermMap();
for (VXPermMap vXPermMap : vXPermMapList.getList()) {
if (vXPermMap != null) {
logger.warn("Deleting '" + AppConstants.getLabelFor_XAPermType(vXPermMap.getPermType()) + "' permission from policy ID='" + vXPermMap.getResourceId() + "' for user '" + vXPermMap.getUserName() + "'");
xXPermMapDao.remove(vXPermMap.getId());
}
}
// delete XXAuditMap records of user
XXAuditMapDao xXAuditMapDao = daoManager.getXXAuditMap();
for (VXAuditMap vXAuditMap : vXAuditMapList.getList()) {
if (vXAuditMap != null) {
xXAuditMapDao.remove(vXAuditMap.getId());
}
}
// delete XXPortalUser references
if (vXPortalUser != null) {
xPortalUserService.updateXXPortalUserReferences(xXPortalUserId);
if (xXAuthSessions != null && xXAuthSessions.size() > 0) {
logger.warn("Deleting " + xXAuthSessions.size() + " login session records for user '" + vXPortalUser.getLoginId() + "'");
}
for (XXAuthSession xXAuthSession : xXAuthSessions) {
xXAuthSessionDao.remove(xXAuthSession.getId());
}
for (XXUserPermission xXUserPermission : xXUserPermissions) {
if (xXUserPermission != null) {
XXModuleDef xXModuleDef = daoManager.getXXModuleDef().findByModuleId(xXUserPermission.getModuleId());
if (xXModuleDef != null) {
logger.warn("Deleting '" + xXModuleDef.getModule() + "' module permission for user '" + vXPortalUser.getLoginId() + "'");
}
xXUserPermissionDao.remove(xXUserPermission.getId());
}
}
for (XXPortalUserRole xXPortalUserRole : xXPortalUserRoles) {
if (xXPortalUserRole != null) {
logger.warn("Deleting '" + xXPortalUserRole.getUserRole() + "' role for user '" + vXPortalUser.getLoginId() + "'");
xXPortalUserRoleDao.remove(xXPortalUserRole.getId());
}
}
}
// delete XXPolicyItemUserPerm records of user
for (XXPolicy xXPolicy : xXPolicyList) {
RangerPolicy rangerPolicy = policyService.getPopulatedViewObject(xXPolicy);
List<RangerPolicyItem> policyItems = rangerPolicy.getPolicyItems();
removeUserGroupReferences(policyItems, vXUser.getName(), null);
rangerPolicy.setPolicyItems(policyItems);
List<RangerPolicyItem> denyPolicyItems = rangerPolicy.getDenyPolicyItems();
removeUserGroupReferences(denyPolicyItems, vXUser.getName(), null);
rangerPolicy.setDenyPolicyItems(denyPolicyItems);
List<RangerPolicyItem> allowExceptions = rangerPolicy.getAllowExceptions();
removeUserGroupReferences(allowExceptions, vXUser.getName(), null);
rangerPolicy.setAllowExceptions(allowExceptions);
List<RangerPolicyItem> denyExceptions = rangerPolicy.getDenyExceptions();
removeUserGroupReferences(denyExceptions, vXUser.getName(), null);
rangerPolicy.setDenyExceptions(denyExceptions);
List<RangerDataMaskPolicyItem> dataMaskItems = rangerPolicy.getDataMaskPolicyItems();
removeUserGroupReferences(dataMaskItems, vXUser.getName(), null);
rangerPolicy.setDataMaskPolicyItems(dataMaskItems);
List<RangerRowFilterPolicyItem> rowFilterItems = rangerPolicy.getRowFilterPolicyItems();
removeUserGroupReferences(rowFilterItems, vXUser.getName(), null);
rangerPolicy.setRowFilterPolicyItems(rowFilterItems);
try {
svcStore.updatePolicy(rangerPolicy);
} catch (Throwable excp) {
logger.error("updatePolicy(" + rangerPolicy + ") failed", excp);
throw restErrorUtil.createRESTException(excp.getMessage());
}
}
// delete user from audit filter configs
svcStore.updateServiceAuditConfig(vXUser.getName(), REMOVE_REF_TYPE.USER);
// delete XXUser entry of user
xXUserDao.remove(id);
// delete XXPortal entry of user
logger.warn("Deleting Portal User : " + vXPortalUser.getLoginId());
xXPortalUserDao.remove(xXPortalUserId);
List<XXTrxLog> trxLogList = xUserService.getTransactionLog(xUserService.populateViewBean(xXUser), "delete");
xaBizUtil.createTrxLog(trxLogList);
if (xXPortalUser != null) {
trxLogList = xPortalUserService.getTransactionLog(xPortalUserService.populateViewBean(xXPortalUser), "delete");
xaBizUtil.createTrxLog(trxLogList);
}
} else {
boolean hasReferences = false;
if (vxGroupUserList != null && vxGroupUserList.getListSize() > 0) {
hasReferences = true;
}
if (hasReferences == false && xXPolicyList != null && xXPolicyList.size() > 0) {
hasReferences = true;
}
if (hasReferences == false && vXPermMapList != null && vXPermMapList.getListSize() > 0) {
hasReferences = true;
}
if (hasReferences == false && vXAuditMapList != null && vXAuditMapList.getListSize() > 0) {
hasReferences = true;
}
if (hasReferences == false && xXAuthSessions != null && xXAuthSessions.size() > 0) {
hasReferences = true;
}
if (hasReferences == false && xXUserPermissions != null && xXUserPermissions.size() > 0) {
hasReferences = true;
}
if (hasReferences == false && xXPortalUserRoles != null && xXPortalUserRoles.size() > 0) {
hasReferences = true;
}
if (hasReferences) {
if (vXUser.getIsVisible() != RangerCommonEnums.IS_HIDDEN) {
logger.info("Updating visibility of user '" + vXUser.getName() + "' to Hidden!");
vXUser.setIsVisible(RangerCommonEnums.IS_HIDDEN);
xUserService.updateResource(vXUser);
}
} else {
xPortalUserService.updateXXPortalUserReferences(xXPortalUserId);
// delete XXUser entry of user
xXUserDao.remove(id);
// delete XXPortal entry of user
logger.warn("Deleting Portal User : " + vXPortalUser.getLoginId());
xXPortalUserDao.remove(xXPortalUserId);
List<XXTrxLog> trxLogList = xUserService.getTransactionLog(xUserService.populateViewBean(xXUser), "delete");
xaBizUtil.createTrxLog(trxLogList);
trxLogList = xPortalUserService.getTransactionLog(xPortalUserService.populateViewBean(xXPortalUser), "delete");
xaBizUtil.createTrxLog(trxLogList);
}
}
}
Also used :
XXUser(org.apache.ranger.entity.XXUser)
XXUserDao(org.apache.ranger.db.XXUserDao)
XXPolicy(org.apache.ranger.entity.XXPolicy)
XXAuthSessionDao(org.apache.ranger.db.XXAuthSessionDao)
XXPortalUserRoleDao(org.apache.ranger.db.XXPortalUserRoleDao)
XXGroupUserDao(org.apache.ranger.db.XXGroupUserDao)
XXModuleDef(org.apache.ranger.entity.XXModuleDef)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
XXPermMapDao(org.apache.ranger.db.XXPermMapDao)
XXPortalUserRole(org.apache.ranger.entity.XXPortalUserRole)
XXUserPermissionDao(org.apache.ranger.db.XXUserPermissionDao)
XXAuditMapDao(org.apache.ranger.db.XXAuditMapDao)
RangerRowFilterPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem)
XXTrxLog(org.apache.ranger.entity.XXTrxLog)
XXAuthSession(org.apache.ranger.entity.XXAuthSession)
XXUserPermission(org.apache.ranger.entity.XXUserPermission)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
XXPortalUser(org.apache.ranger.entity.XXPortalUser)
RangerDataMaskPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem)
XXPortalUserDao(org.apache.ranger.db.XXPortalUserDao)
XXPolicyDao(org.apache.ranger.db.XXPolicyDao)
Example 4 with RangerDataMaskPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem in project ranger by apache.
the class RangerDefaultPolicyEvaluator method createPolicyACLSummary.
private PolicyACLSummary createPolicyACLSummary(boolean isCreationForced) {
PolicyACLSummary ret = null;
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_ACLSUMMARY_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_ACLSUMMARY_LOG, "RangerPolicyEvaluator.init.ACLSummary(" + perfTag + ")");
}
RangerPolicy policy;
if (!disableRoleResolution && hasRoles(getPolicy())) {
policy = getPolicyWithRolesResolved(getPolicy());
} else {
policy = getPolicy();
}
final boolean hasNonPublicGroupOrConditionsInAllowExceptions = hasNonPublicGroupOrConditions(policy.getAllowExceptions());
final boolean hasNonPublicGroupOrConditionsInDenyExceptions = hasNonPublicGroupOrConditions(policy.getDenyExceptions());
final boolean hasPublicGroupInAllowAndUsersInAllowExceptions = hasPublicGroupAndUserInException(policy.getPolicyItems(), policy.getAllowExceptions());
final boolean hasPublicGroupInDenyAndUsersInDenyExceptions = hasPublicGroupAndUserInException(policy.getDenyPolicyItems(), policy.getDenyExceptions());
final boolean hasContextSensitiveSpecification = hasContextSensitiveSpecification();
final boolean hasRoles = hasRoles(policy);
final boolean isUsableForEvaluation = !hasNonPublicGroupOrConditionsInAllowExceptions && !hasNonPublicGroupOrConditionsInDenyExceptions && !hasPublicGroupInAllowAndUsersInAllowExceptions && !hasPublicGroupInDenyAndUsersInDenyExceptions && !hasContextSensitiveSpecification && !hasRoles;
if (isUsableForEvaluation || isCreationForced) {
ret = new PolicyACLSummary();
for (RangerPolicyItem policyItem : policy.getDenyPolicyItems()) {
ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY, hasNonPublicGroupOrConditionsInDenyExceptions || hasPublicGroupInDenyAndUsersInDenyExceptions);
}
if (!hasNonPublicGroupOrConditionsInDenyExceptions && !hasPublicGroupInDenyAndUsersInDenyExceptions) {
for (RangerPolicyItem policyItem : policy.getDenyExceptions()) {
ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS, false);
}
}
for (RangerPolicyItem policyItem : policy.getPolicyItems()) {
ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW, hasNonPublicGroupOrConditionsInAllowExceptions || hasPublicGroupInAllowAndUsersInAllowExceptions);
}
if (!hasNonPublicGroupOrConditionsInAllowExceptions && !hasPublicGroupInAllowAndUsersInAllowExceptions) {
for (RangerPolicyItem policyItem : policy.getAllowExceptions()) {
ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS, false);
}
}
for (RangerRowFilterPolicyItem policyItem : policy.getRowFilterPolicyItems()) {
ret.processRowFilterPolicyItem(policyItem);
}
for (RangerDataMaskPolicyItem policyItem : policy.getDataMaskPolicyItems()) {
ret.processDataMaskPolicyItem(policyItem);
}
final boolean isDenyAllElse = Boolean.TRUE.equals(policy.getIsDenyAllElse());
final Set<String> allAccessTypeNames;
if (isDenyAllElse) {
allAccessTypeNames = new HashSet<>();
RangerServiceDef serviceDef = getServiceDef();
for (RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
if (!StringUtils.equalsIgnoreCase(accessTypeDef.getName(), "all")) {
allAccessTypeNames.add(accessTypeDef.getName());
}
}
} else {
allAccessTypeNames = Collections.EMPTY_SET;
}
ret.finalizeAcls(isDenyAllElse, allAccessTypeNames);
}
RangerPerfTracer.logAlways(perf);
return ret;
}
Also used :
RangerAccessTypeDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerDataMaskPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem)
RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef)
RangerRowFilterPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
Example 5 with RangerDataMaskPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem in project ranger by apache.
the class RangerDefaultPolicyEvaluator method getPolicyWithRolesResolved.
private RangerPolicy getPolicyWithRolesResolved(final RangerPolicy policy) {
// Create new policy with no roles in it
// For each policyItem, expand roles into users and groups; and replace all policyItems with expanded roles - TBD
RangerPolicy ret = new RangerPolicy();
ret.updateFrom(policy);
ret.setId(policy.getId());
ret.setGuid(policy.getGuid());
ret.setVersion(policy.getVersion());
List<RangerPolicyItem> policyItems = new ArrayList<>();
List<RangerPolicyItem> denyPolicyItems = new ArrayList<>();
List<RangerPolicyItem> allowExceptions = new ArrayList<>();
List<RangerPolicyItem> denyExceptions = new ArrayList<>();
List<RangerDataMaskPolicyItem> dataMaskPolicyItems = new ArrayList<>();
List<RangerRowFilterPolicyItem> rowFilterPolicyItems = new ArrayList<>();
for (RangerPolicyItem policyItem : policy.getPolicyItems()) {
RangerPolicyItem newPolicyItem = new RangerPolicyItem(policyItem.getAccesses(), policyItem.getUsers(), policyItem.getGroups(), policyItem.getRoles(), policyItem.getConditions(), policyItem.getDelegateAdmin());
getPolicyItemWithRolesResolved(newPolicyItem, policyItem);
policyItems.add(newPolicyItem);
}
ret.setPolicyItems(policyItems);
for (RangerPolicyItem policyItem : policy.getDenyPolicyItems()) {
RangerPolicyItem newPolicyItem = new RangerPolicyItem(policyItem.getAccesses(), policyItem.getUsers(), policyItem.getGroups(), policyItem.getRoles(), policyItem.getConditions(), policyItem.getDelegateAdmin());
getPolicyItemWithRolesResolved(newPolicyItem, policyItem);
denyPolicyItems.add(newPolicyItem);
}
ret.setDenyPolicyItems(denyPolicyItems);
for (RangerPolicyItem policyItem : policy.getAllowExceptions()) {
RangerPolicyItem newPolicyItem = new RangerPolicyItem(policyItem.getAccesses(), policyItem.getUsers(), policyItem.getGroups(), policyItem.getRoles(), policyItem.getConditions(), policyItem.getDelegateAdmin());
getPolicyItemWithRolesResolved(newPolicyItem, policyItem);
allowExceptions.add(newPolicyItem);
}
ret.setAllowExceptions(allowExceptions);
for (RangerPolicyItem policyItem : policy.getDenyExceptions()) {
RangerPolicyItem newPolicyItem = new RangerPolicyItem(policyItem.getAccesses(), policyItem.getUsers(), policyItem.getGroups(), policyItem.getRoles(), policyItem.getConditions(), policyItem.getDelegateAdmin());
getPolicyItemWithRolesResolved(newPolicyItem, policyItem);
denyExceptions.add(newPolicyItem);
}
ret.setDenyExceptions(denyExceptions);
for (RangerDataMaskPolicyItem policyItem : policy.getDataMaskPolicyItems()) {
RangerDataMaskPolicyItem newPolicyItem = new RangerDataMaskPolicyItem(policyItem.getAccesses(), policyItem.getDataMaskInfo(), policyItem.getUsers(), policyItem.getGroups(), policyItem.getRoles(), policyItem.getConditions(), policyItem.getDelegateAdmin());
getPolicyItemWithRolesResolved(newPolicyItem, policyItem);
dataMaskPolicyItems.add(newPolicyItem);
}
ret.setDataMaskPolicyItems(dataMaskPolicyItems);
for (RangerRowFilterPolicyItem policyItem : policy.getRowFilterPolicyItems()) {
RangerRowFilterPolicyItem newPolicyItem = new RangerRowFilterPolicyItem(policyItem.getRowFilterInfo(), policyItem.getAccesses(), policyItem.getUsers(), policyItem.getGroups(), policyItem.getRoles(), policyItem.getConditions(), policyItem.getDelegateAdmin());
getPolicyItemWithRolesResolved(newPolicyItem, policyItem);
rowFilterPolicyItems.add(newPolicyItem);
}
ret.setRowFilterPolicyItems(rowFilterPolicyItems);
return ret;
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerDataMaskPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem)
ArrayList(java.util.ArrayList)
RangerRowFilterPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
Aggregations
RangerDataMaskPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem)13
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)7
RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)7
RangerRowFilterPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem)7
ArrayList (java.util.ArrayList)4
IOException (java.io.IOException)3
XXDataMaskTypeDef (org.apache.ranger.entity.XXDataMaskTypeDef)3
XXService (org.apache.ranger.entity.XXService)3
XXTrxLog (org.apache.ranger.entity.XXTrxLog)3
RangerPolicyItemDataMaskInfo (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo)3
UnknownHostException (java.net.UnknownHostException)2
List (java.util.List)2
XXAuditMapDao (org.apache.ranger.db.XXAuditMapDao)2
XXGroupUserDao (org.apache.ranger.db.XXGroupUserDao)2
XXPermMapDao (org.apache.ranger.db.XXPermMapDao)2
XXPolicyDao (org.apache.ranger.db.XXPolicyDao)2
XXUserDao (org.apache.ranger.db.XXUserDao)2
XXModuleDef (org.apache.ranger.entity.XXModuleDef)2
XXPolicy (org.apache.ranger.entity.XXPolicy)2
XXServiceDef (org.apache.ranger.entity.XXServiceDef)2
