Example 31 with RangerPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.
the class RangerServiceAtlas method getSearchFeaturePolicyItem.
private List<RangerPolicyItem> getSearchFeaturePolicyItem() {
List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
accesses.add(new RangerPolicyItemAccess(ACCESS_TYPE_ENTITY_READ));
accesses.add(new RangerPolicyItemAccess(ACCESS_TYPE_ENTITY_CREATE));
accesses.add(new RangerPolicyItemAccess(ACCESS_TYPE_ENTITY_UPDATE));
accesses.add(new RangerPolicyItemAccess(ACCESS_TYPE_ENTITY_DELETE));
RangerPolicyItem item = new RangerPolicyItem(accesses, Arrays.asList(RangerPolicyEngine.USER_CURRENT), null, null, null, false);
return Collections.singletonList(item);
}
Also used :
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
ArrayList(java.util.ArrayList)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
Example 32 with RangerPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.
the class RangerServiceKnox method getDefaultRangerPolicies.
@Override
public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerServiceKnox.getDefaultRangerPolicies()");
}
List<RangerPolicy> ret = super.getDefaultRangerPolicies();
for (RangerPolicy defaultPolicy : ret) {
if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_ALLOW)));
policyItemForLookupUser.setDelegateAdmin(false);
defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerServiceKnox.getDefaultRangerPolicies()");
}
return ret;
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
Example 33 with RangerPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.
the class TestServiceDBStore method test26createPolicy.
@Test
public void test26createPolicy() throws Exception {
setup();
XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
XXPolicy xPolicy = Mockito.mock(XXPolicy.class);
XXPolicyDao xPolicyDao = Mockito.mock(XXPolicyDao.class);
XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class);
XXService xService = Mockito.mock(XXService.class);
XXServiceDef xServiceDef = serviceDef();
Map<String, String> configs = new HashMap<String, String>();
configs.put("username", "servicemgr");
configs.put("password", "servicemgr");
configs.put("namenode", "servicemgr");
configs.put("hadoop.security.authorization", "No");
configs.put("hadoop.security.authentication", "Simple");
configs.put("hadoop.security.auth_to_local", "");
configs.put("dfs.datanode.kerberos.principal", "");
configs.put("dfs.namenode.kerberos.principal", "");
configs.put("dfs.secondary.namenode.kerberos.principal", "");
configs.put("hadoop.rpc.protection", "Privacy");
configs.put("commonNameForCertificate", "");
RangerService rangerService = new RangerService();
rangerService.setId(Id);
rangerService.setConfigs(configs);
rangerService.setCreateTime(new Date());
rangerService.setDescription("service policy");
rangerService.setGuid("1427365526516_835_0");
rangerService.setIsEnabled(true);
rangerService.setName("HDFS_1");
rangerService.setPolicyUpdateTime(new Date());
rangerService.setType("1");
rangerService.setUpdatedBy("Admin");
String policyName = "HDFS_1-1-20150316062345";
String name = "HDFS_1-1-20150316062453";
List<RangerPolicyItemAccess> accessesList = new ArrayList<RangerPolicyItemAccess>();
RangerPolicyItemAccess policyItemAccess = new RangerPolicyItemAccess();
policyItemAccess.setIsAllowed(true);
policyItemAccess.setType("1");
List<String> usersList = new ArrayList<String>();
List<String> groupsList = new ArrayList<String>();
List<String> rolesList = new ArrayList<String>();
List<String> policyLabels = new ArrayList<String>();
List<RangerPolicyItemCondition> conditionsList = new ArrayList<RangerPolicyItemCondition>();
RangerPolicyItemCondition policyItemCondition = new RangerPolicyItemCondition();
policyItemCondition.setType("1");
policyItemCondition.setValues(usersList);
conditionsList.add(policyItemCondition);
List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
RangerPolicyItem rangerPolicyItem = new RangerPolicyItem();
rangerPolicyItem.setDelegateAdmin(false);
rangerPolicyItem.setAccesses(accessesList);
rangerPolicyItem.setConditions(conditionsList);
rangerPolicyItem.setGroups(groupsList);
rangerPolicyItem.setUsers(usersList);
policyItems.add(rangerPolicyItem);
List<RangerPolicyItem> policyItemsSet = new ArrayList<RangerPolicy.RangerPolicyItem>();
RangerPolicyItem paramPolicyItem = new RangerPolicyItem(accessesList, usersList, groupsList, rolesList, conditionsList, false);
paramPolicyItem.setDelegateAdmin(false);
paramPolicyItem.setAccesses(accessesList);
paramPolicyItem.setConditions(conditionsList);
paramPolicyItem.setGroups(groupsList);
rangerPolicyItem.setUsers(usersList);
policyItemsSet.add(paramPolicyItem);
XXPolicyItem xPolicyItem = new XXPolicyItem();
xPolicyItem.setDelegateAdmin(false);
xPolicyItem.setAddedByUserId(null);
xPolicyItem.setCreateTime(new Date());
xPolicyItem.setGUID(null);
xPolicyItem.setId(Id);
xPolicyItem.setOrder(null);
xPolicyItem.setPolicyId(Id);
xPolicyItem.setUpdatedByUserId(null);
xPolicyItem.setUpdateTime(new Date());
XXPolicy xxPolicy = new XXPolicy();
xxPolicy.setId(Id);
xxPolicy.setName(name);
xxPolicy.setAddedByUserId(Id);
xxPolicy.setCreateTime(new Date());
xxPolicy.setDescription("test");
xxPolicy.setIsAuditEnabled(true);
xxPolicy.setIsEnabled(true);
xxPolicy.setService(1L);
xxPolicy.setUpdatedByUserId(Id);
xxPolicy.setUpdateTime(new Date());
List<XXServiceConfigDef> xServiceConfigDefList = new ArrayList<XXServiceConfigDef>();
XXServiceConfigDef serviceConfigDefObj = new XXServiceConfigDef();
serviceConfigDefObj.setId(Id);
xServiceConfigDefList.add(serviceConfigDefObj);
List<XXServiceConfigMap> xConfMapList = new ArrayList<XXServiceConfigMap>();
XXServiceConfigMap xConfMap = new XXServiceConfigMap();
xConfMap.setAddedByUserId(null);
xConfMap.setConfigkey(name);
xConfMap.setConfigvalue(name);
xConfMap.setCreateTime(new Date());
xConfMap.setServiceId(null);
xConfMap.setId(Id);
xConfMap.setUpdatedByUserId(null);
xConfMap.setUpdateTime(new Date());
xConfMapList.add(xConfMap);
List<String> users = new ArrayList<String>();
RangerPolicyResource rangerPolicyResource = new RangerPolicyResource();
rangerPolicyResource.setIsExcludes(true);
rangerPolicyResource.setIsRecursive(true);
rangerPolicyResource.setValue("1");
rangerPolicyResource.setValues(users);
Map<String, RangerPolicyResource> policyResource = new HashMap<String, RangerPolicyResource>();
policyResource.put(name, rangerPolicyResource);
policyResource.put(policyName, rangerPolicyResource);
RangerPolicy rangerPolicy = new RangerPolicy();
rangerPolicy.setId(Id);
rangerPolicy.setCreateTime(new Date());
rangerPolicy.setDescription("policy");
rangerPolicy.setGuid("policyguid");
rangerPolicy.setIsEnabled(true);
rangerPolicy.setName("HDFS_1-1-20150316062453");
rangerPolicy.setUpdatedBy("Admin");
rangerPolicy.setUpdateTime(new Date());
rangerPolicy.setService("HDFS_1-1-20150316062453");
rangerPolicy.setIsAuditEnabled(true);
rangerPolicy.setPolicyItems(policyItems);
rangerPolicy.setResources(policyResource);
rangerPolicy.setPolicyLabels(policyLabels);
XXPolicyResource xPolicyResource = new XXPolicyResource();
xPolicyResource.setAddedByUserId(Id);
xPolicyResource.setCreateTime(new Date());
xPolicyResource.setId(Id);
xPolicyResource.setIsExcludes(true);
xPolicyResource.setIsRecursive(true);
xPolicyResource.setPolicyId(Id);
xPolicyResource.setResDefId(Id);
xPolicyResource.setUpdatedByUserId(Id);
xPolicyResource.setUpdateTime(new Date());
List<XXPolicyConditionDef> policyConditionDefList = new ArrayList<XXPolicyConditionDef>();
XXPolicyConditionDef policyConditionDefObj = new XXPolicyConditionDef();
policyConditionDefObj.setAddedByUserId(Id);
policyConditionDefObj.setCreateTime(new Date());
policyConditionDefObj.setDefid(Id);
policyConditionDefObj.setDescription("policy");
policyConditionDefObj.setId(Id);
policyConditionDefObj.setName("country");
policyConditionDefObj.setOrder(0);
policyConditionDefObj.setUpdatedByUserId(Id);
policyConditionDefObj.setUpdateTime(new Date());
policyConditionDefList.add(policyConditionDefObj);
Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
Mockito.when(xServiceDao.findByName(name)).thenReturn(xService);
Mockito.when(svcService.getPopulatedViewObject(xService)).thenReturn(rangerService);
Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
Mockito.when(xServiceDefDao.findByName(rangerService.getType())).thenReturn(xServiceDef);
Mockito.when(daoManager.getXXPolicy()).thenReturn(xPolicyDao);
Mockito.when(policyService.create(rangerPolicy, true)).thenReturn(rangerPolicy);
Mockito.when(daoManager.getXXPolicy()).thenReturn(xPolicyDao);
Mockito.when(xPolicyDao.getById(Id)).thenReturn(xPolicy);
Mockito.doNothing().when(policyRefUpdater).createNewPolMappingForRefTable(rangerPolicy, xPolicy, xServiceDef);
Mockito.when(policyService.getPopulatedViewObject(xPolicy)).thenReturn(rangerPolicy);
Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
Mockito.when(xServiceDao.getById(Id)).thenReturn(xService);
Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
Mockito.when(xServiceDao.getById(Id)).thenReturn(xService);
RangerPolicyResourceSignature signature = Mockito.mock(RangerPolicyResourceSignature.class);
Mockito.when(factory.createPolicyResourceSignature(rangerPolicy)).thenReturn(signature);
Mockito.when(!bizUtil.hasAccess(xService, null)).thenReturn(true);
RangerPolicy dbRangerPolicy = serviceDBStore.createPolicy(rangerPolicy);
Assert.assertNotNull(dbRangerPolicy);
Assert.assertEquals(Id, dbRangerPolicy.getId());
}
Also used :
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
VXString(org.apache.ranger.view.VXString)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature)
RangerService(org.apache.ranger.plugin.model.RangerService)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
Date(java.util.Date)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)
Test(org.junit.Test)
Example 34 with RangerPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.
the class TestServiceDBStore method rangerPolicy.
private RangerPolicy rangerPolicy() {
List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
List<String> users = new ArrayList<String>();
List<String> groups = new ArrayList<String>();
List<String> policyLabels = new ArrayList<String>();
List<RangerPolicyItemCondition> conditions = new ArrayList<RangerPolicyItemCondition>();
List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicyItem>();
RangerPolicyItem rangerPolicyItem = new RangerPolicyItem();
rangerPolicyItem.setAccesses(accesses);
rangerPolicyItem.setConditions(conditions);
rangerPolicyItem.setGroups(groups);
rangerPolicyItem.setUsers(users);
rangerPolicyItem.setDelegateAdmin(false);
policyItems.add(rangerPolicyItem);
Map<String, RangerPolicyResource> policyResource = new HashMap<String, RangerPolicyResource>();
RangerPolicyResource rangerPolicyResource = new RangerPolicyResource();
rangerPolicyResource.setIsExcludes(true);
rangerPolicyResource.setIsRecursive(true);
rangerPolicyResource.setValue("1");
rangerPolicyResource.setValues(users);
RangerPolicy policy = new RangerPolicy();
policy.setId(Id);
policy.setCreateTime(new Date());
policy.setDescription("policy");
policy.setGuid("policyguid");
policy.setIsEnabled(true);
policy.setName("HDFS_1-1-20150316062453");
policy.setUpdatedBy("Admin");
policy.setUpdateTime(new Date());
policy.setService("HDFS_1-1-20150316062453");
policy.setIsAuditEnabled(true);
policy.setPolicyItems(policyItems);
policy.setResources(policyResource);
policy.setPolicyLabels(policyLabels);
return policy;
}
Also used :
HashMap(java.util.HashMap)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
ArrayList(java.util.ArrayList)
VXString(org.apache.ranger.view.VXString)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
Date(java.util.Date)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)
Example 35 with RangerPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.
the class RangerDefaultPolicyEvaluator method createPolicyACLSummary.
private PolicyACLSummary createPolicyACLSummary(boolean isCreationForced) {
PolicyACLSummary ret = null;
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_ACLSUMMARY_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_ACLSUMMARY_LOG, "RangerPolicyEvaluator.init.ACLSummary(" + perfTag + ")");
}
RangerPolicy policy;
if (!disableRoleResolution && hasRoles(getPolicy())) {
policy = getPolicyWithRolesResolved(getPolicy());
} else {
policy = getPolicy();
}
final boolean hasNonPublicGroupOrConditionsInAllowExceptions = hasNonPublicGroupOrConditions(policy.getAllowExceptions());
final boolean hasNonPublicGroupOrConditionsInDenyExceptions = hasNonPublicGroupOrConditions(policy.getDenyExceptions());
final boolean hasPublicGroupInAllowAndUsersInAllowExceptions = hasPublicGroupAndUserInException(policy.getPolicyItems(), policy.getAllowExceptions());
final boolean hasPublicGroupInDenyAndUsersInDenyExceptions = hasPublicGroupAndUserInException(policy.getDenyPolicyItems(), policy.getDenyExceptions());
final boolean hasContextSensitiveSpecification = hasContextSensitiveSpecification();
final boolean hasRoles = hasRoles(policy);
final boolean isUsableForEvaluation = !hasNonPublicGroupOrConditionsInAllowExceptions && !hasNonPublicGroupOrConditionsInDenyExceptions && !hasPublicGroupInAllowAndUsersInAllowExceptions && !hasPublicGroupInDenyAndUsersInDenyExceptions && !hasContextSensitiveSpecification && !hasRoles;
if (isUsableForEvaluation || isCreationForced) {
ret = new PolicyACLSummary();
for (RangerPolicyItem policyItem : policy.getDenyPolicyItems()) {
ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY, hasNonPublicGroupOrConditionsInDenyExceptions || hasPublicGroupInDenyAndUsersInDenyExceptions);
}
if (!hasNonPublicGroupOrConditionsInDenyExceptions && !hasPublicGroupInDenyAndUsersInDenyExceptions) {
for (RangerPolicyItem policyItem : policy.getDenyExceptions()) {
ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS, false);
}
}
for (RangerPolicyItem policyItem : policy.getPolicyItems()) {
ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW, hasNonPublicGroupOrConditionsInAllowExceptions || hasPublicGroupInAllowAndUsersInAllowExceptions);
}
if (!hasNonPublicGroupOrConditionsInAllowExceptions && !hasPublicGroupInAllowAndUsersInAllowExceptions) {
for (RangerPolicyItem policyItem : policy.getAllowExceptions()) {
ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS, false);
}
}
for (RangerRowFilterPolicyItem policyItem : policy.getRowFilterPolicyItems()) {
ret.processRowFilterPolicyItem(policyItem);
}
for (RangerDataMaskPolicyItem policyItem : policy.getDataMaskPolicyItems()) {
ret.processDataMaskPolicyItem(policyItem);
}
final boolean isDenyAllElse = Boolean.TRUE.equals(policy.getIsDenyAllElse());
final Set<String> allAccessTypeNames;
if (isDenyAllElse) {
allAccessTypeNames = new HashSet<>();
RangerServiceDef serviceDef = getServiceDef();
for (RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
if (!StringUtils.equalsIgnoreCase(accessTypeDef.getName(), "all")) {
allAccessTypeNames.add(accessTypeDef.getName());
}
}
} else {
allAccessTypeNames = Collections.EMPTY_SET;
}
ret.finalizeAcls(isDenyAllElse, allAccessTypeNames);
}
RangerPerfTracer.logAlways(perf);
return ret;
}
Also used :
RangerAccessTypeDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerDataMaskPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem)
RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef)
RangerRowFilterPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
Aggregations
RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)85
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)65
RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)56
ArrayList (java.util.ArrayList)52
RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)35
HashMap (java.util.HashMap)34
Test (org.junit.Test)24
RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)21
VXString (org.apache.ranger.view.VXString)17
Date (java.util.Date)15
RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)14
RangerService (org.apache.ranger.plugin.model.RangerService)11
LinkedHashMap (java.util.LinkedHashMap)8
ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)8
RangerDataMaskPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem)7
XXServiceDef (org.apache.ranger.entity.XXServiceDef)6
IOException (java.io.IOException)5
List (java.util.List)5
XXService (org.apache.ranger.entity.XXService)5
RangerRowFilterPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem)5
