Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache:
from class RangerDefaultPolicyEvaluator, method preprocessPolicyItems.
/**
 * Expands implied access grants on every policy item, in place.
 *
 * <p>For each access type an item already carries, every access type that it implies
 * (according to {@code impliedAccessGrants}) is added to the item with the same
 * allow flag. When the implied access is already present but not allowed, it takes
 * the allow flag of the implying access. Items with no accesses are skipped.
 *
 * <p>NOTE(review): the "multi-level" behaviour described in the inline comment only
 * holds if {@code impliedAccessGrants} is already transitively closed (or its entries
 * happen to be visited in a favourable order) — confirm against the caller that builds
 * the map.
 *
 * @param policyItems         items whose access lists are mutated; must be non-null
 * @param impliedAccessGrants access type to the access types it implies; dereferenced
 *                            without a null check, so callers must pass a non-null map
 */
protected void preprocessPolicyItems(List<? extends RangerPolicyItem> policyItems, Map<String, Collection<String>> impliedAccessGrants) {
    for (RangerPolicyItem item : policyItems) {
        if (CollectionUtils.isEmpty(item.getAccesses())) {
            continue;
        }

        // multi-level impliedGrants: given admin=>write; write=>read: must imply admin=>read,write
        for (Map.Entry<String, Collection<String>> grant : impliedAccessGrants.entrySet()) {
            RangerPolicyItemAccess grantingAccess = getAccess(item, grant.getKey());

            if (grantingAccess == null) {
                continue;
            }

            for (String impliedType : grant.getValue()) {
                RangerPolicyItemAccess existing = getAccess(item, impliedType);

                if (existing == null) {
                    // not yet on the item: inherit the allow flag of the implying access
                    item.getAccesses().add(new RangerPolicyItemAccess(impliedType, grantingAccess.getIsAllowed()));
                } else if (!existing.getIsAllowed()) {
                    // present but denied: the implying access decides
                    existing.setIsAllowed(grantingAccess.getIsAllowed());
                }
            }
        }
    }
}
Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache:
from class RangerDefaultPolicyEvaluator, method getPolicyWithRolesResolved.
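/**
 * Returns a copy of {@code policy} in which every policy item has had its roles
 * resolved through {@link #getPolicyItemWithRolesResolved}. The source policy is
 * not modified.
 *
 * <p>Each of the six item lists (allow, deny, allow-exception, deny-exception,
 * data-mask, row-filter) is rebuilt from fresh item copies and then set on the
 * returned policy, replacing whatever {@code updateFrom} carried over.
 *
 * @param policy the source policy; must be non-null
 * @return a new policy carrying the source's id, guid and version, with roles resolved
 */
private RangerPolicy getPolicyWithRolesResolved(final RangerPolicy policy) {
    // Create new policy with no roles in it
    // For each policyItem, expand roles into users and groups; and replace all policyItems with expanded roles - TBD
    RangerPolicy ret = new RangerPolicy();

    ret.updateFrom(policy);
    // identity fields are set explicitly so the resolved copy is attributable to the same stored policy
    ret.setId(policy.getId());
    ret.setGuid(policy.getGuid());
    ret.setVersion(policy.getVersion());

    // the four plain-item lists share one copy routine; data-mask and row-filter items
    // have their own constructors and are copied inline below
    ret.setPolicyItems(copyPolicyItemsWithRolesResolved(policy.getPolicyItems()));
    ret.setDenyPolicyItems(copyPolicyItemsWithRolesResolved(policy.getDenyPolicyItems()));
    ret.setAllowExceptions(copyPolicyItemsWithRolesResolved(policy.getAllowExceptions()));
    ret.setDenyExceptions(copyPolicyItemsWithRolesResolved(policy.getDenyExceptions()));

    List<RangerDataMaskPolicyItem> dataMaskPolicyItems = new ArrayList<>();
    for (RangerDataMaskPolicyItem policyItem : policy.getDataMaskPolicyItems()) {
        RangerDataMaskPolicyItem newPolicyItem = new RangerDataMaskPolicyItem(policyItem.getAccesses(), policyItem.getDataMaskInfo(), policyItem.getUsers(), policyItem.getGroups(), policyItem.getRoles(), policyItem.getConditions(), policyItem.getDelegateAdmin());
        getPolicyItemWithRolesResolved(newPolicyItem, policyItem);
        dataMaskPolicyItems.add(newPolicyItem);
    }
    ret.setDataMaskPolicyItems(dataMaskPolicyItems);

    List<RangerRowFilterPolicyItem> rowFilterPolicyItems = new ArrayList<>();
    for (RangerRowFilterPolicyItem policyItem : policy.getRowFilterPolicyItems()) {
        RangerRowFilterPolicyItem newPolicyItem = new RangerRowFilterPolicyItem(policyItem.getRowFilterInfo(), policyItem.getAccesses(), policyItem.getUsers(), policyItem.getGroups(), policyItem.getRoles(), policyItem.getConditions(), policyItem.getDelegateAdmin());
        getPolicyItemWithRolesResolved(newPolicyItem, policyItem);
        rowFilterPolicyItems.add(newPolicyItem);
    }
    ret.setRowFilterPolicyItems(rowFilterPolicyItems);

    return ret;
}

/**
 * Copies each plain policy item and resolves its roles into the copy.
 *
 * @param policyItems source items; must be non-null (may be empty)
 * @return a new, mutable list of resolved copies in the same order
 */
private List<RangerPolicyItem> copyPolicyItemsWithRolesResolved(List<RangerPolicyItem> policyItems) {
    List<RangerPolicyItem> ret = new ArrayList<>();

    for (RangerPolicyItem policyItem : policyItems) {
        RangerPolicyItem newPolicyItem = new RangerPolicyItem(policyItem.getAccesses(), policyItem.getUsers(), policyItem.getGroups(), policyItem.getRoles(), policyItem.getConditions(), policyItem.getDelegateAdmin());
        getPolicyItemWithRolesResolved(newPolicyItem, policyItem);
        ret.add(newPolicyItem);
    }

    return ret;
}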
Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache:
from class ServiceDBStore, method createDefaultPolicyUsersAndGroups.
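/**
 * Ensures every user and group referenced by the given default policies exists in the
 * store, creating the missing ones.
 *
 * <p>Users and groups are gathered from all six item lists of each policy (allow, allow
 * exceptions, deny, deny exceptions, data-mask, row-filter). Blank names and the
 * evaluation-time placeholders {@code USER_CURRENT} and {@code RESOURCE_OWNER} are skipped.
 * A missing user is created via {@code xUserMgr.createServiceConfigUser}; a missing group is
 * created as an internal, visible group and a "create" transaction log is written.
 *
 * <p>Creation is refused — with a {@code MessageEnums.OPER_NO_PERMISSION} REST exception
 * naming the missing principal — when the current session exists but belongs to neither a
 * key admin, a user admin nor a SPNEGO-enabled caller. Note that with no current session
 * at all the check passes and the principal is created.
 *
 * @param defaultPolicies policies to scan; must be non-null
 */
void createDefaultPolicyUsersAndGroups(List<RangerPolicy> defaultPolicies) {
    Set<String> defaultPolicyUsers = new HashSet<>();
    Set<String> defaultPolicyGroups = new HashSet<>();

    for (RangerPolicy defaultPolicy : defaultPolicies) {
        collectPolicyItemPrincipals(defaultPolicy.getPolicyItems(), defaultPolicyUsers, defaultPolicyGroups);
        collectPolicyItemPrincipals(defaultPolicy.getAllowExceptions(), defaultPolicyUsers, defaultPolicyGroups);
        collectPolicyItemPrincipals(defaultPolicy.getDenyPolicyItems(), defaultPolicyUsers, defaultPolicyGroups);
        collectPolicyItemPrincipals(defaultPolicy.getDenyExceptions(), defaultPolicyUsers, defaultPolicyGroups);
        collectPolicyItemPrincipals(defaultPolicy.getDataMaskPolicyItems(), defaultPolicyUsers, defaultPolicyGroups);
        collectPolicyItemPrincipals(defaultPolicy.getRowFilterPolicyItems(), defaultPolicyUsers, defaultPolicyGroups);
    }

    for (String policyUser : defaultPolicyUsers) {
        ensureDefaultPolicyUserExists(policyUser);
    }

    for (String policyGroup : defaultPolicyGroups) {
        ensureDefaultPolicyGroupExists(policyGroup);
    }
}

/**
 * Adds the users and groups of each item to the given sets.
 *
 * @param policyItems items to scan; must be non-null
 * @param users       receives every user name found
 * @param groups      receives every group name found
 */
private static void collectPolicyItemPrincipals(List<? extends RangerPolicyItem> policyItems, Set<String> users, Set<String> groups) {
    for (RangerPolicyItem policyItem : policyItems) {
        users.addAll(policyItem.getUsers());
        groups.addAll(policyItem.getGroups());
    }
}

/**
 * Creates the user behind {@code policyUser} if it is a real, still-missing principal.
 *
 * @param policyUser user name as written in the policy item
 */
private void ensureDefaultPolicyUserExists(String policyUser) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("Checking policyUser:[" + policyUser + "] for existence");
    }

    // USER_CURRENT / RESOURCE_OWNER are resolved at evaluation time and never stored as users
    if (StringUtils.isBlank(policyUser) || StringUtils.equals(policyUser, RangerPolicyEngine.USER_CURRENT) || StringUtils.equals(policyUser, RangerPolicyEngine.RESOURCE_OWNER)) {
        return;
    }

    // lookup and creation use the normalised name; the error message keeps the name as written
    String userName = stringUtil.getValidUserName(policyUser);
    XXUser xxUser = daoMgr.getXXUser().findByUserName(userName);

    if (xxUser != null) {
        return;
    }

    if (!canCurrentSessionCreatePrincipals()) {
        throw restErrorUtil.createRESTException("User does not exist with given username: [" + policyUser + "] please use existing user", MessageEnums.OPER_NO_PERMISSION);
    }

    xUserMgr.createServiceConfigUser(userName);
}

/**
 * Creates the group behind {@code policyGroup} as an internal, visible group if it is
 * still missing, and records a "create" transaction log for it.
 *
 * @param policyGroup group name as written in the policy item; looked up verbatim
 */
private void ensureDefaultPolicyGroupExists(String policyGroup) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("Checking policyGroup:[" + policyGroup + "] for existence");
    }

    if (StringUtils.isBlank(policyGroup)) {
        return;
    }

    XXGroup xxGroup = daoMgr.getXXGroup().findByGroupName(policyGroup);

    if (xxGroup != null) {
        return;
    }

    if (!canCurrentSessionCreatePrincipals()) {
        throw restErrorUtil.createRESTException("Group does not exist with given groupname: [" + policyGroup + "] please use existing group", MessageEnums.OPER_NO_PERMISSION);
    }

    VXGroup vXGroup = new VXGroup();
    vXGroup.setName(policyGroup);
    vXGroup.setDescription(policyGroup);
    vXGroup.setGroupSource(RangerCommonEnums.GROUP_INTERNAL);
    vXGroup.setIsVisible(RangerCommonEnums.IS_VISIBLE);

    VXGroup createdVXGrp = xGroupService.createResource(vXGroup);
    List<XXTrxLog> trxLogList = xGroupService.getTransactionLog(createdVXGrp, "create");
    bizUtil.createTrxLog(trxLogList);
}

/**
 * Whether the current session is allowed to create missing principals.
 *
 * @return true when there is no current session, or the session belongs to a key admin,
 *         a user admin or a SPNEGO-enabled caller
 */
private boolean canCurrentSessionCreatePrincipals() {
    UserSessionBase usb = ContextUtil.getCurrentUserSession();

    return usb == null || usb.isKeyAdmin() || usb.isUserAdmin() || usb.isSpnegoEnabled();
}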
Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache:
from class TestServiceUtil, method testToRangerPolicyForPermGroup.
/**
 * Verifies that {@code serviceUtil.toRangerPolicy(VXResource, RangerService)} maps a
 * legacy hive resource carrying one user permission map (with an IP-address restriction)
 * onto a RangerPolicy with the expected id, name, service, description and policy items.
 */
@Test
public void testToRangerPolicyForPermGroup() {
    // --- expected policy: one item for user "rangerAdmin", access "drop", ipaddress condition ---
    List<String> ipValues = new ArrayList<>();
    ipValues.add("10.129.25.56");
    RangerPolicyItemCondition ipCondition = new RangerPolicyItemCondition();
    ipCondition.setType("ipaddress");
    ipCondition.setValues(ipValues);
    List<RangerPolicyItemCondition> conditions = new ArrayList<>();
    conditions.add(ipCondition);

    RangerPolicyItemAccess dropAccess = new RangerPolicyItemAccess();
    dropAccess.setType("drop");
    dropAccess.setIsAllowed(true);
    List<RangerPolicyItemAccess> accesses = new ArrayList<>();
    accesses.add(dropAccess);

    List<String> users = new ArrayList<>();
    users.add("rangerAdmin");
    List<String> groups = new ArrayList<>();

    RangerPolicyItem expectedItem = new RangerPolicyItem();
    expectedItem.setAccesses(accesses);
    expectedItem.setConditions(conditions);
    expectedItem.setUsers(users);
    expectedItem.setGroups(groups);
    expectedItem.setDelegateAdmin(false);
    List<RangerPolicyItem> expectedItems = new ArrayList<>();
    expectedItems.add(expectedItem);

    RangerPolicy expected = new RangerPolicy();
    expected.setId(1L);
    expected.setName("hive Policy");
    expected.setService("hive");
    expected.setDescription("hive policy description");
    expected.setPolicyItems(expectedItems);

    // --- legacy input: a VXResource with a single user perm map ---
    VXPermMap permMap = new VXPermMap();
    permMap.setId(5L);
    permMap.setGroupName("myGroup");
    permMap.setPermGroup("permGroup");
    permMap.setUserName("rangerAdmin");
    permMap.setPermType(12);
    permMap.setPermFor(AppConstants.XA_PERM_FOR_USER);
    permMap.setIpAddress("10.129.25.56");
    List<VXPermMap> permMaps = new ArrayList<>();
    permMaps.add(permMap);

    // NOTE(review): this audit map is built but never attached to the resource, so it
    // does not influence the conversion under test
    VXAuditMap auditMap = new VXAuditMap();
    auditMap.setId(1L);
    auditMap.setOwner("rangerAdmin");
    List<VXAuditMap> auditMaps = new ArrayList<>();
    auditMaps.add(auditMap);

    RangerService hiveService = new RangerService();
    hiveService.setName("hive");
    hiveService.setType("hive");

    VXResource legacyResource = new VXResource();
    legacyResource.setId(1L);
    legacyResource.setUpdateDate(new Date());
    legacyResource.setCreateDate(new Date());
    legacyResource.setOwner("rangerAdmin");
    legacyResource.setUpdatedBy("rangerAdmin");
    legacyResource.setPolicyName("hive Policy");
    legacyResource.setDescription("hive policy description");
    legacyResource.setResourceStatus(RangerCommonEnums.STATUS_ENABLED);
    legacyResource.setIsRecursive(1);
    legacyResource.setTableType(1);
    legacyResource.setColumnType(1);
    legacyResource.setPermMapList(permMaps);

    RangerPolicy actual = serviceUtil.toRangerPolicy(legacyResource, hiveService);

    Assert.assertNotNull(actual);
    Assert.assertEquals(expected.getId(), actual.getId());
    Assert.assertEquals(expected.getName(), actual.getName());
    Assert.assertEquals(expected.getService(), actual.getService());
    Assert.assertEquals(expected.getDescription(), actual.getDescription());
    Assert.assertEquals(expected.getPolicyItems(), actual.getPolicyItems());
}
Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache:
from class TestServiceUtil, method testToRangerPolicy.
/**
 * Verifies that {@code serviceUtil.toRangerPolicy(VXPolicy, RangerService)} maps a legacy
 * hdfs VXPolicy with one permission object (user, group, "Admin" permission, IP address)
 * onto a RangerPolicy with the expected id, name, description, creator, audit flag,
 * resources and policy items.
 */
@Test
public void testToRangerPolicy() {
    Date now = new Date();

    // principals and permission shared by the expected item and the legacy perm object
    List<String> users = new ArrayList<>();
    users.add("rangerAdmin");
    List<String> groups = new ArrayList<>();
    groups.add("rangerGroup");
    List<String> perms = new ArrayList<>();
    perms.add("Admin");

    // --- expected resources: path -> "resource", recursive, not an exclude ---
    List<String> pathValues = new ArrayList<>();
    pathValues.add("resource");
    RangerPolicyResource pathResource = new RangerPolicyResource();
    pathResource.setIsExcludes(false);
    pathResource.setIsRecursive(true);
    pathResource.setValues(pathValues);
    Map<String, RangerPolicyResource> expectedResources = new HashMap<>();
    expectedResources.put("path", pathResource);

    // --- expected single policy item with an ipaddress condition and delegate admin ---
    List<String> ipValues = new ArrayList<>();
    ipValues.add("10.129.35.86");
    RangerPolicyItemCondition ipCondition = new RangerPolicyItemCondition();
    ipCondition.setType("ipaddress");
    ipCondition.setValues(ipValues);
    List<RangerPolicyItemCondition> conditions = new ArrayList<>();
    conditions.add(ipCondition);

    RangerPolicyItem expectedItem = new RangerPolicyItem();
    expectedItem.setUsers(users);
    expectedItem.setGroups(groups);
    expectedItem.setConditions(conditions);
    expectedItem.setDelegateAdmin(true);
    List<RangerPolicyItem> expectedItems = new ArrayList<>();
    expectedItems.add(expectedItem);

    RangerPolicy expected = new RangerPolicy();
    expected.setId(1L);
    expected.setName("hdfs");
    expected.setCreatedBy("rangerAdmin");
    expected.setCreateTime(now);
    expected.setDescription("hdfs policy description");
    expected.setIsAuditEnabled(true);
    expected.setResources(expectedResources);
    expected.setPolicyItems(expectedItems);

    // --- legacy input ---
    VXPermObj permObj = new VXPermObj();
    permObj.setUserList(users);
    permObj.setGroupList(groups);
    permObj.setPermList(perms);
    permObj.setIpAddress("10.129.35.86");
    List<VXPermObj> permObjs = new ArrayList<>();
    permObjs.add(permObj);

    VXPolicy legacyPolicy = new VXPolicy();
    legacyPolicy.setId(1L);
    legacyPolicy.setCreateDate(now);
    legacyPolicy.setUpdateDate(now);
    legacyPolicy.setOwner("rangerAdmin");
    legacyPolicy.setUpdatedBy("rangerAdmin");
    legacyPolicy.setPolicyName("hdfs");
    legacyPolicy.setDescription("hdfs policy description");
    legacyPolicy.setIsEnabled(true);
    legacyPolicy.setIsAuditEnabled(true);
    legacyPolicy.setIsRecursive(true);
    legacyPolicy.setResourceName("resource");
    legacyPolicy.setPermMapList(permObjs);

    RangerService hdfsService = new RangerService();
    hdfsService.setId(1L);
    hdfsService.setName("hdfsService");
    hdfsService.setType("hdfs");

    RangerPolicy actual = serviceUtil.toRangerPolicy(legacyPolicy, hdfsService);

    Assert.assertNotNull(actual);
    Assert.assertEquals(expected.getId(), actual.getId());
    Assert.assertEquals(expected.getName(), actual.getName());
    Assert.assertEquals(expected.getDescription(), actual.getDescription());
    Assert.assertEquals(expected.getCreatedBy(), actual.getCreatedBy());
    Assert.assertTrue(actual.getIsAuditEnabled());
    Assert.assertEquals(expected.getResources(), actual.getResources());
    Assert.assertEquals(expected.getPolicyItems(), actual.getPolicyItems());
}