Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
The class TestRangerPolicyValidator, method test_isValidPolicyItemAccess_failures.
/**
 * Exercises the failure paths of {@code isValidPolicyItemAccess}: a missing (null/blank)
 * access type, a known access type that is explicitly disallowed, and an access type that
 * is not in the set of valid ones.
 *
 * <p>Two behaviours this test relies on: a {@code null} isAllowed is accepted by the
 * validator (treated like {@code true}), and a {@code null} or empty set of valid access
 * types short-circuits every check so the access is reported valid.
 */
@Test
public void test_isValidPolicyItemAccess_failures() {
    Set<String> knownAccessTypes = Sets.newHashSet("anAccess", "anotherAccess");
    RangerPolicyItemAccess access = mock(RangerPolicyItemAccess.class);
    // null isAllowed is accepted by the validator as if it were true
    when(access.getIsAllowed()).thenReturn(null);

    // 1. a null or blank access type is a missing value ...
    String[] missingTypes = { null, " " };
    for (String missingType : missingTypes) {
        when(access.getType()).thenReturn(missingType);
        // ... unless there is no set of valid accesses to check against, in which case every check is skipped
        Assert.assertTrue(_validator.isValidPolicyItemAccess(access, _failures, null));
        Assert.assertTrue(_validator.isValidPolicyItemAccess(access, _failures, new HashSet<String>()));
        _failures.clear();
        Assert.assertFalse(_validator.isValidPolicyItemAccess(access, _failures, knownAccessTypes));
        _utils.checkFailureForMissingValue(_failures, "policy item access type");
    }

    // 2. a known access type that is explicitly not allowed is a semantic error
    when(access.getType()).thenReturn("anAccess");
    when(access.getIsAllowed()).thenReturn(false);
    _failures.clear();
    Assert.assertFalse(_validator.isValidPolicyItemAccess(access, _failures, knownAccessTypes));
    _utils.checkFailureForSemanticError(_failures, "policy item access type allowed");

    // 3. an access type outside the valid set is a semantic error (isAllowed is still false here)
    when(access.getType()).thenReturn("newAccessType");
    _failures.clear();
    Assert.assertFalse(_validator.isValidPolicyItemAccess(access, _failures, knownAccessTypes));
    _utils.checkFailureForSemanticError(_failures, "policy item access type");
}
Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
The class ValidationTestUtils, method createItemAccess.
/**
 * Builds mocked policy-item accesses from tabular test data.
 *
 * @param data one row per access: {@code row[0]} is the access type ({@code String}) and
 *             {@code row[1]} the isAllowed flag ({@code Boolean}); either may be {@code null}
 * @return one mock per row, in row order; each mock answers only {@code getType()} and
 *         {@code getIsAllowed()}
 */
List<RangerPolicyItemAccess> createItemAccess(Object[][] data) {
    List<RangerPolicyItemAccess> result = new ArrayList<>(data.length);
    for (Object[] row : data) {
        String type = (String) row[0];
        Boolean allowed = (Boolean) row[1];
        RangerPolicyItemAccess mockAccess = mock(RangerPolicyItemAccess.class);
        when(mockAccess.getType()).thenReturn(type);
        when(mockAccess.getIsAllowed()).thenReturn(allowed);
        result.add(mockAccess);
    }
    return result;
}
Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
The class RangerDefaultPolicyEvaluator, method preprocessPolicyItems.
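/**
 * Expands implied access grants into each policy item, mutating the items in place.
 *
 * <p>For every access type present in a policy item that has implied grants (e.g.
 * {@code admin => write}), each implied access type is added to the item's accesses with the
 * implying access's isAllowed value, or — when already present but explicitly disallowed —
 * switched to the implying access's isAllowed value.
 *
 * <p>Transitivity ({@code admin => write}, {@code write => read} yielding {@code admin => read})
 * only holds if {@code impliedAccessGrants} is already transitively closed: the map is walked
 * once, so an entry for {@code write} visited before {@code admin} would not see the
 * {@code write} access that {@code admin} adds later. NOTE(review): confirm the caller passes
 * the expanded map.
 *
 * @param policyItems         items to expand; items with no accesses are left untouched
 * @param impliedAccessGrants access type {@code ->} the access types it implies
 */
private void preprocessPolicyItems(List<? extends RangerPolicyItem> policyItems, Map<String, Collection<String>> impliedAccessGrants) {
    for (RangerPolicyItem policyItem : policyItems) {
        if (CollectionUtils.isEmpty(policyItem.getAccesses())) {
            continue;
        }
        for (Map.Entry<String, Collection<String>> grant : impliedAccessGrants.entrySet()) {
            RangerPolicyItemAccess implying = getAccess(policyItem, grant.getKey());
            if (implying == null) {
                continue;
            }
            for (String impliedType : grant.getValue()) {
                RangerPolicyItemAccess implied = getAccess(policyItem, impliedType);
                if (implied == null) {
                    policyItem.getAccesses().add(new RangerPolicyItemAccess(impliedType, implying.getIsAllowed()));
                } else if (Boolean.FALSE.equals(implied.getIsAllowed())) {
                    // Only an explicit "false" is overridden. isAllowed is a boxed Boolean that may be
                    // null (the validator accepts null as allowed); unboxing it with "!" would throw NPE.
                    implied.setIsAllowed(implying.getIsAllowed());
                }
            }
        }
    }
}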
Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
The class RangerPolicyValidator, method isValidAccessTypeDef.
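/**
 * Checks that every access type used by a row-filter or data-mask policy is one that the
 * service definition declares for that policy type. Access policies (and any other policy
 * type) are not checked here and always pass.
 *
 * <p>Comparison is case-insensitive (both sides are lower-cased with the default locale).
 * A {@code null} access type on a policy item, or a service definition without the relevant
 * row-filter/data-mask section, is reported as a validation failure rather than an exception.
 *
 * @param policy     policy under validation; a {@code null} policyType defaults to access
 * @param failures   receives one entry per offending policy-item access
 * @param action     validation action (logged only)
 * @param isAdmin    whether the caller is an admin (logged only)
 * @param serviceDef service definition the policy belongs to; may be {@code null}
 * @return {@code true} if this method recorded no failure
 */
boolean isValidAccessTypeDef(RangerPolicy policy, final List<ValidationFailureDetails> failures, Action action, boolean isAdmin, final RangerServiceDef serviceDef) {
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerPolicyValidator.isValidAccessTypeDef(%s, %s, %s,%s,%s)", policy, failures, action, isAdmin, serviceDef));
    }
    boolean valid = true;
    int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();

    // row filter policy: every item's access types must be declared in the service's row-filter def
    if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
        List<RangerAccessTypeDef> declared = (serviceDef != null && serviceDef.getRowFilterDef() != null) ? serviceDef.getRowFilterDef().getAccessTypes() : null;
        List<String> allowedNames = lowerCaseAccessTypeNames(declared);
        if (!CollectionUtils.isEmpty(policy.getRowFilterPolicyItems())) {
            for (RangerRowFilterPolicyItem item : policy.getRowFilterPolicyItems()) {
                valid = checkAccessTypes(item.getAccesses(), allowedNames, "row filter policy item access type", failures) && valid;
            }
        }
    }

    // data mask policy: same rule against the service's data-mask def
    if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
        List<RangerAccessTypeDef> declared = (serviceDef != null && serviceDef.getDataMaskDef() != null) ? serviceDef.getDataMaskDef().getAccessTypes() : null;
        List<String> allowedNames = lowerCaseAccessTypeNames(declared);
        if (!CollectionUtils.isEmpty(policy.getDataMaskPolicyItems())) {
            for (RangerDataMaskPolicyItem item : policy.getDataMaskPolicyItems()) {
                valid = checkAccessTypes(item.getAccesses(), allowedNames, "data masking policy item access type", failures) && valid;
            }
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.isValidAccessTypeDef(%s, %s, %s,%s,%s)", policy, failures, action, isAdmin, serviceDef));
    }
    return valid;
}

/**
 * Lower-cases the names of the given access-type definitions.
 *
 * @param accessTypeDefs definitions to read; {@code null} or empty yields an empty list
 * @return the lower-cased names; definitions that are {@code null} or have no name are skipped
 *         (they can never match, and skipping avoids an NPE)
 */
private static List<String> lowerCaseAccessTypeNames(List<RangerAccessTypeDef> accessTypeDefs) {
    List<String> names = new ArrayList<String>();
    if (!CollectionUtils.isEmpty(accessTypeDefs)) {
        for (RangerAccessTypeDef def : accessTypeDefs) {
            if (def != null && def.getName() != null) {
                names.add(def.getName().toLowerCase());
            }
        }
    }
    return names;
}

/**
 * Records one semantic failure for every access whose type is not (case-insensitively) in
 * {@code allowedNames}.
 *
 * @param accesses     accesses of one policy item; {@code null} or empty is acceptable
 * @param allowedNames lower-cased names of the declared access types
 * @param fieldName    field name reported in each failure
 * @param failures     receives the failures
 * @return {@code true} if every access was acceptable
 */
private static boolean checkAccessTypes(List<RangerPolicyItemAccess> accesses, List<String> allowedNames, String fieldName, List<ValidationFailureDetails> failures) {
    boolean valid = true;
    if (CollectionUtils.isEmpty(accesses)) {
        return valid;
    }
    for (RangerPolicyItemAccess access : accesses) {
        String type = access == null ? null : access.getType();
        // a missing type cannot be valid; report it instead of NPE-ing on toLowerCase()
        if (type == null || !allowedNames.contains(type.toLowerCase())) {
            ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID;
            failures.add(new ValidationFailureDetailsBuilder().field(fieldName).isSemanticallyIncorrect().becauseOf(error.getMessage(type, allowedNames)).errorCode(error.getErrorCode()).build());
            valid = false;
        }
    }
    return valid;
}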
Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
The class ServiceREST, method grantAccess.
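/**
 * Grants the access types in {@code grantRequest} to its users and groups on the request's
 * resource within {@code serviceName}: the policy that exactly matches the resource is updated,
 * or a new policy is created when none exists.
 *
 * <p>Authorization, in order: the request must pass
 * {@code serviceUtil.isValidateHttpsAuthentication}; the grantor named in the request body must
 * be a known user, must not hold an auditor role, and must have admin access on the resource
 * ({@code hasAdminAccess}). The grantor's groups are taken from the request body when present,
 * otherwise looked up via {@code userMgr}. NOTE(review): grantor and grantorGroups are
 * client-supplied values, so the authorization decision relies on the HTTPS/service
 * authentication above binding the caller to a trusted plugin — confirm that is the intent.
 *
 * @param serviceName  service the grant applies to
 * @param grantRequest grant details; a {@code null} request is a no-op returning a default response
 * @param request      HTTP request, used for the authentication check
 * @return a response whose status is success once the grant has been persisted
 * @throws Exception a REST exception when the grant is denied or fails; non-REST failures are
 *                   logged and re-thrown via {@code restErrorUtil.createRESTException}
 */
@POST
@Path("/services/grant/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse grantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + ")");
    }
    RESTResponse ret = new RESTResponse();
    if (grantRequest != null && serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
        RangerPerfTracer perf = null;
        try {
            if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
                perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.grantAccess(serviceName=" + serviceName + ")");
            }
            validateGrantRevokeRequest(grantRequest);
            String userName = grantRequest.getGrantor();
            Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
            RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
            VXUser vxUser = xUserService.getXUserByUserName(userName);
            // An unknown grantor (if the lookup returns null) previously surfaced as a NullPointerException
            // on the role check below; deny explicitly, with the same message as the admin-access denial
            // so the response does not reveal whether the user exists.
            if (vxUser == null) {
                throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access");
            }
            // auditor roles are read-only and may never grant
            if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
                VXResponse vXResponse = new VXResponse();
                vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
                vXResponse.setMsgDesc("Operation" + " denied. LoggedInUser=" + vxUser.getId() + " ,isn't permitted to perform the action.");
                throw restErrorUtil.generateRESTException(vXResponse);
            }
            if (!hasAdminAccess(serviceName, userName, userGroups, resource)) {
                throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access");
            }
            RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
            if (policy != null) {
                if (!ServiceRESTUtil.processGrantRequest(policy, grantRequest)) {
                    LOG.error("processGrantRequest processing failed");
                    throw new Exception("processGrantRequest processing failed");
                }
                svcStore.updatePolicy(policy);
            } else {
                svcStore.createPolicy(buildPolicyForGrant(serviceName, userName, resource, grantRequest));
            }
        } catch (WebApplicationException excp) {
            throw excp;
        } catch (Throwable excp) {
            LOG.error("grantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
            throw restErrorUtil.createRESTException(excp.getMessage());
        } finally {
            RangerPerfTracer.log(perf);
        }
        ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + "): " + ret);
    }
    return ret;
}

/**
 * Builds (without persisting) a new policy that grants every access type in {@code grantRequest}
 * to the request's users and groups on {@code resource}.
 *
 * @param serviceName  service the policy belongs to
 * @param userName     grantor, recorded as the policy's creator
 * @param resource     resource the policy covers; each key becomes one policy resource
 * @param grantRequest source of the users, groups, access types, audit and recursive flags
 * @return the new, unsaved policy with a single policy item
 */
private RangerPolicy buildPolicyForGrant(String serviceName, String userName, RangerAccessResource resource, GrantRevokeRequest grantRequest) {
    RangerPolicy policy = new RangerPolicy();
    policy.setService(serviceName);
    // TODO: better policy name (a millisecond timestamp can collide for concurrent grants)
    policy.setName("grant-" + System.currentTimeMillis());
    policy.setDescription("created by grant");
    policy.setIsAuditEnabled(grantRequest.getEnableAudit());
    policy.setCreatedBy(userName);

    Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
    Set<String> resourceNames = resource.getKeys();
    if (!CollectionUtils.isEmpty(resourceNames)) {
        for (String resourceName : resourceNames) {
            RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
            policyResource.setIsRecursive(grantRequest.getIsRecursive());
            policyResources.put(resourceName, policyResource);
        }
    }
    policy.setResources(policyResources);

    // every requested access type is granted (isAllowed = true) to every requested user and group
    RangerPolicyItem policyItem = new RangerPolicyItem();
    policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
    policyItem.getUsers().addAll(grantRequest.getUsers());
    policyItem.getGroups().addAll(grantRequest.getGroups());
    for (String accessType : grantRequest.getAccessTypes()) {
        policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
    }
    policy.getPolicyItems().add(policyItem);
    return policy;
}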