
Example 6 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class TestRangerPolicyValidator method test_isValidPolicyItemAccess_failures.

@Test
public void test_isValidPolicyItemAccess_failures() {
    // The only access types the validator may accept once a real set of valid accesses is supplied.
    Set<String> validAccesses = Sets.newHashSet(new String[] { "anAccess", "anotherAccess" });
    RangerPolicyItemAccess access = mock(RangerPolicyItemAccess.class);
    // A null isAllowed counts as allowed, so it must not cause a failure on its own.
    when(access.getIsAllowed()).thenReturn(null);
    // Neither a null nor a whitespace-only access type name is acceptable.
    String[] blankTypes = new String[] { null, " 	" };
    for (String blankType : blankTypes) {
        when(access.getType()).thenReturn(blankType);
        // Without a set of valid accesses (null or empty) every check is skipped and the item passes.
        Assert.assertTrue(_validator.isValidPolicyItemAccess(access, _failures, null));
        Assert.assertTrue(_validator.isValidPolicyItemAccess(access, _failures, new HashSet<String>()));
        _failures.clear();
        // With a real set of valid accesses the blank type is reported as a missing value.
        Assert.assertFalse(_validator.isValidPolicyItemAccess(access, _failures, validAccesses));
        _utils.checkFailureForMissingValue(_failures, "policy item access type");
    }
    // A known type combined with an explicit isAllowed == false is a semantic error.
    when(access.getType()).thenReturn("anAccess");
    when(access.getIsAllowed()).thenReturn(false);
    _failures.clear();
    Assert.assertFalse(_validator.isValidPolicyItemAccess(access, _failures, validAccesses));
    _utils.checkFailureForSemanticError(_failures, "policy item access type allowed");
    // A type outside the valid set is a semantic error as well.
    when(access.getType()).thenReturn("newAccessType");
    _failures.clear();
    Assert.assertFalse(_validator.isValidPolicyItemAccess(access, _failures, validAccesses));
    _utils.checkFailureForSemanticError(_failures, "policy item access type");
}

Example 7 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class ValidationTestUtils method createItemAccess.

/**
 * Builds one mocked {@link RangerPolicyItemAccess} per row of {@code data}.
 *
 * @param data rows of the form {@code { type (String), isAllowed (Boolean) }}; only the first
 *             two columns of each row are read
 * @return a mutable list of mocks, in row order, whose {@code getType()} and
 *         {@code getIsAllowed()} return the row's values
 */
List<RangerPolicyItemAccess> createItemAccess(Object[][] data) {
    List<RangerPolicyItemAccess> result = new ArrayList<>(data.length);
    for (Object[] row : data) {
        String type = (String) row[0];
        Boolean isAllowed = (Boolean) row[1];
        RangerPolicyItemAccess mocked = mock(RangerPolicyItemAccess.class);
        when(mocked.getType()).thenReturn(type);
        when(mocked.getIsAllowed()).thenReturn(isAllowed);
        result.add(mocked);
    }
    return result;
}

Example 8 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class RangerDefaultPolicyEvaluator method preprocessPolicyItems.

/**
 * Expands each policy item's accesses with the access types implied by the ones it already lists.
 * <p>
 * For every {@code (accessType -> impliedGrants)} entry of {@code impliedAccessGrants}: if a policy
 * item has an access for {@code accessType}, each implied grant the item lacks is added with the
 * same {@code isAllowed} value, and an implied grant the item already has but marks as not allowed
 * is replaced by {@code accessType}'s {@code isAllowed} value (an allowed implying access therefore
 * widens an explicit deny on the implied type). Items without accesses are left untouched.
 * <p>
 * The policy items are modified in place: access lists are appended to and existing accesses are
 * mutated.
 *
 * @param policyItems         the policy items to expand; each item's access list must be mutable
 * @param impliedAccessGrants map from an access type to the access types it implies
 */
private void preprocessPolicyItems(List<? extends RangerPolicyItem> policyItems, Map<String, Collection<String>> impliedAccessGrants) {
    for (RangerPolicyItem policyItem : policyItems) {
        if (CollectionUtils.isEmpty(policyItem.getAccesses())) {
            continue;
        }
        // multi-level impliedGrants: given admin=>write; write=>read: must imply admin=>read,write
        // NOTE(review): this is a single pass over the map, so for an item holding only "admin" the
        // chain admin=>write, write=>read yields "read" only if the "admin" entry is visited before
        // "write", or if impliedAccessGrants is already transitively closed -- confirm against the caller.
        for (Map.Entry<String, Collection<String>> e : impliedAccessGrants.entrySet()) {
            String accessType = e.getKey();
            Collection<String> impliedGrants = e.getValue();
            RangerPolicyItemAccess access = getAccess(policyItem, accessType);
            if (access == null) {
                // the item says nothing about this access type, so it implies nothing
                continue;
            }
            for (String impliedGrant : impliedGrants) {
                RangerPolicyItemAccess impliedAccess = getAccess(policyItem, impliedGrant);
                if (impliedAccess == null) {
                    // the implied access inherits the implying access's allow/deny value
                    impliedAccess = new RangerPolicyItemAccess(impliedGrant, access.getIsAllowed());
                    policyItem.getAccesses().add(impliedAccess);
                } else {
                    // assumes getIsAllowed() is never null here; a null would NPE on unboxing
                    if (!impliedAccess.getIsAllowed()) {
                        // a deny on the implied type is overridden by the implying access's value
                        impliedAccess.setIsAllowed(access.getIsAllowed());
                    }
                }
            }
        }
    }
}

Example 9 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class RangerPolicyValidator method isValidAccessTypeDef.

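/**
 * Validates that every access type referenced by a row-filter or data-mask policy item is one of
 * the access types the service definition declares for that policy type.
 * <p>
 * Only {@code POLICY_TYPE_ROWFILTER} and {@code POLICY_TYPE_DATAMASK} policies are checked here;
 * for any other policy type (including {@code POLICY_TYPE_ACCESS}, which is assumed when the
 * policy carries no type) nothing is reported and {@code true} is returned. Access type names are
 * compared case-insensitively. Every policy item is examined so that all offending accesses are
 * reported, not just the first one.
 *
 * @param policy     the policy under validation; must not be {@code null}
 * @param failures   collector for validation failures; one
 *                   {@code POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID} entry is appended
 *                   per offending access
 * @param action     the action being validated; used only in debug logging
 * @param isAdmin    whether the caller is an admin; used only in debug logging
 * @param serviceDef the service definition; if {@code null}, or if it lacks a row-filter /
 *                   data-mask definition, the set of permitted names is empty and every access of
 *                   the corresponding policy type is reported as invalid
 * @return {@code true} if no invalid access type was found, {@code false} otherwise
 */
boolean isValidAccessTypeDef(RangerPolicy policy, final List<ValidationFailureDetails> failures, Action action, boolean isAdmin, final RangerServiceDef serviceDef) {
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerPolicyValidator.isValidAccessTypeDef(%s, %s, %s,%s,%s)", policy, failures, action, isAdmin, serviceDef));
    }
    boolean valid = true;
    // A policy without an explicit type is an access policy.
    int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();
    if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
        List<RangerAccessTypeDef> rowFilterAccessTypes = (serviceDef == null || serviceDef.getRowFilterDef() == null) ? null : serviceDef.getRowFilterDef().getAccessTypes();
        List<String> rowFilterAccessTypeDefNames = lowerCaseAccessTypeNames(rowFilterAccessTypes);
        if (!CollectionUtils.isEmpty(policy.getRowFilterPolicyItems())) {
            for (RangerRowFilterPolicyItem rangerRowFilterPolicyItem : policy.getRowFilterPolicyItems()) {
                // The helper runs first so a failure in one item does not short-circuit the remaining ones.
                valid = validateAccessTypes(rangerRowFilterPolicyItem.getAccesses(), rowFilterAccessTypeDefNames, "row filter policy item access type", failures) && valid;
            }
        }
    } else if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
        List<RangerAccessTypeDef> dataMaskAccessTypes = (serviceDef == null || serviceDef.getDataMaskDef() == null) ? null : serviceDef.getDataMaskDef().getAccessTypes();
        List<String> dataMaskAccessTypeDefNames = lowerCaseAccessTypeNames(dataMaskAccessTypes);
        if (!CollectionUtils.isEmpty(policy.getDataMaskPolicyItems())) {
            for (RangerDataMaskPolicyItem rangerDataMaskPolicyItem : policy.getDataMaskPolicyItems()) {
                valid = validateAccessTypes(rangerDataMaskPolicyItem.getAccesses(), dataMaskAccessTypeDefNames, "data masking policy item access type", failures) && valid;
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.isValidAccessTypeDef(%s, %s, %s,%s,%s)", policy, failures, action, isAdmin, serviceDef));
    }
    return valid;
}

/**
 * Collects the lower-cased names of the given access type definitions.
 *
 * @param accessTypeDefs the definitions to read; may be {@code null} or empty
 * @return the lower-cased names, in definition order; definitions that are {@code null} or have no
 *         name are skipped (they could never match anything), so the result is empty when there is
 *         nothing usable
 */
private static List<String> lowerCaseAccessTypeNames(List<RangerAccessTypeDef> accessTypeDefs) {
    List<String> names = new ArrayList<>();
    if (!CollectionUtils.isEmpty(accessTypeDefs)) {
        for (RangerAccessTypeDef accessTypeDef : accessTypeDefs) {
            if (accessTypeDef != null && accessTypeDef.getName() != null) {
                // toLowerCase() without a Locale keeps the comparison identical to the original
                // validator; the permitted names are lower-cased the same way.
                names.add(accessTypeDef.getName().toLowerCase());
            }
        }
    }
    return names;
}

/**
 * Reports every access whose type is not one of {@code permittedNames}.
 *
 * @param accesses       the accesses of a single policy item; may be {@code null} or empty
 * @param permittedNames lower-cased names of the access types the service definition allows
 * @param field          the failure's field label, e.g. {@code "row filter policy item access type"}
 * @param failures       collector the failures are appended to
 * @return {@code true} if every access has a permitted type (or there are no accesses),
 *         {@code false} if at least one failure was added
 */
private static boolean validateAccessTypes(List<RangerPolicyItemAccess> accesses, List<String> permittedNames, String field, List<ValidationFailureDetails> failures) {
    if (CollectionUtils.isEmpty(accesses)) {
        return true;
    }
    boolean valid = true;
    for (RangerPolicyItemAccess access : accesses) {
        String type = access == null ? null : access.getType();
        // A missing type is not a permitted type: fail closed with a validation error instead of
        // throwing NullPointerException from toLowerCase().
        if (type == null || !permittedNames.contains(type.toLowerCase())) {
            ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID;
            failures.add(new ValidationFailureDetailsBuilder().field(field).isSemanticallyIncorrect().becauseOf(error.getMessage(type, permittedNames)).errorCode(error.getErrorCode()).build());
            valid = false;
        }
    }
    return valid;
}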

Example 10 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class ServiceREST method grantAccess.

/**
 * Grants the accesses described by {@code grantRequest} on a resource of the named service, either
 * by updating the policy that exactly matches the resource or by creating a new one.
 * <p>
 * The request is only acted upon when {@code grantRequest} is non-null and
 * {@code serviceUtil.isValidateHttpsAuthentication(serviceName, request)} passes; otherwise the
 * returned response is left untouched (its status is only set to {@code STATUS_SUCCESS} on the
 * success path). The grantor and, when supplied, the grantor's groups are taken from the request
 * body and drive the authorization decision ({@code hasAdminAccess}); NOTE(review): this relies on
 * the HTTPS-authentication check establishing that the caller is a trusted plugin -- confirm.
 * Users holding an auditor role are always refused.
 *
 * @param serviceName  the service whose policies are modified
 * @param grantRequest what to grant: grantor, grantor groups, resource, users, groups, access types,
 *                     audit, recursion and delegate-admin flags
 * @param request      the servlet request, used for the HTTPS/authentication check
 * @return a response with {@code STATUS_SUCCESS} when a policy was updated or created
 * @throws Exception a {@code WebApplicationException} is rethrown as-is; any other failure inside
 *                   the protected section is logged and rethrown via
 *                   {@code restErrorUtil.createRESTException(message)}, so the underlying exception
 *                   message is passed on to the client
 */
@POST
@Path("/services/grant/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse grantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + ")");
    }
    RESTResponse ret = new RESTResponse();
    RangerPerfTracer perf = null;
    if (grantRequest != null) {
        // gate on the HTTPS/authentication check before touching any policy
        if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
            try {
                if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
                    perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.grantAccess(serviceName=" + serviceName + ")");
                }
                validateGrantRevokeRequest(grantRequest);
                // grantor identity comes from the request body, not from the servlet session
                String userName = grantRequest.getGrantor();
                // request-supplied groups win; the user manager is consulted only when none are given
                Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
                VXUser vxUser = xUserService.getXUserByUserName(userName);
                // auditor roles are read-only and may never grant
                if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
                    VXResponse vXResponse = new VXResponse();
                    vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
                    vXResponse.setMsgDesc("Operation" + " denied. LoggedInUser=" + vxUser.getId() + " ,isn't permitted to perform the action.");
                    throw restErrorUtil.generateRESTException(vXResponse);
                }
                // the grantor must be an admin (delegated or otherwise) for this resource
                boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
                if (!isAdmin) {
                    throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access");
                }
                RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
                if (policy != null) {
                    // an exact-match policy exists: merge the grant into it
                    boolean policyUpdated = false;
                    policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest);
                    if (policyUpdated) {
                        svcStore.updatePolicy(policy);
                    } else {
                        LOG.error("processGrantRequest processing failed");
                        throw new Exception("processGrantRequest processing failed");
                    }
                } else {
                    // no exact-match policy: create one holding a single allow-only policy item
                    policy = new RangerPolicy();
                    policy.setService(serviceName);
                    // TODO: better policy name
                    policy.setName("grant-" + System.currentTimeMillis());
                    policy.setDescription("created by grant");
                    policy.setIsAuditEnabled(grantRequest.getEnableAudit());
                    policy.setCreatedBy(userName);
                    Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
                    Set<String> resourceNames = resource.getKeys();
                    if (!CollectionUtils.isEmpty(resourceNames)) {
                        for (String resourceName : resourceNames) {
                            RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
                            policyResource.setIsRecursive(grantRequest.getIsRecursive());
                            policyResources.put(resourceName, policyResource);
                        }
                    }
                    policy.setResources(policyResources);
                    RangerPolicyItem policyItem = new RangerPolicyItem();
                    policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
                    policyItem.getUsers().addAll(grantRequest.getUsers());
                    policyItem.getGroups().addAll(grantRequest.getGroups());
                    // every requested access type is added as allowed; a grant never creates a deny
                    for (String accessType : grantRequest.getAccessTypes()) {
                        policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
                    }
                    policy.getPolicyItems().add(policyItem);
                    svcStore.createPolicy(policy);
                }
            } catch (WebApplicationException excp) {
                // already a REST-shaped error (e.g. the auditor/admin refusals above); pass through
                throw excp;
            } catch (Throwable excp) {
                // everything else becomes a REST exception carrying the raw exception message
                LOG.error("grantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
                throw restErrorUtil.createRESTException(excp.getMessage());
            } finally {
                RangerPerfTracer.log(perf);
            }
            ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + "): " + ret);
    }
    return ret;
}
