use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
the class TestServiceREST method test42grant.
@Test
public void test42grant() {
    // Grant request under test: user1 and group1 are granted "delete" and
    // "index" on /tmp (recursive), with delegate-admin and audit switched on.
    GrantRevokeRequest grantRequest = new GrantRevokeRequest();
    Map<String, String> grantResource = new HashMap<String, String>();
    grantResource.put("path", "/tmp");
    grantRequest.setResource(grantResource);
    grantRequest.getUsers().add("user1");
    grantRequest.getGroups().add("group1");
    grantRequest.getAccessTypes().add("delete");
    grantRequest.getAccessTypes().add("index");
    grantRequest.setDelegateAdmin(true);
    grantRequest.setEnableAudit(true);
    grantRequest.setIsRecursive(true);
    grantRequest.setGrantor("test42Grant");

    // Existing policy the grant is applied to: a single "path" resource
    // (/tmp, excludes + recursive) and an initially empty allow list.
    RangerPolicy policy = rangerPolicy();
    policy.setPolicyItems(new ArrayList<RangerPolicyItem>());
    RangerPolicyResource pathResource = new RangerPolicyResource("/tmp");
    pathResource.setIsExcludes(true);
    pathResource.setIsRecursive(true);
    Map<String, RangerPolicyResource> resources = new HashMap<String, RangerPolicyResource>();
    resources.put("path", pathResource);
    policy.setResources(resources);

    // Allow item 1: read/write/delete/lock for group1, group2, user1, user2 (delegate-admin).
    RangerPolicyItem allowAll = new RangerPolicyItem();
    allowAll.getAccesses().add(new RangerPolicyItemAccess("read", true));
    allowAll.getAccesses().add(new RangerPolicyItemAccess("write", true));
    allowAll.getAccesses().add(new RangerPolicyItemAccess("delete", true));
    allowAll.getAccesses().add(new RangerPolicyItemAccess("lock", true));
    allowAll.getGroups().add("group1");
    allowAll.getGroups().add("group2");
    allowAll.getUsers().add("user1");
    allowAll.getUsers().add("user2");
    allowAll.setDelegateAdmin(true);
    policy.getPolicyItems().add(allowAll);

    // Allow item 2: same accesses for group3 / user3 (delegate-admin).
    RangerPolicyItem allowThird = new RangerPolicyItem();
    allowThird.getAccesses().add(new RangerPolicyItemAccess("read", true));
    allowThird.getAccesses().add(new RangerPolicyItemAccess("write", true));
    allowThird.getAccesses().add(new RangerPolicyItemAccess("delete", true));
    allowThird.getAccesses().add(new RangerPolicyItemAccess("lock", true));
    allowThird.getGroups().add("group3");
    allowThird.getUsers().add("user3");
    allowThird.setDelegateAdmin(true);
    policy.getPolicyItems().add(allowThird);

    // Allow exception: delete/lock carved out again for group1, group2, user1, user2.
    RangerPolicyItem allowException = new RangerPolicyItem();
    allowException.getAccesses().add(new RangerPolicyItemAccess("delete", true));
    allowException.getAccesses().add(new RangerPolicyItemAccess("lock", true));
    allowException.getGroups().add("group1");
    allowException.getGroups().add("group2");
    allowException.getUsers().add("user1");
    allowException.getUsers().add("user2");
    allowException.setDelegateAdmin(false);
    policy.getAllowExceptions().add(allowException);

    // Deny item 1: delete denied for group2 / user2.
    RangerPolicyItem denyDelete = new RangerPolicyItem();
    denyDelete.getAccesses().add(new RangerPolicyItemAccess("delete", true));
    denyDelete.getGroups().add("group2");
    denyDelete.getUsers().add("user2");
    denyDelete.setDelegateAdmin(false);
    policy.getDenyPolicyItems().add(denyDelete);

    // Deny item 2: index denied for the "public" group and user "user".
    RangerPolicyItem denyIndex = new RangerPolicyItem();
    denyIndex.getAccesses().add(new RangerPolicyItemAccess("index", true));
    denyIndex.getGroups().add("public");
    denyIndex.getUsers().add("user");
    denyIndex.setDelegateAdmin(false);
    policy.getDenyPolicyItems().add(denyIndex);

    String before = policy.toString();
    System.out.println("existingPolicy=" + before);
    ServiceRESTUtil.processGrantRequest(policy, grantRequest);
    String after = policy.toString();
    System.out.println("resultPolicy=" + after);

    // NOTE(review): this test only checks that processGrantRequest does not
    // throw; the trailing assert is a no-op (and a plain Java assert, not a
    // JUnit one). It cannot catch a regression in how the grant merges into
    // the allow/deny items, e.g. a granted access silently staying denied or a
    // delegate-admin being widened. Assertions on the resulting policy items
    // should be added once the expected merge is pinned down.
    assert (true);
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
the class ServiceUtil method toRangerPolicy.
/**
 * Converts a legacy {@link VXPolicy} into a {@link RangerPolicy} for the given
 * service.
 *
 * Returns {@code null} when either argument is null or when the service type
 * has no legacy asset-type mapping ({@code toAssetType}); callers must expect
 * the null.
 *
 * Resource mapping: only HDFS policies get a "path" resource and only HDFS
 * honours the legacy recursive flag; the table/column exclusion flags are
 * derived from the legacy tableType/columnType labels. Permission mapping:
 * each {@link VXPermObj} becomes one allow policy item; perms that
 * {@code AppConstants.getEnumFor_XAPermType} does not recognise are dropped
 * without error, and the "Admin" perm becomes delegate-admin on the item (it is
 * also kept as an access type only for HBase).
 *
 * @param vXPolicy legacy policy; may be null
 * @param service  target service; may be null
 * @return the converted policy, or null as described above
 */
public RangerPolicy toRangerPolicy(VXPolicy vXPolicy, RangerService service) {
    if (vXPolicy == null || service == null || toAssetType(service.getType()) == null) {
        return null;
    }
    RangerPolicy ret = new RangerPolicy();
    // presumably copies the shared base-object fields (id, timestamps, ...)
    // — see dataObjectToRangerObject
    ret = (RangerPolicy) dataObjectToRangerObject(vXPolicy, ret);
    ret.setService(service.getName());
    ret.setName(StringUtils.trim(vXPolicy.getPolicyName()));
    ret.setDescription(vXPolicy.getDescription());
    // NOTE(review): "== true" unboxes; this NPEs if getIsEnabled() can return
    // null — confirm the legacy bean defaults it.
    ret.setIsEnabled(vXPolicy.getIsEnabled() == true);
    ret.setIsAuditEnabled(vXPolicy.getIsAuditEnabled());
    Integer assetType = toAssetType(service.getType());
    // Recursive flag is only meaningful (and only honoured) for HDFS paths.
    Boolean isRecursive = Boolean.FALSE;
    if (assetType == RangerCommonEnums.ASSET_HDFS && vXPolicy.getIsRecursive() != null) {
        isRecursive = vXPolicy.getIsRecursive();
    }
    // Legacy "exclusion" policies carry the flag as a label on tableType /
    // columnType; map it onto the per-resource isExcludes flag.
    Boolean isTableExcludes = Boolean.FALSE;
    if (vXPolicy.getTableType() != null) {
        isTableExcludes = vXPolicy.getTableType().equals(RangerCommonEnums.getLabelFor_PolicyType(RangerCommonEnums.POLICY_EXCLUSION));
    }
    Boolean isColumnExcludes = Boolean.FALSE;
    if (vXPolicy.getColumnType() != null) {
        isColumnExcludes = vXPolicy.getColumnType().equals(RangerCommonEnums.getLabelFor_PolicyType(RangerCommonEnums.POLICY_EXCLUSION));
    }
    // Each legacy field maps onto a named resource; isRecursive is passed to
    // every one but is FALSE for anything other than HDFS (see above).
    if (assetType == RangerCommonEnums.ASSET_HDFS && vXPolicy.getResourceName() != null) {
        toRangerResourceList(vXPolicy.getResourceName(), "path", Boolean.FALSE, isRecursive, ret.getResources());
    }
    if (vXPolicy.getTables() != null) {
        toRangerResourceList(vXPolicy.getTables(), "table", isTableExcludes, isRecursive, ret.getResources());
    }
    if (vXPolicy.getColumnFamilies() != null) {
        toRangerResourceList(vXPolicy.getColumnFamilies(), "column-family", Boolean.FALSE, isRecursive, ret.getResources());
    }
    if (vXPolicy.getColumns() != null) {
        toRangerResourceList(vXPolicy.getColumns(), "column", isColumnExcludes, isRecursive, ret.getResources());
    }
    if (vXPolicy.getDatabases() != null) {
        toRangerResourceList(vXPolicy.getDatabases(), "database", Boolean.FALSE, isRecursive, ret.getResources());
    }
    if (vXPolicy.getUdfs() != null) {
        toRangerResourceList(vXPolicy.getUdfs(), "udf", Boolean.FALSE, isRecursive, ret.getResources());
    }
    if (vXPolicy.getTopologies() != null) {
        toRangerResourceList(vXPolicy.getTopologies(), "topology", Boolean.FALSE, isRecursive, ret.getResources());
    }
    if (vXPolicy.getServices() != null) {
        toRangerResourceList(vXPolicy.getServices(), "service", Boolean.FALSE, isRecursive, ret.getResources());
    }
    // One allow policy item per legacy perm object. Deny items / exceptions
    // have no legacy counterpart and are never produced here.
    if (vXPolicy.getPermMapList() != null) {
        List<VXPermObj> vXPermObjList = vXPolicy.getPermMapList();
        for (VXPermObj vXPermObj : vXPermObjList) {
            List<String> userList = new ArrayList<String>();
            List<String> groupList = new ArrayList<String>();
            List<RangerPolicyItemAccess> accessList = new ArrayList<RangerPolicyItemAccess>();
            String ipAddress = null;
            boolean delegatedAdmin = false;
            if (vXPermObj.getUserList() != null) {
                for (String user : vXPermObj.getUserList()) {
                    // NOTE(review): intent of this filter is unclear — if
                    // getUserName(user) returns its input unchanged the check
                    // is always true; verify what it is meant to reject.
                    if (user.contains(getUserName(user))) {
                        userList.add(user);
                    }
                }
            }
            if (vXPermObj.getGroupList() != null) {
                for (String group : vXPermObj.getGroupList()) {
                    // NOTE(review): same question as for users above.
                    if (group.contains(getGroupName(group))) {
                        groupList.add(group);
                    }
                }
            }
            if (vXPermObj.getPermList() != null) {
                for (String perm : vXPermObj.getPermList()) {
                    // Unknown perm names are silently skipped (no error, no log).
                    if (AppConstants.getEnumFor_XAPermType(perm) != 0) {
                        if ("Admin".equalsIgnoreCase(perm)) {
                            // "Admin" means delegate-admin on the item; it is
                            // only kept as an access type for HBase, which has
                            // a real admin access.
                            delegatedAdmin = true;
                            if (assetType != RangerCommonEnums.ASSET_HBASE) {
                                continue;
                            }
                        }
                        accessList.add(new RangerPolicyItemAccess(perm));
                    }
                }
            }
            if (vXPermObj.getIpAddress() != null) {
                ipAddress = vXPermObj.getIpAddress();
            }
            RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
            policyItem.setUsers(userList);
            policyItem.setGroups(groupList);
            policyItem.setAccesses(accessList);
            if (delegatedAdmin) {
                policyItem.setDelegateAdmin(Boolean.TRUE);
            } else {
                policyItem.setDelegateAdmin(Boolean.FALSE);
            }
            // A legacy IP restriction becomes a single "ipaddress" condition.
            if (ipAddress != null && !ipAddress.isEmpty()) {
                RangerPolicy.RangerPolicyItemCondition ipCondition = new RangerPolicy.RangerPolicyItemCondition("ipaddress", Collections.singletonList(ipAddress));
                policyItem.getConditions().add(ipCondition);
            }
            ret.getPolicyItems().add(policyItem);
        }
    }
    return ret;
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
the class ServiceUtil method getVXPermMapList.
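/**
 * Flattens the allow policy items of a {@link RangerPolicy} into the legacy
 * {@link VXPermMap} representation: one perm map per (user or group, allowed
 * access type) pair, plus one extra "Admin" perm map per user/group of an item
 * that carries delegate-admin.
 *
 * Only {@code policy.getPolicyItems()} is exported; deny items, allow
 * exceptions and deny exceptions have no legacy equivalent and are ignored.
 * The {@code permGroup} id ties together the perm maps produced from one
 * policy item; users and groups of the same item get distinct ids because
 * the counter is advanced between them.
 *
 * Fix: the "ipaddress" condition type is now compared with {@code equals}
 * rather than {@code ==}. Condition types are read back from JSON/DB and are
 * not interned, so the reference comparison could miss the condition and
 * silently drop the IP restriction from every exported perm map, making the
 * legacy view of the policy broader than the real one. Null delegate-admin
 * and null isAllowed flags are treated as "not granted".
 *
 * @param policy the policy to export; must be non-null with a non-null
 *               policy-item list
 * @return the perm maps, possibly empty; never null
 */
public List<VXPermMap> getVXPermMapList(RangerPolicy policy) {
    List<VXPermMap> permMapList = new ArrayList<VXPermMap>();
    int permGroup = 0;
    for (RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
        String ipAddress = null;
        for (RangerPolicy.RangerPolicyItemCondition condition : policyItem.getConditions()) {
            // Value comparison: '==' on the type string only works for
            // interned literals and would drop the IP restriction otherwise.
            if ("ipaddress".equals(condition.getType())) {
                List<String> values = condition.getValues();
                if (CollectionUtils.isNotEmpty(values)) {
                    // TODO changes this to properly deal with collection for now just returning 1st item
                    ipAddress = values.get(0);
                }
            }
            if (ipAddress != null && !ipAddress.isEmpty()) {
                // only 1 IP-address per permMap
                break;
            }
        }
        // Null-safe: a missing delegate-admin flag means "not delegated".
        boolean delegateAdmin = Boolean.TRUE.equals(policyItem.getDelegateAdmin());

        String userPermGroup = String.valueOf(permGroup);
        for (String userName : policyItem.getUsers()) {
            for (RangerPolicyItemAccess access : policyItem.getAccesses()) {
                // Only explicitly allowed accesses are exported; a null flag
                // is treated as not allowed rather than as a grant.
                if (!Boolean.TRUE.equals(access.getIsAllowed())) {
                    continue;
                }
                VXPermMap permMap = new VXPermMap();
                permMap.setPermFor(AppConstants.XA_PERM_FOR_USER);
                permMap.setPermGroup(userPermGroup);
                permMap.setUserName(userName);
                permMap.setUserId(getUserId(userName));
                permMap.setPermType(toPermType(access.getType()));
                permMap.setIpAddress(ipAddress);
                permMapList.add(permMap);
            }
            if (delegateAdmin) {
                VXPermMap permMap = new VXPermMap();
                permMap.setPermFor(AppConstants.XA_PERM_FOR_USER);
                permMap.setPermGroup(userPermGroup);
                permMap.setUserName(userName);
                permMap.setUserId(getUserId(userName));
                permMap.setPermType(toPermType("Admin"));
                permMap.setIpAddress(ipAddress);
                permMapList.add(permMap);
            }
        }
        permGroup++;

        String groupPermGroup = String.valueOf(permGroup);
        for (String groupName : policyItem.getGroups()) {
            for (RangerPolicyItemAccess access : policyItem.getAccesses()) {
                if (!Boolean.TRUE.equals(access.getIsAllowed())) {
                    continue;
                }
                VXPermMap permMap = new VXPermMap();
                permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP);
                permMap.setPermGroup(groupPermGroup);
                permMap.setGroupName(groupName);
                permMap.setGroupId(getGroupId(groupName));
                permMap.setPermType(toPermType(access.getType()));
                permMap.setIpAddress(ipAddress);
                permMapList.add(permMap);
            }
            if (delegateAdmin) {
                VXPermMap permMap = new VXPermMap();
                permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP);
                permMap.setPermGroup(groupPermGroup);
                permMap.setGroupName(groupName);
                permMap.setGroupId(getGroupId(groupName));
                permMap.setPermType(toPermType("Admin"));
                permMap.setIpAddress(ipAddress);
                permMapList.add(permMap);
            }
        }
        permGroup++;
    }
    return permMapList;
}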
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
the class ServiceUtil method toRangerPolicy.
/**
 * Builds a {@link RangerPolicy} from a legacy {@link VXResource} and its
 * permission maps.
 *
 * The service name comes from {@code service} when one is given, otherwise
 * from the resource's asset name. Enabled/audit, path-recursive and
 * table/column-exclusion flags are derived from the legacy status codes. The
 * perm maps are bucketed by their permGroup id and every bucket becomes one
 * allow policy item holding its users, groups, access types and — if the
 * bucket carried one — a single "ipaddress" condition. An "Admin" perm turns
 * into delegate-admin on the item and is kept as an access type only for
 * HBase.
 *
 * NOTE(review): the buckets live in a HashMap, so the order of the resulting
 * policy items does not follow the input order; and the bucket's ipAddress is
 * whichever perm map was visited last, so a perm map without an address can
 * silently discard the IP restriction carried by an earlier map of the same
 * group. Both behaviours are preserved here unchanged.
 *
 * @param resource legacy resource/policy; null yields null
 * @param service  owning service, or null to fall back to the asset name
 * @return the converted policy, or null when {@code resource} is null
 */
public RangerPolicy toRangerPolicy(VXResource resource, RangerService service) {
    if (resource == null) {
        return null;
    }
    RangerPolicy policy = new RangerPolicy();
    dataObjectToRangerObject(resource, policy);

    String serviceName = (service != null) ? service.getName() : resource.getAssetName();
    policy.setService(serviceName);
    policy.setName(StringUtils.trim(resource.getPolicyName()));
    policy.setDescription(resource.getDescription());
    policy.setIsEnabled(resource.getResourceStatus() == RangerCommonEnums.STATUS_ENABLED);
    boolean hasAudits = resource.getAuditList() != null && !resource.getAuditList().isEmpty();
    policy.setIsAuditEnabled(hasAudits);

    // Legacy flags: recursion applies to the path only; exclusion is per
    // table / column.
    Boolean pathRecursive = resource.getIsRecursive() == RangerCommonEnums.BOOL_TRUE;
    Boolean tableExcludes = resource.getTableType() == RangerCommonEnums.POLICY_EXCLUSION;
    Boolean columnExcludes = resource.getColumnType() == RangerCommonEnums.POLICY_EXCLUSION;
    toRangerResourceList(resource.getName(), "path", Boolean.FALSE, pathRecursive, policy.getResources());
    toRangerResourceList(resource.getTables(), "table", tableExcludes, Boolean.FALSE, policy.getResources());
    toRangerResourceList(resource.getColumnFamilies(), "column-family", Boolean.FALSE, Boolean.FALSE, policy.getResources());
    toRangerResourceList(resource.getColumns(), "column", columnExcludes, Boolean.FALSE, policy.getResources());
    toRangerResourceList(resource.getDatabases(), "database", Boolean.FALSE, Boolean.FALSE, policy.getResources());
    toRangerResourceList(resource.getUdfs(), "udf", Boolean.FALSE, Boolean.FALSE, policy.getResources());
    toRangerResourceList(resource.getTopologies(), "topology", Boolean.FALSE, Boolean.FALSE, policy.getResources());
    toRangerResourceList(resource.getServices(), "service", Boolean.FALSE, Boolean.FALSE, policy.getResources());

    // Bucket the perm maps by permGroup id; each bucket is one policy item.
    HashMap<String, List<VXPermMap>> byPermGroup = new HashMap<String, List<VXPermMap>>();
    if (resource.getPermMapList() != null) {
        for (VXPermMap permMap : resource.getPermMapList()) {
            String groupId = permMap.getPermGroup();
            List<VXPermMap> bucket = byPermGroup.get(groupId);
            if (bucket == null) {
                bucket = new ArrayList<VXPermMap>();
                byPermGroup.put(groupId, bucket);
            }
            bucket.add(permMap);
        }
    }

    Integer assetType = getAssetType(service, policy.getService());
    // HBase is the only asset type whose "Admin" perm is also a real access.
    boolean isHBase = assetType != null && assetType == RangerCommonEnums.ASSET_HBASE;

    for (List<VXPermMap> bucket : byPermGroup.values()) {
        RangerPolicy.RangerPolicyItem item = new RangerPolicy.RangerPolicyItem();
        List<String> users = new ArrayList<String>();
        List<String> groups = new ArrayList<String>();
        List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
        String ipAddress = null;
        for (VXPermMap permMap : bucket) {
            if (permMap.getPermFor() == AppConstants.XA_PERM_FOR_USER) {
                String user = getUserName(permMap);
                if (!users.contains(user)) {
                    users.add(user);
                }
            } else if (permMap.getPermFor() == AppConstants.XA_PERM_FOR_GROUP) {
                String group = getGroupName(permMap);
                if (!groups.contains(group)) {
                    groups.add(group);
                }
            }
            String accessType = toAccessType(permMap.getPermType());
            boolean isAdminPerm = StringUtils.equalsIgnoreCase(accessType, "Admin");
            if (isAdminPerm) {
                item.setDelegateAdmin(Boolean.TRUE);
            }
            // Accesses are not de-duplicated; repeated perm maps yield repeated entries.
            if (!isAdminPerm || isHBase) {
                accesses.add(new RangerPolicyItemAccess(accessType));
            }
            // last perm map of the bucket wins (see class-level note)
            ipAddress = permMap.getIpAddress();
        }
        item.setUsers(users);
        item.setGroups(groups);
        item.setAccesses(accesses);
        if (StringUtils.isNotEmpty(ipAddress)) {
            RangerPolicy.RangerPolicyItemCondition ipCondition = new RangerPolicy.RangerPolicyItemCondition("ipaddress", Collections.singletonList(ipAddress));
            item.getConditions().add(ipCondition);
        }
        policy.getPolicyItems().add(item);
    }
    return policy;
}