
Example 36 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class TestServiceREST method test42grant.

/**
 * Smoke test for {@code ServiceRESTUtil.processGrantRequest}.
 *
 * Builds a policy on the excluded, recursive path "/tmp" holding two allow items, one
 * allow-exception item and two deny items, then applies a grant of "delete" and "index"
 * (with delegated admin) for user1 and group1 and prints the policy before and after.
 *
 * NOTE(review): the only assertion is {@code assert (true)}, so the test passes for any
 * resulting policy as long as no exception is thrown. For authorization logic this gives no
 * regression protection; the expected allow/deny/exception items after the grant should be
 * asserted explicitly once the intended outcome is confirmed.
 */
@Test
public void test42grant() {
    final String[] readWriteDeleteLock = { "read", "write", "delete", "lock" };
    final String[] deleteLock = { "delete", "lock" };
    final String[] groupsOneTwo = { "group1", "group2" };
    final String[] usersOneTwo = { "user1", "user2" };

    // Base policy: start from the fixture and reset its allow items.
    RangerPolicy existingPolicy = rangerPolicy();
    existingPolicy.setPolicyItems(new ArrayList<RangerPolicyItem>());

    // Single "path" resource: /tmp, marked both excludes and recursive.
    RangerPolicyResource tmpPath = new RangerPolicyResource("/tmp");
    tmpPath.setIsExcludes(true);
    tmpPath.setIsRecursive(true);
    Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
    policyResources.put("path", tmpPath);
    existingPolicy.setResources(policyResources);

    // Allow item 1: full access plus delegated admin for group1/group2 and user1/user2.
    RangerPolicyItem allowOneTwo = new RangerPolicyItem();
    for (String accessType : readWriteDeleteLock) {
        allowOneTwo.getAccesses().add(new RangerPolicyItemAccess(accessType, true));
    }
    for (String group : groupsOneTwo) {
        allowOneTwo.getGroups().add(group);
    }
    for (String user : usersOneTwo) {
        allowOneTwo.getUsers().add(user);
    }
    allowOneTwo.setDelegateAdmin(true);
    existingPolicy.getPolicyItems().add(allowOneTwo);

    // Allow item 2: full access plus delegated admin for group3 and user3.
    RangerPolicyItem allowThree = new RangerPolicyItem();
    for (String accessType : readWriteDeleteLock) {
        allowThree.getAccesses().add(new RangerPolicyItemAccess(accessType, true));
    }
    allowThree.getGroups().add("group3");
    allowThree.getUsers().add("user3");
    allowThree.setDelegateAdmin(true);
    existingPolicy.getPolicyItems().add(allowThree);

    // Allow exception: delete/lock carved out for group1/group2 and user1/user2.
    RangerPolicyItem allowException = new RangerPolicyItem();
    for (String accessType : deleteLock) {
        allowException.getAccesses().add(new RangerPolicyItemAccess(accessType, true));
    }
    for (String group : groupsOneTwo) {
        allowException.getGroups().add(group);
    }
    for (String user : usersOneTwo) {
        allowException.getUsers().add(user);
    }
    allowException.setDelegateAdmin(false);
    existingPolicy.getAllowExceptions().add(allowException);

    // Deny item 1: delete for group2 and user2.
    RangerPolicyItem denyDelete = new RangerPolicyItem();
    denyDelete.getAccesses().add(new RangerPolicyItemAccess("delete", true));
    denyDelete.getGroups().add("group2");
    denyDelete.getUsers().add("user2");
    denyDelete.setDelegateAdmin(false);
    existingPolicy.getDenyPolicyItems().add(denyDelete);

    // Deny item 2: index for the "public" group and "user".
    RangerPolicyItem denyIndex = new RangerPolicyItem();
    denyIndex.getAccesses().add(new RangerPolicyItemAccess("index", true));
    denyIndex.getGroups().add("public");
    denyIndex.getUsers().add("user");
    denyIndex.setDelegateAdmin(false);
    existingPolicy.getDenyPolicyItems().add(denyIndex);

    // Grant request: delete + index on /tmp for user1 and group1, with delegated admin.
    Map<String, String> resource = new HashMap<String, String>();
    resource.put("path", "/tmp");
    GrantRevokeRequest grantRequestObj = new GrantRevokeRequest();
    grantRequestObj.setResource(resource);
    grantRequestObj.getUsers().add("user1");
    grantRequestObj.getGroups().add("group1");
    grantRequestObj.getAccessTypes().add("delete");
    grantRequestObj.getAccessTypes().add("index");
    grantRequestObj.setDelegateAdmin(true);
    grantRequestObj.setEnableAudit(true);
    grantRequestObj.setIsRecursive(true);
    grantRequestObj.setGrantor("test42Grant");

    System.out.println("existingPolicy=" + existingPolicy.toString());

    // The grant mutates existingPolicy in place; the result is only printed, not checked.
    ServiceRESTUtil.processGrantRequest(existingPolicy, grantRequestObj);

    System.out.println("resultPolicy=" + existingPolicy.toString());
    assert (true);
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) HashMap(java.util.HashMap) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) ArrayList(java.util.ArrayList) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) VXString(org.apache.ranger.view.VXString) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) GrantRevokeRequest(org.apache.ranger.plugin.util.GrantRevokeRequest) Test(org.junit.Test)

Example 37 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class ServiceUtil method toRangerPolicy.

/**
 * Converts a legacy {@code VXPolicy} view object into a {@code RangerPolicy} for a service.
 *
 * Resource lists (path, table, column-family, column, database, udf, topology, service) are
 * copied when present. Each {@code VXPermObj} becomes one policy item carrying its users,
 * groups, access types, delegated-admin flag and an optional "ipaddress" condition.
 *
 * Security-relevant mapping: an "Admin" permission always sets delegateAdmin on the item,
 * and is kept as an access type only when the asset type is HBase.
 *
 * @param vXPolicy legacy policy view; may be null
 * @param service  service that owns the policy; may be null
 * @return the converted policy, or {@code null} when either argument is null or the service
 *         type has no asset type
 */
public RangerPolicy toRangerPolicy(VXPolicy vXPolicy, RangerService service) {
    if (vXPolicy == null || service == null) {
        return null;
    }
    if (toAssetType(service.getType()) == null) {
        return null;
    }

    RangerPolicy ret = (RangerPolicy) dataObjectToRangerObject(vXPolicy, new RangerPolicy());
    ret.setService(service.getName());
    ret.setName(StringUtils.trim(vXPolicy.getPolicyName()));
    ret.setDescription(vXPolicy.getDescription());
    ret.setIsEnabled(vXPolicy.getIsEnabled() == true);
    ret.setIsAuditEnabled(vXPolicy.getIsAuditEnabled());

    Integer assetType = toAssetType(service.getType());
    boolean isHdfs = assetType == RangerCommonEnums.ASSET_HDFS;

    // The recursive flag is honoured only for HDFS; every other asset type gets FALSE.
    Boolean isRecursive = Boolean.FALSE;
    if (isHdfs && vXPolicy.getIsRecursive() != null) {
        isRecursive = vXPolicy.getIsRecursive();
    }

    // Table and column lists are excludes when their type equals the POLICY_EXCLUSION label.
    Boolean isTableExcludes = Boolean.FALSE;
    if (vXPolicy.getTableType() != null) {
        isTableExcludes = vXPolicy.getTableType().equals(RangerCommonEnums.getLabelFor_PolicyType(RangerCommonEnums.POLICY_EXCLUSION));
    }
    Boolean isColumnExcludes = Boolean.FALSE;
    if (vXPolicy.getColumnType() != null) {
        isColumnExcludes = vXPolicy.getColumnType().equals(RangerCommonEnums.getLabelFor_PolicyType(RangerCommonEnums.POLICY_EXCLUSION));
    }

    if (isHdfs && vXPolicy.getResourceName() != null) {
        toRangerResourceList(vXPolicy.getResourceName(), "path", Boolean.FALSE, isRecursive, ret.getResources());
    }
    if (vXPolicy.getTables() != null) {
        toRangerResourceList(vXPolicy.getTables(), "table", isTableExcludes, isRecursive, ret.getResources());
    }
    if (vXPolicy.getColumnFamilies() != null) {
        toRangerResourceList(vXPolicy.getColumnFamilies(), "column-family", Boolean.FALSE, isRecursive, ret.getResources());
    }
    if (vXPolicy.getColumns() != null) {
        toRangerResourceList(vXPolicy.getColumns(), "column", isColumnExcludes, isRecursive, ret.getResources());
    }
    if (vXPolicy.getDatabases() != null) {
        toRangerResourceList(vXPolicy.getDatabases(), "database", Boolean.FALSE, isRecursive, ret.getResources());
    }
    if (vXPolicy.getUdfs() != null) {
        toRangerResourceList(vXPolicy.getUdfs(), "udf", Boolean.FALSE, isRecursive, ret.getResources());
    }
    if (vXPolicy.getTopologies() != null) {
        toRangerResourceList(vXPolicy.getTopologies(), "topology", Boolean.FALSE, isRecursive, ret.getResources());
    }
    if (vXPolicy.getServices() != null) {
        toRangerResourceList(vXPolicy.getServices(), "service", Boolean.FALSE, isRecursive, ret.getResources());
    }

    List<VXPermObj> permObjects = vXPolicy.getPermMapList();
    if (permObjects == null) {
        return ret;
    }

    for (VXPermObj permObj : permObjects) {
        // NOTE(review): getUserName/getGroupName are defined elsewhere; a name is kept only
        // when it contains the looked-up value. Presumably this drops principals unknown to
        // Ranger -- confirm, and confirm the lookups never return null (contains(null) throws).
        List<String> userList = new ArrayList<String>();
        if (permObj.getUserList() != null) {
            for (String candidateUser : permObj.getUserList()) {
                if (candidateUser.contains(getUserName(candidateUser))) {
                    userList.add(candidateUser);
                }
            }
        }

        List<String> groupList = new ArrayList<String>();
        if (permObj.getGroupList() != null) {
            for (String candidateGroup : permObj.getGroupList()) {
                if (candidateGroup.contains(getGroupName(candidateGroup))) {
                    groupList.add(candidateGroup);
                }
            }
        }

        List<RangerPolicyItemAccess> accessList = new ArrayList<RangerPolicyItemAccess>();
        boolean delegatedAdmin = false;
        if (permObj.getPermList() != null) {
            for (String perm : permObj.getPermList()) {
                // Permission names whose enum value is 0 are skipped.
                if (AppConstants.getEnumFor_XAPermType(perm) == 0) {
                    continue;
                }
                if ("Admin".equalsIgnoreCase(perm)) {
                    delegatedAdmin = true;
                    // Outside HBase, "Admin" is expressed only through delegateAdmin.
                    if (assetType != RangerCommonEnums.ASSET_HBASE) {
                        continue;
                    }
                }
                accessList.add(new RangerPolicyItemAccess(perm));
            }
        }

        RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
        policyItem.setUsers(userList);
        policyItem.setGroups(groupList);
        policyItem.setAccesses(accessList);
        policyItem.setDelegateAdmin(delegatedAdmin ? Boolean.TRUE : Boolean.FALSE);

        // A non-empty IP address becomes a single-valued "ipaddress" condition on the item.
        String ipAddress = permObj.getIpAddress();
        if (ipAddress != null && !ipAddress.isEmpty()) {
            policyItem.getConditions().add(new RangerPolicy.RangerPolicyItemCondition("ipaddress", Collections.singletonList(ipAddress)));
        }

        ret.getPolicyItems().add(policyItem);
    }
    return ret;
}
Also used : ArrayList(java.util.ArrayList) VXPermObj(org.apache.ranger.view.VXPermObj) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)

Example 38 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class ServiceUtil method getVXPermMapList.

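/**
 * Flattens the allow items of a {@code RangerPolicy} into legacy {@code VXPermMap} rows.
 *
 * For every policy item, one row is emitted per (user, allowed access) and per
 * (group, allowed access), plus an extra "Admin" row per user/group when the item has
 * delegateAdmin set. Accesses with {@code getIsAllowed()} false are skipped. Only
 * {@code policy.getPolicyItems()} is read here.
 *
 * The perm-group counter is advanced after the users of an item and again after its groups,
 * so user rows and group rows of the same item carry different perm-group values.
 *
 * @param policy policy to convert; must not be null
 * @return the generated rows, empty when the policy has no policy items
 */
public List<VXPermMap> getVXPermMapList(RangerPolicy policy) {
    List<VXPermMap> permMapList = new ArrayList<VXPermMap>();
    int permGroup = 0;
    for (RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
        String ipAddress = null;
        for (RangerPolicy.RangerPolicyItemCondition condition : policyItem.getConditions()) {
            // Compare by value, not by reference: a condition type that is not the interned
            // literal (e.g. one built at runtime) would fail an == check, and the IP
            // restriction would silently be missing from every generated row.
            if ("ipaddress".equals(condition.getType())) {
                List<String> values = condition.getValues();
                if (CollectionUtils.isNotEmpty(values)) {
                    // TODO: handle the whole collection properly; for now only the first value is used
                    ipAddress = values.get(0);
                }
            }
            if (ipAddress != null && !ipAddress.isEmpty()) {
                // only 1 IP-address per permMap
                break;
            }
        }

        String userPermGroup = String.valueOf(permGroup);
        for (String userName : policyItem.getUsers()) {
            for (RangerPolicyItemAccess access : policyItem.getAccesses()) {
                if (!access.getIsAllowed()) {
                    continue;
                }
                VXPermMap permMap = new VXPermMap();
                permMap.setPermFor(AppConstants.XA_PERM_FOR_USER);
                permMap.setPermGroup(userPermGroup);
                permMap.setUserName(userName);
                permMap.setUserId(getUserId(userName));
                permMap.setPermType(toPermType(access.getType()));
                permMap.setIpAddress(ipAddress);
                permMapList.add(permMap);
            }
            // Delegated admin is represented as an additional "Admin" permission row.
            if (policyItem.getDelegateAdmin()) {
                VXPermMap permMap = new VXPermMap();
                permMap.setPermFor(AppConstants.XA_PERM_FOR_USER);
                permMap.setPermGroup(userPermGroup);
                permMap.setUserName(userName);
                permMap.setUserId(getUserId(userName));
                permMap.setPermType(toPermType("Admin"));
                permMap.setIpAddress(ipAddress);
                permMapList.add(permMap);
            }
        }
        permGroup++;

        String groupPermGroup = String.valueOf(permGroup);
        for (String groupName : policyItem.getGroups()) {
            for (RangerPolicyItemAccess access : policyItem.getAccesses()) {
                if (!access.getIsAllowed()) {
                    continue;
                }
                VXPermMap permMap = new VXPermMap();
                permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP);
                permMap.setPermGroup(groupPermGroup);
                permMap.setGroupName(groupName);
                permMap.setGroupId(getGroupId(groupName));
                permMap.setPermType(toPermType(access.getType()));
                permMap.setIpAddress(ipAddress);
                permMapList.add(permMap);
            }
            if (policyItem.getDelegateAdmin()) {
                VXPermMap permMap = new VXPermMap();
                permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP);
                permMap.setPermGroup(groupPermGroup);
                permMap.setGroupName(groupName);
                permMap.setGroupId(getGroupId(groupName));
                permMap.setPermType(toPermType("Admin"));
                permMap.setIpAddress(ipAddress);
                permMapList.add(permMap);
            }
        }
        permGroup++;
    }
    return permMapList;
}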
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) VXPermMap(org.apache.ranger.view.VXPermMap) ArrayList(java.util.ArrayList) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)

Example 39 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class ServiceUtil method toRangerPolicy.

/**
 * Converts a legacy {@code VXResource} into a {@code RangerPolicy}.
 *
 * The service name comes from {@code service} when given, otherwise from the resource's
 * asset name. Perm maps are regrouped by their perm-group key and each group becomes one
 * policy item. An "Admin" access type sets delegateAdmin on the item and is kept as an
 * access only when the asset type is HBase.
 *
 * Note: within a group the "ipaddress" condition is built from the IP address of the last
 * perm map iterated, so a later entry without an address overrides an earlier one.
 *
 * @param resource legacy resource; may be null
 * @param service  owning service; may be null
 * @return the converted policy, or {@code null} when {@code resource} is null
 */
public RangerPolicy toRangerPolicy(VXResource resource, RangerService service) {
    if (resource == null) {
        return null;
    }

    RangerPolicy ret = new RangerPolicy();
    dataObjectToRangerObject(resource, ret);
    ret.setService(service != null ? service.getName() : resource.getAssetName());
    ret.setName(StringUtils.trim(resource.getPolicyName()));
    ret.setDescription(resource.getDescription());
    ret.setIsEnabled(resource.getResourceStatus() == RangerCommonEnums.STATUS_ENABLED);
    ret.setIsAuditEnabled(resource.getAuditList() != null && !resource.getAuditList().isEmpty());

    Boolean isPathRecursive = resource.getIsRecursive() == RangerCommonEnums.BOOL_TRUE;
    Boolean isTableExcludes = resource.getTableType() == RangerCommonEnums.POLICY_EXCLUSION;
    Boolean isColumnExcludes = resource.getColumnType() == RangerCommonEnums.POLICY_EXCLUSION;

    // Only the path honours the recursive flag; only tables and columns can be excludes.
    toRangerResourceList(resource.getName(), "path", Boolean.FALSE, isPathRecursive, ret.getResources());
    toRangerResourceList(resource.getTables(), "table", isTableExcludes, Boolean.FALSE, ret.getResources());
    toRangerResourceList(resource.getColumnFamilies(), "column-family", Boolean.FALSE, Boolean.FALSE, ret.getResources());
    toRangerResourceList(resource.getColumns(), "column", isColumnExcludes, Boolean.FALSE, ret.getResources());
    toRangerResourceList(resource.getDatabases(), "database", Boolean.FALSE, Boolean.FALSE, ret.getResources());
    toRangerResourceList(resource.getUdfs(), "udf", Boolean.FALSE, Boolean.FALSE, ret.getResources());
    toRangerResourceList(resource.getTopologies(), "topology", Boolean.FALSE, Boolean.FALSE, ret.getResources());
    toRangerResourceList(resource.getServices(), "service", Boolean.FALSE, Boolean.FALSE, ret.getResources());

    // Bucket the perm maps by perm group; each bucket turns into one policy item below.
    HashMap<String, List<VXPermMap>> permsByGroup = new HashMap<String, List<VXPermMap>>();
    List<VXPermMap> allPermMaps = resource.getPermMapList();
    if (allPermMaps != null) {
        for (VXPermMap permMap : allPermMaps) {
            String groupKey = permMap.getPermGroup();
            List<VXPermMap> bucket = permsByGroup.get(groupKey);
            if (bucket == null) {
                bucket = new ArrayList<VXPermMap>();
                permsByGroup.put(groupKey, bucket);
            }
            bucket.add(permMap);
        }
    }

    Integer assetType = getAssetType(service, ret.getService());

    for (List<VXPermMap> bucket : permsByGroup.values()) {
        RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
        List<String> userList = new ArrayList<String>();
        List<String> groupList = new ArrayList<String>();
        List<RangerPolicyItemAccess> accessList = new ArrayList<RangerPolicyItemAccess>();
        String ipAddress = null;

        for (VXPermMap permMap : bucket) {
            // Collect each user/group name once per item.
            if (permMap.getPermFor() == AppConstants.XA_PERM_FOR_USER) {
                String userName = getUserName(permMap);
                if (!userList.contains(userName)) {
                    userList.add(userName);
                }
            } else if (permMap.getPermFor() == AppConstants.XA_PERM_FOR_GROUP) {
                String groupName = getGroupName(permMap);
                if (!groupList.contains(groupName)) {
                    groupList.add(groupName);
                }
            }

            String accessType = toAccessType(permMap.getPermType());
            boolean isAdmin = StringUtils.equalsIgnoreCase(accessType, "Admin");
            if (isAdmin) {
                policyItem.setDelegateAdmin(Boolean.TRUE);
            }
            // "Admin" stays in the access list only for HBase; every other type is always kept.
            if (!isAdmin || (assetType != null && assetType == RangerCommonEnums.ASSET_HBASE)) {
                accessList.add(new RangerPolicyItemAccess(accessType));
            }

            // Last perm map wins, including when its address is null.
            ipAddress = permMap.getIpAddress();
        }

        policyItem.setUsers(userList);
        policyItem.setGroups(groupList);
        policyItem.setAccesses(accessList);
        if (ipAddress != null && !ipAddress.isEmpty()) {
            policyItem.getConditions().add(new RangerPolicy.RangerPolicyItemCondition("ipaddress", Collections.singletonList(ipAddress)));
        }
        ret.getPolicyItems().add(policyItem);
    }
    return ret;
}
Also used : VXPermMap(org.apache.ranger.view.VXPermMap) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) ArrayList(java.util.ArrayList) VXPolicyList(org.apache.ranger.view.VXPolicyList) List(java.util.List) VXRepositoryList(org.apache.ranger.view.VXRepositoryList)
