
Example 11 with RangerPolicyItemCondition

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition in project ranger by apache.

the class ServiceDBStore method createNewPolicyItemForPolicy.

/**
 * Persists {@code policyItem} as a child row of {@code xPolicy} and then persists its
 * access, user, group and condition entries as rows of the new item, each numbered by
 * its position in the corresponding list of the item.
 *
 * Every referenced name is resolved against the store before its row is written: access
 * types against the policy's service, users and groups by name, condition types against
 * the service definition. An unresolvable name aborts the method with an exception;
 * nothing in this method removes the rows created by earlier iterations, so that is left
 * to the caller. Blank user and group names are skipped but still consume an order slot.
 *
 * @param policy         the policy the item belongs to; supplies the id stored on the row
 *                       and the name/service quoted in error messages
 * @param xPolicy        the persisted policy row; parent for audit fields and source of the
 *                       service id used to resolve access types
 * @param policyItem     the item whose accesses, users, groups and conditions are persisted
 * @param xServiceDef    persisted service definition used to resolve condition types
 * @param itemOrder      position of this item within the policy
 * @param policyItemType item-type discriminator stored on the row
 * @return the persisted policy item row, as returned by the DAO
 * @throws Exception if an access type, user, group or condition type cannot be resolved
 */
private XXPolicyItem createNewPolicyItemForPolicy(RangerPolicy policy, XXPolicy xPolicy, RangerPolicyItem policyItem, XXServiceDef xServiceDef, int itemOrder, int policyItemType) throws Exception {
    XXPolicyItem xPolicyItem = new XXPolicyItem();
    xPolicyItem = rangerAuditFields.populateAuditFields(xPolicyItem, xPolicy);
    xPolicyItem.setDelegateAdmin(policyItem.getDelegateAdmin());
    xPolicyItem.setItemType(policyItemType);
    xPolicyItem.setIsEnabled(Boolean.TRUE);
    xPolicyItem.setComments(null);
    xPolicyItem.setPolicyId(policy.getId());
    xPolicyItem.setOrder(itemOrder);
    xPolicyItem = daoMgr.getXXPolicyItem().create(xPolicyItem);

    // Accesses: the type must be a known access type of the policy's service.
    int accessOrder = 0;
    for (RangerPolicyItemAccess access : policyItem.getAccesses()) {
        XXAccessTypeDef xAccTypeDef = daoMgr.getXXAccessTypeDef().findByNameAndServiceId(access.getType(), xPolicy.getService());
        if (xAccTypeDef == null) {
            throw new Exception(access.getType() + ": is not a valid access-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
        }
        XXPolicyItemAccess xPolItemAcc = new XXPolicyItemAccess();
        xPolItemAcc = (XXPolicyItemAccess) rangerAuditFields.populateAuditFields(xPolItemAcc, xPolicyItem);
        xPolItemAcc.setIsAllowed(access.getIsAllowed());
        xPolItemAcc.setType(xAccTypeDef.getId());
        xPolItemAcc.setPolicyitemid(xPolicyItem.getId());
        xPolItemAcc.setOrder(accessOrder);
        daoMgr.getXXPolicyItemAccess().create(xPolItemAcc);
        accessOrder++;
    }

    // Users: the order counter advances for blank entries too, so skipping one leaves a gap.
    int userOrder = -1;
    for (String user : policyItem.getUsers()) {
        userOrder++;
        if (StringUtils.isBlank(user)) {
            continue;
        }
        XXUser xUser = daoMgr.getXXUser().findByUserName(user);
        if (xUser == null) {
            throw new Exception(user + ": user does not exist. policy='" + policy.getName() + "' service='" + policy.getService() + "' user='" + user + "'");
        }
        XXPolicyItemUserPerm xUserPerm = new XXPolicyItemUserPerm();
        xUserPerm = rangerAuditFields.populateAuditFields(xUserPerm, xPolicyItem);
        xUserPerm.setUserId(xUser.getId());
        xUserPerm.setPolicyItemId(xPolicyItem.getId());
        xUserPerm.setOrder(userOrder);
        xUserPerm = daoMgr.getXXPolicyItemUserPerm().create(xUserPerm);
    }

    // Groups: same numbering rule as users.
    int groupOrder = -1;
    for (String group : policyItem.getGroups()) {
        groupOrder++;
        if (StringUtils.isBlank(group)) {
            continue;
        }
        XXGroup xGrp = daoMgr.getXXGroup().findByGroupName(group);
        if (xGrp == null) {
            throw new Exception(group + ": group does not exist. policy='" + policy.getName() + "' service='" + policy.getService() + "' group='" + group + "'");
        }
        XXPolicyItemGroupPerm xGrpPerm = new XXPolicyItemGroupPerm();
        xGrpPerm = rangerAuditFields.populateAuditFields(xGrpPerm, xPolicyItem);
        xGrpPerm.setGroupId(xGrp.getId());
        xGrpPerm.setPolicyItemId(xPolicyItem.getId());
        xGrpPerm.setOrder(groupOrder);
        xGrpPerm = daoMgr.getXXPolicyItemGroupPerm().create(xGrpPerm);
    }

    // Conditions: one row per value; the order is the value's index within its condition,
    // so values of different conditions on the same item share order numbers.
    for (RangerPolicyItemCondition condition : policyItem.getConditions()) {
        XXPolicyConditionDef xPolCond = daoMgr.getXXPolicyConditionDef().findByServiceDefIdAndName(xServiceDef.getId(), condition.getType());
        if (xPolCond == null) {
            throw new Exception(condition.getType() + ": is not a valid condition-type. policy='" + xPolicy.getName() + "' service='" + xPolicy.getService() + "'");
        }
        List<String> conditionValues = condition.getValues();
        int valueOrder = 0;
        for (String value : conditionValues) {
            XXPolicyItemCondition xPolItemCond = new XXPolicyItemCondition();
            xPolItemCond = rangerAuditFields.populateAuditFields(xPolItemCond, xPolicyItem);
            xPolItemCond.setPolicyItemId(xPolicyItem.getId());
            xPolItemCond.setType(xPolCond.getId());
            xPolItemCond.setValue(value);
            xPolItemCond.setOrder(valueOrder);
            daoMgr.getXXPolicyItemCondition().create(xPolItemCond);
            valueOrder++;
        }
    }
    return xPolicyItem;
}

Example 12 with RangerPolicyItemCondition

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition in project ranger by apache.

the class ServiceDBStore method writeBookForPolicyItems.

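/**
 * Fills one spreadsheet row with {@code policy} and at most one of its policy items.
 *
 * Exactly one of {@code policyItem}, {@code dataMaskPolicyItem} and
 * {@code rowFilterPolicyItem} is expected to be non-null; any other combination leaves the
 * item-derived columns empty. Column layout written here: 0 id, 1 name, 2 resources,
 * 3 groups, 4 users, 5 access types, 6 service type, 7 status, 8 policy type,
 * 9 delegate admin, 10 recursive flags, 11 exclude flags, 12 service name, 13 description,
 * 14 audit enabled, 15 condition, 16 condition type, 17 masking info (data-mask items),
 * 18 filter expression (row-filter items), 19 policy labels. Columns 3-6, 17 and 18 are
 * only created when the policy has a resource map; the remaining columns are always
 * written.
 *
 * Changes from the previous revision: column 7 is created outside the resource branch, so
 * a policy without a resource map no longer has its status written into the resources
 * cell; an empty resource map and a blank-only group/user list no longer throw while the
 * "[...]" wrappers are stripped.
 *
 * @param policy              the policy being exported
 * @param policyItem          access policy item, or null
 * @param dataMaskPolicyItem  data-mask policy item, or null
 * @param rowFilterPolicyItem row-filter policy item, or null
 * @param row                 spreadsheet row to populate
 * @param policyConditionType value for column 16; when null, "tag" services get
 *                            {@code POLICY_ALLOW_INCLUDE} and other services an empty string
 */
private void writeBookForPolicyItems(RangerPolicy policy, RangerPolicyItem policyItem, RangerDataMaskPolicyItem dataMaskPolicyItem, RangerRowFilterPolicyItem rowFilterPolicyItem, Row row, String policyConditionType) {
    if (LOG.isDebugEnabled()) {
        // To avoid PMD violation
        LOG.debug("policyConditionType:[" + policyConditionType + "]");
    }
    // Item-derived values default to "nothing" so the columns are still written when no
    // item branch below matches.
    List<String> groups = new ArrayList<String>();
    List<String> users = new ArrayList<String>();
    List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
    List<RangerPolicyItemCondition> conditionsList = new ArrayList<RangerPolicyItemCondition>();
    Boolean delegateAdmin = false;
    Boolean isAuditEnabled = policy.getIsAuditEnabled();
    String groupNames = "";
    String userNames = "";
    String policyLabelNames = "";
    String accessType = "";
    String policyStatus = "";
    String policyType = "";
    String policyConditionTypeValue = "";
    String conditionKeyValue = "";
    String isExcludesValue = "";
    String isRecursiveValue = "";
    String resourceKeyVal = "";

    Cell cell = row.createCell(0);
    cell.setCellValue(policy.getId());
    cell = row.createCell(1);
    cell.setCellValue(policy.getName());
    cell = row.createCell(2);

    Map<String, RangerPolicyResource> resources = policy.getResources();
    if (resources != null) {
        // Each resource contributes "; key=value" to three parallel strings. The leading
        // ';' is dropped below; the space after it is kept because the exported format is
        // what the import side parses.
        StringBuilder sb = new StringBuilder();
        StringBuilder sbIsRecursive = new StringBuilder();
        StringBuilder sbIsExcludes = new StringBuilder();
        for (Entry<String, RangerPolicyResource> resource : resources.entrySet()) {
            String resKey = resource.getKey();
            RangerPolicyResource policyResource = resource.getValue();
            // NOTE(review): getIsExcludes()/getIsRecursive() are dereferenced without a null
            // check, so a resource with either flag unset would fail the whole export —
            // confirm the model guarantees non-null flags.
            String isExcludes = policyResource.getIsExcludes().toString();
            String isRecursive = policyResource.getIsRecursive().toString();
            String resValue = policyResource.getValues().toString();
            sb.append("; ").append(resKey).append("=").append(resValue);
            sbIsExcludes.append("; ").append(resKey).append("=[").append(isExcludes).append("]");
            sbIsRecursive.append("; ").append(resKey).append("=[").append(isRecursive).append("]");
        }
        // An empty resource map leaves the builders empty; substring(1) would throw there.
        isExcludesValue = sbIsExcludes.length() > 0 ? sbIsExcludes.substring(1) : "";
        isRecursiveValue = sbIsRecursive.length() > 0 ? sbIsRecursive.substring(1) : "";
        resourceKeyVal = sb.length() > 0 ? sb.substring(1) : "";
        cell.setCellValue(resourceKeyVal);

        if (policyItem != null && dataMaskPolicyItem == null && rowFilterPolicyItem == null) {
            groups = policyItem.getGroups();
            users = policyItem.getUsers();
            accesses = policyItem.getAccesses();
            delegateAdmin = policyItem.getDelegateAdmin();
            conditionsList = policyItem.getConditions();
        } else if (dataMaskPolicyItem != null && policyItem == null && rowFilterPolicyItem == null) {
            groups = dataMaskPolicyItem.getGroups();
            users = dataMaskPolicyItem.getUsers();
            accesses = dataMaskPolicyItem.getAccesses();
            delegateAdmin = dataMaskPolicyItem.getDelegateAdmin();
            conditionsList = dataMaskPolicyItem.getConditions();
            RangerPolicyItemDataMaskInfo dataMaskInfo = dataMaskPolicyItem.getDataMaskInfo();
            String dataMaskType = dataMaskInfo.getDataMaskType();
            String conditionExpr = dataMaskInfo.getConditionExpr();
            String valueExpr = dataMaskInfo.getValueExpr();
            String maskingInfo = "dataMasktype=[" + dataMaskType + "]";
            // NOTE(review): valueExpr only gates whether conditionExpr is exported and is
            // never written itself — confirm that is intended.
            if (conditionExpr != null && !conditionExpr.isEmpty() && valueExpr != null && !valueExpr.isEmpty()) {
                maskingInfo = maskingInfo + "; conditionExpr=[" + conditionExpr + "]";
            }
            cell = row.createCell(17);
            cell.setCellValue(maskingInfo);
        } else if (rowFilterPolicyItem != null && policyItem == null && dataMaskPolicyItem == null) {
            groups = rowFilterPolicyItem.getGroups();
            users = rowFilterPolicyItem.getUsers();
            accesses = rowFilterPolicyItem.getAccesses();
            delegateAdmin = rowFilterPolicyItem.getDelegateAdmin();
            conditionsList = rowFilterPolicyItem.getConditions();
            RangerPolicyItemRowFilterInfo filterInfo = rowFilterPolicyItem.getRowFilterInfo();
            cell = row.createCell(18);
            cell.setCellValue(filterInfo.getFilterExpr());
        }

        // "a ,b ," -> "a ,b " (trimmed when written to the cell).
        if (CollectionUtils.isNotEmpty(accesses)) {
            StringBuilder accessTypes = new StringBuilder();
            for (RangerPolicyItemAccess access : accesses) {
                accessTypes.append(access.getType()).append(" ,");
            }
            accessType = accessTypes.substring(0, accessTypes.lastIndexOf(","));
        }
        // List.toString() gives "[a, b]"; the tokenizer strips the brackets. A name that
        // itself contains '[' or ']' is truncated at that character; a list holding only
        // blank names yields "[]" and hence no token at all.
        if (CollectionUtils.isNotEmpty(groups)) {
            StringTokenizer groupToken = new StringTokenizer(groups.toString(), "[]");
            groupNames = groupToken.hasMoreTokens() ? groupToken.nextToken() : "";
        }
        if (CollectionUtils.isNotEmpty(users)) {
            StringTokenizer userToken = new StringTokenizer(users.toString(), "[]");
            userNames = userToken.hasMoreTokens() ? userToken.nextToken() : "";
        }
        // NOTE(review): only the last condition of the item survives this loop; confirm
        // whether items with several conditions are expected in exports.
        for (RangerPolicyItemCondition conditions : conditionsList) {
            String conditionType = conditions.getType();
            List<String> conditionList = conditions.getValues();
            conditionKeyValue = conditionType + "=" + conditionList.toString();
        }
        cell = row.createCell(3);
        cell.setCellValue(groupNames);
        cell = row.createCell(4);
        cell.setCellValue(userNames);
        cell = row.createCell(5);
        cell.setCellValue(accessType.trim());
        cell = row.createCell(6);
        // Service type comes from the service-def of the named service; unknown service
        // or service-def leaves it empty.
        XXService xxservice = daoMgr.getXXService().findByName(policy.getService());
        String serviceType = "";
        if (xxservice != null) {
            XXServiceDef xxservDef = daoMgr.getXXServiceDef().getById(xxservice.getType());
            if (xxservDef != null) {
                serviceType = xxservDef.getName();
            }
        }
        if (policyConditionType != null) {
            policyConditionTypeValue = policyConditionType;
        } else if (serviceType.equalsIgnoreCase("tag")) {
            policyConditionTypeValue = POLICY_ALLOW_INCLUDE;
        } else {
            policyConditionTypeValue = "";
        }
        cell.setCellValue(serviceType);
    }
    // Created outside the resource branch so a policy without a resource map still gets
    // its status in column 7 instead of overwriting the resources cell.
    cell = row.createCell(7);

    policyStatus = policy.getIsEnabled() ? "Enabled" : "Disabled";
    List<String> policyLabels = policy.getPolicyLabels();
    if (CollectionUtils.isNotEmpty(policyLabels)) {
        StringTokenizer policyLabelToken = new StringTokenizer(policyLabels.toString(), "[]");
        policyLabelNames = policyLabelToken.hasMoreTokens() ? policyLabelToken.nextToken() : "";
    }
    cell.setCellValue(policyStatus);
    cell = row.createCell(8);
    // Any policy type outside the three known constants is exported as an empty string.
    int policyTypeInt = policy.getPolicyType();
    switch (policyTypeInt) {
        case RangerPolicy.POLICY_TYPE_ACCESS:
            policyType = POLICY_TYPE_ACCESS;
            break;
        case RangerPolicy.POLICY_TYPE_DATAMASK:
            policyType = POLICY_TYPE_DATAMASK;
            break;
        case RangerPolicy.POLICY_TYPE_ROWFILTER:
            policyType = POLICY_TYPE_ROWFILTER;
            break;
    }
    cell.setCellValue(policyType);
    cell = row.createCell(9);
    // NOTE(review): delegateAdmin/isAuditEnabled are unboxed here; a null from the model
    // would fail the export — confirm the getters never return null.
    cell.setCellValue(delegateAdmin.toString().toUpperCase());
    cell = row.createCell(10);
    cell.setCellValue(isRecursiveValue);
    cell = row.createCell(11);
    cell.setCellValue(isExcludesValue);
    cell = row.createCell(12);
    cell.setCellValue(policy.getService());
    cell = row.createCell(13);
    cell.setCellValue(policy.getDescription());
    cell = row.createCell(14);
    cell.setCellValue(isAuditEnabled.toString().toUpperCase());
    cell = row.createCell(15);
    cell.setCellValue(conditionKeyValue.trim());
    cell = row.createCell(16);
    cell.setCellValue(policyConditionTypeValue);
    cell = row.createCell(19);
    cell.setCellValue(policyLabelNames);
}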

Example 13 with RangerPolicyItemCondition

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition in project ranger by apache.

the class RangerSampleSimpleMatcherTest method test_firewallings.

/**
 * Pins the matcher's contract for incomplete configuration: with a null condition def,
 * a null item condition, a null or empty value list, or a def without evaluator options,
 * {@code isMatched} reports a match. The final step supplies real evaluator options and a
 * value equal to the request's and expects a match as well.
 */
@Test
public void test_firewallings() {
    // The request carries the value the last scenario expects to match.
    RangerAccessRequest request = createRequest("AB");
    RangerSampleSimpleMatcher matcher = new RangerSampleSimpleMatcher();

    // No condition def and no item condition: matches everything.
    reinitAndExpectMatch(matcher, null, null, request);

    // Item condition present, condition def still absent.
    RangerPolicyItemCondition policyItemCondition = Mockito.mock(RangerPolicyItemCondition.class);
    reinitAndExpectMatch(matcher, null, policyItemCondition, request);

    // Condition def present, item condition absent.
    RangerPolicyConditionDef conditionDef = Mockito.mock(RangerPolicyConditionDef.class);
    reinitAndExpectMatch(matcher, conditionDef, null, request);

    // Both present but the item condition has a null value list.
    Mockito.when(policyItemCondition.getValues()).thenReturn(null);
    reinitAndExpectMatch(matcher, conditionDef, policyItemCondition, request);

    // Both present with an empty value list.
    List<String> values = new ArrayList<String>();
    Mockito.when(policyItemCondition.getValues()).thenReturn(values);
    reinitAndExpectMatch(matcher, conditionDef, policyItemCondition, request);

    // A real value, but the def has no evaluator options, which also disables the check.
    values.add("AB");
    Mockito.when(policyItemCondition.getValues()).thenReturn(values);
    Mockito.when(conditionDef.getEvaluatorOptions()).thenReturn(null);
    reinitAndExpectMatch(matcher, conditionDef, policyItemCondition, request);

    // With evaluator options the value is evaluated for real and "AB" matches "AB".
    Mockito.when(conditionDef.getEvaluatorOptions()).thenReturn(_conditionOptions);
    reinitAndExpectMatch(matcher, conditionDef, policyItemCondition, request);
}

/**
 * Re-configures {@code matcher} with the given def and item condition, re-initialises it
 * and asserts that {@code request} is matched.
 */
private static void reinitAndExpectMatch(RangerSampleSimpleMatcher matcher, RangerPolicyConditionDef conditionDef, RangerPolicyItemCondition policyItemCondition, RangerAccessRequest request) {
    matcher.setConditionDef(conditionDef);
    matcher.setPolicyItemCondition(policyItemCondition);
    matcher.init();
    Assert.assertTrue(matcher.isMatched(request));
}

Example 14 with RangerPolicyItemCondition

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition in project ranger by apache.

the class RangerIpMatcherTest method createMatcher.

/**
 * Builds an initialised {@link RangerIpMatcher} whose item condition returns the given
 * addresses as its values. The condition def is always left null.
 *
 * @param ipArray condition values to stub, or null for a matcher with no item condition
 * @return the initialised matcher
 */
RangerIpMatcher createMatcher(String[] ipArray) {
    RangerIpMatcher matcher = new RangerIpMatcher();
    RangerPolicyItemCondition condition = null;
    if (ipArray != null) {
        condition = mock(RangerPolicyItemCondition.class);
        List<String> addresses = Arrays.asList(ipArray);
        when(condition.getValues()).thenReturn(addresses);
    }
    matcher.setConditionDef(null);
    matcher.setPolicyItemCondition(condition);
    matcher.init();
    return matcher;
}

Example 15 with RangerPolicyItemCondition

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition in project ranger by apache.

the class TestRangerPolicy method test_02_PolicyItem_SetListMethods.

/**
 * Checks each list-valued property of {@link RangerPolicyItem} the same way: a fresh item
 * exposes an empty list, additions through the getter are visible, and the setter replaces
 * the list with one of the given size.
 */
@Test
public void test_02_PolicyItem_SetListMethods() {
    RangerPolicyItem item = new RangerPolicyItem();
    List<RangerPolicyItemAccess> accessList = getList(new RangerPolicyItemAccess());
    List<String> userList = getList("user");
    List<String> groupList = getList("group");
    List<RangerPolicyItemCondition> conditionList = getList(new RangerPolicyItemCondition());

    // accesses
    Assert.assertEquals("RangerPolicyItem.getAccesses()", 0, item.getAccesses().size());
    item.getAccesses().add(new RangerPolicyItemAccess());
    Assert.assertEquals("RangerPolicyItem.getAccesses().add()", 1, item.getAccesses().size());
    item.setAccesses(accessList);
    Assert.assertEquals("RangerPolicyItem.setAccesses()", accessList.size(), item.getAccesses().size());

    // users
    Assert.assertEquals("RangerPolicyItem.getUsers()", 0, item.getUsers().size());
    item.getUsers().add("");
    Assert.assertEquals("RangerPolicyItem.getUsers().add()", 1, item.getUsers().size());
    item.setUsers(userList);
    Assert.assertEquals("RangerPolicyItem.setUsers()", userList.size(), item.getUsers().size());

    // groups
    Assert.assertEquals("RangerPolicyItem.getGroups()", 0, item.getGroups().size());
    item.getGroups().add("");
    Assert.assertEquals("RangerPolicyItem.getGroups().add()", 1, item.getGroups().size());
    item.setGroups(groupList);
    Assert.assertEquals("RangerPolicyItem.setGroups()", groupList.size(), item.getGroups().size());

    // conditions
    Assert.assertEquals("RangerPolicyItem.getConditions()", 0, item.getConditions().size());
    item.getConditions().add(new RangerPolicyItemCondition());
    Assert.assertEquals("RangerPolicyItem.getConditions().add()", 1, item.getConditions().size());
    item.setConditions(conditionList);
    Assert.assertEquals("RangerPolicyItem.setConditions()", conditionList.size(), item.getConditions().size());
}
