
Example 76 with RangerPolicyResource

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

the class AbstractPredicateUtil method addPredicateForIsRecursive.

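/**
 * Builds a search predicate that keeps policies having at least one resource whose
 * recursive flag equals the requested value.
 *
 * <p>The filter string is parsed with {@link Boolean#parseBoolean(String)}: only a
 * case-insensitive {@code "true"} selects recursive resources. Any other non-empty value
 * (for example {@code "yes"} or {@code "1"}) is not rejected; it silently selects
 * non-recursive resources, so callers that need strict input should validate it first.
 *
 * @param isRecursiveStr filter value; when empty no predicate is created
 * @param predicates     optional list that receives the new predicate; may be {@code null}
 * @return the new predicate, or {@code null} when {@code isRecursiveStr} is empty
 */
private Predicate addPredicateForIsRecursive(final String isRecursiveStr, List<Predicate> predicates) {
    if (StringUtils.isEmpty(isRecursiveStr)) {
        return null;
    }
    final boolean isRecursive = Boolean.parseBoolean(isRecursiveStr);
    Predicate ret = new Predicate() {

        @Override
        public boolean evaluate(Object object) {
            if (object == null) {
                return false;
            }
            // Objects that are not policies pass this filter unchanged.
            if (!(object instanceof RangerPolicy)) {
                return true;
            }
            Map<String, RangerPolicyResource> resources = ((RangerPolicy) object).getResources();
            // A policy without resources also passes: there is nothing to compare against.
            if (MapUtils.isEmpty(resources)) {
                return true;
            }
            for (RangerPolicyResource resValue : resources.values()) {
                // A null map value is handled like an unset flag instead of raising a
                // NullPointerException; the sibling resource-value predicate guards the
                // same way. An unset flag counts as "not recursive".
                Boolean flag = (resValue == null) ? null : resValue.getIsRecursive();
                boolean resourceIsRecursive = flag != null && flag.booleanValue();
                if (resourceIsRecursive == isRecursive) {
                    return true;
                }
            }
            return false;
        }
    };
    if (predicates != null) {
        predicates.add(ret);
    }
    return ret;
}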
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerBaseModelObject(org.apache.ranger.plugin.model.RangerBaseModelObject) HashMap(java.util.HashMap) Map(java.util.Map) Predicate(org.apache.commons.collections.Predicate)

Example 77 with RangerPolicyResource

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

the class AbstractPredicateUtil method addPredicateForPolicyResource.

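/**
 * Builds a search predicate that keeps policies having a resource value that contains
 * the given text.
 *
 * <p>The comparison is a case-insensitive substring match, not an exact or wildcard-aware
 * match: a short filter value selects every policy whose resource values merely contain it.
 * The result is a listing filter and says nothing about whether a policy actually covers
 * the named resource.
 *
 * @param resourceValue text to look for; when empty no predicate is created
 * @param predicates    optional list that receives the new predicate; may be {@code null}
 * @return the new predicate, or {@code null} when {@code resourceValue} is empty
 */
private Predicate addPredicateForPolicyResource(final String resourceValue, List<Predicate> predicates) {
    if (StringUtils.isEmpty(resourceValue)) {
        return null;
    }
    Predicate ret = new Predicate() {

        @Override
        public boolean evaluate(Object object) {
            if (object == null) {
                return false;
            }
            // Objects that are not policies pass this filter unchanged.
            if (!(object instanceof RangerPolicy)) {
                return true;
            }
            Map<String, RangerPolicyResource> policyResources = ((RangerPolicy) object).getResources();
            if (MapUtils.isEmpty(policyResources)) {
                return false;
            }
            for (RangerPolicyResource policyResource : policyResources.values()) {
                if (policyResource == null || CollectionUtils.isEmpty(policyResource.getValues())) {
                    continue;
                }
                for (String policyResourceValue : policyResource.getValues()) {
                    // Return on the first hit. The previous inner-loop break left the outer
                    // loop running, so every remaining resource was still scanned.
                    if (StringUtils.containsIgnoreCase(policyResourceValue, resourceValue)) {
                        return true;
                    }
                }
            }
            return false;
        }
    };
    if (predicates != null) {
        predicates.add(ret);
    }
    return ret;
}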
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerBaseModelObject(org.apache.ranger.plugin.model.RangerBaseModelObject) HashMap(java.util.HashMap) Map(java.util.Map) Predicate(org.apache.commons.collections.Predicate)

Example 78 with RangerPolicyResource

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

the class AtlasStormResourceMapper method buildResource.

/**
 * Maps an Atlas entity to a Ranger service resource holding a single Storm topology element.
 *
 * <p>The topology and cluster names are both derived from the entity's qualified-name
 * attribute; the configured default cluster name is used when the qualified name carries none.
 *
 * @param entity the Atlas entity to map
 * @return a service resource built from the entity GUID, the Ranger service name for the
 *         cluster, and the topology element
 * @throws Exception declared by the interface; presumably raised through
 *         {@code throwExceptionWithMessage} when the topology or cluster name is missing
 */
@Override
public RangerServiceResource buildResource(final RangerAtlasEntity entity) throws Exception {
    // NOTE(review): getAttributes() is dereferenced and the value cast to String without a
    // check; confirm callers always supply an attribute map with a String qualified name.
    final String qualifiedName = (String) entity.getAttributes().get(AtlasResourceMapper.ENTITY_ATTRIBUTE_QUALIFIED_NAME);

    final String topology = getResourceNameFromQualifiedName(qualifiedName);
    if (StringUtils.isEmpty(topology)) {
        throwExceptionWithMessage("topology not found in attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "'");
    }

    String clusterName = getClusterNameFromQualifiedName(qualifiedName);
    if (StringUtils.isEmpty(clusterName)) {
        // Fall back to the configured default, and fail only if that is empty too.
        clusterName = defaultClusterName;
        if (StringUtils.isEmpty(clusterName)) {
            // NOTE(review): this message reports a missing attribute although the check is
            // on the cluster name; confirm the wording is intended.
            throwExceptionWithMessage("attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "' not found in entity");
        }
    }

    // The topology element is created with isExcludes=false and isRecursive=true.
    final RangerPolicyResource topologyResource = new RangerPolicyResource(topology, Boolean.FALSE, Boolean.TRUE);
    final Map<String, RangerPolicyResource> elements = new HashMap<>();
    elements.put(RANGER_TYPE_STORM_TOPOLOGY, topologyResource);

    return new RangerServiceResource(entity.getGuid(), getRangerServiceName(clusterName), elements);
}
Also used : HashMap(java.util.HashMap) RangerServiceResource(org.apache.ranger.plugin.model.RangerServiceResource) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)

Example 79 with RangerPolicyResource

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

the class TestRangerPolicyValidator method test_isValidResourceNames_happyPath.

/**
 * Checks that {@code isValidResourceNames} accepts a policy whose resource map is built
 * from the "good, multiple hierarchies" fixture against the matching resource definitions.
 */
@Test
public final void test_isValidResourceNames_happyPath() {
    // Service-def stubs: name, update time and the multi-hierarchy resource definitions.
    final String serviceDefName = "a-service-def";
    final Date updateTime = new Date();
    when(_serviceDef.getName()).thenReturn(serviceDefName);
    when(_serviceDef.getUpdateTime()).thenReturn(updateTime);
    final List<RangerResourceDef> multiHierarchyDefs = _utils.createResourceDefs(resourceDefData_multipleHierarchies);
    when(_serviceDef.getResources()).thenReturn(multiHierarchyDefs);

    // Policy stub: resources that fit the hierarchies defined above.
    final Map<String, RangerPolicyResource> goodResources = _utils.createPolicyResourceMap(policyResourceMap_goodMultipleHierarchies);
    when(_policy.getResources()).thenReturn(goodResources);

    final boolean namesAccepted = _validator.isValidResourceNames(_policy, _failures, _serviceDef);
    Assert.assertTrue(namesAccepted);
}
Also used : RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) Date(java.util.Date) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)

Example 80 with RangerPolicyResource

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

the class TestRangerPolicyValidator method testIsValid_happyPath.

/**
 * Happy-path coverage for {@code isValid(policy, action, isAdmin, failures)}.
 *
 * <p>The test runs in three phases, each re-stubbing the shared mocks, so statement order
 * matters:
 * <ol>
 *   <li>resources stubbed to {@code null}, audit enabled ({@code null} or {@code true}),
 *       for every action in {@code cu} and for both admin and non-admin callers;</li>
 *   <li>audit disabled with policy items supplied, again for both admin and non-admin;</li>
 *   <li>resource definitions and a policy resource map supplied, with the store reporting
 *       no other policy for the resource signature; this phase is asserted with
 *       {@code isAdmin == true} only.</li>
 * </ol>
 * Every phase expects {@code isValid} to return {@code true} and {@code _failures} to be empty.
 * {@code cu} is declared outside this method; presumably it holds the create and update actions.
 */
@Test
public final void testIsValid_happyPath() throws Exception {
    // valid policy has valid non-empty name and service name
    when(_policy.getService()).thenReturn("service-name");
    // service name exists
    RangerService service = mock(RangerService.class);
    when(service.getType()).thenReturn("service-type");
    when(service.getId()).thenReturn(2L);
    when(_store.getServiceByName("service-name")).thenReturn(service);
    // service points to a valid service-def
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes);
    when(_serviceDef.getName()).thenReturn("service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    // store lookups by id: id 7 (used for CREATE below) finds nothing, id 8 (used for the
    // other action) finds an existing policy on the same service.
    when(_store.getPolicy(7L)).thenReturn(null);
    RangerPolicy existingPolicy = mock(RangerPolicy.class);
    when(existingPolicy.getId()).thenReturn(8L);
    when(existingPolicy.getService()).thenReturn("service-name");
    when(_store.getPolicy(8L)).thenReturn(existingPolicy);
    // a matching policy should not exist for update.
    // valid policy can have empty set of policy items if audit is turned on
    // null value for audit is treated as audit on.
    // for now we want to turn any resource related checking off
    when(_policy.getResources()).thenReturn(null);
    // Phase 1: audit on (null or true), no resources, admin and non-admin callers.
    for (Action action : cu) {
        for (Boolean auditEnabled : new Boolean[] { null, true }) {
            for (boolean isAdmin : new boolean[] { true, false }) {
                when(_policy.getIsAuditEnabled()).thenReturn(auditEnabled);
                if (action == Action.CREATE) {
                    when(_policy.getId()).thenReturn(7L);
                    when(_policy.getName()).thenReturn("policy-name-1");
                    // no policy with this name exists yet for the service/zone
                    when(_store.getPolicyId(service.getId(), _policy.getName(), _zoneId)).thenReturn(null);
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                } else {
                    // update should work both when by-name is found or not, since nothing found by-name means name is being updated.
                    when(_policy.getId()).thenReturn(8L);
                    when(_policy.getName()).thenReturn("policy-name-1");
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                    // same policy id, new name that the store does not know yet
                    when(_policy.getName()).thenReturn("policy-name-2");
                    when(_store.getPolicyId(service.getId(), _policy.getName(), _zoneId)).thenReturn(null);
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                }
            }
        }
    }
    // Phase 2: if audit is disabled then policy should have policy items and all of them should be valid
    List<RangerPolicyItem> policyItems = _utils.createPolicyItems(policyItemsData);
    when(_policy.getPolicyItems()).thenReturn(policyItems);
    when(_policy.getIsAuditEnabled()).thenReturn(false);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            if (action == Action.CREATE) {
                when(_policy.getId()).thenReturn(7L);
                when(_policy.getName()).thenReturn("policy-name-1");
            } else {
                when(_policy.getId()).thenReturn(8L);
                when(_policy.getName()).thenReturn("policy-name-2");
            }
            Assert.assertTrue("" + action, _validator.isValid(_policy, action, isAdmin, _failures));
            Assert.assertTrue(_failures.isEmpty());
        }
    }
    // above succeeded as service def did not have any resources on it, mandatory or otherwise.
    // Phase 3: policy should have all mandatory resources specified, and they should conform to the validation pattern in resource definition
    List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
    when(_serviceDef.getResources()).thenReturn(resourceDefs);
    Map<String, RangerPolicyResource> resourceMap = _utils.createPolicyResourceMap(policyResourceMap_good);
    when(_policy.getResources()).thenReturn(resourceMap);
    // let's add some other policies in the store for this service that have a different signature
    // setup the signatures on the policies
    RangerPolicyResourceSignature policySignature = mock(RangerPolicyResourceSignature.class);
    when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
    // setup the store to indicate that no other policy exists with matching signature
    when(policySignature.getSignature()).thenReturn("hash-1");
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
    // we are reusing the same policies collection here -- which is fine
    for (Action action : cu) {
        if (action == Action.CREATE) {
            when(_policy.getId()).thenReturn(7L);
            when(_policy.getName()).thenReturn("policy-name-1");
        } else {
            when(_policy.getId()).thenReturn(8L);
            when(_policy.getName()).thenReturn("policy-name-2");
        }
        // since the policy resource has excludes, admin privileges would be required;
        // only isAdmin == true is asserted here, the non-admin outcome is not covered by this test.
        Assert.assertTrue("" + action, _validator.isValid(_policy, action, true, _failures));
        Assert.assertTrue(_failures.isEmpty());
    }
}
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) RangerService(org.apache.ranger.plugin.model.RangerService) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)

Aggregations

RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)101 HashMap (java.util.HashMap)65 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)64 ArrayList (java.util.ArrayList)50 Test (org.junit.Test)43 RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)35 RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)32 Date (java.util.Date)26 RangerService (org.apache.ranger.plugin.model.RangerService)23 VXString (org.apache.ranger.view.VXString)18 RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)17 VXAuditMap (org.apache.ranger.view.VXAuditMap)15 VXResource (org.apache.ranger.view.VXResource)15 RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)12 LinkedHashMap (java.util.LinkedHashMap)10 XXServiceDef (org.apache.ranger.entity.XXServiceDef)8 RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)8 RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)8 ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)8 RangerServiceResource (org.apache.ranger.plugin.model.RangerServiceResource)7