
Example 86 with RangerPolicyResource

Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

Class AtlasHbaseResourceMapper, method buildResource.

/**
 * Maps an Atlas HBase entity (namespace, table, column family or column) onto the Ranger
 * service resource that tag-based policies are attached to.
 *
 * The entity's qualifiedName attribute supplies the cluster name (which selects the Ranger
 * service) and the resource path; the resource path is then split into Ranger resource
 * levels according to the entity type. Because the result decides which HBase resource a
 * tag, and therefore a tag-based policy, applies to, any parse failure is rejected with an
 * exception rather than mapped to a partial resource.
 *
 * @param entity Atlas entity whose attributes carry the qualified name
 * @return the service resource identified by the entity's GUID, the Ranger service derived
 *         from the cluster name, and the parsed resource levels
 * @throws Exception if the qualified name, its resource or cluster part is missing, the
 *         entity type is not an HBase type, or the resource part has too few segments for
 *         the entity type
 */
@Override
public RangerServiceResource buildResource(final RangerAtlasEntity entity) throws Exception {
    String qualifiedName = (String) entity.getAttributes().get(AtlasResourceMapper.ENTITY_ATTRIBUTE_QUALIFIED_NAME);
    if (StringUtils.isEmpty(qualifiedName)) {
        throw new Exception("attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "' not found in entity");
    }
    String resourcePart = getResourceNameFromQualifiedName(qualifiedName);
    if (StringUtils.isEmpty(resourcePart)) {
        throwExceptionWithMessage("resource not found in attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "': " + qualifiedName);
    }
    String clusterName = getClusterNameFromQualifiedName(qualifiedName);
    if (StringUtils.isEmpty(clusterName)) {
        throwExceptionWithMessage("cluster-name not found in attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "': " + qualifiedName);
    }
    String entityType = entity.getTypeName();
    String entityGuid = entity.getGuid();
    String serviceName = getRangerServiceName(clusterName);
    Map<String, RangerPolicyResource> levels = new HashMap<>();
    if (StringUtils.equals(entityType, ENTITY_TYPE_HBASE_NAMESPACE)) {
        // A namespace is expressed as a wildcard over all tables in that namespace.
        String namespaceName = StringUtils.isNotEmpty(resourcePart) ? StringUtils.strip(resourcePart) : null;
        if (StringUtils.isNotEmpty(namespaceName)) {
            levels.put(RANGER_TYPE_HBASE_TABLE, new RangerPolicyResource(namespaceName + RANGER_NAMESPACE_TABLE_DELIMITER + "*"));
        }
    } else if (StringUtils.equals(entityType, ENTITY_TYPE_HBASE_TABLE)) {
        if (StringUtils.isNotEmpty(resourcePart)) {
            levels.put(RANGER_TYPE_HBASE_TABLE, new RangerPolicyResource(resourcePart));
        }
    } else if (StringUtils.equals(entityType, ENTITY_TYPE_HBASE_COLUMN_FAMILY)) {
        // Last segment is the column family; everything before it is the (possibly delimited) table name.
        String[] parts = splitTableAndTrailing(resourcePart, 1);
        if (parts != null && StringUtils.isNotEmpty(parts[0]) && StringUtils.isNotEmpty(parts[1])) {
            levels.put(RANGER_TYPE_HBASE_TABLE, new RangerPolicyResource(parts[0]));
            levels.put(RANGER_TYPE_HBASE_COLUMN_FAMILY, new RangerPolicyResource(parts[1]));
        }
    } else if (StringUtils.equals(entityType, ENTITY_TYPE_HBASE_COLUMN)) {
        // Last two segments are column family and column; the rest is the table name.
        String[] parts = splitTableAndTrailing(resourcePart, 2);
        if (parts != null && StringUtils.isNotEmpty(parts[0]) && StringUtils.isNotEmpty(parts[1]) && StringUtils.isNotEmpty(parts[2])) {
            levels.put(RANGER_TYPE_HBASE_TABLE, new RangerPolicyResource(parts[0]));
            levels.put(RANGER_TYPE_HBASE_COLUMN_FAMILY, new RangerPolicyResource(parts[1]));
            levels.put(RANGER_TYPE_HBASE_COLUMN, new RangerPolicyResource(parts[2]));
        }
    } else {
        throwExceptionWithMessage("unrecognized entity-type: " + entityType);
    }
    if (levels.isEmpty()) {
        throwExceptionWithMessage("invalid qualifiedName for entity-type '" + entityType + "': " + qualifiedName);
    }
    return new RangerServiceResource(entityGuid, serviceName, levels);
}

/**
 * Splits {@code resourcePart} on QUALIFIED_NAME_DELIMITER and separates the trailing
 * {@code trailing} segments from the table name formed by all preceding segments.
 *
 * @param resourcePart resource portion of the qualified name
 * @param trailing     number of trailing segments to peel off (1 for column family, 2 for column)
 * @return an array whose element 0 is the table name (leading segments re-joined with
 *         QUALIFIED_NAME_DELIMITER_CHAR) followed by the {@code trailing} peeled segments,
 *         or {@code null} when there are too few segments
 */
private String[] splitTableAndTrailing(String resourcePart, int trailing) {
    String[] segments = resourcePart.split(QUALIFIED_NAME_DELIMITER);
    if (segments.length < trailing + 1) {
        return null;
    }
    int tableSegmentCount = segments.length - trailing;
    StringBuilder tableName = new StringBuilder(segments[0]);
    for (int i = 1; i < tableSegmentCount; i++) {
        tableName.append(QUALIFIED_NAME_DELIMITER_CHAR).append(segments[i]);
    }
    String[] parts = new String[trailing + 1];
    parts[0] = tableName.toString();
    System.arraycopy(segments, tableSegmentCount, parts, 1, trailing);
    return parts;
}

Example 87 with RangerPolicyResource

Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

Class RangerDefaultPolicyResourceMatcher, method isMatch.

/**
 * Checks whether another policy's resources match this matcher's policy under the given scope.
 *
 * Only policies of this matcher's policy type with a non-empty resource map are considered.
 * The policy's resource keys are resolved to a resource-def hierarchy and the hierarchy is
 * walked level by level: at each level the first policy value that yields a match is taken;
 * a level with no matching value fails the whole match. A level without values is a gap;
 * once a gap has been seen, any later level that does carry values fails the match. The
 * match type reached at the deepest evaluated level is finally checked against {@code scope}.
 *
 * @param policy      policy whose resources are tested against this matcher
 * @param scope       requested match scope (self, ancestor, descendant, ...)
 * @param evalContext evaluation context passed to the per-level matchers
 * @return {@code true} if every level with values matched and the resulting match type
 *         satisfies {@code scope}
 */
@Override
public boolean isMatch(RangerPolicy policy, MatchScope scope, Map<String, Object> evalContext) {
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.getPoliciesNonLegacy()");
    }
    boolean matched = false;
    Map<String, RangerPolicyResource> otherResources = policy.getResources();
    if (policy.getPolicyType() == policyType && MapUtils.isNotEmpty(otherResources)) {
        List<RangerResourceDef> hierarchy = getMatchingHierarchy(otherResources.keySet());
        if (CollectionUtils.isNotEmpty(hierarchy)) {
            matched = matchAlongHierarchy(hierarchy, otherResources, scope, evalContext);
        }
    }
    RangerPerfTracer.log(perf);
    return matched;
}

/**
 * Walks {@code hierarchy} top-down, binding the first matching policy value of each level
 * into a synthetic access resource, and checks the final match type against {@code scope}.
 *
 * @return {@code true} if no level failed and the deepest match type satisfies {@code scope}
 */
private boolean matchAlongHierarchy(List<RangerResourceDef> hierarchy, Map<String, RangerPolicyResource> otherResources, MatchScope scope, Map<String, Object> evalContext) {
    RangerAccessResourceImpl accessResource = new RangerAccessResourceImpl();
    accessResource.setServiceDef(serviceDef);
    MatchType deepestMatch = MatchType.NONE;
    boolean gapSeen = false;
    boolean matchedSoFar = false;
    for (RangerResourceDef resourceDef : hierarchy) {
        String levelName = resourceDef.getName();
        RangerPolicyResource levelResource = otherResources.get(levelName);
        boolean hasValues = levelResource != null && CollectionUtils.isNotEmpty(levelResource.getValues());
        if (!hasValues) {
            // A level without values: tolerated only if the levels above it already matched.
            gapSeen = true;
            if (!matchedSoFar) {
                break;
            }
            continue;
        }
        if (gapSeen) {
            // Values below a gap cannot be matched meaningfully; the policy does not match.
            return false;
        }
        matchedSoFar = false;
        deepestMatch = MatchType.NONE;
        for (String value : levelResource.getValues()) {
            accessResource.setValue(levelName, value);
            deepestMatch = getMatchType(accessResource, evalContext);
            if (deepestMatch != MatchType.NONE) {
                matchedSoFar = true;
                break;
            }
        }
        if (!matchedSoFar) {
            // No value at this level matched; deeper levels need not be examined.
            break;
        }
    }
    return matchedSoFar && isMatch(scope, deepestMatch);
}

Example 88 with RangerPolicyResource

Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

Class RangerDefaultPolicyResourceMatcher, method init.

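/**
 * Builds the per-resource matchers for this policy's resources.
 *
 * All derived state is reset first so that a failed (re-)initialisation never leaves stale
 * matchers behind. The policy's resource keys are checked against every resource hierarchy
 * the service definition allows for this policy type; a hierarchy with gaps is skipped. If
 * exactly one hierarchy is valid it is remembered in {@code validResourceHierarchy}; with
 * several valid ones the field is left {@code null}. A matcher is then created for every
 * resource named in a valid hierarchy, and {@code needsDynamicEval} is raised if any matcher
 * needs it. Failure to create any matcher discards all matchers and logs the reason.
 *
 * {@code isInitialized} is set only when matchers were built, or when the policy is an audit
 * policy (which has no access decision to fail closed on).
 */
@Override
public void init() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.init()");
    }
    allMatchers = null;
    needsDynamicEval = false;
    validResourceHierarchy = null;
    isInitialized = false;
    String errorText = "";
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG, "RangerDefaultPolicyResourceMatcher.init()");
    }
    if (policyResources != null && !policyResources.isEmpty() && serviceDef != null) {
        if (serviceDefHelper == null) {
            serviceDefHelper = new RangerServiceDefHelper(serviceDef, false);
        }
        Set<List<RangerResourceDef>> resourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType, policyResources.keySet());
        int validHierarchiesCount = 0;
        for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
            if (isHierarchyValidForResources(resourceHierarchy, policyResources)) {
                validHierarchiesCount++;
                // Exactly one valid hierarchy is remembered; more than one is ambiguous and leaves null.
                validResourceHierarchy = validHierarchiesCount == 1 ? resourceHierarchy : null;
            } else {
                // Log the hierarchy that is actually skipped (previously the whole set was printed).
                LOG.warn("RangerDefaultPolicyResourceMatcher.init(): gaps found in policyResources, skipping hierarchy:[" + resourceHierarchy + "]");
            }
        }
        if (validHierarchiesCount > 0) {
            allMatchers = new HashMap<>();
            for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
                for (RangerResourceDef resourceDef : resourceHierarchy) {
                    String resourceName = resourceDef.getName();
                    if (allMatchers.containsKey(resourceName)) {
                        // Same resource may appear in several hierarchies; one matcher suffices.
                        continue;
                    }
                    RangerPolicyResource policyResource = policyResources.get(resourceName);
                    if (policyResource == null) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("RangerDefaultPolicyResourceMatcher.init(): no matcher created for " + resourceName + ". Continuing ...");
                        }
                        continue;
                    }
                    RangerResourceMatcher matcher = createResourceMatcher(resourceDef, policyResource);
                    if (matcher != null) {
                        if (!needsDynamicEval && matcher.getNeedsDynamicEval()) {
                            needsDynamicEval = true;
                        }
                        allMatchers.put(resourceName, matcher);
                    } else {
                        // One missing matcher invalidates the whole set: never match on a partial policy.
                        LOG.error("RangerDefaultPolicyResourceMatcher.init(): failed to find matcher for resource " + resourceName);
                        allMatchers = null;
                        errorText = "no matcher found for resource " + resourceName;
                        break;
                    }
                }
                if (allMatchers == null) {
                    break;
                }
            }
        } else {
            errorText = "policyResources elements are not part of any valid resourcedef hierarchy.";
        }
    } else {
        errorText = "policyResources is null or empty, or serviceDef is null.";
    }
    if (allMatchers == null && policyType != RangerPolicy.POLICY_TYPE_AUDIT) {
        serviceDefHelper = null;
        validResourceHierarchy = null;
        Set<String> policyResourceKeys = policyResources == null ? null : policyResources.keySet();
        String serviceDefName = serviceDef == null ? "" : serviceDef.getName();
        StringBuilder keysString = new StringBuilder();
        if (CollectionUtils.isNotEmpty(policyResourceKeys)) {
            for (String policyResourceKeyName : policyResourceKeys) {
                keysString.append(policyResourceKeyName).append(" ");
            }
        }
        // Closing parenthesis added so the diagnostic reads as the single parenthesised group it opens.
        LOG.error("RangerDefaultPolicyResourceMatcher.init() failed: " + errorText + " (serviceDef=" + serviceDefName + ", policyResourceKeys=" + keysString + ")");
    } else {
        isInitialized = true;
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.init(): ret=" + isInitialized);
    }
}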

Example 89 with RangerPolicyResource

Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

Class RangerDefaultPolicyResourceMatcher, method isMatch.

/**
 * Checks whether an access resource matches this matcher's policy resources.
 *
 * The access resource is first converted into a single-value policy-resource map (one entry
 * per service-def resource level that carries a String value) and then handed to the
 * map-based {@code isMatch}. A resource with no String-valued level, or with any non-null
 * value that is not a String, does not match.
 *
 * @param resource    access resource to test
 * @param evalContext evaluation context passed to the per-level matchers
 * @return {@code true} if the converted resource matches this policy's resources
 */
@Override
public boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext) {
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.grantRevokeMatch()");
    }
    /*
     * There is already API to get the delegateAdmin permissions for a map of policyResources.
     * That implementation should be reused for figuring out delegateAdmin permissions for a resource as well.
     */
    Map<String, RangerPolicyResource> asPolicyResources = toPolicyResources(resource);
    boolean matched = MapUtils.isNotEmpty(asPolicyResources) && isMatch(asPolicyResources, evalContext);
    RangerPerfTracer.log(perf);
    return matched;
}

/**
 * Converts the String-valued levels of {@code resource} into single-value policy resources,
 * keyed by resource-def name, walking {@code serviceDef.getResources()} in order.
 *
 * @return the converted map, or {@code null} when no level carries a value or when some
 *         level carries a non-null value that is not a String (such a resource never matches)
 */
private Map<String, RangerPolicyResource> toPolicyResources(RangerAccessResource resource) {
    Map<String, RangerPolicyResource> converted = null;
    for (RangerResourceDef resourceDef : serviceDef.getResources()) {
        String levelName = resourceDef.getName();
        Object levelValue = resource.getValue(levelName);
        if (levelValue == null) {
            continue;
        }
        if (!(levelValue instanceof String)) {
            return null;
        }
        if (converted == null) {
            converted = new HashMap<>();
        }
        converted.put(levelName, new RangerPolicyResource((String) levelValue));
    }
    return converted;
}

Example 90 with RangerPolicyResource

Use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

Class RangerResourceTrie, method buildTrie.

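/**
 * Builds the lookup trie for one resource level from the policy resources of {@code evaluators}.
 *
 * Evaluators that do not name this resource level are attached as inherited evaluators when
 * they are an ancestor of {@code resourceDef}; evaluators whose resource is an excludes-resource
 * are always attached as inherited; evaluators whose matcher matches anything become wildcard
 * evaluators of the root. All remaining resource values are inserted into the trie, either
 * directly or, when {@code builderThreadCount > 1}, by dispatching to builder threads whose
 * subtrees are merged into the root once they finish.
 *
 * @param resourceDef        resource level this trie indexes
 * @param evaluators         policy evaluators to index
 * @param builderThreadCount number of builder threads; values greater than 1 enable threading
 * @return the populated root, or {@code null} if the multi-threaded build was interrupted
 *         (the log messages indicate the caller then retries single-threaded)
 */
private TrieNode<T> buildTrie(RangerResourceDef resourceDef, List<T> evaluators, int builderThreadCount) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> buildTrie(" + resourceDef.getName() + ", evaluatorCount=" + evaluators.size() + ", isMultiThreaded=" + (builderThreadCount > 1) + ")");
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_TRIE_INIT_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_TRIE_INIT_LOG, "RangerResourceTrie.init(resourceDef=" + resourceDef.getName() + ")");
    }
    TrieNode<T> ret = new TrieNode<>(null);
    final boolean isMultiThreaded = builderThreadCount > 1;
    final List<ResourceTrieBuilderThread> builderThreads;
    final Map<Character, Integer> builderThreadMap;
    final String resourceName = resourceDef.getName();
    int lastUsedThreadIndex = 0;
    if (isMultiThreaded) {
        builderThreads = new ArrayList<>();
        for (int i = 0; i < builderThreadCount; i++) {
            ResourceTrieBuilderThread t = new ResourceTrieBuilderThread();
            t.setDaemon(true);
            builderThreads.add(t);
            t.start();
        }
        builderThreadMap = new HashMap<>();
    } else {
        builderThreads = null;
        builderThreadMap = null;
    }
    for (T evaluator : evaluators) {
        Map<String, RangerPolicyResource> policyResources = evaluator.getPolicyResource();
        RangerPolicyResource policyResource = policyResources != null ? policyResources.get(resourceName) : null;
        if (policyResource == null) {
            // Policy does not constrain this level: applies to everything below if it is an ancestor.
            if (evaluator.isAncestorOf(resourceDef)) {
                addInheritedEvaluator(evaluator);
            }
            continue;
        }
        if (policyResource.getIsExcludes()) {
            // Excludes cannot be indexed by prefix; evaluate them against every lookup instead.
            addInheritedEvaluator(evaluator);
        } else {
            RangerResourceMatcher resourceMatcher = evaluator.getResourceMatcher(resourceName);
            if (resourceMatcher != null && resourceMatcher.isMatchAny()) {
                ret.addWildcardEvaluator(evaluator);
            } else {
                if (CollectionUtils.isNotEmpty(policyResource.getValues())) {
                    for (String resource : policyResource.getValues()) {
                        if (!isMultiThreaded) {
                            insert(ret, resource, policyResource.getIsRecursive(), evaluator);
                        } else {
                            try {
                                lastUsedThreadIndex = insert(ret, resource, policyResource.getIsRecursive(), evaluator, builderThreadMap, builderThreads, lastUsedThreadIndex);
                            } catch (InterruptedException ex) {
                                // Restore the interrupt flag for the caller and keep the cause in the log.
                                Thread.currentThread().interrupt();
                                LOG.error("Failed to dispatch " + resource + " to " + builderThreads.get(lastUsedThreadIndex), ex);
                                LOG.error("Failing and retrying with one thread");
                                // NOTE(review): on this failure path the started builder threads are not
                                // handed to cleanUpThreads(); they are daemon threads, but confirm they terminate.
                                ret = null;
                                break;
                            }
                        }
                    }
                    if (ret == null) {
                        break;
                    }
                }
            }
        }
    }
    if (ret != null) {
        if (isMultiThreaded) {
            for (ResourceTrieBuilderThread t : builderThreads) {
                try {
                    // Send termination signal to each thread
                    t.add("", false, null);
                    // Wait for threads to finish work
                    t.join();
                    ret.getChildren().putAll(t.getSubtrees());
                } catch (InterruptedException ex) {
                    Thread.currentThread().interrupt();
                    LOG.error("BuilderThread " + t + " was interrupted:", ex);
                    LOG.error("Failing and retrying with one thread");
                    ret = null;
                    break;
                }
            }
            cleanUpThreads(builderThreads);
        }
    }
    RangerPerfTracer.logAlways(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== buildTrie(" + resourceDef.getName() + ", evaluatorCount=" + evaluators.size() + ", isMultiThreaded=" + isMultiThreaded + ") :" + ret);
    }
    return ret;
}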
