Example 86 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class AtlasHbaseResourceMapper method buildResource.
@Override
public RangerServiceResource buildResource(final RangerAtlasEntity entity) throws Exception {
String qualifiedName = (String) entity.getAttributes().get(AtlasResourceMapper.ENTITY_ATTRIBUTE_QUALIFIED_NAME);
if (StringUtils.isEmpty(qualifiedName)) {
throw new Exception("attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "' not found in entity");
}
String resourceStr = getResourceNameFromQualifiedName(qualifiedName);
if (StringUtils.isEmpty(resourceStr)) {
throwExceptionWithMessage("resource not found in attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "': " + qualifiedName);
}
String clusterName = getClusterNameFromQualifiedName(qualifiedName);
if (StringUtils.isEmpty(clusterName)) {
throwExceptionWithMessage("cluster-name not found in attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "': " + qualifiedName);
}
String entityType = entity.getTypeName();
String entityGuid = entity.getGuid();
String serviceName = getRangerServiceName(clusterName);
Map<String, RangerPolicyResource> elements = new HashMap<String, RangerPolicyResource>();
if (StringUtils.equals(entityType, ENTITY_TYPE_HBASE_NAMESPACE)) {
if (StringUtils.isNotEmpty(resourceStr)) {
String namespaceName = StringUtils.strip(resourceStr);
if (StringUtils.isNotEmpty(namespaceName)) {
elements.put(RANGER_TYPE_HBASE_TABLE, new RangerPolicyResource(namespaceName + RANGER_NAMESPACE_TABLE_DELIMITER + "*"));
}
}
} else if (StringUtils.equals(entityType, ENTITY_TYPE_HBASE_TABLE)) {
if (StringUtils.isNotEmpty(resourceStr)) {
elements.put(RANGER_TYPE_HBASE_TABLE, new RangerPolicyResource(resourceStr));
}
} else if (StringUtils.equals(entityType, ENTITY_TYPE_HBASE_COLUMN_FAMILY)) {
String[] resources = resourceStr.split(QUALIFIED_NAME_DELIMITER);
String tblName = null;
String familyName = null;
if (resources.length == 2) {
tblName = resources[0];
familyName = resources[1];
} else if (resources.length > 2) {
StringBuilder tblNameBuf = new StringBuilder(resources[0]);
for (int i = 1; i < resources.length - 1; i++) {
tblNameBuf.append(QUALIFIED_NAME_DELIMITER_CHAR).append(resources[i]);
}
tblName = tblNameBuf.toString();
familyName = resources[resources.length - 1];
}
if (StringUtils.isNotEmpty(tblName) && StringUtils.isNotEmpty(familyName)) {
elements.put(RANGER_TYPE_HBASE_TABLE, new RangerPolicyResource(tblName));
elements.put(RANGER_TYPE_HBASE_COLUMN_FAMILY, new RangerPolicyResource(familyName));
}
} else if (StringUtils.equals(entityType, ENTITY_TYPE_HBASE_COLUMN)) {
String[] resources = resourceStr.split(QUALIFIED_NAME_DELIMITER);
String tblName = null;
String familyName = null;
String colName = null;
if (resources.length == 3) {
tblName = resources[0];
familyName = resources[1];
colName = resources[2];
} else if (resources.length > 3) {
StringBuilder tblNameBuf = new StringBuilder(resources[0]);
for (int i = 1; i < resources.length - 2; i++) {
tblNameBuf.append(QUALIFIED_NAME_DELIMITER_CHAR).append(resources[i]);
}
tblName = tblNameBuf.toString();
familyName = resources[resources.length - 2];
colName = resources[resources.length - 1];
}
if (StringUtils.isNotEmpty(tblName) && StringUtils.isNotEmpty(familyName) && StringUtils.isNotEmpty(colName)) {
elements.put(RANGER_TYPE_HBASE_TABLE, new RangerPolicyResource(tblName));
elements.put(RANGER_TYPE_HBASE_COLUMN_FAMILY, new RangerPolicyResource(familyName));
elements.put(RANGER_TYPE_HBASE_COLUMN, new RangerPolicyResource(colName));
}
} else {
throwExceptionWithMessage("unrecognized entity-type: " + entityType);
}
if (elements.isEmpty()) {
throwExceptionWithMessage("invalid qualifiedName for entity-type '" + entityType + "': " + qualifiedName);
}
return new RangerServiceResource(entityGuid, serviceName, elements);
}
Also used :
HashMap(java.util.HashMap)
RangerServiceResource(org.apache.ranger.plugin.model.RangerServiceResource)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
Example 87 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class RangerDefaultPolicyResourceMatcher method isMatch.
@Override
public boolean isMatch(RangerPolicy policy, MatchScope scope, Map<String, Object> evalContext) {
boolean ret = false;
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.getPoliciesNonLegacy()");
}
Map<String, RangerPolicyResource> resources = policy.getResources();
if (policy.getPolicyType() == policyType && MapUtils.isNotEmpty(resources)) {
List<RangerResourceDef> hierarchy = getMatchingHierarchy(resources.keySet());
if (CollectionUtils.isNotEmpty(hierarchy)) {
MatchType matchType = MatchType.NONE;
RangerAccessResourceImpl accessResource = new RangerAccessResourceImpl();
accessResource.setServiceDef(serviceDef);
// Build up accessResource resourceDef by resourceDef.
// For each resourceDef,
// examine policy-values one by one.
// The first value that is acceptable, that is,
// value matches in any way, is used for that resourceDef, and
// next resourceDef is processed.
// If none of the values matches, the policy as a whole definitely will not match,
// therefore, the match is failed
// After all resourceDefs are processed, and some match is achieved at every
// level, the final matchType (which is for the entire policy) is checked against
// requested scope to determine the match-result.
// Unit tests in TestDefaultPolicyResourceForPolicy.java, TestDefaultPolicyResourceMatcher.java
// test_defaultpolicyresourcematcher_for_hdfs_policy.json, and
// test_defaultpolicyresourcematcher_for_hive_policy.json, and
// test_defaultPolicyResourceMatcher.json
boolean skipped = false;
for (RangerResourceDef resourceDef : hierarchy) {
String name = resourceDef.getName();
RangerPolicyResource policyResource = resources.get(name);
if (policyResource != null && CollectionUtils.isNotEmpty(policyResource.getValues())) {
ret = false;
matchType = MatchType.NONE;
if (!skipped) {
for (String value : policyResource.getValues()) {
accessResource.setValue(name, value);
matchType = getMatchType(accessResource, evalContext);
if (matchType != MatchType.NONE) {
// One value for this resourceDef matched
ret = true;
break;
}
}
} else {
break;
}
} else {
skipped = true;
}
if (!ret) {
// None of the values specified for this resourceDef matched, no point in continuing with next resourceDef
break;
}
}
ret = ret && isMatch(scope, matchType);
}
}
RangerPerfTracer.log(perf);
return ret;
}
Also used :
RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
Example 88 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class RangerDefaultPolicyResourceMatcher method init.
@Override
public void init() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyResourceMatcher.init()");
}
allMatchers = null;
needsDynamicEval = false;
validResourceHierarchy = null;
isInitialized = false;
String errorText = "";
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG, "RangerDefaultPolicyResourceMatcher.init()");
}
if (policyResources != null && !policyResources.isEmpty() && serviceDef != null) {
serviceDefHelper = serviceDefHelper == null ? new RangerServiceDefHelper(serviceDef, false) : serviceDefHelper;
Set<List<RangerResourceDef>> resourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType, policyResources.keySet());
int validHierarchiesCount = 0;
for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
if (isHierarchyValidForResources(resourceHierarchy, policyResources)) {
validHierarchiesCount++;
if (validHierarchiesCount == 1) {
validResourceHierarchy = resourceHierarchy;
} else {
validResourceHierarchy = null;
}
} else {
LOG.warn("RangerDefaultPolicyResourceMatcher.init(): gaps found in policyResources, skipping hierarchy:[" + resourceHierarchies + "]");
}
}
if (validHierarchiesCount > 0) {
allMatchers = new HashMap<>();
for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
for (RangerResourceDef resourceDef : resourceHierarchy) {
String resourceName = resourceDef.getName();
if (allMatchers.containsKey(resourceName)) {
continue;
}
RangerPolicyResource policyResource = policyResources.get(resourceName);
if (policyResource == null) {
if (LOG.isDebugEnabled()) {
LOG.debug("RangerDefaultPolicyResourceMatcher.init(): no matcher created for " + resourceName + ". Continuing ...");
}
continue;
}
RangerResourceMatcher matcher = createResourceMatcher(resourceDef, policyResource);
if (matcher != null) {
if (!needsDynamicEval && matcher.getNeedsDynamicEval()) {
needsDynamicEval = true;
}
allMatchers.put(resourceName, matcher);
} else {
LOG.error("RangerDefaultPolicyResourceMatcher.init(): failed to find matcher for resource " + resourceName);
allMatchers = null;
errorText = "no matcher found for resource " + resourceName;
break;
}
}
if (allMatchers == null) {
break;
}
}
} else {
errorText = "policyResources elements are not part of any valid resourcedef hierarchy.";
}
} else {
errorText = "policyResources is null or empty, or serviceDef is null.";
}
if (allMatchers == null && policyType != RangerPolicy.POLICY_TYPE_AUDIT) {
serviceDefHelper = null;
validResourceHierarchy = null;
Set<String> policyResourceKeys = policyResources == null ? null : policyResources.keySet();
String serviceDefName = serviceDef == null ? "" : serviceDef.getName();
StringBuilder keysString = new StringBuilder();
if (CollectionUtils.isNotEmpty(policyResourceKeys)) {
for (String policyResourceKeyName : policyResourceKeys) {
keysString.append(policyResourceKeyName).append(" ");
}
}
LOG.error("RangerDefaultPolicyResourceMatcher.init() failed: " + errorText + " (serviceDef=" + serviceDefName + ", policyResourceKeys=" + keysString.toString());
} else {
isInitialized = true;
}
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyResourceMatcher.init(): ret=" + isInitialized);
}
}
Also used :
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
RangerServiceDefHelper(org.apache.ranger.plugin.model.validation.RangerServiceDefHelper)
RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher)
List(java.util.List)
RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
Example 89 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class RangerDefaultPolicyResourceMatcher method isMatch.
@Override
public boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext) {
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.grantRevokeMatch()");
}
/*
* There is already API to get the delegateAdmin permissions for a map of policyResources.
* That implementation should be reused for figuring out delegateAdmin permissions for a resource as well.
*/
Map<String, RangerPolicyResource> policyResources = null;
for (RangerResourceDef resourceDef : serviceDef.getResources()) {
String resourceName = resourceDef.getName();
Object resourceValue = resource.getValue(resourceName);
if (resourceValue instanceof String) {
String strValue = (String) resourceValue;
if (policyResources == null) {
policyResources = new HashMap<>();
}
policyResources.put(resourceName, new RangerPolicyResource(strValue));
} else if (resourceValue != null) {
// return false for any other type of resourceValue
policyResources = null;
break;
}
}
final boolean ret = MapUtils.isNotEmpty(policyResources) && isMatch(policyResources, evalContext);
RangerPerfTracer.log(perf);
return ret;
}
Also used :
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
Example 90 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class RangerResourceTrie method buildTrie.
private TrieNode<T> buildTrie(RangerResourceDef resourceDef, List<T> evaluators, int builderThreadCount) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> buildTrie(" + resourceDef.getName() + ", evaluatorCount=" + evaluators.size() + ", isMultiThreaded=" + (builderThreadCount > 1) + ")");
}
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_TRIE_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_TRIE_INIT_LOG, "RangerResourceTrie.init(resourceDef=" + resourceDef.getName() + ")");
}
TrieNode<T> ret = new TrieNode<>(null);
final boolean isMultiThreaded = builderThreadCount > 1;
final List<ResourceTrieBuilderThread> builderThreads;
final Map<Character, Integer> builderThreadMap;
final String resourceName = resourceDef.getName();
int lastUsedThreadIndex = 0;
if (isMultiThreaded) {
builderThreads = new ArrayList<>();
for (int i = 0; i < builderThreadCount; i++) {
ResourceTrieBuilderThread t = new ResourceTrieBuilderThread();
t.setDaemon(true);
builderThreads.add(t);
t.start();
}
builderThreadMap = new HashMap<>();
} else {
builderThreads = null;
builderThreadMap = null;
}
for (T evaluator : evaluators) {
Map<String, RangerPolicyResource> policyResources = evaluator.getPolicyResource();
RangerPolicyResource policyResource = policyResources != null ? policyResources.get(resourceName) : null;
if (policyResource == null) {
if (evaluator.isAncestorOf(resourceDef)) {
addInheritedEvaluator(evaluator);
}
continue;
}
if (policyResource.getIsExcludes()) {
addInheritedEvaluator(evaluator);
} else {
RangerResourceMatcher resourceMatcher = evaluator.getResourceMatcher(resourceName);
if (resourceMatcher != null && (resourceMatcher.isMatchAny())) {
ret.addWildcardEvaluator(evaluator);
} else {
if (CollectionUtils.isNotEmpty(policyResource.getValues())) {
for (String resource : policyResource.getValues()) {
if (!isMultiThreaded) {
insert(ret, resource, policyResource.getIsRecursive(), evaluator);
} else {
try {
lastUsedThreadIndex = insert(ret, resource, policyResource.getIsRecursive(), evaluator, builderThreadMap, builderThreads, lastUsedThreadIndex);
} catch (InterruptedException ex) {
LOG.error("Failed to dispatch " + resource + " to " + builderThreads.get(lastUsedThreadIndex));
LOG.error("Failing and retrying with one thread");
ret = null;
break;
}
}
}
if (ret == null) {
break;
}
}
}
}
}
if (ret != null) {
if (isMultiThreaded) {
for (ResourceTrieBuilderThread t : builderThreads) {
try {
// Send termination signal to each thread
t.add("", false, null);
// Wait for threads to finish work
t.join();
ret.getChildren().putAll(t.getSubtrees());
} catch (InterruptedException ex) {
LOG.error("BuilderThread " + t + " was interrupted:", ex);
LOG.error("Failing and retrying with one thread");
ret = null;
break;
}
}
cleanUpThreads(builderThreads);
}
}
RangerPerfTracer.logAlways(perf);
if (LOG.isDebugEnabled()) {
LOG.debug("<== buildTrie(" + resourceDef.getName() + ", evaluatorCount=" + evaluators.size() + ", isMultiThreaded=" + isMultiThreaded + ") :" + ret);
}
return ret;
}
Also used :
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher)
Aggregations
RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)101
HashMap (java.util.HashMap)65
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)64
ArrayList (java.util.ArrayList)50
Test (org.junit.Test)43
RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)35
RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)32
Date (java.util.Date)26
RangerService (org.apache.ranger.plugin.model.RangerService)23
VXString (org.apache.ranger.view.VXString)18
RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)17
VXAuditMap (org.apache.ranger.view.VXAuditMap)15
VXResource (org.apache.ranger.view.VXResource)15
RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)12
LinkedHashMap (java.util.LinkedHashMap)10
XXServiceDef (org.apache.ranger.entity.XXServiceDef)8
RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)8
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)8
ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)8
RangerServiceResource (org.apache.ranger.plugin.model.RangerServiceResource)7
