Example 66 with RangerPolicy
use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.
the class ServiceREST method grantAccess.
@POST
@Path("/services/grant/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse grantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + ")");
}
RESTResponse ret = new RESTResponse();
RangerPerfTracer perf = null;
if (grantRequest != null) {
if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.grantAccess(serviceName=" + serviceName + ")");
}
validateGrantRevokeRequest(grantRequest);
String userName = grantRequest.getGrantor();
Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
VXUser vxUser = xUserService.getXUserByUserName(userName);
if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
VXResponse vXResponse = new VXResponse();
vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
vXResponse.setMsgDesc("Operation" + " denied. LoggedInUser=" + vxUser.getId() + " ,isn't permitted to perform the action.");
throw restErrorUtil.generateRESTException(vXResponse);
}
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
if (!isAdmin) {
throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access");
}
RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
if (policy != null) {
boolean policyUpdated = false;
policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest);
if (policyUpdated) {
svcStore.updatePolicy(policy);
} else {
LOG.error("processGrantRequest processing failed");
throw new Exception("processGrantRequest processing failed");
}
} else {
policy = new RangerPolicy();
policy.setService(serviceName);
// TODO: better policy name
policy.setName("grant-" + System.currentTimeMillis());
policy.setDescription("created by grant");
policy.setIsAuditEnabled(grantRequest.getEnableAudit());
policy.setCreatedBy(userName);
Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
Set<String> resourceNames = resource.getKeys();
if (!CollectionUtils.isEmpty(resourceNames)) {
for (String resourceName : resourceNames) {
RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
policyResource.setIsRecursive(grantRequest.getIsRecursive());
policyResources.put(resourceName, policyResource);
}
}
policy.setResources(policyResources);
RangerPolicyItem policyItem = new RangerPolicyItem();
policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
policyItem.getUsers().addAll(grantRequest.getUsers());
policyItem.getGroups().addAll(grantRequest.getGroups());
for (String accessType : grantRequest.getAccessTypes()) {
policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
}
policy.getPolicyItems().add(policyItem);
svcStore.createPolicy(policy);
}
} catch (WebApplicationException excp) {
throw excp;
} catch (Throwable excp) {
LOG.error("grantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
throw restErrorUtil.createRESTException(excp.getMessage());
} finally {
RangerPerfTracer.log(perf);
}
ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + "): " + ret);
}
return ret;
}
Also used :
VXResponse(org.apache.ranger.view.VXResponse)
WebApplicationException(javax.ws.rs.WebApplicationException)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
LinkedHashMap(java.util.LinkedHashMap)
HashMap(java.util.HashMap)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
VXString(org.apache.ranger.view.VXString)
VXUser(org.apache.ranger.view.VXUser)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
WebApplicationException(javax.ws.rs.WebApplicationException)
IOException(java.io.IOException)
JsonSyntaxException(com.google.gson.JsonSyntaxException)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)
RESTResponse(org.apache.ranger.admin.client.datatype.RESTResponse)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
RangerAccessResource(org.apache.ranger.plugin.policyengine.RangerAccessResource)
Path(javax.ws.rs.Path)
POST(javax.ws.rs.POST)
Produces(javax.ws.rs.Produces)
Example 67 with RangerPolicy
use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.
the class ServiceREST method countPolicies.
@GET
@Path("/policies/count")
@Produces({ "application/json", "application/xml" })
public Long countPolicies(@Context HttpServletRequest request) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.countPolicies():");
}
Long ret = null;
RangerPerfTracer perf = null;
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.countPolicies()");
}
List<RangerPolicy> policies = getPolicies(request).getPolicies();
policies = applyAdminAccessFilter(policies);
ret = Long.valueOf(policies == null ? 0 : policies.size());
} catch (WebApplicationException excp) {
throw excp;
} catch (Throwable excp) {
LOG.error("countPolicies() failed", excp);
throw restErrorUtil.createRESTException(excp.getMessage());
} finally {
RangerPerfTracer.log(perf);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.countPolicies(): " + ret);
}
return ret;
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
WebApplicationException(javax.ws.rs.WebApplicationException)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
Path(javax.ws.rs.Path)
Produces(javax.ws.rs.Produces)
GET(javax.ws.rs.GET)
Example 68 with RangerPolicy
use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.
the class ServiceREST method toRangerPolicyList.
private RangerPolicyList toRangerPolicyList(List<RangerPolicy> policyList, SearchFilter filter) {
RangerPolicyList ret = new RangerPolicyList();
if (CollectionUtils.isNotEmpty(policyList)) {
int totalCount = policyList.size();
int startIndex = filter.getStartIndex();
int pageSize = filter.getMaxRows();
int toIndex = Math.min(startIndex + pageSize, totalCount);
String sortType = filter.getSortType();
String sortBy = filter.getSortBy();
List<RangerPolicy> retList = new ArrayList<RangerPolicy>();
for (int i = startIndex; i < toIndex; i++) {
retList.add(policyList.get(i));
}
ret.setPolicies(retList);
ret.setPageSize(pageSize);
ret.setResultSize(retList.size());
ret.setStartIndex(startIndex);
ret.setTotalCount(totalCount);
ret.setSortBy(sortBy);
ret.setSortType(sortType);
}
return ret;
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
ArrayList(java.util.ArrayList)
VXString(org.apache.ranger.view.VXString)
RangerPolicyList(org.apache.ranger.view.RangerPolicyList)
Example 69 with RangerPolicy
use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.
the class ServiceREST method getExactMatchPolicyForResource.
private RangerPolicy getExactMatchPolicyForResource(String serviceName, Map<String, RangerPolicyResource> resources, String user) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resources + ", " + user + ")");
}
RangerPolicy ret = null;
RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
Map<String, Object> evalContext = new HashMap<String, Object>();
RangerAccessRequestUtil.setCurrentUserInContext(evalContext, user);
List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(resources, evalContext) : null;
if (CollectionUtils.isNotEmpty(policies)) {
// at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store
ret = svcStore.getPolicy(policies.get(0).getId());
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.getExactMatchPolicyForResource(" + resources + ", " + user + "): " + ret);
}
return ret;
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
LinkedHashMap(java.util.LinkedHashMap)
HashMap(java.util.HashMap)
RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)
VXString(org.apache.ranger.view.VXString)
Example 70 with RangerPolicy
use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.
the class ServiceREST method getAllFilteredPolicyList.
private List<RangerPolicy> getAllFilteredPolicyList(SearchFilter filter, HttpServletRequest request, List<RangerPolicy> policyLists) {
String serviceNames = null;
String serviceType = null;
List<String> serviceNameList = null;
List<String> serviceTypeList = null;
List<String> serviceNameInServiceTypeList = new ArrayList<String>();
boolean isServiceExists = false;
if (request.getParameter(PARAM_SERVICE_NAME) != null) {
serviceNames = request.getParameter(PARAM_SERVICE_NAME);
}
if (StringUtils.isNotEmpty(serviceNames)) {
serviceNameList = new ArrayList<String>(Arrays.asList(serviceNames.split(",")));
}
if (request.getParameter(PARAM_SERVICE_TYPE) != null) {
serviceType = request.getParameter(PARAM_SERVICE_TYPE);
}
if (StringUtils.isNotEmpty(serviceType)) {
serviceTypeList = new ArrayList<String>(Arrays.asList(serviceType.split(",")));
}
List<RangerPolicy> policyList = new ArrayList<RangerPolicy>();
List<RangerPolicy> policyListByServiceName = new ArrayList<RangerPolicy>();
if (filter != null) {
filter.setStartIndex(0);
filter.setMaxRows(Integer.MAX_VALUE);
if (!CollectionUtils.isEmpty(serviceTypeList)) {
for (String s : serviceTypeList) {
filter.removeParam(PARAM_SERVICE_TYPE);
if (request.getParameter(PARAM_SERVICE_NAME) != null) {
filter.removeParam(PARAM_SERVICE_NAME);
}
filter.setParam(PARAM_SERVICE_TYPE, s.trim());
policyList = getPolicies(filter);
policyLists.addAll(policyList);
}
if (!CollectionUtils.sizeIsEmpty(policyLists)) {
for (RangerPolicy rangerPolicy : policyLists) {
if (StringUtils.isNotEmpty(rangerPolicy.getService())) {
serviceNameInServiceTypeList.add(rangerPolicy.getService());
}
}
}
}
if (!CollectionUtils.isEmpty(serviceNameList) && !CollectionUtils.isEmpty(serviceTypeList)) {
isServiceExists = serviceNameInServiceTypeList.containsAll(serviceNameList);
if (isServiceExists) {
for (String s : serviceNameList) {
filter.removeParam(PARAM_SERVICE_NAME);
filter.removeParam(PARAM_SERVICE_TYPE);
filter.setParam(PARAM_SERVICE_NAME, s.trim());
policyList = getPolicies(filter);
policyListByServiceName.addAll(policyList);
}
policyLists = policyListByServiceName;
} else {
policyLists = new ArrayList<RangerPolicy>();
}
} else if (CollectionUtils.isEmpty(serviceNameList) && CollectionUtils.isEmpty(serviceTypeList)) {
policyLists = getPolicies(filter);
}
if (!CollectionUtils.isEmpty(serviceNameList) && CollectionUtils.isEmpty(serviceTypeList)) {
for (String s : serviceNameList) {
filter.removeParam(PARAM_SERVICE_NAME);
filter.setParam(PARAM_SERVICE_NAME, s.trim());
policyList = getPolicies(filter);
policyLists.addAll(policyList);
}
}
}
if (StringUtils.isNotEmpty(request.getParameter("resourceMatch")) && "full".equalsIgnoreCase(request.getParameter("resourceMatch"))) {
policyLists = serviceUtil.getMatchingPoliciesForResource(request, policyLists);
}
Map<Long, RangerPolicy> orderedPolicies = new TreeMap<Long, RangerPolicy>();
if (!CollectionUtils.isEmpty(policyLists)) {
for (RangerPolicy policy : policyLists) {
if (policy != null) {
orderedPolicies.put(policy.getId(), policy);
}
}
if (!orderedPolicies.isEmpty()) {
policyLists.clear();
policyLists.addAll(orderedPolicies.values());
}
}
return policyLists;
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
ArrayList(java.util.ArrayList)
VXString(org.apache.ranger.view.VXString)
TreeMap(java.util.TreeMap)
Aggregations
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)196
ArrayList (java.util.ArrayList)78
Test (org.junit.Test)73
RangerService (org.apache.ranger.plugin.model.RangerService)52
VXString (org.apache.ranger.view.VXString)48
HashMap (java.util.HashMap)38
RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)36
RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)33
SearchFilter (org.apache.ranger.plugin.util.SearchFilter)30
WebApplicationException (javax.ws.rs.WebApplicationException)29
RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)27
RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)26
Path (javax.ws.rs.Path)23
Produces (javax.ws.rs.Produces)22
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)20
Date (java.util.Date)19
IOException (java.io.IOException)18
XXService (org.apache.ranger.entity.XXService)18
ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)16
RangerPolicyList (org.apache.ranger.view.RangerPolicyList)15
