
Example 71 with RangerPolicy

use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.

From class ServiceREST, method getServicePolicies.

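/**
 * Returns the policies of the named service, honouring the caller's admin scope.
 *
 * <p>A full admin with no filter constraints gets the requested page straight from the
 * store (pagination done by the query). Any other caller gets every policy from the store,
 * {@link #applyAdminAccessFilter} drops the policies the caller may not see, and only then
 * is the requested page cut from what remains — filtering after paging would leak the
 * existence of hidden policies as short or empty pages.
 *
 * @param serviceName service whose policies are listed
 * @param filter      search/paging filter; may be {@code null}
 * @return the selected page of policies
 * @throws WebApplicationException rethrown unchanged from the lower layers
 */
private RangerPolicyList getServicePolicies(String serviceName, SearchFilter filter) {
    RangerPerfTracer perf = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceName=" + serviceName + ")");
        }
        if (isAdminUserWithNoFilterParams(filter)) {
            PList<RangerPolicy> policies = svcStore.getPaginatedServicePolicies(serviceName, filter);
            return toRangerPolicyList(policies);
        }
        // get all policies from the store; pick the page to return after applying filter
        int savedStartIndex = filter == null ? 0 : filter.getStartIndex();
        int savedMaxRows = filter == null ? Integer.MAX_VALUE : filter.getMaxRows();
        if (filter != null) {
            filter.setStartIndex(0);
            filter.setMaxRows(Integer.MAX_VALUE);
        }
        List<RangerPolicy> servicePolicies;
        try {
            servicePolicies = svcStore.getServicePolicies(serviceName, filter);
        } finally {
            // restore the caller's paging window even when the store call throws;
            // previously it was only restored on the success path
            if (filter != null) {
                filter.setStartIndex(savedStartIndex);
                filter.setMaxRows(savedMaxRows);
            }
        }
        servicePolicies = applyAdminAccessFilter(servicePolicies);
        return toRangerPolicyList(servicePolicies, filter);
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("getServicePolicies(" + serviceName + ") failed", excp);
        // NOTE(review): excp.getMessage() is returned to the REST client as-is, so messages
        // from the store layer surface externally; consider a generic client-facing message.
        throw restErrorUtil.createRESTException(excp.getMessage());
    } finally {
        RangerPerfTracer.log(perf);
    }
}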

Example 72 with RangerPolicy

use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.

From class ServiceRESTUtil, method processRevokeRequest.

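/**
 * Applies a revoke request to {@code existingRangerPolicy} in place.
 *
 * <p>When the request asks to replace existing permissions, every policy item of the named
 * users and groups is removed through {@link #removeUsersAndGroupsFromPolicy}. Otherwise the
 * request is expressed as a one-item policy (its users, groups, access types and
 * delegate-admin flag); the ALLOW and DENY_EXCEPTIONS items of those users and groups have the
 * requested accesses removed, and the processed items are merged back and compacted.
 *
 * @param existingRangerPolicy policy to modify; mutated by this method
 * @param revokeRequest        users, groups and access types to revoke
 * @return in replace mode, whatever {@code removeUsersAndGroupsFromPolicy} reports; otherwise
 *         always {@code true}, whether or not the policy actually changed
 */
public static boolean processRevokeRequest(RangerPolicy existingRangerPolicy, GrantRevokeRequest revokeRequest) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceRESTUtil.processRevokeRequest()");
    }
    boolean policyUpdated = false;
    if (revokeRequest.getReplaceExistingPermissions()) {
        // remove all existing privileges for users and groups
        policyUpdated = removeUsersAndGroupsFromPolicy(existingRangerPolicy, revokeRequest.getUsers(), revokeRequest.getGroups());
    } else {
        // Build a policy and set up policyItem in it to mimic revoke request
        RangerPolicy appliedRangerPolicy = new RangerPolicy();
        RangerPolicy.RangerPolicyItem appliedRangerPolicyItem = new RangerPolicy.RangerPolicyItem();
        appliedRangerPolicyItem.setDelegateAdmin(revokeRequest.getDelegateAdmin());
        appliedRangerPolicyItem.getUsers().addAll(revokeRequest.getUsers());
        appliedRangerPolicyItem.getGroups().addAll(revokeRequest.getGroups());
        List<RangerPolicy.RangerPolicyItemAccess> appliedRangerPolicyItemAccess = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
        for (String accessType : revokeRequest.getAccessTypes()) {
            // the second constructor argument is false here — presumably the "allowed" flag;
            // the entry only names what is to be taken away
            appliedRangerPolicyItemAccess.add(new RangerPolicy.RangerPolicyItemAccess(accessType, false));
        }
        appliedRangerPolicyItem.setAccesses(appliedRangerPolicyItemAccess);
        appliedRangerPolicy.getPolicyItems().add(appliedRangerPolicyItem);
        List<RangerPolicy.RangerPolicyItem> appliedRangerPolicyItems = appliedRangerPolicy.getPolicyItems();
        if (CollectionUtils.isNotEmpty(appliedRangerPolicyItems)) {
            Set<String> users = new HashSet<String>();
            Set<String> groups = new HashSet<String>();
            Map<String, RangerPolicy.RangerPolicyItem[]> userPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem[]>();
            Map<String, RangerPolicy.RangerPolicyItem[]> groupPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem[]>();
            // Extract users and groups specified in appliedPolicy items
            extractUsersAndGroups(appliedRangerPolicyItems, users, groups);
            // Split existing policyItems for users and groups extracted from appliedPolicyItem into userPolicyItems and groupPolicyItems
            splitExistingPolicyItems(existingRangerPolicy, users, userPolicyItems, groups, groupPolicyItems);
            // users first, then groups — same order as before, in case an item is shared by both maps
            for (RangerPolicy.RangerPolicyItem tempPolicyItem : appliedRangerPolicyItems) {
                for (String user : tempPolicyItem.getUsers()) {
                    revokeFromPolicyItems(userPolicyItems.get(user), tempPolicyItem.getAccesses(), revokeRequest.getDelegateAdmin());
                }
            }
            for (RangerPolicy.RangerPolicyItem tempPolicyItem : appliedRangerPolicyItems) {
                for (String group : tempPolicyItem.getGroups()) {
                    revokeFromPolicyItems(groupPolicyItems.get(group), tempPolicyItem.getAccesses(), revokeRequest.getDelegateAdmin());
                }
            }
            // Add modified/new policyItems back to existing policy
            mergeProcessedPolicyItems(existingRangerPolicy, userPolicyItems, groupPolicyItems);
            compactPolicy(existingRangerPolicy);
        }
        policyUpdated = true;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceRESTUtil.processRevokeRequest() : " + policyUpdated);
    }
    return policyUpdated;
}

/**
 * Removes {@code revokedAccesses} from one principal's split policy items.
 *
 * <p>{@code rangerPolicyItems} is the per-principal array produced by
 * {@link #splitExistingPolicyItems}, indexed by {@code POLICYITEM_TYPE} ordinal. The ALLOW
 * item keeps {@code delegateAdmin} only while it still grants some access; once it is empty
 * the delegate-admin flag is cleared so no privilege survives a full revoke. The
 * DENY_EXCEPTIONS item always has delegate-admin cleared. Other slots are left untouched.
 *
 * @param rangerPolicyItems per-type items of a single user or group; may be {@code null} or empty
 * @param revokedAccesses   accesses to remove from the ALLOW and DENY_EXCEPTIONS items
 * @param delegateAdmin     delegate-admin flag requested by the revoke request
 */
private static void revokeFromPolicyItems(RangerPolicy.RangerPolicyItem[] rangerPolicyItems, List<RangerPolicy.RangerPolicyItemAccess> revokedAccesses, Boolean delegateAdmin) {
    if (rangerPolicyItems == null || rangerPolicyItems.length == 0) {
        return;
    }
    RangerPolicy.RangerPolicyItem allowItem = rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()];
    if (allowItem != null) {
        removeAccesses(allowItem, revokedAccesses);
        if (!CollectionUtils.isEmpty(allowItem.getAccesses())) {
            allowItem.setDelegateAdmin(delegateAdmin);
        } else {
            allowItem.setDelegateAdmin(Boolean.FALSE);
        }
    }
    RangerPolicy.RangerPolicyItem denyExceptionItem = rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()];
    if (denyExceptionItem != null) {
        removeAccesses(denyExceptionItem, revokedAccesses);
        denyExceptionItem.setDelegateAdmin(Boolean.FALSE);
    }
}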

Example 73 with RangerPolicy

use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.

From class RangerPolicyRetriever, method getPolicy.

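/**
 * Builds the {@link RangerPolicy} view of one persisted policy row.
 *
 * @param xPolicy  persisted policy row; {@code null} yields {@code null}
 * @param xService service the policy belongs to; {@code null} yields {@code null}
 * @return the populated policy, or {@code null} when either argument is missing
 */
public RangerPolicy getPolicy(XXPolicy xPolicy, XXService xService) {
    Long policyId = xPolicy == null ? null : xPolicy.getId();
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyRetriever.getPolicy(" + policyId + ")");
    }
    RangerPolicy ret = null;
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerPolicyRetriever.getPolicy(policyId=" + policyId + ")");
    }
    try {
        if (xPolicy != null && xService != null) {
            RetrieverContext ctx = new RetrieverContext(xPolicy, xService);
            ret = ctx.getNextPolicy();
        } else if (LOG.isDebugEnabled()) {
            LOG.debug("RangerPolicyRetriever.getPolicy(xPolicy=" + xPolicy + ", xService=" + xService + "): invalid parameter(s)");
        }
    } finally {
        // close the perf span even if getNextPolicy() throws; previously it was skipped on exceptions
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyRetriever.getPolicy(" + policyId + "): " + ret);
    }
    return ret;
}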

Example 74 with RangerPolicy

use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.

From class ServiceDBStore, method createDefaultPolicyUsersAndGroups.

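/**
 * Makes sure every user and group referenced by the default policies exists.
 *
 * <p>Users and groups are gathered from all six policy-item lists of each policy
 * (allow, allow-exceptions, deny, deny-exceptions, data-mask, row-filter). A missing user
 * is created through {@code xUserMgr}; a missing group is created as an internal, visible
 * {@link VXGroup}. The special principals {@code USER_CURRENT} and {@code RESOURCE_OWNER}
 * are never looked up or created.
 *
 * <p>Auto-creation is a privileged operation: a session that is neither key-admin,
 * user-admin nor SPNEGO-enabled is rejected with {@code OPER_NO_PERMISSION} instead.
 *
 * @param defaultPolicies policies whose principals must exist
 * @throws WebApplicationException (via {@code restErrorUtil}) when a principal is missing
 *         and the current session is not allowed to create it
 */
void createDefaultPolicyUsersAndGroups(List<RangerPolicy> defaultPolicies) {
    Set<String> defaultPolicyUsers = new HashSet<String>();
    Set<String> defaultPolicyGroups = new HashSet<String>();
    for (RangerPolicy defaultPolicy : defaultPolicies) {
        collectUsersAndGroups(defaultPolicy.getPolicyItems(), defaultPolicyUsers, defaultPolicyGroups);
        collectUsersAndGroups(defaultPolicy.getAllowExceptions(), defaultPolicyUsers, defaultPolicyGroups);
        collectUsersAndGroups(defaultPolicy.getDenyPolicyItems(), defaultPolicyUsers, defaultPolicyGroups);
        collectUsersAndGroups(defaultPolicy.getDenyExceptions(), defaultPolicyUsers, defaultPolicyGroups);
        collectUsersAndGroups(defaultPolicy.getDataMaskPolicyItems(), defaultPolicyUsers, defaultPolicyGroups);
        collectUsersAndGroups(defaultPolicy.getRowFilterPolicyItems(), defaultPolicyUsers, defaultPolicyGroups);
    }
    for (String policyUser : defaultPolicyUsers) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking policyUser:[" + policyUser + "] for existence");
        }
        // placeholder principals are resolved at evaluation time, never materialised as users
        if (StringUtils.isNotBlank(policyUser) && !StringUtils.equals(policyUser, RangerPolicyEngine.USER_CURRENT) && !StringUtils.equals(policyUser, RangerPolicyEngine.RESOURCE_OWNER)) {
            XXUser xxUser = daoMgr.getXXUser().findByUserName(policyUser);
            if (xxUser == null) {
                if (sessionMayNotAutoCreatePrincipals()) {
                    throw restErrorUtil.createRESTException("User does not exist with given username: [" + policyUser + "] please use existing user", MessageEnums.OPER_NO_PERMISSION);
                }
                xUserMgr.createServiceConfigUser(policyUser);
            }
        }
    }
    for (String policyGroup : defaultPolicyGroups) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking policyGroup:[" + policyGroup + "] for existence");
        }
        if (StringUtils.isNotBlank(policyGroup)) {
            XXGroup xxGroup = daoMgr.getXXGroup().findByGroupName(policyGroup);
            if (xxGroup == null) {
                if (sessionMayNotAutoCreatePrincipals()) {
                    throw restErrorUtil.createRESTException("Group does not exist with given groupname: [" + policyGroup + "] please use existing group", MessageEnums.OPER_NO_PERMISSION);
                }
                VXGroup vXGroup = new VXGroup();
                vXGroup.setName(policyGroup);
                vXGroup.setDescription(policyGroup);
                vXGroup.setGroupSource(RangerCommonEnums.GROUP_INTERNAL);
                vXGroup.setIsVisible(RangerCommonEnums.IS_VISIBLE);
                xGroupService.createResource(vXGroup);
            }
        }
    }
}

/**
 * Adds the users and groups of every item in {@code policyItems} to the given sets.
 * Wildcarded so the data-mask and row-filter item lists (subtypes of
 * {@link RangerPolicyItem}) can be passed as well. A {@code null} list is a no-op.
 */
private static void collectUsersAndGroups(List<? extends RangerPolicyItem> policyItems, Set<String> users, Set<String> groups) {
    if (policyItems == null) {
        return;
    }
    for (RangerPolicyItem policyItem : policyItems) {
        users.addAll(policyItem.getUsers());
        groups.addAll(policyItem.getGroups());
    }
}

/**
 * Returns {@code true} when the current session exists but holds none of the roles that
 * permit implicit creation of missing users/groups (key admin, user admin, SPNEGO).
 * NOTE(review): a {@code null} session returns {@code false} and therefore allows creation —
 * confirm that only internal/bootstrap callers reach this method without a session.
 */
private boolean sessionMayNotAutoCreatePrincipals() {
    UserSessionBase usb = ContextUtil.getCurrentUserSession();
    return usb != null && !usb.isKeyAdmin() && !usb.isUserAdmin() && !usb.isSpnegoEnabled();
}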

Example 75 with RangerPolicy

use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.

From class ServiceDBStore, method getPoliciesByResourceSignature.

/**
 * Loads the policies of a service that share a resource signature, optionally restricted
 * by enabled/disabled status.
 *
 * @param serviceName     service the policies belong to
 * @param policySignature resource signature to match
 * @param isPolicyEnabled status filter passed straight through to the DAO
 * @return populated policy views, one per matching row, in DAO order (possibly empty)
 * @throws Exception propagated from the DAO or view population
 */
@Override
public List<RangerPolicy> getPoliciesByResourceSignature(String serviceName, String policySignature, Boolean isPolicyEnabled) throws Exception {
    List<XXPolicy> matchingRows = daoMgr.getXXPolicy().findByResourceSignatureByPolicyStatus(serviceName, policySignature, isPolicyEnabled);
    List<RangerPolicy> ret = new ArrayList<RangerPolicy>(matchingRows.size());
    for (XXPolicy row : matchingRows) {
        ret.add(policyService.getPopulatedViewObject(row));
    }
    return ret;
}
