
Example 36 with RangerPolicy

use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.

The class ServicePredicateUtil, method addPredicateForServiceId.

/**
 * Builds a predicate that keeps only the objects belonging to the given service id.
 *
 * <p>Policies carry a service name rather than an id, so they are matched by resolving
 * the name through {@code getServiceId}; services are matched on {@code getId()}. Any
 * object that is neither a {@link RangerPolicy} nor a {@link RangerService} passes the
 * filter unchanged, i.e. this predicate never narrows other object types.
 *
 * @param serviceId  the service id to match, in string form; an empty or null value
 *                   means "no filtering" and no predicate is created
 * @param predicates optional list the new predicate is appended to; may be null
 * @return the created predicate, or null when {@code serviceId} is empty
 */
private Predicate addPredicateForServiceId(final String serviceId, List<Predicate> predicates) {
    if (StringUtils.isEmpty(serviceId)) {
        return null;
    }

    Predicate serviceIdMatcher = new Predicate() {
        @Override
        public boolean evaluate(Object object) {
            if (object == null) {
                return false;
            }
            if (object instanceof RangerPolicy) {
                // A policy only knows its service by name; resolve that to an id first.
                Long policyServiceId = getServiceId(((RangerPolicy) object).getService());
                return policyServiceId != null && StringUtils.equals(serviceId, policyServiceId.toString());
            }
            if (object instanceof RangerService) {
                Long id = ((RangerService) object).getId();
                return id != null && StringUtils.equals(serviceId, id.toString());
            }
            // Other object types are not subject to service-id filtering.
            return true;
        }
    };

    if (predicates != null) {
        predicates.add(serviceIdMatcher);
    }
    return serviceIdMatcher;
}

Example 37 with RangerPolicy

use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.

The class RangerPolicyValidator, method isValid.

/**
 * Validates a policy for a create or update request and collects every problem found.
 *
 * <p>The method does not stop at the first failure: each check appends a
 * {@code ValidationFailureDetails} to {@code failures} and clears {@code valid}, so the
 * caller receives the complete list of reasons. Checks that need an existing service
 * (resource, validity-schedule and access-type checks) are only run once the service
 * name has been resolved successfully.
 *
 * @param policy   the policy to validate; a null policy is reported as a failure
 * @param action   must be {@code Action.CREATE} or {@code Action.UPDATE}
 * @param isAdmin  whether the caller is an admin; forwarded to the resource and
 *                 access-type checks
 * @param failures sink for the failure details; must be non-null
 * @return true when no failure was recorded by this call
 * @throws IllegalArgumentException for any action other than create/update
 */
boolean isValid(RangerPolicy policy, Action action, boolean isAdmin, List<ValidationFailureDetails> failures) {
    if (LOG.isDebugEnabled()) {
        // Logs the whole policy object at debug level.
        LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s, %s, %s)", policy, action, isAdmin, failures));
    }
    if (!(action == Action.CREATE || action == Action.UPDATE)) {
        throw new IllegalArgumentException("isValid(RangerPolicy, ...) is only supported for create/update");
    }
    boolean valid = true;
    if (policy == null) {
        ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_OBJECT;
        failures.add(new ValidationFailureDetailsBuilder().field("policy").isMissing().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
        valid = false;
    } else {
        // Priority is optional; when present it must lie within [NORMAL, OVERRIDE].
        Integer priority = policy.getPolicyPriority();
        if (priority != null) {
            if (priority < RangerPolicy.POLICY_PRIORITY_NORMAL || priority > RangerPolicy.POLICY_PRIORITY_OVERRIDE) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_INVALID_PRIORITY;
                failures.add(new ValidationFailureDetailsBuilder().field("policyPriority").isSemanticallyIncorrect().becauseOf(error.getMessage("out of range")).errorCode(error.getErrorCode()).build());
                valid = false;
            }
        }
        Long id = policy.getId();
        RangerPolicy existingPolicy = null;
        if (action == Action.UPDATE) {
            // id is ignored for CREATE
            if (id == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
                failures.add(new ValidationFailureDetailsBuilder().field("id").isMissing().becauseOf(error.getMessage("id")).errorCode(error.getErrorCode()).build());
                valid = false;
            }
            // Note: getPolicy(id) is still called when id is null, so a missing id
            // typically yields both the missing-field and the invalid-id failure.
            existingPolicy = getPolicy(id);
            if (existingPolicy == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_POLICY_ID;
                failures.add(new ValidationFailureDetailsBuilder().field("id").isSemanticallyIncorrect().becauseOf(error.getMessage(id)).errorCode(error.getErrorCode()).build());
                valid = false;
            }
        }
        String policyName = policy.getName();
        String serviceName = policy.getService();
        if (StringUtils.isBlank(policyName)) {
            ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
            failures.add(new ValidationFailureDetailsBuilder().field("name").isMissing().becauseOf(error.getMessage("name")).errorCode(error.getErrorCode()).build());
            valid = false;
        } else {
            // Policy names must be unique within a service.
            List<RangerPolicy> policies = getPolicies(serviceName, policyName);
            if (CollectionUtils.isNotEmpty(policies)) {
                if (policies.size() > 1) {
                    // More than one stored policy with the same name is a data-integrity problem, not user error.
                    ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_MULTIPLE_POLICIES_WITH_SAME_NAME;
                    failures.add(new ValidationFailureDetailsBuilder().field("name").isAnInternalError().becauseOf(error.getMessage(policyName)).errorCode(error.getErrorCode()).build());
                    valid = false;
                } else if (action == Action.CREATE) {
                    // size == 1
                    ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT;
                    failures.add(new ValidationFailureDetailsBuilder().field("policy name").isSemanticallyIncorrect().becauseOf(error.getMessage(policies.iterator().next().getId(), serviceName)).errorCode(error.getErrorCode()).build());
                    valid = false;
                } else if (!policies.iterator().next().getId().equals(id)) {
                    // size == 1 && action == UPDATE
                    // NOTE(review): the stored policy's getId() is dereferenced without a null
                    // check here; presumably persisted policies always carry an id - confirm.
                    ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT;
                    failures.add(new ValidationFailureDetailsBuilder().field("id/name").isSemanticallyIncorrect().becauseOf(error.getMessage(policies.iterator().next().getId(), serviceName)).errorCode(error.getErrorCode()).build());
                    valid = false;
                }
            }
        }
        RangerService service = null;
        boolean serviceNameValid = false;
        if (StringUtils.isBlank(serviceName)) {
            ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
            failures.add(new ValidationFailureDetailsBuilder().field("service name").isMissing().becauseOf(error.getMessage("service name")).errorCode(error.getErrorCode()).build());
            valid = false;
        } else {
            service = getService(serviceName);
            if (service == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_SERVICE_NAME;
                failures.add(new ValidationFailureDetailsBuilder().field("service name").isSemanticallyIncorrect().becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
                valid = false;
            } else {
                serviceNameValid = true;
            }
        }
        if (existingPolicy != null) {
            // An update may neither move a policy to another service nor change its type.
            if (!StringUtils.equalsIgnoreCase(existingPolicy.getService(), policy.getService())) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_UPDATE_MOVE_SERVICE_NOT_ALLOWED;
                failures.add(new ValidationFailureDetailsBuilder().field("service name").isSemanticallyIncorrect().becauseOf(error.getMessage(policy.getId(), existingPolicy.getService(), policy.getService())).errorCode(error.getErrorCode()).build());
                valid = false;
            }
            // A null policy type is treated as ACCESS on both sides before comparing.
            int existingPolicyType = existingPolicy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : existingPolicy.getPolicyType();
            int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();
            if (existingPolicyType != policyType) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_TYPE_CHANGE_NOT_ALLOWED;
                failures.add(new ValidationFailureDetailsBuilder().field("policy type").isSemanticallyIncorrect().becauseOf(error.getMessage(policy.getId(), existingPolicyType, policyType)).errorCode(error.getErrorCode()).build());
                valid = false;
            }
        }
        boolean isAuditEnabled = getIsAuditEnabled(policy);
        String serviceDefName = null;
        RangerServiceDef serviceDef = null;
        int policyItemsCount = 0;
        // Count the items that are relevant for this policy type; for ACCESS policies
        // allow and deny items both count, exceptions do not.
        int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();
        switch(policyType) {
            case RangerPolicy.POLICY_TYPE_DATAMASK:
                if (CollectionUtils.isNotEmpty(policy.getDataMaskPolicyItems())) {
                    policyItemsCount += policy.getDataMaskPolicyItems().size();
                }
                break;
            case RangerPolicy.POLICY_TYPE_ROWFILTER:
                if (CollectionUtils.isNotEmpty(policy.getRowFilterPolicyItems())) {
                    policyItemsCount += policy.getRowFilterPolicyItems().size();
                }
                break;
            default:
                if (CollectionUtils.isNotEmpty(policy.getPolicyItems())) {
                    policyItemsCount += policy.getPolicyItems().size();
                }
                if (CollectionUtils.isNotEmpty(policy.getDenyPolicyItems())) {
                    policyItemsCount += policy.getDenyPolicyItems().size();
                }
                break;
        }
        // A policy with no items is only acceptable when it exists purely for auditing.
        if (policyItemsCount == 0 && !isAuditEnabled) {
            ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_POLICY_ITEMS;
            failures.add(new ValidationFailureDetailsBuilder().field("policy items").isMissing().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
            valid = false;
        } else if (service != null) {
            serviceDefName = service.getType();
            serviceDef = getServiceDef(serviceDefName);
            if (serviceDef == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_SERVICE_DEF;
                failures.add(new ValidationFailureDetailsBuilder().field("policy service def").isAnInternalError().becauseOf(error.getMessage(serviceDefName, serviceName)).errorCode(error.getErrorCode()).build());
                valid = false;
            } else {
                valid = isValidPolicyItems(policy.getPolicyItems(), failures, serviceDef) && valid;
                valid = isValidPolicyItems(policy.getDenyPolicyItems(), failures, serviceDef) && valid;
                valid = isValidPolicyItems(policy.getAllowExceptions(), failures, serviceDef) && valid;
                valid = isValidPolicyItems(policy.getDenyExceptions(), failures, serviceDef) && valid;
            }
        }
        if (serviceNameValid) {
            // resource checks can't be done meaningfully otherwise
            // NOTE(review): serviceDef can still be null here (missing-items branch or
            // unresolved service def); presumably the callees tolerate that - confirm.
            valid = isValidValiditySchedule(policy, failures, action) && valid;
            valid = isValidResources(policy, failures, action, isAdmin, serviceDef) && valid;
            valid = isValidAccessTypeDef(policy, failures, action, isAdmin, serviceDef) && valid;
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s, %s, %s): %s", policy, action, isAdmin, failures, valid));
    }
    return valid;
}

Example 38 with RangerPolicy

use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.

The class RangerServiceKMS, method getDefaultRangerPolicies.

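/**
 * Returns the default policies for a KMS service, extended with the KMS-specific
 * grants for the admin/lookup user and the HDFS and Hive service users.
 *
 * <p>Starting from {@code super.getDefaultRangerPolicies()}, the lookup/admin user
 * derived from the configured principal and keytab is added to every existing policy
 * item, and two policy items are appended to each default policy: one for the HDFS
 * user ({@code getmetadata} + {@code generateeek}) and one for the Hive user
 * ({@code getmetadata} + {@code decrypteek}). The user names come from
 * {@code ranger.kms.service.user.hdfs} and {@code ranger.kms.service.user.hive}
 * (defaults {@code "hdfs"} and {@code "hive"}). These items grant key operations to
 * whichever principals carry those names, so the configured values should be reviewed
 * before a service is created with the defaults.
 *
 * @return the default policies, as returned by the superclass and then extended
 * @throws Exception propagated from the superclass or from the lookup-user resolution
 */
@Override
public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerServiceKMS.getDefaultRangerPolicies() ");
    }
    List<RangerPolicy> ret = super.getDefaultRangerPolicies();

    RangerConfiguration config = RangerConfiguration.getInstance();
    String adminPrincipal = config.get(ADMIN_USER_PRINCIPAL);
    String adminKeytab = config.get(ADMIN_USER_KEYTAB);
    String authType = config.get(RANGER_AUTH_TYPE, "simple");
    String adminUser = getLookupUser(authType, adminPrincipal, adminKeytab);

    // The service-user names do not vary per policy; read them once instead of inside the loop.
    String hdfsUser = config.get("ranger.kms.service.user.hdfs", "hdfs");
    String hiveUser = config.get("ranger.kms.service.user.hive", "hive");

    // Split the KMS access types between the two service users: HDFS needs to generate
    // encrypted keys, Hive needs to decrypt them, and both need metadata access.
    List<RangerServiceDef.RangerAccessTypeDef> hdfsAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
    List<RangerServiceDef.RangerAccessTypeDef> hiveAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
    for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
        String accessTypeName = accessTypeDef.getName();
        if (accessTypeName.equalsIgnoreCase(ACCESS_TYPE_GET_METADATA)) {
            hdfsAccessTypeDefs.add(accessTypeDef);
            hiveAccessTypeDefs.add(accessTypeDef);
        } else if (accessTypeName.equalsIgnoreCase(ACCESS_TYPE_GENERATE_EEK)) {
            hdfsAccessTypeDefs.add(accessTypeDef);
        } else if (accessTypeName.equalsIgnoreCase(ACCESS_TYPE_DECRYPT_EEK)) {
            hiveAccessTypeDefs.add(accessTypeDef);
        }
    }

    for (RangerPolicy defaultPolicy : ret) {
        List<RangerPolicy.RangerPolicyItem> policyItems = defaultPolicy.getPolicyItems();
        for (RangerPolicy.RangerPolicyItem item : policyItems) {
            List<String> users = item.getUsers();
            if (StringUtils.isNotBlank(adminUser)) {
                // Guard against an item created without a user list.
                if (users == null) {
                    users = new ArrayList<String>();
                }
                users.add(adminUser);
            }
            item.setUsers(users);
        }
        addServiceUserPolicyItem(policyItems, hdfsUser, hdfsAccessTypeDefs);
        addServiceUserPolicyItem(policyItems, hiveUser, hiveAccessTypeDefs);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerServiceKMS.getDefaultRangerPolicies() : " + ret);
    }
    return ret;
}

/**
 * Appends a policy item granting {@code accessTypeDefs} to the single user {@code user}.
 * Does nothing when the user name is null or empty.
 *
 * @param policyItems    the item list of the policy being extended
 * @param user           the user to grant access to
 * @param accessTypeDefs the access types the new item grants
 */
private void addServiceUserPolicyItem(List<RangerPolicy.RangerPolicyItem> policyItems, String user, List<RangerServiceDef.RangerAccessTypeDef> accessTypeDefs) {
    if (StringUtils.isEmpty(user)) {
        return;
    }
    LOG.info("Creating default KMS policy item for " + user);
    List<String> users = new ArrayList<String>();
    users.add(user);
    policyItems.add(createDefaultPolicyItem(accessTypeDefs, users));
}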

Example 39 with RangerPolicy

use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.

The class RangerDataHistService, method createObjectDataHistory.

/**
 * Persists a data-history snapshot of a service definition, service or policy.
 *
 * <p>A new {@code XXDataHist} row is created holding the object's serialized JSON,
 * name, class type and the current UTC time as create/update/from time. For an
 * update or delete action the most recent previous history row of the same object
 * is closed by setting its to-time (and refreshing its name and update time).
 *
 * <p>For policies the service-def name is looked up and written back into the
 * passed-in policy ({@code setServiceType}) before serialization, so the caller's
 * object is mutated as a side effect. Objects of other types are stored with a null
 * class type, name and content.
 * NOTE(review): the snapshot serializes the whole object, including a service's
 * configuration map; confirm that sensitive config values are masked before this is called.
 *
 * @param baseModelObj the object whose state is being recorded
 * @param action       the action name being recorded (create/update/delete)
 * @throws the REST exception produced by {@code restErrorUtil} when either argument is
 *         null, or when an update/delete has no previous history row to close
 */
public void createObjectDataHistory(RangerBaseModelObject baseModelObj, String action) {
    if (baseModelObj == null || action == null) {
        throw restErrorUtil.createRESTException("Error while creating DataHistory. " + "Object or Action can not be null.", MessageEnums.DATA_NOT_FOUND);
    }
    Long objectId = baseModelObj.getId();
    String objectGuid = baseModelObj.getGuid();
    Date now = DateUtil.getUTCDate();

    Integer objectClassType = null;
    String objectName = null;
    String serializedContent = null;
    if (baseModelObj instanceof RangerServiceDef) {
        RangerServiceDef serviceDef = (RangerServiceDef) baseModelObj;
        objectClassType = AppConstants.CLASS_TYPE_XA_SERVICE_DEF;
        objectName = serviceDef.getName();
        serializedContent = writeObjectAsString(serviceDef);
    } else if (baseModelObj instanceof RangerService) {
        RangerService service = (RangerService) baseModelObj;
        objectClassType = AppConstants.CLASS_TYPE_XA_SERVICE;
        objectName = service.getName();
        serializedContent = writeObjectAsString(service);
    } else if (baseModelObj instanceof RangerPolicy) {
        RangerPolicy policy = (RangerPolicy) baseModelObj;
        objectClassType = AppConstants.CLASS_TYPE_RANGER_POLICY;
        objectName = policy.getName();
        // Resolve the service-def name so it becomes part of the snapshot; this mutates the caller's policy.
        XXService xService = daoMgr.getXXService().findByName(policy.getService());
        XXServiceDef xServiceDef = null;
        if (xService != null) {
            xServiceDef = daoMgr.getXXServiceDef().getById(xService.getType());
        }
        if (xServiceDef != null) {
            policy.setServiceType(xServiceDef.getName());
        }
        serializedContent = writeObjectAsString(policy);
    }

    XXDataHist newHist = new XXDataHist();
    newHist.setObjectId(objectId);
    newHist.setObjectGuid(objectGuid);
    newHist.setObjectClassType(objectClassType);
    newHist.setObjectName(objectName);
    newHist.setContent(serializedContent);
    newHist.setAction(action);
    newHist.setVersion(baseModelObj.getVersion());
    newHist.setCreateTime(now);
    newHist.setUpdateTime(now);
    newHist.setFromTime(now);
    daoMgr.getXXDataHist().create(newHist);

    boolean closesPreviousRow = ACTION_UPDATE.equalsIgnoreCase(action) || ACTION_DELETE.equalsIgnoreCase(action);
    if (closesPreviousRow) {
        XXDataHist previousHist = daoMgr.getXXDataHist().findLatestByObjectClassTypeAndObjectId(objectClassType, objectId);
        if (previousHist == null) {
            throw restErrorUtil.createRESTException("Error updating DataHistory Object. ObjectName: " + objectName, MessageEnums.DATA_NOT_UPDATABLE);
        }
        previousHist.setUpdateTime(now);
        previousHist.setToTime(now);
        previousHist.setObjectName(objectName);
        daoMgr.getXXDataHist().update(previousHist);
    }
}

Example 40 with RangerPolicy

use of org.apache.ranger.plugin.model.RangerPolicy in project ranger by apache.

The class RangerPolicyService, method populateViewBean.

/**
 * Converts a persisted policy entity into its view/model representation.
 *
 * <p>The conversion is delegated to a {@link RangerPolicyRetriever} built on this
 * service's {@code daoMgr}.
 *
 * @param xPolicy the persisted policy entity
 * @return the model object produced by the retriever for {@code xPolicy}
 */
@Override
protected RangerPolicy populateViewBean(XXPolicy xPolicy) {
    return new RangerPolicyRetriever(daoMgr).getPolicy(xPolicy);
}
