
Example 1 with RangerPolicyDelta

use of org.apache.ranger.plugin.model.RangerPolicyDelta in project ranger by apache.

the class ServiceDefUtilTest method testResourceUserGroupAttrRef.

@Test
public void testResourceUserGroupAttrRef() {
    // A policy whose resource value embeds a user/group attribute expression must make
    // ServiceDefUtil.addUserStoreEnricherIfNeeded() register the user-store enricher.
    // Every attribute expression is checked through four delivery paths (service
    // policies, policy deltas, zone policies, zone policy deltas); the enricher list
    // and the container just used are cleared after each assertion so that the next
    // path is judged on its own. Tag policies are not exercised by this test.
    final String retrieverClassName = RangerAdminUserStoreRetriever.class.getCanonicalName();
    final String retrieverArg       = "60000"; // presumably a poll interval in ms — confirm against ServiceDefUtil

    for (String attrExpr : UGA_ATTR_EXPRESSIONS) {
        final String          resourceValue = "test_" + "${{" + attrExpr + "}}";
        final ServicePolicies policies      = getServicePolicies();
        final RangerPolicy    policy        = getPolicy(policies);

        // the same policy instance is handed to every delivery path below
        policy.getResources().put("database", new RangerPolicyResource(resourceValue));

        // path 1: policy in the service's policy list
        policies.getPolicies().add(policy);
        assertTrue("policy resource refers to user/group attribute: " + resourceValue,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(policies, retrieverClassName, retrieverArg));
        policies.getServiceDef().getContextEnrichers().clear();
        policies.getPolicies().clear();

        // path 2: policy carried by a CREATE delta
        policies.getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy));
        assertTrue("policy-delta resource refers to user/group attribute: " + resourceValue,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(policies, retrieverClassName, retrieverArg));
        policies.getServiceDef().getContextEnrichers().clear();
        policies.getPolicyDeltas().clear();

        // path 3: policy inside a security zone
        policies.getSecurityZones().put("zone1", getSecurityZoneInfo("zone1"));
        final ServicePolicies.SecurityZoneInfo zone = policies.getSecurityZones().get("zone1");
        zone.getPolicies().add(policy);
        assertTrue("zone-policy resource refers to user/group attribute: " + resourceValue,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(policies, retrieverClassName, retrieverArg));
        policies.getServiceDef().getContextEnrichers().clear();
        zone.getPolicies().clear();

        // path 4: policy carried by a CREATE delta inside the security zone
        zone.getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy));
        assertTrue("zone-policy-delta resource refers to user/group attribute: " + resourceValue,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(policies, retrieverClassName, retrieverArg));
    }
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerPolicyDelta(org.apache.ranger.plugin.model.RangerPolicyDelta) Test(org.junit.Test)

Example 2 with RangerPolicyDelta

use of org.apache.ranger.plugin.model.RangerPolicyDelta in project ranger by apache.

the class ServiceDefUtilTest method testPolicyConditionUserGroupAttrRef.

@Test
public void testPolicyConditionUserGroupAttrRef() {
    // A user/group attribute reference inside a policy-level condition must make
    // ServiceDefUtil.addUserStoreEnricherIfNeeded() register the user-store enricher.
    // Every attribute expression is checked through five delivery paths (service
    // policies, policy deltas, zone policies, zone policy deltas, tag policies); the
    // enricher list and the container just used are cleared after each assertion so
    // that the next path is judged on its own.
    final String retrieverClassName = RangerAdminUserStoreRetriever.class.getCanonicalName();
    final String retrieverArg       = "60000"; // presumably a poll interval in ms — confirm against ServiceDefUtil

    for (String attrExpr : UGA_ATTR_EXPRESSIONS) {
        final String          condExpr = attrExpr + " != null";
        final ServicePolicies policies = getServicePolicies();
        final RangerPolicy    policy   = getPolicy(policies);

        // the same policy instance is handed to every delivery path below
        policy.getConditions().add(new RangerPolicyItemCondition("expr", Collections.singletonList(condExpr)));

        // path 1: policy in the service's policy list
        policies.getPolicies().add(policy);
        assertTrue("policy condition refers to user/group attribute: " + condExpr,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(policies, retrieverClassName, retrieverArg));
        policies.getServiceDef().getContextEnrichers().clear();
        policies.getPolicies().clear();

        // path 2: policy carried by a CREATE delta
        policies.getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy));
        assertTrue("policy-delta condition refers to user/group attribute: " + condExpr,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(policies, retrieverClassName, retrieverArg));
        policies.getServiceDef().getContextEnrichers().clear();
        policies.getPolicyDeltas().clear();

        // path 3: policy inside a security zone
        policies.getSecurityZones().put("zone1", getSecurityZoneInfo("zone1"));
        final ServicePolicies.SecurityZoneInfo zone = policies.getSecurityZones().get("zone1");
        zone.getPolicies().add(policy);
        assertTrue("zone-policy condition refers to user/group attribute: " + condExpr,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(policies, retrieverClassName, retrieverArg));
        policies.getServiceDef().getContextEnrichers().clear();
        zone.getPolicies().clear();

        // path 4: policy carried by a CREATE delta inside the security zone
        zone.getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy));
        assertTrue("zone-policy-delta condition refers to user/group attribute: " + condExpr,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(policies, retrieverClassName, retrieverArg));

        // path 5: tag policy — every other container is emptied first so only the
        // tag policy can satisfy the assertion
        policies.getServiceDef().getContextEnrichers().clear();
        policies.getPolicies().clear();
        policies.getPolicyDeltas().clear();
        policies.getSecurityZones().clear();
        policies.getTagPolicies().getPolicies().add(policy);
        assertTrue("tag-policy condition refers to user/group attribute: " + condExpr,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(policies, retrieverClassName, retrieverArg));
    }
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition) RangerPolicyDelta(org.apache.ranger.plugin.model.RangerPolicyDelta) Test(org.junit.Test)

Example 3 with RangerPolicyDelta

use of org.apache.ranger.plugin.model.RangerPolicyDelta in project ranger by apache.

the class ServiceDefUtilTest method testPolicyItemConditionUserGroupRef.

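@Test
public void testPolicyItemConditionUserGroupRef() {
    // A user/group attribute reference inside a policy-item condition must make
    // ServiceDefUtil.addUserStoreEnricherIfNeeded() register the user-store enricher.
    // Each attribute expression is attached to a different item kind (allow, deny,
    // allow-exception, deny-exception, row-filter, data-mask — cycling by index) and
    // checked through five delivery paths: service policies, policy deltas, zone
    // policies, zone policy deltas and tag policies. The enricher list and the
    // container just used are cleared after each assertion so that every assertion
    // is satisfied only by the delivery path under test.
    final String retrieverClassName = RangerAdminUserStoreRetriever.class.getCanonicalName();
    final String retrieverArg       = "60000"; // presumably a poll interval in ms — confirm against ServiceDefUtil

    int i = 0;
    for (String attrExpr : UGA_ATTR_EXPRESSIONS) {
        final String          condExpr    = attrExpr + " != null";
        final ServicePolicies svcPolicies = getServicePolicies();
        final RangerPolicy    policy      = getPolicy(svcPolicies);

        // pick the item list to carry the condition; the default branch is only
        // there for definite assignment, i % 6 never reaches it
        final List<? extends RangerPolicyItem> policyItems;
        switch (i % 6) {
            case 0:
                policyItems = policy.getPolicyItems();
                break;
            case 1:
                policyItems = policy.getDenyPolicyItems();
                break;
            case 2:
                policyItems = policy.getAllowExceptions();
                break;
            case 3:
                policyItems = policy.getDenyExceptions();
                break;
            case 4:
                policyItems = policy.getRowFilterPolicyItems();
                break;
            case 5:
                policyItems = policy.getDataMaskPolicyItems();
                break;
            default:
                policyItems = policy.getPolicyItems();
                break;
        }

        // assumes getPolicy() populates at least one item of every kind — confirm against the fixture
        policyItems.get(0).getConditions().add(new RangerPolicyItemCondition("expr", Collections.singletonList(condExpr)));

        // path 1: policy in the service's policy list
        svcPolicies.getPolicies().add(policy);
        assertTrue("policyItem condition refers to user/group attribute: " + condExpr,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, retrieverClassName, retrieverArg));
        svcPolicies.getServiceDef().getContextEnrichers().clear();
        svcPolicies.getPolicies().clear();

        // path 2: policy carried by a CREATE delta
        svcPolicies.getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy));
        assertTrue("policy-delta-item condition refers to user/group attribute: " + condExpr,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, retrieverClassName, retrieverArg));
        svcPolicies.getServiceDef().getContextEnrichers().clear();
        svcPolicies.getPolicyDeltas().clear();

        // path 3: policy inside a security zone
        svcPolicies.getSecurityZones().put("zone1", getSecurityZoneInfo("zone1"));
        svcPolicies.getSecurityZones().get("zone1").getPolicies().add(policy);
        assertTrue("zone-policy-item condition refers to user/group attribute: " + condExpr,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, retrieverClassName, retrieverArg));
        svcPolicies.getServiceDef().getContextEnrichers().clear();
        svcPolicies.getSecurityZones().get("zone1").getPolicies().clear();

        // path 4: policy carried by a CREATE delta inside the security zone
        svcPolicies.getSecurityZones().get("zone1").getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy));
        assertTrue("zone-policy-delta-item condition refers to user/group attribute: " + condExpr,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, retrieverClassName, retrieverArg));

        // path 5: tag policy. Fix: the zone delta from path 4 (and the zone itself)
        // used to be left in place here, so this assertion could be satisfied by the
        // leftover zone delta instead of the tag policy. Empty every other container
        // first, as the policy-condition test does.
        svcPolicies.getServiceDef().getContextEnrichers().clear();
        svcPolicies.getPolicies().clear();
        svcPolicies.getPolicyDeltas().clear();
        svcPolicies.getSecurityZones().clear();
        svcPolicies.getTagPolicies().getPolicies().add(policy);
        assertTrue("tag-policyItem condition refers to user/group attribute: " + condExpr,
                ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, retrieverClassName, retrieverArg));

        i++;
    }
}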
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition) RangerPolicyDelta(org.apache.ranger.plugin.model.RangerPolicyDelta) Test(org.junit.Test)

Example 4 with RangerPolicyDelta

use of org.apache.ranger.plugin.model.RangerPolicyDelta in project ranger by apache.

the class RangerPolicyRepository method updateResourceTrie.

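/**
 * Applies policy deltas to this repository's evaluator map and resource tries.
 *
 * <p>For each delta whose serviceType matches this repository's service-def, the current evaluator
 * for the delta's policy id is looked up (and its presence/absence checked against the change type),
 * {@code update(delta, evaluator)} is invoked, and the returned evaluator is stored in, or removed from,
 * {@code policyEvaluatorsMap}. Afterwards every trie of a policy type that was touched, plus the
 * audit-filter trie, gets {@code wrapUpUpdate()}.
 *
 * <p>Deltas with an unknown change type are logged and skipped entirely; they are never handed to
 * {@code update()}.
 *
 * @param deltas policy deltas to apply, in order; must not be null
 */
private void updateResourceTrie(List<RangerPolicyDelta> deltas) {
    // one slot per policy type, set when an evaluator of that type was stored or
    // removed so that only the affected tries are wrapped up below
    final boolean[] touchedPolicyTypes = new boolean[RangerPolicy.POLICY_TYPES.length];

    for (RangerPolicyDelta delta : deltas) {
        final Integer changeType  = delta.getChangeType();
        final String  serviceType = delta.getServiceType();
        final Long    policyId    = delta.getPolicyId();
        final Integer policyType  = delta.getPolicyType();

        // only deltas addressed to this repository's service-def are applied
        if (!serviceType.equals(this.serviceDef.getName())) {
            continue;
        }

        RangerPolicyEvaluator evaluator = null;

        switch (changeType) {
            case RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE:
                if (delta.getPolicy() == null) {
                    LOG.warn("Could not find policy for policy-id:[" + policyId + "]");
                    continue;
                }
                evaluator = getPolicyEvaluator(policyId);
                if (evaluator != null) {
                    LOG.warn("Unexpected: Found evaluator for policy-id:[" + policyId + "], changeType=CHANGE_TYPE_POLICY_CREATE");
                }
                break;
            case RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE:
                evaluator = getPolicyEvaluator(policyId);
                if (evaluator == null) {
                    LOG.warn("Unexpected:  Did not find evaluator for policy-id:[" + policyId + "], changeType=CHANGE_TYPE_POLICY_UPDATE");
                }
                break;
            case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE:
                evaluator = getPolicyEvaluator(policyId);
                if (evaluator == null) {
                    LOG.warn("Unexpected:  Did not find evaluator for policy-id:[" + policyId + "], changeType=CHANGE_TYPE_POLICY_DELETE");
                }
                break;
            default:
                // Fix: the delta used to fall through to update() after being logged as
                // ignored; skip it so that the log line and the behaviour agree and an
                // unrecognised change type cannot alter the evaluators.
                LOG.error("Unknown changeType:[" + changeType + "], Ignoring");
                continue;
        }

        evaluator = update(delta, evaluator);

        if (evaluator != null) {
            // only CREATE/UPDATE/DELETE reach this point (see the switch above)
            if (changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE) {
                policyEvaluatorsMap.remove(policyId);
            } else {
                policyEvaluatorsMap.put(policyId, evaluator);
            }
            touchedPolicyTypes[policyType] = true;
        }
    }

    for (int policyType = 0; policyType < touchedPolicyTypes.length; policyType++) {
        if (!touchedPolicyTypes[policyType]) {
            continue;
        }
        final Map<String, RangerResourceTrie> trie = getTrie(policyType);
        if (trie != null) {
            for (RangerResourceTrie resourceTrie : trie.values()) {
                resourceTrie.wrapUpUpdate();
            }
        }
    }

    // the audit-filter trie is wrapped up unconditionally, as before
    if (auditFilterResourceTrie != null) {
        for (RangerResourceTrie resourceTrie : auditFilterResourceTrie.values()) {
            resourceTrie.wrapUpUpdate();
        }
    }
}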
Also used : RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator) RangerPolicyDelta(org.apache.ranger.plugin.model.RangerPolicyDelta) HashMap(java.util.HashMap) Map(java.util.Map)

Example 5 with RangerPolicyDelta

use of org.apache.ranger.plugin.model.RangerPolicyDelta in project ranger by apache.

the class RangerPolicyDeltaUtil method applyDeltas.

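/**
 * Applies {@code deltas} addressed to {@code serviceType} on top of {@code policies} and returns the
 * resulting policy list.
 *
 * <p>Deltas for a different serviceType are skipped. When {@code deltas} is empty, or none of them
 * targets {@code serviceType}, the {@code policies} instance itself is returned untouched. Otherwise a
 * copy of {@code policies} is built: UPDATE and DELETE first remove the existing policy with the
 * delta's policy id, then CREATE and UPDATE append the delta's policy; the copy is finally sorted by
 * {@link RangerPolicy#POLICY_ID_COMPARATOR}.
 *
 * @param policies    current policies; never modified, may be returned as-is
 * @param deltas      deltas to apply, may be null or empty
 * @param serviceType service type whose deltas are applied; must not be null
 * @return the policy list after applying the deltas
 */
public static List<RangerPolicy> applyDeltas(List<RangerPolicy> policies, List<RangerPolicyDelta> deltas, String serviceType) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> applyDeltas(serviceType=" + serviceType + ")");
    }

    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_DELTA_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_DELTA_LOG, "RangerPolicyDelta.applyDeltas()");
    }

    List<RangerPolicy> ret;
    boolean            hasExpectedServiceType = false;

    if (CollectionUtils.isNotEmpty(deltas)) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("applyDeltas(deltas=" + Arrays.toString(deltas.toArray()) + ", serviceType=" + serviceType + ")");
        }

        hasExpectedServiceType = hasDeltaForService(deltas, serviceType);

        if (hasExpectedServiceType) {
            ret = new ArrayList<>(policies);

            for (RangerPolicyDelta delta : deltas) {
                if (serviceType.equals(delta.getServiceType())) {
                    applyDelta(ret, delta);
                }
            }
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("applyDeltas - none of the deltas is for " + serviceType + ")");
            }
            ret = policies;
        }
    } else {
        if (LOG.isDebugEnabled()) {
            LOG.debug("applyDeltas called with empty deltas. Will return policies without change");
        }
        ret = policies;
    }

    // ret is a fresh copy only when deltas were applied; the caller's list is never sorted in place
    if (CollectionUtils.isNotEmpty(deltas) && hasExpectedServiceType && CollectionUtils.isNotEmpty(ret)) {
        ret.sort(RangerPolicy.POLICY_ID_COMPARATOR);
    }

    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== applyDeltas(serviceType=" + serviceType + "): " + ret);
    }

    return ret;
}

/**
 * Returns true if at least one delta is addressed to {@code serviceType}. Deltas for an unrelated
 * service (neither {@code serviceType} nor the embedded tag service) are logged as unexpected.
 * Null-safe with respect to a delta whose serviceType is null.
 */
private static boolean hasDeltaForService(List<RangerPolicyDelta> deltas, String serviceType) {
    final boolean expectingTagService = serviceType.equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME);

    for (RangerPolicyDelta delta : deltas) {
        final String deltaServiceType = delta.getServiceType();

        if (serviceType.equals(deltaServiceType)) {
            return true;
        }

        // constant-first compare: a null deltaServiceType used to throw NPE here
        if (!expectingTagService && !EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME.equals(deltaServiceType)) {
            LOG.warn("Found unexpected serviceType in policyDelta:[" + delta + "]. Was expecting serviceType:[" + serviceType + "]. Should NOT have come here!! Ignoring delta and continuing");
        }
    }

    return false;
}

/**
 * Applies one delta to {@code policies} in place. UPDATE and DELETE remove the policy with the delta's
 * id; CREATE and UPDATE then append the delta's policy. Deltas with an unknown or missing change type,
 * a missing policy id, or (for CREATE/UPDATE) a missing policy are logged and leave the list unchanged.
 */
private static void applyDelta(List<RangerPolicy> policies, RangerPolicyDelta delta) {
    final Integer changeType = delta.getChangeType();
    final boolean isKnownChangeType = changeType != null
            && (changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE
                || changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE
                || changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE);

    if (!isKnownChangeType) {
        LOG.warn("Found unexpected changeType in policyDelta:[" + delta + "]. Ignoring delta");
        return;
    }

    final Long policyId = delta.getPolicyId();
    if (policyId == null) {
        // previously skipped silently; a delta without a policy id cannot be applied
        LOG.warn("Found policyDelta without policy-id:[" + delta + "]. Ignoring delta");
        return;
    }

    // Fix: matches were only collected for UPDATE/DELETE, so the "existing policy for
    // CREATE" warning below could never fire. Collect for every change type; remove
    // only for UPDATE/DELETE.
    final boolean            removeExisting = changeType != RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE;
    final List<RangerPolicy> existing       = new ArrayList<>();

    for (Iterator<RangerPolicy> iter = policies.iterator(); iter.hasNext(); ) {
        final RangerPolicy policy = iter.next();

        if (policyId.equals(policy.getId())) {
            existing.add(policy);

            if (removeExisting) {
                iter.remove();
            }
        }
    }

    switch (changeType) {
        case RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE:
            if (!existing.isEmpty()) {
                LOG.warn("Unexpected: found existing policy for CHANGE_TYPE_POLICY_CREATE: " + Arrays.toString(existing.toArray()));
            }
            break;
        case RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE:
            if (existing.size() != 1) {
                LOG.warn("Unexpected: found no policy or multiple policies for CHANGE_TYPE_POLICY_UPDATE: " + Arrays.toString(existing.toArray()));
            }
            break;
        case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE:
            if (existing.size() != 1) {
                LOG.warn("Unexpected: found no policy or multiple policies for CHANGE_TYPE_POLICY_DELETE: " + Arrays.toString(existing.toArray()));
            }
            break;
        default:
            break;
    }

    if (changeType != RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE) {
        final RangerPolicy policy = delta.getPolicy();

        if (policy == null) {
            // a null entry would later break the POLICY_ID_COMPARATOR sort
            LOG.warn("Unexpected: policyDelta:[" + delta + "] carries no policy for policy-id:[" + policyId + "]. Nothing added");
        } else {
            policies.add(policy);
        }
    }
}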
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) ArrayList(java.util.ArrayList) RangerPolicyDelta(org.apache.ranger.plugin.model.RangerPolicyDelta)
