use of org.apache.ranger.plugin.model.RangerPolicyDelta in project ranger by apache.
the class RangerPolicyDeltaUtil method isValidDeltas.
/**
 * Structural validation gate for a batch of policy deltas.
 *
 * <p>The batch is accepted only when every delta has:
 * <ul>
 *   <li>a non-null change type that is one of create / update / delete,</li>
 *   <li>a non-null policy id,</li>
 *   <li>a service type equal to the embedded tag service-def name or to {@code componentServiceType},</li>
 *   <li>a policy type that is one of access / data-mask / row-filter.</li>
 * </ul>
 * Checking stops at the first delta that fails. Only field presence and membership in the
 * allowed values are verified; ordering and duplication of deltas are not examined here.
 *
 * @param deltas               deltas to check; dereferenced unconditionally, so must not be {@code null}
 * @param componentServiceType service type the non-tag deltas are expected to carry
 * @return {@code true} if every delta passes all checks (also for an empty list), otherwise {@code false}
 */
public static boolean isValidDeltas(List<RangerPolicyDelta> deltas, String componentServiceType) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> isValidDeltas(deltas=" + Arrays.toString(deltas.toArray()) + ", componentServiceType=" + componentServiceType + ")");
    }

    boolean allValid = true;

    for (RangerPolicyDelta candidate : deltas) {
        final Integer changeType = candidate.getChangeType();
        final Long    policyId   = candidate.getPolicyId();

        // A missing change type is rejected before any comparison so that unboxing cannot fail.
        if (changeType == null) {
            allValid = false;
            break;
        }

        final boolean knownChangeType = changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE
                || changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE
                || changeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE;

        if (!knownChangeType || policyId == null) {
            allValid = false;
            break;
        }

        final String  serviceType = candidate.getServiceType();
        final Integer policyType  = candidate.getPolicyType();

        // A delta may belong either to the embedded tag service-def or to the component itself.
        final boolean serviceTypeOk = serviceType != null
                && (serviceType.equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME) || serviceType.equals(componentServiceType));

        final boolean policyTypeOk = policyType != null
                && (policyType == RangerPolicy.POLICY_TYPE_ACCESS
                    || policyType == RangerPolicy.POLICY_TYPE_DATAMASK
                    || policyType == RangerPolicy.POLICY_TYPE_ROWFILTER);

        if (!serviceTypeOk || !policyTypeOk) {
            allValid = false;
            break;
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== isValidDeltas(deltas=" + Arrays.toString(deltas.toArray()) + ", componentServiceType=" + componentServiceType + "): " + allValid);
    }

    return allValid;
}
use of org.apache.ranger.plugin.model.RangerPolicyDelta in project ranger by apache.
the class ServiceDBStore method getServicePoliciesIfUpdated.
/**
 * Returns the policies of a service when they differ from the version the caller already holds.
 *
 * <p>Flow, as implemented below:
 * <ol>
 *   <li>The service must exist, otherwise an {@link Exception} is thrown.</li>
 *   <li>The policy cache is consulted unless {@code lastKnownVersion} equals the stored policy version.</li>
 *   <li>A cache result whose version equals {@code lastKnownVersion} is treated as "no change".</li>
 *   <li>For a disabled resource service only {@code ServicePolicies.copyHeader(...)} of the result is
 *       kept and tag policies are cleared.</li>
 *   <li>For an enabled resource service, tag policies are dropped when they are absent, carry an empty
 *       service name, or name a tag service that is missing or disabled.</li>
 *   <li>Security-zone information is merged in when zones exist for the service.</li>
 *   <li>{@code filterServicePolicies} is applied when the caller has no version, reports {@code -1},
 *       or asks for backward compatibility.</li>
 *   <li>Plugin service-config is attached for the service and, when present, the tag service.</li>
 * </ol>
 *
 * @param serviceName                name of the resource service
 * @param lastKnownVersion           policy version held by the caller; may be {@code null}
 * @param needsBackwardCompatibility forwarded to the policy cache and also forces filtering of the result
 * @return the policies to send, or {@code null} when nothing changed or the cache returned nothing
 * @throws Exception if no service named {@code serviceName} exists
 */
@Override
public ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long lastKnownVersion, boolean needsBackwardCompatibility) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceDBStore.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + needsBackwardCompatibility + ")");
    }

    final XXService serviceDbObj = daoMgr.getXXService().findByName(serviceName);

    if (serviceDbObj == null) {
        throw new Exception("service does not exist. name=" + serviceName);
    }

    final XXServiceVersionInfo versionInfo = daoMgr.getXXServiceVersionInfo().findByServiceName(serviceName);

    if (versionInfo == null) {
        LOG.warn("serviceVersionInfo does not exist. name=" + serviceName);
    }

    // Any missing piece of version information is treated as "may have changed".
    final boolean versionMayDiffer = lastKnownVersion == null
            || versionInfo == null
            || versionInfo.getPolicyVersion() == null
            || !lastKnownVersion.equals(versionInfo.getPolicyVersion());

    ServicePolicies ret = null;

    if (versionMayDiffer) {
        ret = RangerServicePoliciesCache.getInstance().getServicePolicies(serviceName, serviceDbObj.getId(), lastKnownVersion, needsBackwardCompatibility, this);
    }

    if (LOG.isDebugEnabled()) {
        RangerServicePoliciesCache.getInstance().dump();
    }

    // The cache may hand back the very version the caller already has: report "unchanged".
    if (ret != null && lastKnownVersion != null && lastKnownVersion.equals(ret.getPolicyVersion())) {
        ret = null;
    }

    if (ret != null) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking if resource-service:[" + ret.getServiceName() + "] is disabled");
        }

        if (serviceDbObj.getIsenabled()) {
            boolean tagServiceActive = false;

            if (ret.getTagPolicies() != null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Checking if tag-service:[" + ret.getTagPolicies().getServiceName() + "] is disabled");
                }

                final String tagServiceName = ret.getTagPolicies().getServiceName();

                if (StringUtils.isNotEmpty(tagServiceName)) {
                    final XXService tagService = daoMgr.getXXService().findByName(tagServiceName);

                    tagServiceActive = tagService != null && tagService.getIsenabled();

                    if (!tagServiceActive && LOG.isDebugEnabled()) {
                        LOG.debug("tag-service:[" + tagServiceName + "] is disabled");
                    }
                }
            }

            if (!tagServiceActive) {
                // Work on a copy so the object obtained from the cache is not modified.
                final ServicePolicies withoutTags = ServicePolicies.copyHeader(ret);

                withoutTags.setTagPolicies(null);

                final List<RangerPolicy>      policiesCopy = ret.getPolicies() != null ? new ArrayList<>(ret.getPolicies()) : null;
                final List<RangerPolicyDelta> deltasCopy   = ret.getPolicyDeltas() != null ? new ArrayList<>(ret.getPolicyDeltas()) : null;

                withoutTags.setPolicies(policiesCopy);
                withoutTags.setPolicyDeltas(deltasCopy);

                ret = withoutTags;
            }
        } else {
            // Disabled resource service: keep the header only, and no tag policies.
            ret = ServicePolicies.copyHeader(ret);
            ret.setTagPolicies(null);
        }

        final Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = securityZoneStore.getSecurityZonesForService(serviceName);

        ServicePolicies zoneAware = ret;

        if (MapUtils.isNotEmpty(securityZones)) {
            zoneAware = getUpdatedServicePoliciesForZones(ret, securityZones);
            patchAssociatedTagServiceInSecurityZoneInfos(zoneAware);
        }

        final boolean applyFilter = lastKnownVersion == null || lastKnownVersion == -1L || needsBackwardCompatibility;

        ret = applyFilter ? filterServicePolicies(zoneAware) : zoneAware;

        ret.setServiceConfig(getServiceConfigForPlugin(ret.getServiceId()));

        if (ret.getTagPolicies() != null && ret.getTagPolicies().getServiceId() != null) {
            ret.getTagPolicies().setServiceConfig(getServiceConfigForPlugin(ret.getTagPolicies().getServiceId()));
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceDBStore.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + needsBackwardCompatibility + "): count=" + ((ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size()));
    }

    return ret;
}
use of org.apache.ranger.plugin.model.RangerPolicyDelta in project ranger by apache.
the class ServiceDBStore method compressDeltas.
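/**
 * Collapses the change history of each policy into the minimum set of deltas.
 *
 * <p>Deltas are grouped by policy id in the order they appear in {@code deltas}. A policy with a
 * single delta is passed through unchanged. For a policy with several deltas the outcome depends
 * on the first one:
 * <ul>
 *   <li><b>create first</b>: later updates are dropped and the create delta alone is kept; a delete
 *       in last position cancels the create, so nothing is emitted for that policy.</li>
 *   <li><b>update first</b>: each run of updates collapses to its last update; a delete in last
 *       position replaces everything with the delete.</li>
 *   <li><b>delete first</b>: always inconsistent, because a delete must be the last delta.</li>
 * </ul>
 * Any inconsistent sequence (second create, create after update, delete that is not last, or a
 * change type outside create/update/delete) makes the whole call return {@code null}; no partial
 * list is ever returned for a history that could not be interpreted.
 *
 * @param deltas deltas to compress; each delta's change type must be non-null (it is unboxed in a switch)
 * @return the compressed deltas sorted with {@code POLICY_DELTA_ID_COMPARATOR}, or {@code null} when
 *         the history of any policy is inconsistent
 */
private static List<RangerPolicyDelta> compressDeltas(List<RangerPolicyDelta> deltas) {
    List<RangerPolicyDelta> ret = new ArrayList<>();
    final Map<Long, List<RangerPolicyDelta>> policyDeltaMap = new HashMap<>();

    // Group by policy id; within a group the input order is preserved.
    for (RangerPolicyDelta delta : deltas) {
        policyDeltaMap.computeIfAbsent(delta.getPolicyId(), id -> new ArrayList<>()).add(delta);
    }

    for (Map.Entry<Long, List<RangerPolicyDelta>> entry : policyDeltaMap.entrySet()) {
        List<RangerPolicyDelta> policyDeltas = entry.getValue();

        if (policyDeltas.size() == 1) {
            ret.addAll(policyDeltas);
        } else {
            // Will always be greater than 1
            // policyDeltasForPolicy == null is the "history is inconsistent" marker for this policy.
            List<RangerPolicyDelta> policyDeltasForPolicy = new ArrayList<>();
            RangerPolicyDelta first = policyDeltas.get(0);

            policyDeltasForPolicy.add(first);

            int index = 1;

            switch (first.getChangeType()) {
                case RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE:
                    while (index < policyDeltas.size()) {
                        RangerPolicyDelta policyDelta = policyDeltas.get(index);

                        switch (policyDelta.getChangeType()) {
                            case RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE:
                                LOG.error("Multiple policy creates!! [" + policyDelta + "]");
                                policyDeltasForPolicy = null;
                                break;
                            case RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE:
                                // Skip the whole run of consecutive updates; the create delta stays as the result.
                                for (int i = index + 1; i < policyDeltas.size(); i++) {
                                    RangerPolicyDelta next = policyDeltas.get(i);

                                    if (next.getChangeType() == RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE) {
                                        index = i;
                                    } else {
                                        break;
                                    }
                                }
                                index++;
                                break;
                            case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE:
                                if (policyDeltas.size() == index + 1) {
                                    // Last one: create followed by delete cancels out.
                                    policyDeltasForPolicy.clear();
                                    index++;
                                } else {
                                    LOG.error("CHANGE_TYPE_POLICY_DELETE should be the last policyDelta, found:[" + policyDeltas.get(index + 1) + "]");
                                    policyDeltasForPolicy = null;
                                }
                                break;
                            default:
                                // An unrecognised change type never advances index, so leaving this
                                // branch empty would spin in the while loop forever. Reject instead.
                                LOG.error("Unexpected changeType in policy-delta:[" + policyDelta + "]");
                                policyDeltasForPolicy = null;
                                break;
                        }

                        if (policyDeltasForPolicy == null) {
                            break;
                        }
                    }
                    break;
                case RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE:
                    while (index < policyDeltas.size()) {
                        RangerPolicyDelta policyDelta = policyDeltas.get(index);

                        switch (policyDelta.getChangeType()) {
                            case RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE:
                                LOG.error("Should not get here! policy is created after it is updated!! policy-delta:[" + policyDelta + "]");
                                policyDeltasForPolicy = null;
                                break;
                            case RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE:
                                // Advance to the last update of this run and keep only that one.
                                for (int i = index + 1; i < policyDeltas.size(); i++) {
                                    RangerPolicyDelta next = policyDeltas.get(i);

                                    if (next.getChangeType() == RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE) {
                                        index = i;
                                    } else {
                                        break;
                                    }
                                }
                                policyDeltasForPolicy.clear();
                                policyDeltasForPolicy.add(policyDeltas.get(index));
                                index++;
                                break;
                            case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE:
                                if (policyDeltas.size() == index + 1) {
                                    // Last one: the delete supersedes every earlier update.
                                    policyDeltasForPolicy.clear();
                                    policyDeltasForPolicy.add(policyDeltas.get(index));
                                    index++;
                                } else {
                                    LOG.error("CHANGE_TYPE_POLICY_DELETE should be the last policyDelta, found:[" + policyDeltas.get(index + 1) + "]");
                                    policyDeltasForPolicy = null;
                                }
                                break;
                            default:
                                // Same non-termination hazard as in the create-first loop: reject.
                                LOG.error("Unexpected changeType in policy-delta:[" + policyDelta + "]");
                                policyDeltasForPolicy = null;
                                break;
                        }

                        if (policyDeltasForPolicy == null) {
                            break;
                        }
                    }
                    break;
                case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE:
                    LOG.error("CHANGE_TYPE_POLICY_DELETE should be the last policyDelta, found:[" + policyDeltas.get(index) + "]");
                    policyDeltasForPolicy = null;
                    break;
                default:
                    // Reject rather than emit only the first delta and silently drop the rest of
                    // this policy's history, consistent with every other error branch.
                    LOG.error("Should not get here for valid policy-delta:[" + first + "]");
                    policyDeltasForPolicy = null;
                    break;
            }

            if (policyDeltasForPolicy != null) {
                ret.addAll(policyDeltasForPolicy);
            } else {
                ret = null;
                break;
            }
        }
    }

    if (ret != null) {
        // Map iteration order is unspecified, so the result is put into comparator order.
        ret.sort(POLICY_DELTA_ID_COMPARATOR);
    }

    return ret;
}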
use of org.apache.ranger.plugin.model.RangerPolicyDelta in project ranger by apache.
the class ServiceDBStore method getServicePoliciesWithDeltas.
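/**
 * Builds a delta-only {@link ServicePolicies} describing what changed after {@code lastKnownVersion}.
 *
 * <p>Resource-service deltas later than {@code lastKnownVersion} are read from the policy change
 * log and validated with {@link RangerPolicyDeltaUtil#isValidDeltas}. When a tag service is given,
 * its change-log entries are fetched with {@code findGreaterThan} relative to the id of the first
 * resource delta, and validated against the tag service type. Only when every fetched delta is
 * valid are the two lists merged (tag-typed entries in the resource list are replaced by the tag
 * service's own deltas) and compressed.
 *
 * <p>The method returns {@code null} instead of a partial result whenever the caller reports no
 * usable version ({@code null} or {@code -1}), no deltas exist, validation fails, the tag
 * service-def needed for validation is missing, or compression reports an inconsistent history.
 *
 * @param serviceDef       service-def of the resource service; its name is the expected service type
 * @param service          resource service row
 * @param tagServiceDef    service-def of the linked tag service, may be {@code null}
 * @param tagService       linked tag service row, may be {@code null}
 * @param lastKnownVersion policy version held by the caller
 * @return a {@code ServicePolicies} with {@code policies == null} and compressed deltas, or {@code null}
 */
ServicePolicies getServicePoliciesWithDeltas(RangerServiceDef serviceDef, XXService service, RangerServiceDef tagServiceDef, XXService tagService, Long lastKnownVersion) {
    ServicePolicies ret = null;

    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceDBStore.getServicePoliciesWithDeltas(serviceType=" + serviceDef.getName() + ", serviceId=" + service.getId() + ", tagServiceId=" + (tagService != null ? tagService.getId() : null) + ", lastKnownVersion=" + lastKnownVersion + ")");
    }

    // A null version is handled like -1 (no deltas are attempted) instead of failing on unboxing.
    if (lastKnownVersion != null && lastKnownVersion != -1L) {
        List<RangerPolicyDelta> resourcePolicyDeltas;
        List<RangerPolicyDelta> tagPolicyDeltas = null;
        Long retrievedPolicyVersion = null;
        Long retrievedTagPolicyVersion = null;
        String componentServiceType = serviceDef.getName();
        boolean isValid;

        resourcePolicyDeltas = daoMgr.getXXPolicyChangeLog().findLaterThan(lastKnownVersion, service.getId());

        if (CollectionUtils.isNotEmpty(resourcePolicyDeltas)) {
            isValid = RangerPolicyDeltaUtil.isValidDeltas(resourcePolicyDeltas, componentServiceType);

            if (isValid) {
                // The version reported to the caller is the one carried by the newest delta in the list.
                retrievedPolicyVersion = resourcePolicyDeltas.get(resourcePolicyDeltas.size() - 1).getPoliciesVersion();
            } else {
                LOG.warn("Resource policy-Deltas :[" + resourcePolicyDeltas + "] from version :[" + lastKnownVersion + "] are not valid");
            }

            if (isValid && tagService != null) {
                // Tag deltas are located relative to the id of the first resource delta.
                Long id = resourcePolicyDeltas.get(0).getId();

                tagPolicyDeltas = daoMgr.getXXPolicyChangeLog().findGreaterThan(id, tagService.getId());

                if (CollectionUtils.isNotEmpty(tagPolicyDeltas)) {
                    if (tagServiceDef == null) {
                        // Without the tag service-def the tag deltas cannot be validated; treat the
                        // batch as invalid rather than dereferencing null or accepting them unchecked.
                        LOG.warn("Tag service-def is not available for tagServiceId=" + tagService.getId() + "; tag policy-deltas cannot be validated");
                        isValid = false;
                    } else {
                        String tagServiceType = tagServiceDef.getName();

                        isValid = RangerPolicyDeltaUtil.isValidDeltas(tagPolicyDeltas, tagServiceType);

                        if (isValid) {
                            retrievedTagPolicyVersion = tagPolicyDeltas.get(tagPolicyDeltas.size() - 1).getPoliciesVersion();
                        } else {
                            LOG.warn("Tag policy-Deltas :[" + tagPolicyDeltas + "] for service-version :[" + lastKnownVersion + "] and delta-id :[" + id + "] are not valid");
                        }
                    }
                }
            }

            if (isValid) {
                if (CollectionUtils.isNotEmpty(tagPolicyDeltas)) {
                    // To ensure that resource-policy-deltas with service-type of 'tag' are ignored after validation
                    resourcePolicyDeltas.removeIf(rangerPolicyDelta -> StringUtils.equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME, rangerPolicyDelta.getServiceType()));
                    resourcePolicyDeltas.addAll(tagPolicyDeltas);
                }

                List<RangerPolicyDelta> compressedDeltas = compressDeltas(resourcePolicyDeltas);

                if (compressedDeltas != null) {
                    ret = new ServicePolicies();
                    ret.setServiceId(service.getId());
                    ret.setServiceName(service.getName());
                    ret.setServiceDef(serviceDef);
                    ret.setPolicies(null);
                    ret.setPolicyDeltas(compressedDeltas);
                    ret.setPolicyVersion(retrievedPolicyVersion);

                    if (tagServiceDef != null && tagService != null) {
                        ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();

                        tagPolicies.setServiceDef(tagServiceDef);
                        tagPolicies.setServiceId(tagService.getId());
                        tagPolicies.setServiceName(tagService.getName());
                        tagPolicies.setPolicies(null);
                        tagPolicies.setPolicyVersion(retrievedTagPolicyVersion);

                        ret.setTagPolicies(tagPolicies);
                    }
                } else {
                    LOG.warn("Deltas :[" + resourcePolicyDeltas + "] from version :[" + lastKnownVersion + "] after compressing are null!");
                }
            }
        } else {
            LOG.warn("No policy-deltas found for serviceId=" + service.getId() + ", tagServiceId=" + (tagService != null ? tagService.getId() : null) + ", lastKnownVersion=" + lastKnownVersion + ")");
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceDBStore.getServicePoliciesWithDeltas(serviceType=" + serviceDef.getName() + ", serviceId=" + service.getId() + ", tagServiceId=" + (tagService != null ? tagService.getId() : null) + ", lastKnownVersion=" + lastKnownVersion + ") : deltasSize=" + (ret != null && CollectionUtils.isNotEmpty(ret.getPolicyDeltas()) ? ret.getPolicyDeltas().size() : 0));
    }

    return ret;
}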
use of org.apache.ranger.plugin.model.RangerPolicyDelta in project ranger by apache.
the class PolicyEngine method getDeltasSortedByZones.
/**
 * Distributes the deltas in {@code servicePolicies} between security zones and the default zone.
 *
 * <p>Both output lists are emptied first (with a warning if they were not empty). When security
 * zones are present, the zone trie is built and a policy repository is installed in
 * {@code zonePolicyRepositories} for every zone with a non-empty name:
 * <ul>
 *   <li>no deltas for the zone: the repository is obtained with {@code shareWith(...)} from
 *       {@code current};</li>
 *   <li>deltas and an existing repository in {@code current}: a repository built from the existing
 *       one, the deltas and the policy version;</li>
 *   <li>deltas but no existing repository: the zone's policies are set from the create deltas only
 *       (any other change type is logged and skipped) and a fresh repository is built.</li>
 * </ul>
 * Finally the un-zoned deltas are split: those whose service type equals the service-def name go
 * to {@code defaultZoneDeltas}; every other delta goes to {@code defaultZoneDeltasForTagPolicies}.
 *
 * @param current                         engine whose zone repositories and plugin context are reused
 * @param servicePolicies                 incoming policies; its delta lists are dereferenced unconditionally
 * @param defaultZoneDeltas               output list for deltas of the resource service
 * @param defaultZoneDeltasForTagPolicies output list for the remaining deltas
 */
private void getDeltasSortedByZones(PolicyEngine current, ServicePolicies servicePolicies, List<RangerPolicyDelta> defaultZoneDeltas, List<RangerPolicyDelta> defaultZoneDeltasForTagPolicies) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> getDeltasSortedByZones()");
    }

    // -1 stands in for a missing policy version.
    long policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion() : -1L;

    if (CollectionUtils.isNotEmpty(defaultZoneDeltas)) {
        LOG.warn("Emptying out defaultZoneDeltas!");
        defaultZoneDeltas.clear();
    }

    if (CollectionUtils.isNotEmpty(defaultZoneDeltasForTagPolicies)) {
        LOG.warn("Emptying out defaultZoneDeltasForTagPolicies!");
        defaultZoneDeltasForTagPolicies.clear();
    }

    if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
        buildZoneTrie(servicePolicies);

        final Map<String, List<RangerPolicyDelta>> zoneDeltasMap = new HashMap<>();

        // Pass 1: collect the deltas of every named zone.
        for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> zoneEntry : servicePolicies.getSecurityZones().entrySet()) {
            final String                  zoneName     = zoneEntry.getKey();
            final List<RangerPolicyDelta> sourceDeltas = zoneEntry.getValue().getPolicyDeltas();

            if (!StringUtils.isNotEmpty(zoneName)) {
                continue;
            }

            final List<RangerPolicyDelta> collected = new ArrayList<>();

            zoneDeltasMap.put(zoneName, collected);
            collected.addAll(sourceDeltas);
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("Security zones found in the service-policies:[" + zoneDeltasMap.keySet() + "]");
        }

        // Pass 2: derive a repository for every collected zone.
        for (Map.Entry<String, List<RangerPolicyDelta>> entry : zoneDeltasMap.entrySet()) {
            final String                  zoneName         = entry.getKey();
            final List<RangerPolicyDelta> zoneDeltas       = entry.getValue();
            final RangerPolicyRepository  otherRepository  = current.zonePolicyRepositories.get(zoneName);
            final RangerPolicyRepository  policyRepository;

            if (LOG.isDebugEnabled()) {
                LOG.debug("zoneName:[" + zoneName + "], zoneDeltas:[" + Arrays.toString(zoneDeltas.toArray()) + "], doesOtherRepositoryExist:[" + (otherRepository != null) + "]");
            }

            if (!CollectionUtils.isNotEmpty(zoneDeltas)) {
                policyRepository = shareWith(otherRepository);
            } else if (otherRepository != null) {
                policyRepository = new RangerPolicyRepository(otherRepository, zoneDeltas, policyVersion);
            } else {
                // Zone not known to the current engine: only create deltas can contribute policies.
                final List<RangerPolicy> createdPolicies = new ArrayList<>();

                for (RangerPolicyDelta zoneDelta : zoneDeltas) {
                    if (zoneDelta.getChangeType() == RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE) {
                        createdPolicies.add(zoneDelta.getPolicy());
                    } else {
                        LOG.warn("Expected changeType:[" + RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE + "], found policy-change-delta:[" + zoneDelta + "]");
                    }
                }

                servicePolicies.getSecurityZones().get(zoneName).setPolicies(createdPolicies);

                policyRepository = new RangerPolicyRepository(servicePolicies, current.pluginContext, zoneName);
            }

            zonePolicyRepositories.put(zoneName, policyRepository);
        }
    }

    final List<RangerPolicyDelta> unzonedDeltas = servicePolicies.getPolicyDeltas();

    if (LOG.isDebugEnabled()) {
        LOG.debug("ServicePolicies.policyDeltas:[" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + "]");
    }

    // Anything that is not typed as the resource service itself is routed to the tag-policy list.
    for (RangerPolicyDelta unzoned : unzonedDeltas) {
        final boolean belongsToResourceService = servicePolicies.getServiceDef().getName().equals(unzoned.getServiceType());

        if (belongsToResourceService) {
            defaultZoneDeltas.add(unzoned);
        } else {
            defaultZoneDeltasForTagPolicies.add(unzoned);
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("defaultZoneDeltas:[" + Arrays.toString(defaultZoneDeltas.toArray()) + "]");
        LOG.debug("defaultZoneDeltasForTagPolicies:[" + Arrays.toString(defaultZoneDeltasForTagPolicies.toArray()) + "]");
        LOG.debug("<== getDeltasSortedByZones()");
    }
}