
Example 11 with RangerPolicyDelta

use of org.apache.ranger.plugin.model.RangerPolicyDelta in project ranger by apache.

the class ServiceDBStore method getUpdatedServicePoliciesForZones.

/**
 * Splits a service's policies (or policy deltas) into per-security-zone buckets.
 *
 * <p>When {@code securityZones} is null or empty the caller's {@code servicePolicies}
 * object is returned as-is (same instance, not a copy). Otherwise a new
 * {@link ServicePolicies} is built that shares the service definition, ids, versions
 * and tag policies of the input by reference, and carries one
 * {@link ServicePolicies.SecurityZoneInfo} per entry of {@code securityZones}.
 *
 * <p>Exactly one of the two lists is partitioned: the policy deltas when the input has
 * any, otherwise the full policy list. Whatever {@code extractZonePolicies} /
 * {@code extractZonePolicyDeltas} does not return for one of the supplied zones stays
 * in the top-level list of the result.
 *
 * <p>NOTE(review): the matching rule lives in the extract helpers, which are not shown
 * here. Presumably they match on the policy's zone name; if so, a policy naming a zone
 * that is absent from {@code securityZones} would remain in the top-level list.
 * Confirm that this is the intended handling for such policies.
 *
 * <p>Tag policies are passed through unpartitioned, and every zone is created with
 * {@code containsAssociatedTagService = false}.
 *
 * @param servicePolicies policies of one service; in the non-delta branch
 *                        {@code getPolicies()} must be non-null, because it is copied
 *                        with {@code new ArrayList<>(...)}
 * @param securityZones   zone name to zone-service mapping; may be null or empty
 * @return the input itself when there are no zones, otherwise a new zone-aware instance
 */
private static ServicePolicies getUpdatedServicePoliciesForZones(ServicePolicies servicePolicies, Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones) {
    // No zones configured: nothing to partition, return the caller's own object.
    if (MapUtils.isEmpty(securityZones)) {
        return servicePolicies;
    }

    final ServicePolicies zoned = new ServicePolicies();

    // Service-level attributes are carried over by reference, not deep-copied.
    zoned.setServiceDef(servicePolicies.getServiceDef());
    zoned.setServiceId(servicePolicies.getServiceId());
    zoned.setServiceName(servicePolicies.getServiceName());
    zoned.setAuditMode(servicePolicies.getAuditMode());
    zoned.setPolicyVersion(servicePolicies.getPolicyVersion());
    zoned.setPolicyUpdateTime(servicePolicies.getPolicyUpdateTime());
    zoned.setTagPolicies(servicePolicies.getTagPolicies());

    final Map<String, ServicePolicies.SecurityZoneInfo> zoneInfoByName = new HashMap<>();

    if (!CollectionUtils.isEmpty(servicePolicies.getPolicyDeltas())) {
        // Incremental update: partition the deltas; the full policy list is not set on the result.
        final List<RangerPolicyDelta> remainingDeltas = new ArrayList<>(servicePolicies.getPolicyDeltas());

        for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> zone : securityZones.entrySet()) {
            final String zoneName = zone.getKey();
            final List<RangerPolicyDelta> deltasInZone = extractZonePolicyDeltas(remainingDeltas, zoneName);

            // removeAll depends on RangerPolicyDelta equality to take the zone's deltas out of the remainder.
            if (CollectionUtils.isNotEmpty(deltasInZone)) {
                remainingDeltas.removeAll(deltasInZone);
            }

            final ServicePolicies.SecurityZoneInfo zoneInfo = new ServicePolicies.SecurityZoneInfo();

            zoneInfo.setZoneName(zoneName);
            zoneInfo.setPolicyDeltas(deltasInZone);
            zoneInfo.setResources(zone.getValue().getResources());
            zoneInfo.setContainsAssociatedTagService(false);
            zoneInfoByName.put(zoneName, zoneInfo);
        }

        // Deltas not claimed by any supplied zone stay at the top level.
        zoned.setPolicyDeltas(remainingDeltas);
    } else {
        // Full update: partition the complete policy list.
        final List<RangerPolicy> remainingPolicies = new ArrayList<>(servicePolicies.getPolicies());

        for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> zone : securityZones.entrySet()) {
            final String zoneName = zone.getKey();
            final List<RangerPolicy> policiesInZone = extractZonePolicies(remainingPolicies, zoneName);

            // removeAll depends on RangerPolicy equality to take the zone's policies out of the remainder.
            if (CollectionUtils.isNotEmpty(policiesInZone)) {
                remainingPolicies.removeAll(policiesInZone);
            }

            final ServicePolicies.SecurityZoneInfo zoneInfo = new ServicePolicies.SecurityZoneInfo();

            zoneInfo.setZoneName(zoneName);
            zoneInfo.setPolicies(policiesInZone);
            zoneInfo.setResources(zone.getValue().getResources());
            zoneInfo.setContainsAssociatedTagService(false);
            zoneInfoByName.put(zoneName, zoneInfo);
        }

        // Policies not claimed by any supplied zone stay at the top level.
        zoned.setPolicies(remainingPolicies);
    }

    zoned.setSecurityZones(zoneInfoByName);

    return zoned;
}
Also used : ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies) LinkedHashMap(java.util.LinkedHashMap) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) RangerSecurityZoneService(org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService) VXString(org.apache.ranger.view.VXString) RangerPolicyDelta(org.apache.ranger.plugin.model.RangerPolicyDelta) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) Map(java.util.Map) XXPolicyLabelMap(org.apache.ranger.entity.XXPolicyLabelMap) LinkedHashMap(java.util.LinkedHashMap) HashMap(java.util.HashMap) XXServiceConfigMap(org.apache.ranger.entity.XXServiceConfigMap)

Example 12 with RangerPolicyDelta

use of org.apache.ranger.plugin.model.RangerPolicyDelta in project ranger by apache.

the class ServiceDefUtilTest method testPolicyItemRowFilterExprUserGroupRef.

/**
 * Checks that a row-filter expression referencing a user/group attribute macro
 * ({@code ${{...}}}) makes {@code ServiceDefUtil.addUserStoreEnricherIfNeeded} return
 * {@code true}, wherever the policy is stored.
 *
 * <p>Four placements are exercised in turn for every entry of
 * {@code UGA_ATTR_EXPRESSIONS}: top-level policies, top-level policy deltas, policies
 * inside a security zone, and policy deltas inside a security zone. Covering all four
 * matters because a placement that was not scanned would return {@code false} here.
 * NOTE(review): presumably a {@code false} result means the user-store enricher is not
 * added and the filter's attribute references are left unresolved; confirm against
 * {@code ServiceDefUtil}.
 */
@Test
public void testPolicyItemRowFilterExprUserGroupRef() {
    final String retrieverClassName = RangerAdminUserStoreRetriever.class.getCanonicalName();

    for (String attrExpr : UGA_ATTR_EXPRESSIONS) {
        final String filterExpr = "${{" + attrExpr + "}}";
        final ServicePolicies svcPolicies = getServicePolicies();
        final RangerPolicy policy = getPolicy(svcPolicies);

        policy.getRowFilterPolicyItems().get(0).setRowFilterInfo(new RangerPolicyItemRowFilterInfo("dept in (" + filterExpr + ")"));

        // Placement 1: the policy sits in the top-level policy list.
        svcPolicies.getPolicies().add(policy);

        assertTrue("policy row-filter refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, retrieverClassName, "60000"));

        // Clear the context enrichers and the previous placement so the next check starts clean.
        svcPolicies.getServiceDef().getContextEnrichers().clear();
        svcPolicies.getPolicies().clear();

        // Placement 2: the policy arrives as a top-level POLICY_CREATE delta.
        svcPolicies.getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy));

        assertTrue("policy-delta row-filter refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, retrieverClassName, "60000"));

        svcPolicies.getServiceDef().getContextEnrichers().clear();
        svcPolicies.getPolicyDeltas().clear();

        // Placement 3: the policy sits in the policy list of security zone "zone1".
        svcPolicies.getSecurityZones().put("zone1", getSecurityZoneInfo("zone1"));
        svcPolicies.getSecurityZones().get("zone1").getPolicies().add(policy);

        assertTrue("zone-policy row-filter refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, retrieverClassName, "60000"));

        svcPolicies.getServiceDef().getContextEnrichers().clear();
        svcPolicies.getSecurityZones().get("zone1").getPolicies().clear();

        // Placement 4: the policy arrives as a POLICY_CREATE delta inside "zone1".
        svcPolicies.getSecurityZones().get("zone1").getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy));

        assertTrue("zone-policy-delta row-filter refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, retrieverClassName, "60000"));
    }
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyItemRowFilterInfo(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo) RangerPolicyDelta(org.apache.ranger.plugin.model.RangerPolicyDelta) Test(org.junit.Test)

Example 13 with RangerPolicyDelta

use of org.apache.ranger.plugin.model.RangerPolicyDelta in project ranger by apache.

the class XXPolicyChangeLogDao method convert.

/**
 * Turns raw policy-change-log rows into {@link RangerPolicyDelta} objects.
 *
 * <p>Rows are processed in the order given. Two conditions stop processing early, and
 * in both every delta collected so far is discarded and replaced by a single marker
 * delta:
 * <ul>
 *   <li>a row with a {@code null} policy id (logged as a "delta-reset-event"): the
 *       marker carries that row's own change type;</li>
 *   <li>a stored policy that cannot be read: the marker has type
 *       {@code CHANGE_TYPE_LOG_ERROR}.</li>
 * </ul>
 * NOTE(review): presumably callers treat these markers as "deltas unusable, fall back
 * to a full policy load". Confirm that every consumer checks for them, since the
 * earlier deltas are dropped without any other signal.
 *
 * <p>When the policy row no longer exists, a placeholder {@link RangerPolicy} holding
 * only id, service type, policy type and zone name is used instead.
 *
 * @param queryResult rows whose columns are addressed by the
 *                    {@code POLICY_CHANGE_LOG_RECORD_*_COLUMN_NUMBER} constants
 * @return the converted deltas, or {@code null} (not an empty list) when
 *         {@code queryResult} is null or empty
 */
private List<RangerPolicyDelta> convert(List<Object[]> queryResult) {
    if (CollectionUtils.isEmpty(queryResult)) {
        // Callers receive null rather than an empty list for "no rows".
        return null;
    }

    final List<RangerPolicyDelta> deltas = new ArrayList<>(queryResult.size());

    for (Object[] row : queryResult) {
        final Long logRecordId = (Long) row[POLICY_CHANGE_LOG_RECORD_ID_COLUMN_NUMBER];
        final Integer policyChangeType = (Integer) row[POLICY_CHANGE_LOG_RECORD_CHANGE_TYPE_COLUMN_NUMBER];
        final Long policiesVersion = (Long) row[POLICY_CHANGE_LOG_RECORD_POLICY_VERSION_COLUMN_NUMBER];
        final String serviceType = (String) row[POLICY_CHANGE_LOG_RECORD_SERVICE_TYPE_COLUMN_NUMBER];
        final Long policyId = (Long) row[POLICY_CHANGE_LOG_RECORD_POLICY_ID_COLUMN_NUMBER];

        if (policyId == null) {
            // A row without a policy id resets the delta stream: drop what was gathered and stop.
            LOG.info("delta-reset-event: log-record-id=" + logRecordId + "; service-type=" + serviceType + "; policy-change-type=" + policyChangeType + ". Discarding " + deltas.size() + " deltas");
            deltas.clear();
            deltas.add(new RangerPolicyDelta(logRecordId, policyChangeType, null, null));
            break;
        }

        final XXPolicy xxPolicy = daoManager.getXXPolicy().getById(policyId);
        RangerPolicy policy;

        if (xxPolicy == null) {
            // NOTE(review): these comparisons unbox policyChangeType, so a null change type would throw here.
            final boolean isCreate = policyChangeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE;

            if (isCreate || policyChangeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE) {
                LOG.warn((policyChangeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE ? "POLICY_CREATE" : "POLICY_UPDATE") + " type change for policy-id:[" + policyId + "], log-id:[" + logRecordId + "] was not found.. probably already deleted");
            }

            // Create a placeholder delta with a dummy policy, because the created/updated policy
            // cannot be found. If there is a subsequent POLICY_DELETE, this delta will be
            // cleaned up in ServiceDBStore.compressDeltas().
            policy = new RangerPolicy();
            policy.setId(policyId);
            policy.setServiceType(serviceType);
            policy.setPolicyType((Integer) row[POLICY_CHANGE_LOG_RECORD_POLICY_TYPE_COLUMN_NUMBER]);
            policy.setZoneName((String) row[POLICY_CHANGE_LOG_RECORD_ZONE_NAME_COLUMN_NUMBER]);
        } else {
            try {
                policy = JsonUtils.jsonToObject(xxPolicy.getPolicyText(), RangerPolicy.class);
                // The id and version columns override whatever the stored JSON text carries.
                policy.setId(policyId);

                if (policy.getServiceType() == null) {
                    policy.setServiceType(serviceType);
                }

                policy.setVersion(xxPolicy.getVersion());
            } catch (Exception e) {
                // The broad catch is deliberate: any failure to rebuild the policy invalidates
                // the whole batch, leaving a single LOG_ERROR marker instead of partial deltas.
                LOG.error("Cannot read policy:[" + policyId + "]. Should not have come here!! Offending log-record-id:[" + logRecordId + "] and returning...", e);
                deltas.clear();
                deltas.add(new RangerPolicyDelta(logRecordId, RangerPolicyDelta.CHANGE_TYPE_LOG_ERROR, null, null));
                break;
            }
        }

        deltas.add(new RangerPolicyDelta(logRecordId, policyChangeType, policiesVersion, policy));
    }

    return deltas;
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyDelta(org.apache.ranger.plugin.model.RangerPolicyDelta) XXPolicy(org.apache.ranger.entity.XXPolicy)
