use of org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef in project ranger by apache.
Class RangerDefaultPolicyEvaluator, method createPolicyACLSummary:
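/**
 * Builds the {@link PolicyACLSummary} for this evaluator's policy, or returns {@code null} when
 * a summary would not be a faithful stand-in for full evaluation.
 *
 * <p>A summary is "usable for evaluation" only when all of the following are false: allow/deny
 * exceptions that reference non-public groups or carry conditions, a public-group allow/deny that
 * is narrowed by user-level exceptions, a context-sensitive specification, and roles left in the
 * policy after the optional role resolution. {@code isCreationForced} builds the summary anyway;
 * the boolean handed to {@code PolicyACLSummary#processPolicyItem} for allow/deny items then
 * reports that the matching exception list could not be folded into the summary (how the summary
 * treats that flag is defined in {@code PolicyACLSummary}, not here).
 *
 * <p>Processing order is significant and is kept as: deny items, deny exceptions, allow items,
 * allow exceptions, row-filter items, data-mask items, then {@code finalizeAcls}.
 *
 * @param isCreationForced build the summary even when it is not usable for evaluation
 * @return the summary, or {@code null} when it was not built
 */
private PolicyACLSummary createPolicyACLSummary(boolean isCreationForced) {
    PolicyACLSummary ret = null;

    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_ACLSUMMARY_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_ACLSUMMARY_LOG, "RangerPolicyEvaluator.init.ACLSummary(" + perfTag + ")");
    }

    // Summarize the role-expanded policy when roles are in use, otherwise the policy as stored.
    final RangerPolicy basePolicy = getPolicy();
    final RangerPolicy policy     = (!disableRoleResolution && hasRoles(basePolicy)) ? getPolicyWithRolesResolved(basePolicy) : basePolicy;

    final boolean hasNonPublicGroupOrConditionsInAllowExceptions = hasNonPublicGroupOrConditions(policy.getAllowExceptions());
    final boolean hasNonPublicGroupOrConditionsInDenyExceptions  = hasNonPublicGroupOrConditions(policy.getDenyExceptions());
    final boolean hasPublicGroupInAllowAndUsersInAllowExceptions  = hasPublicGroupAndUserInException(policy.getPolicyItems(), policy.getAllowExceptions());
    final boolean hasPublicGroupInDenyAndUsersInDenyExceptions    = hasPublicGroupAndUserInException(policy.getDenyPolicyItems(), policy.getDenyExceptions());
    final boolean hasContextSensitiveSpecification                = hasContextSensitiveSpecification();
    final boolean hasRoles                                        = hasRoles(policy);

    // Per side: exceptions exist that the summary cannot represent.
    final boolean hasUnfoldableDenyExceptions  = hasNonPublicGroupOrConditionsInDenyExceptions || hasPublicGroupInDenyAndUsersInDenyExceptions;
    final boolean hasUnfoldableAllowExceptions = hasNonPublicGroupOrConditionsInAllowExceptions || hasPublicGroupInAllowAndUsersInAllowExceptions;

    final boolean isUsableForEvaluation = !hasUnfoldableDenyExceptions && !hasUnfoldableAllowExceptions && !hasContextSensitiveSpecification && !hasRoles;

    if (isUsableForEvaluation || isCreationForced) {
        ret = new PolicyACLSummary();

        for (RangerPolicyItem policyItem : policy.getDenyPolicyItems()) {
            ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY, hasUnfoldableDenyExceptions);
        }

        // Deny exceptions are folded in only when every one of them is representable.
        if (!hasUnfoldableDenyExceptions) {
            for (RangerPolicyItem policyItem : policy.getDenyExceptions()) {
                ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS, false);
            }
        }

        for (RangerPolicyItem policyItem : policy.getPolicyItems()) {
            ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW, hasUnfoldableAllowExceptions);
        }

        // Same rule for allow exceptions.
        if (!hasUnfoldableAllowExceptions) {
            for (RangerPolicyItem policyItem : policy.getAllowExceptions()) {
                ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS, false);
            }
        }

        for (RangerRowFilterPolicyItem policyItem : policy.getRowFilterPolicyItems()) {
            ret.processRowFilterPolicyItem(policyItem);
        }

        for (RangerDataMaskPolicyItem policyItem : policy.getDataMaskPolicyItems()) {
            ret.processDataMaskPolicyItem(policyItem);
        }

        // For denyAllElse the summary is given every concrete access type of the service; the
        // aggregate "all" pseudo access type is excluded (case-insensitively). What finalizeAcls
        // does with that set is defined in PolicyACLSummary.
        final boolean     isDenyAllElse = Boolean.TRUE.equals(policy.getIsDenyAllElse());
        final Set<String> allAccessTypeNames;

        if (isDenyAllElse) {
            allAccessTypeNames = new HashSet<>();

            for (RangerAccessTypeDef accessTypeDef : getServiceDef().getAccessTypes()) {
                if (!StringUtils.equalsIgnoreCase(accessTypeDef.getName(), "all")) {
                    allAccessTypeNames.add(accessTypeDef.getName());
                }
            }
        } else {
            // Typed empty set instead of the raw Collections.EMPTY_SET constant (unchecked assignment).
            allAccessTypeNames = Collections.emptySet();
        }

        ret.finalizeAcls(isDenyAllElse, allAccessTypeNames);
    }

    RangerPerfTracer.logAlways(perf);

    return ret;
}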
use of org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef in project ranger by apache.
Class RangerDefaultPolicyEvaluator, method getImpliedAccessGrants:
/**
 * Collects the implied-grant expansion declared by a service definition.
 *
 * @param serviceDef service definition whose access types are inspected; may be {@code null}
 * @return map from access type name to the set of access type names it implies, containing only
 *         access types that declare implied grants; {@code null} when {@code serviceDef} is null,
 *         has no access types, or none of them declares an implied grant
 */
protected Map<String, Collection<String>> getImpliedAccessGrants(RangerServiceDef serviceDef) {
    if (serviceDef == null || CollectionUtils.isEmpty(serviceDef.getAccessTypes())) {
        return null;
    }

    // Created lazily so that "nothing implied anywhere" still yields null.
    Map<String, Collection<String>> grantsByAccessType = null;

    for (RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
        Collection<String> declared = accessTypeDef.getImpliedGrants();

        if (CollectionUtils.isEmpty(declared)) {
            continue;
        }

        if (grantsByAccessType == null) {
            grantsByAccessType = new HashMap<>();
        }

        String             accessTypeName = accessTypeDef.getName();
        Collection<String> accumulated    = grantsByAccessType.get(accessTypeName);

        if (accumulated == null) {
            accumulated = new HashSet<>();
            grantsByAccessType.put(accessTypeName, accumulated);
        }

        // Same name listed twice merges into one set rather than replacing it.
        accumulated.addAll(declared);
    }

    return grantsByAccessType;
}
use of org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef in project ranger by apache.
Class RangerServiceDefValidator, method isValidAccessTypes:
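/**
 * Validates the access types of a service definition and appends every problem found to
 * {@code failures}.
 *
 * <p>Checks, in order: at least one access type is present; names and itemIds are unique (via
 * {@code isUnique}); on {@link Action#UPDATE} an access type keeps the name currently stored for
 * its itemId, because renaming an access type is not supported; every implied grant names an
 * access type declared in this list; no access type implies itself.
 *
 * @param serviceDefId   id of the stored service definition, consulted only for UPDATE
 * @param accessTypeDefs access types being validated
 * @param failures       sink for validation failures; appended to, never cleared
 * @param action         CREATE or UPDATE; decides whether stored names are compared
 * @return {@code true} when this method recorded no failure
 */
boolean isValidAccessTypes(final Long serviceDefId, final List<RangerAccessTypeDef> accessTypeDefs, final List<ValidationFailureDetails> failures, final Action action) {
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerServiceDefValidator.isValidAccessTypes(%s, %s)", accessTypeDefs, failures));
    }

    boolean valid = true;

    if (CollectionUtils.isEmpty(accessTypeDefs)) {
        ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_MISSING_FIELD;
        failures.add(new ValidationFailureDetailsBuilder().field("access types").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage("access types")).build());
        valid = false;
    } else {
        // itemId -> stored name; stays empty for CREATE so the rename check below is a no-op.
        Map<Long, String> existingAccessTypeIDNameMap = new HashMap<>();

        if (action == Action.UPDATE) {
            // NOTE(review): a null result from getServiceDef(serviceDefId) throws here, as it did
            // before; whether callers guarantee the definition exists is not visible in this method.
            for (RangerAccessTypeDef existingAccessType : this.getServiceDef(serviceDefId).getAccessTypes()) {
                existingAccessTypeIDNameMap.put(existingAccessType.getItemId(), existingAccessType.getName());
            }
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("accessType names from db = " + existingAccessTypeIDNameMap.values());
        }

        List<RangerAccessTypeDef> defsWithImpliedGrants = new ArrayList<>();
        Set<String>               accessNames           = new HashSet<>();
        Set<Long>                  ids                   = new HashSet<>();

        for (RangerAccessTypeDef def : accessTypeDefs) {
            String name   = def.getName();
            Long   itemId = def.getItemId();

            // Both checks run unconditionally so every duplicate is reported, not just the first.
            valid = isUnique(name, accessNames, "access type name", "access types", failures) && valid;
            valid = isUnique(itemId, ids, "access type itemId", "access types", failures) && valid;

            if (action == Action.UPDATE) {
                String existingName = existingAccessTypeIDNameMap.get(itemId);

                if (existingName != null && !existingName.equals(name)) {
                    ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_SERVICE_DEF_NAME_CONFICT;
                    failures.add(new ValidationFailureDetailsBuilder().field("access type name").isSemanticallyIncorrect().errorCode(error.getErrorCode()).becauseOf(String.format("changing %s[%s] in %s is not supported", "access type name", name, "access types")).build());
                    valid = false;
                }
            }

            if (CollectionUtils.isNotEmpty(def.getImpliedGrants())) {
                defsWithImpliedGrants.add(def);
            }
        }

        // Implied grants are checked only after the loop above, so accessNames holds every declared name.
        for (RangerAccessTypeDef def : defsWithImpliedGrants) {
            Collection<String> impliedGrants      = getImpliedGrants(def);
            Set<String>        unknownAccessTypes = Sets.difference(Sets.newHashSet(impliedGrants), accessNames);

            if (!unknownAccessTypes.isEmpty()) {
                ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_IMPLIED_GRANT_UNKNOWN_ACCESS_TYPE;
                // subField names a single offender; the message lists all unknown items.
                failures.add(new ValidationFailureDetailsBuilder().field("implied grants").subField(unknownAccessTypes.iterator().next()).isSemanticallyIncorrect().errorCode(error.getErrorCode()).becauseOf(error.getMessage(impliedGrants, unknownAccessTypes)).build());
                valid = false;
            }

            // An access type must not imply itself. Its name may be null/blank/empty here.
            String name = def.getName();

            if (impliedGrants.contains(name)) {
                ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_IMPLIED_GRANT_IMPLIES_ITSELF;
                failures.add(new ValidationFailureDetailsBuilder().field("implied grants").subField(name).isSemanticallyIncorrect().errorCode(error.getErrorCode()).becauseOf(error.getMessage(impliedGrants, name)).build());
                valid = false;
            }
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerServiceDefValidator.isValidAccessTypes(%s, %s): %s", accessTypeDefs, failures, valid));
    }

    return valid;
}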
use of org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef in project ranger by apache.
Class RangerPolicyValidator, method isValidAccessTypeDef:
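/**
 * Checks that every access referenced by a row-filter or data-mask policy item names an access
 * type that the service definition declares for that policy type.
 *
 * <p>Access policies (and any other policy type) are not checked here; the method then only logs
 * and returns {@code true}. Comparison is case-insensitive and locale-independent. A policy item
 * access with a {@code null} type is recorded as invalid rather than dereferenced.
 *
 * @param policy     policy under validation; its type defaults to ACCESS when unset
 * @param failures   sink for validation failures; appended to, never cleared
 * @param action     logged only
 * @param isAdmin    logged only
 * @param serviceDef service definition supplying the allowed access types; may be {@code null},
 *                   in which case every referenced access type is invalid
 * @return {@code true} when this method recorded no failure
 */
boolean isValidAccessTypeDef(RangerPolicy policy, final List<ValidationFailureDetails> failures, Action action, boolean isAdmin, final RangerServiceDef serviceDef) {
    boolean valid = true;

    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerPolicyValidator.isValidAccessTypeDef(%s, %s, %s,%s,%s)", policy, failures, action, isAdmin, serviceDef));
    }

    int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();

    // row filter policy
    if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
        List<String> rowFilterAccessTypeDefNames = lowerCaseAccessTypeNames(serviceDef != null && serviceDef.getRowFilterDef() != null ? serviceDef.getRowFilterDef().getAccessTypes() : null);

        if (!CollectionUtils.isEmpty(policy.getRowFilterPolicyItems())) {
            for (RangerRowFilterPolicyItem rangerRowFilterPolicyItem : policy.getRowFilterPolicyItems()) {
                valid = isValidPolicyItemAccesses(rangerRowFilterPolicyItem.getAccesses(), rowFilterAccessTypeDefNames, "row filter policy item access type", failures) && valid;
            }
        }
    }

    // data mask policy
    if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
        List<String> dataMaskAccessTypeDefNames = lowerCaseAccessTypeNames(serviceDef != null && serviceDef.getDataMaskDef() != null ? serviceDef.getDataMaskDef().getAccessTypes() : null);

        if (!CollectionUtils.isEmpty(policy.getDataMaskPolicyItems())) {
            for (RangerDataMaskPolicyItem rangerDataMaskPolicyItem : policy.getDataMaskPolicyItems()) {
                valid = isValidPolicyItemAccesses(rangerDataMaskPolicyItem.getAccesses(), dataMaskAccessTypeDefNames, "data masking policy item access type", failures) && valid;
            }
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.isValidAccessTypeDef(%s, %s, %s,%s,%s)", policy, failures, action, isAdmin, serviceDef));
    }

    return valid;
}

/**
 * Lower-cases the names of the given access type definitions with {@code Locale.ROOT}, so the
 * comparison does not depend on the JVM's default locale.
 *
 * @param accessTypeDefs definitions to read; {@code null} or empty yields an empty list
 * @return lower-cased names; definitions with a {@code null} name are skipped
 */
private static List<String> lowerCaseAccessTypeNames(List<RangerAccessTypeDef> accessTypeDefs) {
    List<String> ret = new ArrayList<String>();

    if (!CollectionUtils.isEmpty(accessTypeDefs)) {
        for (RangerAccessTypeDef accessTypeDef : accessTypeDefs) {
            String name = accessTypeDef.getName();

            if (name != null) {
                ret.add(name.toLowerCase(java.util.Locale.ROOT));
            }
        }
    }

    return ret;
}

/**
 * Records one failure for every access whose type is not among {@code allowedTypeNames}.
 *
 * @param accesses         accesses of one policy item; {@code null} or empty is valid
 * @param allowedTypeNames lower-cased allowed access type names
 * @param fieldName        field name reported in the failure
 * @param failures         sink for validation failures
 * @return {@code true} when every access is allowed
 */
private static boolean isValidPolicyItemAccesses(List<RangerPolicyItemAccess> accesses, List<String> allowedTypeNames, String fieldName, List<ValidationFailureDetails> failures) {
    boolean valid = true;

    if (!CollectionUtils.isEmpty(accesses)) {
        for (RangerPolicyItemAccess rangerPolicyItemAccess : accesses) {
            String accessType = rangerPolicyItemAccess.getType();

            // A null type can never match a declared access type; report it instead of throwing.
            if (accessType == null || !allowedTypeNames.contains(accessType.toLowerCase(java.util.Locale.ROOT))) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID;
                failures.add(new ValidationFailureDetailsBuilder().field(fieldName).isSemanticallyIncorrect().becauseOf(error.getMessage(accessType, allowedTypeNames)).errorCode(error.getErrorCode()).build());
                valid = false;
            }
        }
    }

    return valid;
}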
use of org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef in project ranger by apache.
Class TestRangerServiceDefService, method rangerServiceDef:
/**
 * Builds an HDFS-flavoured {@link RangerServiceDef} fixture whose child collections are all
 * present but empty.
 *
 * @return a fresh service definition with id {@code Id}
 */
private RangerServiceDef rangerServiceDef() {
    RangerServiceDef serviceDef = new RangerServiceDef();

    serviceDef.setId(Id);
    serviceDef.setImplClass("RangerServiceHdfs");
    serviceDef.setLabel("HDFS Repository");
    serviceDef.setDescription("HDFS Repository");
    serviceDef.setRbKeyDescription(null);
    serviceDef.setUpdatedBy("Admin");
    serviceDef.setUpdateTime(new Date());

    // Each child list is a distinct, mutable, empty ArrayList.
    serviceDef.setConfigs(new ArrayList<RangerServiceConfigDef>());
    serviceDef.setResources(new ArrayList<RangerResourceDef>());
    serviceDef.setAccessTypes(new ArrayList<RangerAccessTypeDef>());
    serviceDef.setPolicyConditions(new ArrayList<RangerPolicyConditionDef>());
    serviceDef.setContextEnrichers(new ArrayList<RangerContextEnricherDef>());
    serviceDef.setEnums(new ArrayList<RangerEnumDef>());

    return serviceDef;
}