
Example 11 with RangerAccessTypeDef

use of org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef in project ranger by apache.

The class RangerDefaultPolicyEvaluator, method createPolicyACLSummary.

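/**
 * Builds the ACL summary for this evaluator's policy.
 *
 * A summary is only usable for evaluation when the policy contains nothing the summary cannot
 * represent: non-public groups or conditions in allow/deny exceptions, a public-group grant paired
 * with user-level exceptions, a context-sensitive specification, or roles. When the policy is not
 * usable and {@code isCreationForced} is false, nothing is built and {@code null} is returned.
 *
 * @param isCreationForced build the summary even when it is not usable for evaluation
 * @return the summary, or {@code null} when it was not built
 */
private PolicyACLSummary createPolicyACLSummary(boolean isCreationForced) {
    PolicyACLSummary ret  = null;
    RangerPerfTracer perf = null;

    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_ACLSUMMARY_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_ACLSUMMARY_LOG, "RangerPolicyEvaluator.init.ACLSummary(" + perfTag + ")");
    }

    // Roles are expanded to users/groups before summarizing, unless role resolution is disabled.
    final RangerPolicy policy;
    if (!disableRoleResolution && hasRoles(getPolicy())) {
        policy = getPolicyWithRolesResolved(getPolicy());
    } else {
        policy = getPolicy();
    }

    // Each flag names a policy feature the flat summary cannot express faithfully.
    final boolean hasNonPublicGroupOrConditionsInAllowExceptions = hasNonPublicGroupOrConditions(policy.getAllowExceptions());
    final boolean hasNonPublicGroupOrConditionsInDenyExceptions  = hasNonPublicGroupOrConditions(policy.getDenyExceptions());
    final boolean hasPublicGroupInAllowAndUsersInAllowExceptions = hasPublicGroupAndUserInException(policy.getPolicyItems(), policy.getAllowExceptions());
    final boolean hasPublicGroupInDenyAndUsersInDenyExceptions   = hasPublicGroupAndUserInException(policy.getDenyPolicyItems(), policy.getDenyExceptions());
    final boolean hasContextSensitiveSpecification               = hasContextSensitiveSpecification();
    final boolean hasRoles                                       = hasRoles(policy);

    final boolean isUsableForEvaluation = !hasNonPublicGroupOrConditionsInAllowExceptions
                                       && !hasNonPublicGroupOrConditionsInDenyExceptions
                                       && !hasPublicGroupInAllowAndUsersInAllowExceptions
                                       && !hasPublicGroupInDenyAndUsersInDenyExceptions
                                       && !hasContextSensitiveSpecification
                                       && !hasRoles;

    if (isUsableForEvaluation || isCreationForced) {
        ret = new PolicyACLSummary();

        // Deny items are processed before allow items. The third argument tells the summary that
        // the item's exceptions could not be represented and are therefore not applied below.
        final boolean denyExceptionsUnrepresentable  = hasNonPublicGroupOrConditionsInDenyExceptions || hasPublicGroupInDenyAndUsersInDenyExceptions;
        final boolean allowExceptionsUnrepresentable = hasNonPublicGroupOrConditionsInAllowExceptions || hasPublicGroupInAllowAndUsersInAllowExceptions;

        for (RangerPolicyItem policyItem : policy.getDenyPolicyItems()) {
            ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY, denyExceptionsUnrepresentable);
        }

        if (!denyExceptionsUnrepresentable) {
            for (RangerPolicyItem policyItem : policy.getDenyExceptions()) {
                ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS, false);
            }
        }

        for (RangerPolicyItem policyItem : policy.getPolicyItems()) {
            ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW, allowExceptionsUnrepresentable);
        }

        if (!allowExceptionsUnrepresentable) {
            for (RangerPolicyItem policyItem : policy.getAllowExceptions()) {
                ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS, false);
            }
        }

        for (RangerRowFilterPolicyItem policyItem : policy.getRowFilterPolicyItems()) {
            ret.processRowFilterPolicyItem(policyItem);
        }

        for (RangerDataMaskPolicyItem policyItem : policy.getDataMaskPolicyItems()) {
            ret.processDataMaskPolicyItem(policyItem);
        }

        final boolean isDenyAllElse = Boolean.TRUE.equals(policy.getIsDenyAllElse());
        final Set<String> allAccessTypeNames;

        if (isDenyAllElse) {
            // A deny-all-else policy must deny every access type the service declares, so the
            // full list is handed to finalizeAcls. The aggregate "all" access type is skipped;
            // presumably it is expanded to the concrete access types elsewhere — TODO confirm.
            allAccessTypeNames = new HashSet<>();

            RangerServiceDef serviceDef = getServiceDef();

            // Null-guarded for consistency with getImpliedAccessGrants() in this class.
            if (serviceDef != null && serviceDef.getAccessTypes() != null) {
                for (RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
                    if (!StringUtils.equalsIgnoreCase(accessTypeDef.getName(), "all")) {
                        allAccessTypeNames.add(accessTypeDef.getName());
                    }
                }
            }
        } else {
            // Typed immutable empty set instead of the raw Collections.EMPTY_SET.
            allAccessTypeNames = Collections.emptySet();
        }

        ret.finalizeAcls(isDenyAllElse, allAccessTypeNames);
    }

    RangerPerfTracer.logAlways(perf);

    return ret;
}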
Also used : RangerAccessTypeDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerDataMaskPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) RangerRowFilterPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)

Example 12 with RangerAccessTypeDef

use of org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef in project ranger by apache.

The class RangerDefaultPolicyEvaluator, method getImpliedAccessGrants.

/**
 * Maps each access type name of the service def to the union of the access types it implies.
 *
 * Only access types that declare at least one implied grant appear in the result. If the same
 * name occurs more than once among the access type defs, its implied grants are merged.
 *
 * @param serviceDef service definition to read access types from; may be null
 * @return name-to-implied-grants map, or {@code null} when the service def is null, declares no
 *         access types, or none of them declares implied grants
 */
protected Map<String, Collection<String>> getImpliedAccessGrants(RangerServiceDef serviceDef) {
    if (serviceDef == null || CollectionUtils.isEmpty(serviceDef.getAccessTypes())) {
        return null;
    }

    // Lazily created so that a service def without implied grants yields null, as callers expect.
    Map<String, Collection<String>> grantsByAccessType = null;

    for (RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
        if (CollectionUtils.isEmpty(accessTypeDef.getImpliedGrants())) {
            continue;
        }

        if (grantsByAccessType == null) {
            grantsByAccessType = new HashMap<>();
        }

        String             accessTypeName = accessTypeDef.getName();
        Collection<String> grants         = grantsByAccessType.get(accessTypeName);

        if (grants == null) {
            grants = new HashSet<>();
            grantsByAccessType.put(accessTypeName, grants);
        }

        grants.addAll(accessTypeDef.getImpliedGrants());
    }

    return grantsByAccessType;
}
Also used : RangerAccessTypeDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef) Collection(java.util.Collection)

Example 13 with RangerAccessTypeDef

use of org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef in project ranger by apache.

The class RangerServiceDefValidator, method isValidAccessTypes.

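/**
 * Validates the access type definitions of a service def.
 *
 * Rules checked: the list must be non-empty; access type names and itemIds must be unique; on
 * UPDATE an existing access type (matched by itemId) may not be renamed; every implied grant must
 * name an access type in this list; and an access type may not imply itself.
 *
 * Every problem is appended to {@code failures} and checking continues, so the caller receives
 * the full list of failures rather than the first one.
 *
 * @param serviceDefId   id of the service def being validated; only read for UPDATE
 * @param accessTypeDefs access type definitions to validate
 * @param failures       sink that validation failures are appended to
 * @param action         CREATE or UPDATE; enables the rename check on UPDATE
 * @return {@code true} if no failure was recorded
 */
boolean isValidAccessTypes(final Long serviceDefId, final List<RangerAccessTypeDef> accessTypeDefs, final List<ValidationFailureDetails> failures, final Action action) {
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerServiceDefValidator.isValidAccessTypes(%s, %s)", accessTypeDefs, failures));
    }

    boolean valid = true;

    if (CollectionUtils.isEmpty(accessTypeDefs)) {
        ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_MISSING_FIELD;
        failures.add(new ValidationFailureDetailsBuilder().field("access types").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage("access types")).build());
        valid = false;
    } else {
        // itemId -> name of the access types already stored, used to reject renames on UPDATE.
        Map<Long, String> existingAccessTypeIDNameMap = new HashMap<>();

        if (action == Action.UPDATE) {
            // assumes getServiceDef(serviceDefId) returns a non-null def for an UPDATE — TODO confirm
            List<RangerAccessTypeDef> existingAccessTypes = this.getServiceDef(serviceDefId).getAccessTypes();

            for (RangerAccessTypeDef existingAccessType : existingAccessTypes) {
                existingAccessTypeIDNameMap.put(existingAccessType.getItemId(), existingAccessType.getName());
            }
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("accessType names from db = " + existingAccessTypeIDNameMap.values());
        }

        List<RangerAccessTypeDef> defsWithImpliedGrants = new ArrayList<>();
        Set<String>               accessNames           = new HashSet<>();
        Set<Long>                 ids                   = new HashSet<>();

        for (RangerAccessTypeDef def : accessTypeDefs) {
            String name   = def.getName();
            Long   itemId = def.getItemId();

            // isUnique records the failure itself; "&& valid" keeps an earlier false from being lost.
            valid = isUnique(name, accessNames, "access type name", "access types", failures) && valid;
            valid = isUnique(itemId, ids, "access type itemId", "access types", failures) && valid;

            if (action == Action.UPDATE) {
                String existingName = existingAccessTypeIDNameMap.get(itemId);

                if (existingName != null && !existingName.equals(name)) {
                    ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_SERVICE_DEF_NAME_CONFICT;
                    failures.add((new ValidationFailureDetailsBuilder()).field("access type name").isSemanticallyIncorrect().errorCode(error.getErrorCode()).becauseOf(String.format("changing %s[%s] in %s is not supported", "access type name", name, "access types")).build());
                    valid = false;
                }
            }

            if (CollectionUtils.isNotEmpty(def.getImpliedGrants())) {
                defsWithImpliedGrants.add(def);
            }
        }

        // Implied grants are checked only after accessNames holds every name in the list, so a
        // grant may legitimately reference an access type declared later in the list.
        for (RangerAccessTypeDef def : defsWithImpliedGrants) {
            Collection<String> impliedGrants      = getImpliedGrants(def);
            Set<String>        unknownAccessTypes = Sets.difference(Sets.newHashSet(impliedGrants), accessNames);

            if (!unknownAccessTypes.isEmpty()) {
                ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_IMPLIED_GRANT_UNKNOWN_ACCESS_TYPE;
                // subField carries just one unknown item; the message lists all of them.
                failures.add(new ValidationFailureDetailsBuilder().field("implied grants").subField(unknownAccessTypes.iterator().next()).isSemanticallyIncorrect().errorCode(error.getErrorCode()).becauseOf(error.getMessage(impliedGrants, unknownAccessTypes)).build());
                valid = false;
            }

            // An access type must not imply itself. Note: this name could be null/blank/empty.
            // NOTE(review): only direct self-implication is rejected here; a cycle between distinct
            // access types (A implies B, B implies A) is not detected by this method — confirm
            // whether the consumer of implied grants tolerates that.
            String name = def.getName();

            if (impliedGrants.contains(name)) {
                ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_IMPLIED_GRANT_IMPLIES_ITSELF;
                failures.add(new ValidationFailureDetailsBuilder().field("implied grants").subField(name).isSemanticallyIncorrect().errorCode(error.getErrorCode()).becauseOf(error.getMessage(impliedGrants, name)).build());
                valid = false;
            }
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerServiceDefValidator.isValidAccessTypes(%s, %s): %s", accessTypeDefs, failures, valid));
    }

    return valid;
}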
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) RangerAccessTypeDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef) ValidationErrorCode(org.apache.ranger.plugin.errors.ValidationErrorCode) HashSet(java.util.HashSet)

Example 14 with RangerAccessTypeDef

use of org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef in project ranger by apache.

The class RangerPolicyValidator, method isValidAccessTypeDef.

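/**
 * Checks that every access named by a row-filter or data-mask policy item is an access type
 * declared in the matching section of the service def (its row filter def or data mask def).
 *
 * Access policies (and any other policy type) are not checked here. Names are compared
 * case-insensitively. A null service def, or one without the relevant section, leaves the set of
 * allowed names empty, so every access in such an item is reported as invalid.
 *
 * @param policy     policy under validation; a null policyType is treated as an access policy
 * @param failures   sink that validation failures are appended to
 * @param action     only used for logging
 * @param isAdmin    only used for logging
 * @param serviceDef service def the policy belongs to; may be null
 * @return {@code true} if no failure was recorded
 */
boolean isValidAccessTypeDef(RangerPolicy policy, final List<ValidationFailureDetails> failures, Action action, boolean isAdmin, final RangerServiceDef serviceDef) {
    boolean valid = true;

    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerPolicyValidator.isValidAccessTypeDef(%s, %s, %s,%s,%s)", policy, failures, action, isAdmin, serviceDef));
    }

    int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();

    // row filter policy
    if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
        List<RangerAccessTypeDef> rowFilterAccessTypes = (serviceDef != null && serviceDef.getRowFilterDef() != null) ? serviceDef.getRowFilterDef().getAccessTypes() : null;
        List<String>              allowedNames         = lowerCaseAccessTypeNames(rowFilterAccessTypes);

        if (!CollectionUtils.isEmpty(policy.getRowFilterPolicyItems())) {
            for (RangerRowFilterPolicyItem rangerRowFilterPolicyItem : policy.getRowFilterPolicyItems()) {
                valid = areAccessTypesAllowed(rangerRowFilterPolicyItem.getAccesses(), allowedNames, "row filter policy item access type", failures) && valid;
            }
        }
    }

    // data mask policy
    if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
        List<RangerAccessTypeDef> dataMaskAccessTypes = (serviceDef != null && serviceDef.getDataMaskDef() != null) ? serviceDef.getDataMaskDef().getAccessTypes() : null;
        List<String>              allowedNames        = lowerCaseAccessTypeNames(dataMaskAccessTypes);

        if (!CollectionUtils.isEmpty(policy.getDataMaskPolicyItems())) {
            for (RangerDataMaskPolicyItem rangerDataMaskPolicyItem : policy.getDataMaskPolicyItems()) {
                valid = areAccessTypesAllowed(rangerDataMaskPolicyItem.getAccesses(), allowedNames, "data masking policy item access type", failures) && valid;
            }
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.isValidAccessTypeDef(%s, %s, %s,%s,%s)", policy, failures, action, isAdmin, serviceDef));
    }

    return valid;
}

/**
 * Lower-cased names of the given access type defs, in order; defs with a null name are skipped.
 *
 * @param accessTypeDefs access type defs; may be null or empty
 * @return a new mutable list, empty when there is nothing to collect
 */
private static List<String> lowerCaseAccessTypeNames(List<RangerAccessTypeDef> accessTypeDefs) {
    List<String> ret = new ArrayList<String>();

    if (!CollectionUtils.isEmpty(accessTypeDefs)) {
        for (RangerAccessTypeDef rangerAccessTypeDef : accessTypeDefs) {
            if (rangerAccessTypeDef.getName() != null) {
                ret.add(rangerAccessTypeDef.getName().toLowerCase());
            }
        }
    }

    return ret;
}

/**
 * Records a failure for each access whose type is null or not in {@code allowedNames}
 * (compared lower-cased).
 *
 * @param accesses     accesses of one policy item; may be null or empty
 * @param allowedNames lower-cased names of the access types the service def allows
 * @param fieldName    field label used in the recorded failure
 * @param failures     sink that validation failures are appended to
 * @return {@code true} if every access was allowed
 */
private static boolean areAccessTypesAllowed(List<RangerPolicyItemAccess> accesses, List<String> allowedNames, String fieldName, List<ValidationFailureDetails> failures) {
    boolean valid = true;

    if (!CollectionUtils.isEmpty(accesses)) {
        for (RangerPolicyItemAccess rangerPolicyItemAccess : accesses) {
            String type = rangerPolicyItemAccess.getType();

            // A null type is reported as invalid rather than allowed to throw.
            if (type == null || !allowedNames.contains(type.toLowerCase())) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID;
                failures.add(new ValidationFailureDetailsBuilder().field(fieldName).isSemanticallyIncorrect().becauseOf(error.getMessage(type, allowedNames)).errorCode(error.getErrorCode()).build());
                valid = false;
            }
        }
    }

    return valid;
}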
Also used : RangerAccessTypeDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef) RangerDataMaskPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem) RangerRowFilterPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) ValidationErrorCode(org.apache.ranger.plugin.errors.ValidationErrorCode)

Example 15 with RangerAccessTypeDef

use of org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef in project ranger by apache.

The class TestRangerServiceDefService, method rangerServiceDef.

/**
 * Builds an HDFS-flavoured RangerServiceDef test fixture.
 *
 * The fixture carries id {@code Id}, fixed label/description/updatedBy values, the current time
 * as update time, and a fresh empty mutable list for every collection property.
 *
 * @return a new RangerServiceDef populated as described
 */
private RangerServiceDef rangerServiceDef() {
    RangerServiceDef serviceDef = new RangerServiceDef();

    serviceDef.setId(Id);
    serviceDef.setImplClass("RangerServiceHdfs");
    serviceDef.setLabel("HDFS Repository");
    serviceDef.setDescription("HDFS Repository");
    serviceDef.setRbKeyDescription(null);
    serviceDef.setUpdatedBy("Admin");
    serviceDef.setUpdateTime(new Date());

    // Each list is created inline; nothing is shared between fixtures.
    serviceDef.setConfigs(new ArrayList<RangerServiceConfigDef>());
    serviceDef.setResources(new ArrayList<RangerResourceDef>());
    serviceDef.setAccessTypes(new ArrayList<RangerAccessTypeDef>());
    serviceDef.setPolicyConditions(new ArrayList<RangerPolicyConditionDef>());
    serviceDef.setContextEnrichers(new ArrayList<RangerContextEnricherDef>());
    serviceDef.setEnums(new ArrayList<RangerEnumDef>());

    return serviceDef;
}
Also used : RangerServiceConfigDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef) ArrayList(java.util.ArrayList) RangerEnumDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumDef) RangerPolicyConditionDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef) Date(java.util.Date) RangerAccessTypeDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef) RangerContextEnricherDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerContextEnricherDef) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
