Use of org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef in project ranger by apache.
The class RangerDefaultPolicyResourceMatcher, method isCompleteMatch.
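/**
 * Reports whether {@code resource} matches this policy's resources exactly at every level of the
 * service definition, as opposed to an ancestor or descendant match.
 * <p>
 * Two conditions must hold: the resource's key set must equal the policy's key set, and for every
 * resource level declared in {@code serviceDef} the per-level matcher (if any) must report a
 * complete match for that level's value. A missing or empty value is accepted only when there is
 * no matcher for that level or the matcher itself accepts it; a non-empty value requires a matcher
 * that accepts it; a value that is not a {@code String} fails the match outright.
 *
 * @param resource    the access resource to compare; {@code null} never matches
 * @param evalContext evaluation context passed through to the per-level matchers
 * @return {@code true} only when every level matches completely; {@code false} otherwise, including
 *         when the key sets differ or the service definition declares no resources
 */
@Override
public boolean isCompleteMatch(RangerAccessResource resource, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + ", " + evalContext + ")");
    }

    RangerPerfTracer perf = null;

    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        // tag the trace with this method's own name so perf logs attribute the time correctly
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.isCompleteMatch()");
    }

    boolean ret = false;

    Collection<String> resourceKeys = resource == null ? null : resource.getKeys();
    Collection<String> policyKeys   = policyResources == null ? null : policyResources.keySet();

    // a resource carrying levels the policy lacks (or vice versa) can never be a complete match
    boolean keysMatch = resourceKeys != null && policyKeys != null && CollectionUtils.isEqualCollection(resourceKeys, policyKeys);

    if (keysMatch) {
        for (RangerResourceDef resourceDef : serviceDef.getResources()) {
            String                resourceName  = resourceDef.getName();
            Object                resourceValue = resource.getValue(resourceName);
            RangerResourceMatcher matcher       = getResourceMatcher(resourceName);

            if (resourceValue == null) {
                // no value at this level: fine if there is no matcher, else the matcher decides
                ret = matcher == null || matcher.isCompleteMatch(null, evalContext);
            } else if (resourceValue instanceof String) {
                String strValue = (String) resourceValue;

                if (StringUtils.isEmpty(strValue)) {
                    ret = matcher == null || matcher.isCompleteMatch(strValue, evalContext);
                } else {
                    // a concrete value needs a matcher that fully accepts it
                    ret = matcher != null && matcher.isCompleteMatch(strValue, evalContext);
                }
            } else {
                // return false for any other type of resourceValue
                ret = false;
            }

            if (!ret) {
                break;
            }
        }
    } else {
        if (LOG.isDebugEnabled()) {
            LOG.debug("isCompleteMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
        }
    }

    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + ", " + evalContext + "): " + ret);
    }

    return ret;
}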
Use of org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef in project ranger by apache.
The class RangerDefaultPolicyResourceMatcher, method init.
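/**
 * Builds the per-resource matchers for this policy's {@code policyResources} against {@code serviceDef}.
 * <p>
 * Every resource hierarchy the service-def helper returns for the policy's keys is checked for gaps
 * (a level missing between two present levels); hierarchies with gaps are skipped with a warning.
 * When exactly one hierarchy is gap-free it is recorded in {@code validResourceHierarchy}; with more
 * than one the field is left {@code null}. A matcher is then created for each resource that appears
 * in any returned hierarchy and has an entry in {@code policyResources}. If any such resource yields
 * no matcher, {@code allMatchers} is discarded and {@code isInitialized} stays {@code false}, so the
 * matcher fails closed rather than operating with a partial set of matchers.
 * <p>
 * Side effects: resets {@code allMatchers}, {@code needsDynamicEval}, {@code validResourceHierarchy}
 * and {@code isInitialized}; may create {@code serviceDefHelper}; on failure nulls it again and logs
 * the reason together with the service-def name and the policy resource keys at error level.
 */
@Override
public void init() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.init()");
    }

    allMatchers            = null;
    needsDynamicEval       = false;
    validResourceHierarchy = null;
    isInitialized          = false;

    String errorText = "";

    RangerPerfTracer perf = null;

    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG, "RangerDefaultPolicyResourceMatcher.init()");
    }

    if (policyResources != null && !policyResources.isEmpty() && serviceDef != null) {
        serviceDefHelper = serviceDefHelper == null ? new RangerServiceDefHelper(serviceDef, false) : serviceDefHelper;

        Set<List<RangerResourceDef>> resourceHierarchies   = serviceDefHelper.getResourceHierarchies(policyType, policyResources.keySet());
        int                          validHierarchiesCount = 0;

        for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
            if (isHierarchyValidForResources(resourceHierarchy, policyResources)) {
                validHierarchiesCount++;

                // keep the hierarchy only while it is unambiguous; a second valid one resets it to null
                validResourceHierarchy = validHierarchiesCount == 1 ? resourceHierarchy : null;
            } else {
                // log the hierarchy actually being skipped, not the whole set
                LOG.warn("RangerDefaultPolicyResourceMatcher.init(): gaps found in policyResources, skipping hierarchy:[" + resourceHierarchy + "]");
            }
        }

        if (validHierarchiesCount > 0) {
            allMatchers = new HashMap<>();

            // matchers are created for every hierarchy returned, not only the gap-free ones
            for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
                for (RangerResourceDef resourceDef : resourceHierarchy) {
                    String resourceName = resourceDef.getName();

                    if (allMatchers.containsKey(resourceName)) {
                        continue;
                    }

                    RangerPolicyResource policyResource = policyResources.get(resourceName);

                    if (policyResource == null) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("RangerDefaultPolicyResourceMatcher.init(): no matcher created for " + resourceName + ". Continuing ...");
                        }

                        continue;
                    }

                    RangerResourceMatcher matcher = createResourceMatcher(resourceDef, policyResource);

                    if (matcher != null) {
                        if (!needsDynamicEval && matcher.getNeedsDynamicEval()) {
                            needsDynamicEval = true;
                        }

                        allMatchers.put(resourceName, matcher);
                    } else {
                        // a resource without a matcher invalidates the whole set: fail closed
                        LOG.error("RangerDefaultPolicyResourceMatcher.init(): failed to find matcher for resource " + resourceName);

                        allMatchers = null;
                        errorText   = "no matcher found for resource " + resourceName;

                        break;
                    }
                }

                if (allMatchers == null) {
                    break;
                }
            }
        } else {
            errorText = "policyResources elements are not part of any valid resourcedef hierarchy.";
        }
    } else {
        errorText = "policyResources is null or empty, or serviceDef is null.";
    }

    if (allMatchers == null) {
        serviceDefHelper       = null;
        validResourceHierarchy = null;

        Set<String> policyResourceKeys = policyResources == null ? null : policyResources.keySet();
        String      serviceDefName     = serviceDef == null ? "" : serviceDef.getName();
        String      keysString         = CollectionUtils.isNotEmpty(policyResourceKeys) ? StringUtils.join(policyResourceKeys, " ") : "";

        LOG.error("RangerDefaultPolicyResourceMatcher.init() failed: " + errorText + " (serviceDef=" + serviceDefName + ", policyResourceKeys=" + keysString + ")");
    } else {
        isInitialized = true;
    }

    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.init(): ret=" + isInitialized);
    }
}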
Use of org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef in project ranger by apache.
The class RangerDefaultPolicyResourceMatcher, method getMatchType.
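/**
 * Classifies how {@code resource} relates to this policy's resources along the matching hierarchy.
 * <p>
 * Walks the hierarchy returned by {@code getMatchingHierarchy} level by level, comparing the value the
 * resource carries at that level with the matcher the policy has for it. The result defaults to
 * {@code NONE} and is otherwise:
 * <ul>
 *   <li>{@code NONE} when some level has both a matcher and a value and the matcher rejects it;</li>
 *   <li>{@code SELF} when every level that has a value is matched and no matcher is left unmatched
 *       (also when both the policy and the resource are empty, or when no value was supplied and all
 *       matchers are match-any);</li>
 *   <li>{@code ANCESTOR} when the resource carries more levels than the policy has matchers, or the
 *       only matchers left unmatched are match-any;</li>
 *   <li>{@code DESCENDANT} when the policy has matchers for levels the resource does not carry and at
 *       least one of them is not match-any.</li>
 * </ul>
 *
 * @param resource    the access resource to classify; {@code null} yields {@code NONE}
 * @param evalContext evaluation context passed through to the per-level matchers
 * @return the computed {@link MatchType}, never {@code null}
 */
@Override
public MatchType getMatchType(RangerAccessResource resource, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        // separate the two arguments in the trace, as the sibling methods do
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.getMatchType(" + resource + ", " + evalContext + ")");
    }

    MatchType ret = MatchType.NONE;

    RangerPerfTracer perf = null;

    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.getMatchType()");
    }

    if (resource != null && policyResources != null) {
        int resourceKeysSize = resource.getKeys() == null ? 0 : resource.getKeys().size();

        if (policyResources.size() == 0 && resourceKeysSize == 0) {
            ret = MatchType.SELF;
        } else {
            List<RangerResourceDef> hierarchy = getMatchingHierarchy(resource);

            if (CollectionUtils.isNotEmpty(hierarchy)) {
                // first pass: find the index of the last matcher that is not match-any, stopping at the
                // first level without a matcher; matchersSize is the running index of the matcher examined
                int lastNonAnyMatcherIndex = -1;
                int matchersSize           = 0;

                for (RangerResourceDef resourceDef : hierarchy) {
                    RangerResourceMatcher matcher = getResourceMatcher(resourceDef.getName());

                    if (matcher != null) {
                        if (!matcher.isMatchAny()) {
                            lastNonAnyMatcherIndex = matchersSize;
                        }

                        matchersSize++;
                    } else {
                        break;
                    }
                }

                // second pass: match values against matchers until one side runs out
                int lastMatchedMatcherIndex = -1;

                for (RangerResourceDef resourceDef : hierarchy) {
                    RangerResourceMatcher matcher       = getResourceMatcher(resourceDef.getName());
                    Object                resourceValue = resource.getValue(resourceDef.getName());

                    if (matcher != null) {
                        if (resourceValue != null) {
                            if (matcher.isMatch(resourceValue, evalContext)) {
                                ret = MatchType.SELF;

                                lastMatchedMatcherIndex++;
                            } else {
                                ret = MatchType.NONE;

                                break;
                            }
                        } else {
                            // More matchers than resource-values
                            ret = MatchType.DESCENDANT;

                            // every non-any matcher has already matched, so only match-any matchers remain
                            if (lastMatchedMatcherIndex >= lastNonAnyMatcherIndex) {
                                ret = MatchType.ANCESTOR;

                                if (lastMatchedMatcherIndex == lastNonAnyMatcherIndex && lastMatchedMatcherIndex == -1) {
                                    // For degenerate case : resourceKeysSize == 0 and all matchers are of type Any
                                    ret = MatchType.SELF;
                                }
                            }

                            break;
                        }
                    } else {
                        if (resourceValue != null) {
                            // More resource-values than matchers
                            ret = MatchType.ANCESTOR;
                        }

                        break;
                    }
                }
            }
        }
    }

    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.getMatchType(" + resource + ", " + evalContext + "): " + ret);
    }

    return ret;
}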
Use of org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef in project ranger by apache.
The class RangerDefaultPolicyResourceMatcher, method isMatch.
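/**
 * Reports whether {@code resource} matches this policy by re-expressing the resource as a
 * policy-resource map and delegating to {@code isMatch(Map, Map)}.
 * <p>
 * Each {@code String}-valued level declared in {@code serviceDef} becomes a {@link RangerPolicyResource}
 * holding that value; levels with no value are left out. A level whose value is present but not a
 * {@code String} aborts the conversion and the method reports no match.
 *
 * @param resource    the access resource to test; {@code null} yields {@code false}
 * @param evalContext evaluation context forwarded to the delegate
 * @return {@code true} only when at least one level was converted and the delegate reports a match
 */
@Override
public boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext) {
    RangerPerfTracer perf = null;

    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        // tag the trace with this method's own name so perf logs attribute the time correctly
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.isMatch()");
    }

    /*
     * There is already API to get the delegateAdmin permissions for a map of policyResources.
     * That implementation should be reused for figuring out delegateAdmin permissions for a resource as well.
     */
    // local name chosen so it does not shadow the policyResources field
    Map<String, RangerPolicyResource> resourceAsPolicyResources = null;

    if (resource != null) {
        for (RangerResourceDef resourceDef : serviceDef.getResources()) {
            String resourceName  = resourceDef.getName();
            Object resourceValue = resource.getValue(resourceName);

            if (resourceValue instanceof String) {
                if (resourceAsPolicyResources == null) {
                    resourceAsPolicyResources = new HashMap<>();
                }

                resourceAsPolicyResources.put(resourceName, new RangerPolicyResource((String) resourceValue));
            } else if (resourceValue != null) {
                // any non-String value disqualifies the whole resource: drop what was collected, report no match
                resourceAsPolicyResources = null;

                break;
            }
        }
    }

    final boolean ret = MapUtils.isNotEmpty(resourceAsPolicyResources) && isMatch(resourceAsPolicyResources, evalContext);

    RangerPerfTracer.log(perf);

    return ret;
}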
Use of org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef in project ranger by apache.
The class RangerDefaultPolicyResourceMatcher, method isHierarchyValidForResources.
/**
 * Checks that the levels present in {@code resources} form a gap-free prefix of {@code hierarchy}:
 * once a level of the hierarchy has no entry (or a {@code null} value), no later level may have one.
 *
 * @param hierarchy ordered resource levels, in the order the service-def helper supplies them;
 *                  {@code null} is treated as invalid
 * @param resources values keyed by resource name; an absent or {@code null} entry counts as missing
 * @return {@code true} when no present level follows a missing one; {@code false} on a gap or a
 *         {@code null} hierarchy
 */
private static boolean isHierarchyValidForResources(List<RangerResourceDef> hierarchy, Map<String, ?> resources) {
    if (hierarchy == null) {
        return false;
    }

    boolean gapSeen = false;

    for (RangerResourceDef resourceDef : hierarchy) {
        boolean present = resources.get(resourceDef.getName()) != null;

        if (!present) {
            gapSeen = true;
        } else if (gapSeen) {
            // a value after a missing level means the hierarchy has a hole in it
            return false;
        }
    }

    return true;
}