
Example 1 with RangerServiceDefHelper

use of org.apache.ranger.plugin.model.validation.RangerServiceDefHelper in project ranger by apache.

the class ServiceDBStore method getMatchers.

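/**
 * Builds one initialized resource matcher for every resource hierarchy of the
 * service-def that is valid for the resource names in {@code filterResources}.
 *
 * <p>If the filter carries a {@link SearchFilter#POLICY_TYPE} parameter, only that
 * policy type is considered; otherwise every entry of {@code RangerPolicy.POLICY_TYPES}
 * is used.
 *
 * @param serviceDef      service definition whose resource hierarchies are consulted
 * @param filterResources resource-name to resource-value map taken from the search filter
 * @param filter          search filter; only its policy-type parameter is read here
 * @return the matchers that were built; empty when no hierarchy is valid for the key-set
 * @throws NumberFormatException if the policy-type parameter is non-blank but not an integer
 */
List<RangerPolicyResourceMatcher> getMatchers(RangerServiceDef serviceDef, Map<String, String> filterResources, SearchFilter filter) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceDBStore.getMatchers(filterResources=" + filterResources + ")");
    }
    List<RangerPolicyResourceMatcher> ret = new ArrayList<RangerPolicyResourceMatcher>();
    RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
    String policyTypeStr = filter.getParam(SearchFilter.POLICY_TYPE);
    int[] policyTypes = RangerPolicy.POLICY_TYPES;
    if (StringUtils.isNotBlank(policyTypeStr)) {
        // NOTE(review): the parsed value is not checked against RangerPolicy.POLICY_TYPES here;
        // an unknown policy type is handed to the helper as-is. Presumably the filter value is
        // caller-supplied, so confirm it is validated upstream or by the helper.
        policyTypes = new int[] { Integer.parseInt(policyTypeStr) };
    }
    // Iterate as a primitive: the original boxed every element of the int[] into an Integer.
    for (int policyType : policyTypes) {
        Set<List<RangerResourceDef>> validResourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType, filterResources.keySet());
        if (LOG.isDebugEnabled()) {
            LOG.debug("Found " + validResourceHierarchies.size() + " valid resource hierarchies for key-set " + filterResources.keySet());
        }
        List<List<RangerResourceDef>> resourceHierarchies = new ArrayList<List<RangerResourceDef>>(validResourceHierarchies);
        for (List<RangerResourceDef> validResourceHierarchy : resourceHierarchies) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("validResourceHierarchy:[" + validResourceHierarchy + "]");
            }
            // One policy resource per level of the hierarchy; a level with no filter value
            // gets whatever filterResources.get() returns for it (null when absent).
            Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
            for (RangerResourceDef resourceDef : validResourceHierarchy) {
                String resourceName = resourceDef.getName();
                policyResources.put(resourceName, new RangerPolicyResource(filterResources.get(resourceName), false, resourceDef.getRecursiveSupported()));
            }
            RangerDefaultPolicyResourceMatcher matcher = new RangerDefaultPolicyResourceMatcher();
            matcher.setServiceDef(serviceDef);
            matcher.setPolicyResources(policyResources, policyType);
            matcher.init();
            ret.add(matcher);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Added matcher:[" + matcher + "]");
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        // Fixed: the original message emitted a doubled ", , " separator before count.
        LOG.debug("<== ServiceDBStore.getMatchers(filterResources=" + filterResources + ", count=" + ret.size() + ")");
    }
    return ret;
}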
Also used : LinkedHashMap(java.util.LinkedHashMap) HashMap(java.util.HashMap) RangerDefaultPolicyResourceMatcher(org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) ArrayList(java.util.ArrayList) VXString(org.apache.ranger.view.VXString) RangerPolicyResourceMatcher(org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher) RangerServiceDefHelper(org.apache.ranger.plugin.model.validation.RangerServiceDefHelper) RangerServiceList(org.apache.ranger.view.RangerServiceList) ArrayList(java.util.ArrayList) VXPolicyLabelList(org.apache.ranger.view.VXPolicyLabelList) List(java.util.List) RangerExportPolicyList(org.apache.ranger.view.RangerExportPolicyList) RangerPolicyList(org.apache.ranger.view.RangerPolicyList) RangerServiceDefList(org.apache.ranger.view.RangerServiceDefList) PList(org.apache.ranger.plugin.store.PList) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Example 2 with RangerServiceDefHelper

use of org.apache.ranger.plugin.model.validation.RangerServiceDefHelper in project ranger by apache.

the class RangerTagEnricher method setServiceTags.

/**
 * Replaces the enriched tag state with one derived from {@code serviceTags}.
 *
 * <p>For every tagged service resource and every policy type whose resource
 * hierarchy contains all of the resource's keys, an initialized
 * {@link RangerDefaultPolicyResourceMatcher} is created. When trie prefiltering is
 * enabled, a trie per resource-def is built over those matchers. All tags are also
 * collected as DESCENDANT-match tags for empty-resource / any-access evaluation.
 *
 * @param serviceTags tags for this service; {@code null} or no tagged resources
 *                    clears the enriched state
 */
public void setServiceTags(final ServiceTags serviceTags) {
    if (serviceTags == null || CollectionUtils.isEmpty(serviceTags.getServiceResources())) {
        LOG.info("ServiceTags is null or there are no tagged resources for service " + serviceName);
        enrichedServiceTags = null;
        return;
    }

    final List<RangerServiceResourceMatcher> matchers = new ArrayList<>();
    final RangerServiceDefHelper helper = new RangerServiceDefHelper(serviceDef, false);
    final List<RangerServiceResource> taggedResources = serviceTags.getServiceResources();
    // Remembers, per (policyType, key-set), whether a matching hierarchy exists.
    final ResourceHierarchies knownHierarchies = new ResourceHierarchies();

    for (RangerServiceResource taggedResource : taggedResources) {
        final Collection<String> keys = taggedResource.getResourceElements().keySet();

        for (int policyType : RangerPolicy.POLICY_TYPES) {
            Boolean valid = knownHierarchies.isValidHierarchy(policyType, keys);

            if (valid == null) {
                // Not validated yet: scan the hierarchies once and record the outcome.
                valid = Boolean.FALSE;
                for (List<RangerServiceDef.RangerResourceDef> candidate : helper.getResourceHierarchies(policyType)) {
                    if (helper.hierarchyHasAllResources(candidate, keys)) {
                        valid = Boolean.TRUE;
                        break;
                    }
                }
                knownHierarchies.addHierarchy(policyType, keys, valid);
            }

            if (!valid) {
                // Resources that fit no hierarchy for this policy type get no matcher.
                continue;
            }

            RangerDefaultPolicyResourceMatcher resourceMatcher = new RangerDefaultPolicyResourceMatcher();
            resourceMatcher.setServiceDef(this.serviceDef);
            resourceMatcher.setPolicyResources(taggedResource.getResourceElements(), policyType);
            if (LOG.isDebugEnabled()) {
                LOG.debug("RangerTagEnricher.setServiceTags() - Initializing matcher with (resource=" + taggedResource + ", serviceDef=" + this.serviceDef.getName() + ")");
            }
            resourceMatcher.setServiceDefHelper(helper);
            resourceMatcher.init();

            matchers.add(new RangerServiceResourceMatcher(taggedResource, resourceMatcher));
        }
    }

    // Stays null when the trie prefilter is disabled.
    Map<String, RangerResourceTrie<RangerServiceResourceMatcher>> trieByResourceName = null;
    if (!disableTrieLookupPrefilter) {
        trieByResourceName = new HashMap<>();
        for (RangerServiceDef.RangerResourceDef def : serviceDef.getResources()) {
            trieByResourceName.put(def.getName(), new RangerResourceTrie<RangerServiceResourceMatcher>(def, matchers));
        }
    }

    final Set<RangerTagForEval> anyAccessTags = new HashSet<>();
    for (RangerTag tag : serviceTags.getTags().values()) {
        anyAccessTags.add(new RangerTagForEval(tag, RangerPolicyResourceMatcher.MatchType.DESCENDANT));
    }

    enrichedServiceTags = new EnrichedServiceTags(serviceTags, matchers, trieByResourceName, anyAccessTags);
}
Also used : RangerDefaultPolicyResourceMatcher(org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher) ArrayList(java.util.ArrayList) RangerResourceTrie(org.apache.ranger.plugin.util.RangerResourceTrie) RangerTag(org.apache.ranger.plugin.model.RangerTag) HashSet(java.util.HashSet) RangerServiceResource(org.apache.ranger.plugin.model.RangerServiceResource) RangerServiceDefHelper(org.apache.ranger.plugin.model.validation.RangerServiceDefHelper) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) HashMap(java.util.HashMap) Map(java.util.Map)

Example 3 with RangerServiceDefHelper

use of org.apache.ranger.plugin.model.validation.RangerServiceDefHelper in project ranger by apache.

the class RangerServiceHdfs method getDefaultRangerPolicies.

/**
 * Returns the default policies for an HDFS service.
 *
 * <p>Starts from the superclass defaults, rewrites the path resource of each default
 * policy to {@code <path-separator>*}, and then appends one KMS-audit policy per
 * access-policy resource hierarchy when {@code getPolicyForKMSAudit} yields one.
 *
 * <p>NOTE(review): the rewritten path value is a root-level wildcard, so the scope of
 * the default policies is as broad as the path resource allows. A failure while
 * creating the KMS-audit policies is logged and swallowed; the remaining defaults are
 * still returned.
 *
 * @return the default policies, including any KMS-audit policies that could be created
 * @throws Exception if the superclass fails to provide its defaults
 */
@Override
public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerServiceHdfs.getDefaultRangerPolicies() ");
    }

    final List<RangerPolicy> policies = super.getDefaultRangerPolicies();
    final String pathKey = RangerHdfsAuthorizer.KEY_RESOURCE_PATH;

    for (RangerPolicy defaultPolicy : policies) {
        RangerPolicy.RangerPolicyResource pathResource = defaultPolicy.getResources().get(pathKey);
        if (pathResource == null) {
            LOG.warn("No '" + pathKey + "' found in default policy");
            continue;
        }

        // Locate the service-def entry describing the path resource.
        RangerServiceDef.RangerResourceDef pathDef = null;
        for (RangerServiceDef.RangerResourceDef candidate : serviceDef.getResources()) {
            if (candidate.getName().equals(pathKey)) {
                pathDef = candidate;
                break;
            }
        }
        if (pathDef == null) {
            LOG.warn("No resourceDef found in HDFS service-definition for '" + pathKey + "'");
            continue;
        }

        // Use the configured separator, falling back to the matcher's default.
        String separator = pathDef.getMatcherOptions().get(RangerPathResourceMatcher.OPTION_PATH_SEPARATOR);
        if (StringUtils.isBlank(separator)) {
            separator = Character.toString(RangerPathResourceMatcher.DEFAULT_PATH_SEPARATOR_CHAR);
        }
        pathResource.setValue(separator + RangerAbstractResourceMatcher.WILDCARD_ASTERISK);
    }

    try {
        // A policy for the keyadmin user is needed so that audit can be written to HDFS.
        RangerServiceDefHelper helper = new RangerServiceDefHelper(serviceDef);
        for (List<RangerServiceDef.RangerResourceDef> hierarchy : helper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS)) {
            RangerPolicy auditPolicy = getPolicyForKMSAudit(hierarchy);
            if (auditPolicy != null) {
                policies.add(auditPolicy);
            }
        }
    } catch (Exception e) {
        LOG.error("Error creating policy for keyadmin for audit to HDFS : " + service.getName(), e);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerServiceHdfs.getDefaultRangerPolicies() : " + policies);
    }
    return policies;
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerServiceDefHelper(org.apache.ranger.plugin.model.validation.RangerServiceDefHelper) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) HadoopException(org.apache.ranger.plugin.client.HadoopException)

Example 4 with RangerServiceDefHelper

use of org.apache.ranger.plugin.model.validation.RangerServiceDefHelper in project ranger by apache.

the class ServiceREST method validateResourcePoliciesRequest.

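/**
 * Validates a "policies for resource" request and resolves the service it targets.
 *
 * <p>Request parameters whose name starts with {@link SearchFilter#RESOURCE_PREFIX} are
 * copied into {@code resource} (prefix stripped, first value only). The resource names
 * must then form part of a valid access-policy resource hierarchy of the service-type.
 * If {@code serviceName} is given it must exist and be of that service-type; otherwise
 * exactly one service of the service-type must exist.
 *
 * <p>NOTE(review): {@code serviceDefName}, {@code serviceName} and the resource names
 * are concatenated unmodified into both the log messages and the returned error text.
 * They are presumably request-supplied, so confirm that callers encode the returned
 * message before rendering it and that the log layout neutralises line breaks.
 *
 * @param serviceDefName service-type name
 * @param serviceName    optional service name; blank means "the only service of this type"
 * @param request        HTTP request whose resource-prefixed parameters are read
 * @param services       output list; the resolved service is appended on success
 * @param resource       output map; populated from the request parameters
 * @return an empty string on success, otherwise a description of the validation failure
 */
private String validateResourcePoliciesRequest(String serviceDefName, String serviceName, HttpServletRequest request, List<RangerService> services, Map<String, Object> resource) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.validatePoliciesForResourceRequest(service-type=" + serviceDefName + ", service-name=" + serviceName + ")");
    }
    final String ret;
    if (MapUtils.isNotEmpty(request.getParameterMap())) {
        for (Map.Entry<String, String[]> e : request.getParameterMap().entrySet()) {
            String name = e.getKey();
            String[] values = e.getValue();
            // Only resource-prefixed parameters are taken; repeated values beyond the first are ignored.
            if (!StringUtils.isEmpty(name) && !ArrayUtils.isEmpty(values) && name.startsWith(SearchFilter.RESOURCE_PREFIX)) {
                resource.put(name.substring(SearchFilter.RESOURCE_PREFIX.length()), values[0]);
            }
        }
    }
    if (MapUtils.isEmpty(resource)) {
        ret = "No resource specified";
    } else {
        RangerServiceDef serviceDef = null;
        try {
            serviceDef = svcStore.getServiceDefByName(serviceDefName);
        } catch (Exception e) {
            LOG.error("Invalid service-type:[" + serviceDefName + "]", e);
        }
        if (serviceDef == null) {
            ret = "Invalid service-type:[" + serviceDefName + "]";
        } else {
            Set<String> resourceDefNames = resource.keySet();
            RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
            Set<List<RangerServiceDef.RangerResourceDef>> resourceHierarchies = serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS, resourceDefNames);
            if (CollectionUtils.isEmpty(resourceHierarchies)) {
                ret = "Invalid resource specified: resource-names:" + resourceDefNames + " are not part of any valid resource hierarchy for service-type:[" + serviceDefName + "]";
            } else if (StringUtils.isNotBlank(serviceName)) {
                RangerService service = null;
                try {
                    service = svcStore.getServiceByName(serviceName);
                } catch (Exception e) {
                    // Fixed: pass the exception so the cause is not lost, as the service-type lookup already does.
                    LOG.error("Invalid service-name:[" + serviceName + "]", e);
                }
                // A lookup failure and a type mismatch produce the same message on purpose of the original code.
                if (service == null || !StringUtils.equals(service.getType(), serviceDefName)) {
                    ret = "Invalid service-name:[" + serviceName + "] or service-name is not of service-type:[" + serviceDefName + "]";
                } else {
                    services.add(service);
                    ret = StringUtils.EMPTY;
                }
            } else {
                SearchFilter filter = new SearchFilter();
                filter.setParam(SearchFilter.SERVICE_TYPE, serviceDefName);
                List<RangerService> serviceList = null;
                try {
                    serviceList = svcStore.getServices(filter);
                } catch (Exception e) {
                    // Fixed: pass the exception so the cause is not lost.
                    LOG.error("Cannot find service of service-type:[" + serviceDefName + "]", e);
                }
                // Without an explicit service name the service-type must map to exactly one service.
                if (CollectionUtils.isEmpty(serviceList) || serviceList.size() != 1) {
                    ret = "Either 0 or more than 1 services found for service-type :[" + serviceDefName + "]";
                } else {
                    services.add(serviceList.get(0));
                    ret = StringUtils.EMPTY;
                }
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.validatePoliciesForResourceRequest(service-type=" + serviceDefName + ", service-name=" + serviceName + ") : " + ret);
    }
    return ret;
}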
Also used : SearchFilter(org.apache.ranger.plugin.util.SearchFilter) VXString(org.apache.ranger.view.VXString) WebApplicationException(javax.ws.rs.WebApplicationException) IOException(java.io.IOException) JsonSyntaxException(com.google.gson.JsonSyntaxException) RangerServiceDefHelper(org.apache.ranger.plugin.model.validation.RangerServiceDefHelper) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) RangerPluginInfoList(org.apache.ranger.view.RangerPluginInfoList) RangerServiceList(org.apache.ranger.view.RangerServiceList) ArrayList(java.util.ArrayList) VXPolicyLabelList(org.apache.ranger.view.VXPolicyLabelList) List(java.util.List) RangerExportPolicyList(org.apache.ranger.view.RangerExportPolicyList) RangerPolicyList(org.apache.ranger.view.RangerPolicyList) RangerServiceDefList(org.apache.ranger.view.RangerServiceDefList) RangerAPIList(org.apache.ranger.security.context.RangerAPIList) PList(org.apache.ranger.plugin.store.PList) RangerService(org.apache.ranger.plugin.model.RangerService) Map(java.util.Map) LinkedHashMap(java.util.LinkedHashMap) TreeMap(java.util.TreeMap) HashMap(java.util.HashMap)

Example 5 with RangerServiceDefHelper

use of org.apache.ranger.plugin.model.validation.RangerServiceDefHelper in project ranger by apache.

the class PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012 method updateAllServiceDef.

/**
 * Patches every stored service-def with default values.
 *
 * <p>For each service-def the helper's defaults are applied and the definition is
 * saved. The stored value of the deny-and-exceptions option is read before the update
 * and, if the update changed it, written back (or removed when it was empty before),
 * so this patch does not alter that option. A failure on one service-def is logged
 * and the loop moves on to the next.
 */
private void updateAllServiceDef() {
    final List<XXServiceDef> storedDefs = daoMgr.getXXServiceDef().getAll();
    if (CollectionUtils.isEmpty(storedDefs)) {
        return;
    }

    for (XXServiceDef storedDef : storedDefs) {
        final String serviceDefName = storedDef.getName();
        try {
            // Snapshot the option as stored before anything is changed.
            Map<String, String> optionsBefore = jsonUtil.jsonToMap(storedDef.getDefOptions());
            String valueBeforeUpdate = optionsBefore.get(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);

            RangerServiceDef serviceDef = svcDBStore.getServiceDefByName(serviceDefName);
            if (serviceDef == null) {
                continue;
            }

            logger.info("Started patching service-def:[" + serviceDefName + "]");

            RangerServiceDefHelper helper = new RangerServiceDefHelper(serviceDef, false);
            helper.patchServiceDefWithDefaultValues();
            svcStore.updateServiceDef(serviceDef);

            // Re-read the row to see what the update actually persisted.
            XXServiceDef refreshedDef = daoMgr.getXXServiceDef().findByName(serviceDefName);
            if (refreshedDef != null) {
                Map<String, String> optionsAfter = jsonUtil.jsonToMap(refreshedDef.getDefOptions());
                String valueAfterUpdate = optionsAfter.get(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);

                boolean optionChanged = !StringUtils.equals(valueBeforeUpdate, valueAfterUpdate);
                if (optionChanged) {
                    // Restore the pre-update state of the option.
                    if (StringUtils.isEmpty(valueBeforeUpdate)) {
                        optionsAfter.remove(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
                    } else {
                        optionsAfter.put(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES, valueBeforeUpdate);
                    }
                    refreshedDef.setDefOptions(mapToJsonString(optionsAfter));
                    daoMgr.getXXServiceDef().update(refreshedDef);
                }
            }

            logger.info("Completed patching service-def:[" + serviceDefName + "]");
        } catch (Exception e) {
            logger.error("Error while patching service-def:[" + serviceDefName + "]", e);
        }
    }
}
Also used : XXServiceDef(org.apache.ranger.entity.XXServiceDef) RangerServiceDefHelper(org.apache.ranger.plugin.model.validation.RangerServiceDefHelper) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef)
