Examples with RangerAccessRequest org.apache.ranger.plugin.policyengine.RangerAccessRequest used on opensource projects

Example 11 with RangerAccessRequest

use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.

the class RangerSampleSimpleMatcherTest method test_firewallings.

@Test
public void test_firewallings() {
    // create a request for some policyValue, say, country and use it to match against matcher initialized with all sorts of bad data
    RangerAccessRequest request = createRequest("AB");
    RangerSampleSimpleMatcher matcher = new RangerSampleSimpleMatcher();
    // Matcher initialized with null policy should behave sensibly!  It matches everything!
    matcher.setConditionDef(null);
    matcher.setPolicyItemCondition(null);
    matcher.init();
    Assert.assertTrue(matcher.isMatched(request));
    RangerPolicyItemCondition policyItemCondition = Mockito.mock(RangerPolicyItemCondition.class);
    matcher.setConditionDef(null);
    matcher.setPolicyItemCondition(policyItemCondition);
    matcher.init();
    Assert.assertTrue(matcher.isMatched(request));
    RangerPolicyConditionDef conditionDef = Mockito.mock(RangerPolicyConditionDef.class);
    matcher.setConditionDef(conditionDef);
    matcher.setPolicyItemCondition(null);
    matcher.init();
    Assert.assertTrue(matcher.isMatched(request));
    // so should a policy item condition with initialized with null list of values
    Mockito.when(policyItemCondition.getValues()).thenReturn(null);
    matcher.setConditionDef(conditionDef);
    matcher.setPolicyItemCondition(policyItemCondition);
    matcher.init();
    Assert.assertTrue(matcher.isMatched(request));
    // not null item condition with empty condition list
    List<String> values = new ArrayList<String>();
    Mockito.when(policyItemCondition.getValues()).thenReturn(values);
    matcher.setConditionDef(conditionDef);
    matcher.setPolicyItemCondition(policyItemCondition);
    matcher.init();
    Assert.assertTrue(matcher.isMatched(request));
    // values as sensible items in it, however, the conditionDef has null evaluator option, so that too suppresses any check
    values.add("AB");
    Mockito.when(policyItemCondition.getValues()).thenReturn(values);
    Mockito.when(conditionDef.getEvaluatorOptions()).thenReturn(null);
    matcher.setConditionDef(conditionDef);
    matcher.setPolicyItemCondition(policyItemCondition);
    matcher.init();
    Assert.assertTrue(matcher.isMatched(request));
    // If evaluator option on the condition def is non-null then it starts to evaluate for real
    Mockito.when(conditionDef.getEvaluatorOptions()).thenReturn(_conditionOptions);
    matcher.setConditionDef(conditionDef);
    matcher.setPolicyItemCondition(policyItemCondition);
    matcher.init();
    Assert.assertTrue(matcher.isMatched(request));
}

Example 12 with RangerAccessRequest

use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.

the class RangerAuthorizer method authorize.

public boolean authorize(String fileName, String accessType, String user, Set<String> userGroups) {
    RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
    // "path" must be a value resource name in servicedef JSON
    resource.setValue("path", fileName);
    RangerAccessRequest request = new RangerAccessRequestImpl(resource, accessType, user, userGroups);
    RangerAccessResult result = plugin.isAccessAllowed(request);
    return result != null && result.getIsAllowed();
}

Example 13 with RangerAccessRequest

use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.

the class RangerHivePlugin method checkPrivileges.

/**
 * Check if user has privileges to do this action on these objects
 * @param hiveOpType
 * @param inputHObjs
 * @param outputHObjs
 * @param context
 * @throws HiveAuthzPluginException
 * @throws HiveAccessControlException
 */
@Override
public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException {
    UserGroupInformation ugi = getCurrentUserGroupInfo();
    if (ugi == null) {
        throw new HiveAccessControlException("Permission denied: user information not available");
    }
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
    RangerPerfTracer perf = null;
    try {
        HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
        String user = ugi.getShortUserName();
        Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
        String clusterName = hivePlugin.getClusterName();
        if (LOG.isDebugEnabled()) {
            LOG.debug(toString(hiveOpType, inputHObjs, outputHObjs, context, sessionContext));
        }
        if (hiveOpType == HiveOperationType.DFS) {
            handleDfsCommand(hiveOpType, inputHObjs, user, auditHandler);
            return;
        }
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.checkPrivileges(hiveOpType=" + hiveOpType + ")");
        }
        List<RangerHiveAccessRequest> requests = new ArrayList<RangerHiveAccessRequest>();
        if (!CollectionUtils.isEmpty(inputHObjs)) {
            for (HivePrivilegeObject hiveObj : inputHObjs) {
                RangerHiveResource resource = getHiveResource(hiveOpType, hiveObj);
                if (resource == null) {
                    // possible if input object/object is of a kind that we don't currently authorize
                    continue;
                }
                String path = hiveObj.getObjectName();
                HiveObjectType hiveObjType = resource.getObjectType();
                if (hiveObjType == HiveObjectType.URI && isPathInFSScheme(path)) {
                    FsAction permission = getURIAccessType(hiveOpType);
                    if (!isURIAccessAllowed(user, permission, path, getHiveConf())) {
                        throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, permission.name(), path));
                    }
                    continue;
                }
                HiveAccessType accessType = getAccessType(hiveObj, hiveOpType, hiveObjType, true);
                if (accessType == HiveAccessType.NONE) {
                    continue;
                }
                if (!existsByResourceAndAccessType(requests, resource, accessType)) {
                    RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext, clusterName);
                    requests.add(request);
                }
            }
        } else {
            // this should happen only for SHOWDATABASES
            if (hiveOpType == HiveOperationType.SHOWDATABASES) {
                RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
                RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.USE, context, sessionContext, clusterName);
                requests.add(request);
            } else {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("RangerHiveAuthorizer.checkPrivileges: Unexpected operation type[" + hiveOpType + "] received with empty input objects list!");
                }
            }
        }
        if (!CollectionUtils.isEmpty(outputHObjs)) {
            for (HivePrivilegeObject hiveObj : outputHObjs) {
                RangerHiveResource resource = getHiveResource(hiveOpType, hiveObj);
                if (resource == null) {
                    // possible if input object/object is of a kind that we don't currently authorize
                    continue;
                }
                String path = hiveObj.getObjectName();
                HiveObjectType hiveObjType = resource.getObjectType();
                if (hiveObjType == HiveObjectType.URI && isPathInFSScheme(path)) {
                    FsAction permission = getURIAccessType(hiveOpType);
                    if (!isURIAccessAllowed(user, permission, path, getHiveConf())) {
                        throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, permission.name(), path));
                    }
                    continue;
                }
                HiveAccessType accessType = getAccessType(hiveObj, hiveOpType, hiveObjType, false);
                if (accessType == HiveAccessType.NONE) {
                    continue;
                }
                if (!existsByResourceAndAccessType(requests, resource, accessType)) {
                    RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext, clusterName);
                    requests.add(request);
                }
            }
        }
        buildRequestContextWithAllAccessedResources(requests);
        for (RangerHiveAccessRequest request : requests) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("request: " + request);
            }
            RangerHiveResource resource = (RangerHiveResource) request.getResource();
            RangerAccessResult result = null;
            if (resource.getObjectType() == HiveObjectType.COLUMN && StringUtils.contains(resource.getColumn(), COLUMN_SEP)) {
                List<RangerAccessRequest> colRequests = new ArrayList<RangerAccessRequest>();
                String[] columns = StringUtils.split(resource.getColumn(), COLUMN_SEP);
                // in case of multiple columns, original request is not sent to the plugin; hence service-def will not be set
                resource.setServiceDef(hivePlugin.getServiceDef());
                for (String column : columns) {
                    if (column != null) {
                        column = column.trim();
                    }
                    if (StringUtils.isBlank(column)) {
                        continue;
                    }
                    RangerHiveResource colResource = new RangerHiveResource(HiveObjectType.COLUMN, resource.getDatabase(), resource.getTable(), column);
                    RangerHiveAccessRequest colRequest = request.copy();
                    colRequest.setResource(colResource);
                    colRequests.add(colRequest);
                }
                Collection<RangerAccessResult> colResults = hivePlugin.isAccessAllowed(colRequests, auditHandler);
                if (colResults != null) {
                    for (RangerAccessResult colResult : colResults) {
                        result = colResult;
                        if (result != null && !result.getIsAllowed()) {
                            break;
                        }
                    }
                }
            } else {
                result = hivePlugin.isAccessAllowed(request, auditHandler);
            }
            if ((result == null || result.getIsAllowed()) && isBlockAccessIfRowfilterColumnMaskSpecified(hiveOpType, request)) {
                // check if row-filtering is applicable for the table/view being accessed
                HiveAccessType savedAccessType = request.getHiveAccessType();
                RangerHiveResource tblResource = new RangerHiveResource(HiveObjectType.TABLE, resource.getDatabase(), resource.getTable());
                // filtering/masking policies are defined only for SELECT
                request.setHiveAccessType(HiveAccessType.SELECT);
                request.setResource(tblResource);
                RangerAccessResult rowFilterResult = getRowFilterResult(request);
                if (isRowFilterEnabled(rowFilterResult)) {
                    if (result == null) {
                        result = new RangerAccessResult(RangerPolicy.POLICY_TYPE_ACCESS, rowFilterResult.getServiceName(), rowFilterResult.getServiceDef(), request);
                    }
                    result.setIsAllowed(false);
                    result.setPolicyId(rowFilterResult.getPolicyId());
                    result.setReason("User does not have acces to all rows of the table");
                } else {
                    // check if masking is enabled for any column in the table/view
                    request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);
                    RangerAccessResult dataMaskResult = getDataMaskResult(request);
                    if (isDataMaskEnabled(dataMaskResult)) {
                        if (result == null) {
                            result = new RangerAccessResult(RangerPolicy.POLICY_TYPE_ACCESS, dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(), request);
                        }
                        result.setIsAllowed(false);
                        result.setPolicyId(dataMaskResult.getPolicyId());
                        result.setReason("User does not have access to unmasked column values");
                    }
                }
                request.setHiveAccessType(savedAccessType);
                request.setResource(resource);
                if (result != null && !result.getIsAllowed()) {
                    auditHandler.processResult(result);
                }
            }
            if (result == null || !result.getIsAllowed()) {
                String path = resource.getAsString();
                path = (path == null) ? "Unknown resource!!" : buildPathForException(path, hiveOpType);
                throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, request.getHiveAccessType().name(), path));
            }
        }
    } finally {
        auditHandler.flushAudit();
        RangerPerfTracer.log(perf);
    }
}

Example 14 with RangerAccessRequest

use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.

the class RangerDefaultPolicyEvaluatorTest method createAccessRequestWithConditions.

RangerAccessRequest createAccessRequestWithConditions(String[] conditionNames) {
    // let's first create a request with 2 different conditions
    Map<String, Object> context = new HashMap<String, Object>(conditionNames.length);
    for (String conditionName : conditionNames) {
        // value is not important for our test
        context.put(conditionName, conditionName + "-value");
    }
    RangerAccessRequest request = mock(RangerAccessRequest.class);
    when(request.getContext()).thenReturn(context);
    return request;
}

Example 15 with RangerAccessRequest

use of org.apache.ranger.plugin.policyengine.RangerAccessRequest in project ranger by apache.

the class TestPolicyEngine method runTests.

private void runTests(InputStreamReader reader, String testName) {
    try {
        PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
        assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null);
        ServicePolicies servicePolicies = new ServicePolicies();
        servicePolicies.setServiceName(testCase.serviceName);
        servicePolicies.setServiceDef(testCase.serviceDef);
        servicePolicies.setPolicies(testCase.policies);
        RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
        RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
        RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
        for (TestData test : testCase.tests) {
            RangerAccessResult expected = test.result;
            RangerAccessRequest request = test.request;
            policyEngine.preProcess(request);
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
            assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
    } catch (Throwable excp) {
        excp.printStackTrace();
    }
}