
Example 1 with RangerAccessResource

use of org.apache.ranger.plugin.policyengine.RangerAccessResource in project ranger by apache.

Source: class RangerRequestedResources, method isMutuallyExcluded.

/**
 * Reports whether the given policy-resource matchers hit at most one of the
 * requested resources.
 *
 * <p>The scan only runs when there are matchers and more than one requested
 * resource; otherwise {@code true} is returned without evaluating anything.
 * The hit counter is shared across all resources and all matchers and is never
 * reset, so a single resource that satisfies two different matchers also yields
 * {@code false}. Whether that is intended cannot be determined from this method
 * alone; callers that rely on "at most one resource per policy" semantics should
 * confirm it.
 *
 * @param matchers    matchers evaluated against every requested resource
 * @param evalContext evaluation context handed to each matcher unchanged
 * @return {@code true} if fewer than two matches were observed, {@code false}
 *         otherwise
 */
public boolean isMutuallyExcluded(final List<RangerPolicyResourceMatcher> matchers, final Map<String, Object> evalContext) {
    if (CollectionUtils.isEmpty(matchers) || CollectionUtils.isEmpty(requestedResources) || requestedResources.size() <= 1) {
        return true;
    }
    boolean excluded = true;
    int hits = 0;
    for (RangerAccessResource requested : requestedResources) {
        for (RangerPolicyResourceMatcher matcher : matchers) {
            if (!matcher.isMatch(requested, evalContext)) {
                continue;
            }
            hits++;
            if (hits > 1) {
                // Second hit overall: stop scanning matchers for this resource.
                // The remaining resources are still visited; the verdict cannot
                // flip back to true once it is false.
                excluded = false;
                break;
            }
        }
    }
    return excluded;
}

Example 2 with RangerAccessResource

use of org.apache.ranger.plugin.policyengine.RangerAccessResource in project ranger by apache.

Source: class RangerDefaultPolicyItemEvaluator, method matchUserGroupAndOwner.

/**
 * Decides whether this policy item applies to the requesting principal.
 *
 * <p>When {@code hasResourceOwner} is set, the requesting user is first compared
 * with the owner recorded on the accessed resource using an exact, case-sensitive
 * {@link String#equals}; a missing resource, a missing owner or a null user never
 * matches. If ownership does not decide it, the outcome is whatever
 * {@code matchUserGroup} returns for the user and its groups.
 *
 * @param request access request carrying the user, the user's groups and the
 *                accessed resource
 * @return {@code true} if the user owns the resource (when owner matching is
 *         enabled) or matches the item's user/group entries
 */
private boolean matchUserGroupAndOwner(RangerAccessRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyItemEvaluator.matchUserGroupAndOwner(" + request + ")");
    }
    final String user = request.getUser();
    final Set<String> userGroups = request.getUserGroups();

    boolean ownerMatched = false;
    if (hasResourceOwner) {
        final RangerAccessResource accessed = request.getResource();
        final String owner = (accessed == null) ? null : accessed.getOwnerUser();
        // String.equals(null) is false, so a null owner cannot match a real user.
        ownerMatched = user != null && user.equals(owner);
    }
    // User/group entries are consulted only when ownership did not already grant.
    final boolean ret = ownerMatched || matchUserGroup(user, userGroups);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyItemEvaluator.matchUserGroupAndOwner(" + request + "): " + ret);
    }
    return ret;
}

Example 3 with RangerAccessResource

use of org.apache.ranger.plugin.policyengine.RangerAccessResource in project ranger by apache.

Source: class RangerTagEnricher, method findMatchingTags.

/**
 * Collects the tags attached to every service resource that matches the
 * resource named in {@code request}.
 *
 * <p>The {@code enrichedServiceTags} field is read exactly once into a local so
 * that the whole evaluation works against one snapshot even if the tag-refresher
 * thread replaces the field part-way through (the field itself is declared
 * elsewhere; whether it is {@code volatile} cannot be seen here). A request with
 * no resource keys and an "any" access type is served from the pre-computed
 * empty-resource tag set. Otherwise each matcher's match type is classified:
 * with "any" access every non-{@code NONE} match counts; with the
 * {@code SELF_OR_DESCENDANTS} scope {@code SELF} and {@code DESCENDANT} count;
 * in all other cases {@code SELF} and {@code ANCESTOR} count.
 *
 * @param request the access request whose resource is being tag-enriched
 * @return the matched tags, or {@code null} when nothing matched; callers must
 *         treat {@code null} as "no tags" rather than as an error
 */
private Set<RangerTagForEval> findMatchingTags(final RangerAccessRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerTagEnricher.findMatchingTags(" + request + ")");
    }
    // Single read of the field: keeps the evaluation consistent against concurrent refreshes.
    final EnrichedServiceTags snapshot = this.enrichedServiceTags;
    final RangerAccessResource resource = request.getResource();
    Set<RangerTagForEval> matchedTags = null;

    final boolean noResourceKeys = resource == null || resource.getKeys() == null || resource.getKeys().isEmpty();
    if (noResourceKeys && request.isAccessTypeAny()) {
        matchedTags = snapshot.getTagsForEmptyResourceAndAnyAccess();
    } else {
        final List<RangerServiceResourceMatcher> matchers = getEvaluators(resource, snapshot);
        if (CollectionUtils.isNotEmpty(matchers)) {
            for (RangerServiceResourceMatcher matcher : matchers) {
                final RangerPolicyResourceMatcher.MatchType matchType = matcher.getMatchType(resource, request.getContext());
                final boolean matched;
                if (request.isAccessTypeAny()) {
                    matched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
                } else {
                    // SELF always counts; the second accepted direction depends on the requested scope.
                    final boolean descendantsScope = request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS;
                    final RangerPolicyResourceMatcher.MatchType alsoAccepted = descendantsScope
                        ? RangerPolicyResourceMatcher.MatchType.DESCENDANT
                        : RangerPolicyResourceMatcher.MatchType.ANCESTOR;
                    matched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == alsoAccepted;
                }
                if (!matched) {
                    continue;
                }
                if (matchedTags == null) {
                    matchedTags = new HashSet<>();
                }
                matchedTags.addAll(getTagsForServiceResource(snapshot.getServiceTags(), matcher.getServiceResource(), matchType));
            }
        }
    }

    if (LOG.isDebugEnabled()) {
        if (CollectionUtils.isEmpty(matchedTags)) {
            LOG.debug("RangerTagEnricher.findMatchingTags(" + resource + ") - No tags Found ");
        } else {
            LOG.debug("RangerTagEnricher.findMatchingTags(" + resource + ") - " + matchedTags.size() + " tags Found ");
        }
        LOG.debug("<== RangerTagEnricher.findMatchingTags(" + request + ")");
    }
    return matchedTags;
}

Example 4 with RangerAccessResource

use of org.apache.ranger.plugin.policyengine.RangerAccessResource in project ranger by apache.

Source: class RangerHdfsAuditHandler, method processResult.

/**
 * Folds one access-evaluation result into this handler's single audit event.
 *
 * <p>The event is created lazily from the first result that yields one and is
 * then reused: every later result overwrites its time, access type, result,
 * policy id and tags, so the emitted event reflects the <em>last</em> result
 * processed, not the whole sequence. {@code isAuditEnabled} is sticky — once any
 * result asks for auditing it stays on.
 *
 * <p>Forensics note: the event's resource path is {@code pathToBeValidated},
 * while the resource that was actually evaluated for this result is stored in
 * the result-reason field. Readers of HDFS audit logs should look at both.
 * The debug trace deliberately keeps the "logAudit" label used by this handler.
 *
 * @param result the evaluation result to record
 */
@Override
public void processResult(RangerAccessResult result) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHdfsAuditHandler.logAudit(" + result + ")");
    }
    if (!isAuditEnabled && result.getIsAudited()) {
        isAuditEnabled = true;
    }
    if (auditEvent == null) {
        auditEvent = super.getAuthzEvents(result);
    }
    if (auditEvent != null) {
        final RangerAccessRequest request = result.getAccessRequest();
        final RangerAccessResource resource = request.getResource();
        final String evaluatedPath = (resource == null) ? null : resource.getAsString();
        final short accessResult = result.getIsAllowed() ? (short) 1 : (short) 0;

        // Later results win: each call replaces the fields set by the previous one.
        auditEvent.setEventTime(request.getAccessTime());
        auditEvent.setAccessType(request.getAction());
        auditEvent.setResourcePath(this.pathToBeValidated);
        auditEvent.setResultReason(evaluatedPath);
        auditEvent.setAccessResult(accessResult);
        auditEvent.setPolicyId(result.getPolicyId());

        final Set<String> tags = getTags(request);
        if (tags != null) {
            auditEvent.setTags(tags);
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHdfsAuditHandler.logAudit(" + result + "): " + auditEvent);
    }
}

Example 5 with RangerAccessResource

use of org.apache.ranger.plugin.policyengine.RangerAccessResource in project ranger by apache.

Source: class RangerHiveAuditHandler, method createAuditEvent.

/**
 * Builds the audit event for one Hive access-evaluation result.
 *
 * <p>The value passed in the access-type position depends on the policy type:
 * for an enabled data-mask policy it is the result's mask type, for a row-filter
 * policy it is {@code ACCESS_TYPE_ROWFILTER}, and for everything else it is the
 * Hive access type when the request is a {@code RangerHiveAccessRequest} (falling
 * back to the generic access type if that is empty). Audit consumers can thus
 * tell masking and row-filtering decisions apart from plain access decisions.
 * A {@code RangerHiveAccessRequest} whose Hive access type is null would fail
 * on the {@code toString()} call — confirm against the request builder.
 *
 * @param result the evaluation result to audit
 * @return the event produced by the three-argument {@code createAuditEvent}
 */
AuthzAuditEvent createAuditEvent(RangerAccessResult result) {
    final RangerAccessRequest request = result.getAccessRequest();
    final RangerAccessResource resource = request.getResource();
    final String resourcePath = (resource == null) ? null : resource.getAsString();
    final int policyType = result.getPolicyType();

    final String accessType;
    if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK && result.isMaskEnabled()) {
        accessType = result.getMaskType();
    } else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
        accessType = ACCESS_TYPE_ROWFILTER;
    } else {
        String hiveAccessType = null;
        if (request instanceof RangerHiveAccessRequest) {
            hiveAccessType = ((RangerHiveAccessRequest) request).getHiveAccessType().toString();
        }
        // Prefer the Hive-specific type; fall back to the generic one when absent.
        accessType = StringUtils.isEmpty(hiveAccessType) ? request.getAccessType() : hiveAccessType;
    }
    return createAuditEvent(result, accessType, resourcePath);
}
