
Example 21 with RangerAccessResourceImpl

Use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.

Class RangerDefaultPolicyResourceMatcher, method isMatch.

@Override
public boolean isMatch(RangerPolicy policy, MatchScope scope, Map<String, Object> evalContext) {
    boolean ret = false;
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.getPoliciesNonLegacy()");
    }
    Map<String, RangerPolicyResource> resources = policy.getResources();
    if (policy.getPolicyType() == policyType && MapUtils.isNotEmpty(resources)) {
        List<RangerResourceDef> hierarchy = getMatchingHierarchy(resources.keySet());
        if (CollectionUtils.isNotEmpty(hierarchy)) {
            MatchType matchType = MatchType.NONE;
            RangerAccessResourceImpl accessResource = new RangerAccessResourceImpl();
            accessResource.setServiceDef(serviceDef);
            // Build up accessResource one resourceDef at a time.
            // For each resourceDef, examine the policy values one by one.
            // The first acceptable value (one that matches in any way) is used
            // for that resourceDef, and the next resourceDef is processed.
            // If none of the values matches, the policy as a whole cannot match,
            // so the match fails.
            // After all resourceDefs are processed, and some match is achieved at every
            // level, the final matchType (which is for the entire policy) is checked against
            // the requested scope to determine the match result.
            // Unit tests: TestDefaultPolicyResourceForPolicy.java, TestDefaultPolicyResourceMatcher.java,
            // test_defaultpolicyresourcematcher_for_hdfs_policy.json,
            // test_defaultpolicyresourcematcher_for_hive_policy.json, and
            // test_defaultPolicyResourceMatcher.json
            boolean skipped = false;
            for (RangerResourceDef resourceDef : hierarchy) {
                String name = resourceDef.getName();
                RangerPolicyResource policyResource = resources.get(name);
                if (policyResource != null && CollectionUtils.isNotEmpty(policyResource.getValues())) {
                    ret = false;
                    matchType = MatchType.NONE;
                    if (!skipped) {
                        for (String value : policyResource.getValues()) {
                            accessResource.setValue(name, value);
                            matchType = getMatchType(accessResource, evalContext);
                            if (matchType != MatchType.NONE) {
                                // One value for this resourceDef matched
                                ret = true;
                                break;
                            }
                        }
                    } else {
                        break;
                    }
                } else {
                    skipped = true;
                }
                if (!ret) {
                    // None of the values specified for this resourceDef matched, no point in continuing with next resourceDef
                    break;
                }
            }
            ret = ret && isMatch(scope, matchType);
        }
    }
    RangerPerfTracer.log(perf);
    return ret;
}
Also used: RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl), RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer), RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource), RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Example 22 with RangerAccessResourceImpl

Use of org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl in project ranger by apache.

Class StormRangerPlugin, method buildAccessRequest.

public RangerAccessRequest buildAccessRequest(String _user, String[] _groups, String _clientIp, String _topology, String _operation, String clusterName) {
    RangerAccessRequestImpl request = new RangerAccessRequestImpl();
    request.setUser(_user);
    if (_groups != null && _groups.length > 0) {
        Set<String> groups = Sets.newHashSet(_groups);
        request.setUserGroups(groups);
    }
    request.setAccessType(getAccessType(_operation));
    request.setClientIPAddress(_clientIp);
    request.setAction(_operation);
    // build resource and connect stuff into request
    RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
    resource.setValue(ResourceName.Topology, _topology);
    request.setResource(resource);
    request.setClusterName(clusterName);
    if (LOG.isDebugEnabled()) {
        LOG.debug("Returning request: " + request.toString());
    }
    return request;
}
Also used: RangerAccessRequestImpl (org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl), RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)

Aggregations

RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) 22
RangerAccessRequestImpl (org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl) 16
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer) 9
HashMap (java.util.HashMap) 8
JsonSyntaxException (com.google.gson.JsonSyntaxException) 5
IOException (java.io.IOException) 5
Path (javax.ws.rs.Path) 5
Produces (javax.ws.rs.Produces) 5
WebApplicationException (javax.ws.rs.WebApplicationException) 5
AuthorizationRequest (org.apache.nifi.authorization.AuthorizationRequest) 5
AuthorizationResult (org.apache.nifi.authorization.AuthorizationResult) 5
RequestAction (org.apache.nifi.authorization.RequestAction) 5
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy) 5
VXString (org.apache.ranger.view.VXString) 5
POST (javax.ws.rs.POST) 4
RESTResponse (org.apache.ranger.admin.client.datatype.RESTResponse) 4
RangerAccessResource (org.apache.ranger.plugin.policyengine.RangerAccessResource) 4
RangerAccessResult (org.apache.ranger.plugin.policyengine.RangerAccessResult) 4
Test (org.junit.Test) 4
LinkedHashMap (java.util.LinkedHashMap) 3