use of org.apache.ranger.plugin.policyengine.RangerPluginContext in project ranger by apache.
the class RangerPolicyAdminCache method addPolicyAdmin.
/**
 * Builds a {@link RangerPolicyAdmin} for the given policies and roles.
 *
 * The plugin config is created with the service type taken from the policies'
 * service-def (empty string when no service-def is present), the fixed
 * application name {@code "ranger-admin"}, and the supplied engine options.
 * NOTE(review): the two {@code null} arguments after "ranger-admin" sit where the
 * test snippets pass "cl1"/"on-prem" (presumably cluster name/type) — confirm
 * against {@code RangerPluginConfig}.
 *
 * @param policies policies (and service-def) to load into the admin engine
 * @param roles    role definitions handed to the admin engine
 * @param options  engine options forwarded into the plugin config
 * @return a new {@link RangerPolicyAdminImpl} wrapping a fresh plugin context
 */
private RangerPolicyAdmin addPolicyAdmin(ServicePolicies policies, RangerRoles roles, RangerPolicyEngineOptions options) {
    final RangerServiceDef serviceDef = policies.getServiceDef();

    // Fall back to an empty service type rather than failing when the service-def is absent.
    final String serviceTypeName;
    if (serviceDef == null) {
        serviceTypeName = "";
    } else {
        serviceTypeName = serviceDef.getName();
    }

    final RangerPluginConfig pluginConfig = new RangerPluginConfig(serviceTypeName, null, "ranger-admin", null, null, options);
    final RangerPluginContext context = new RangerPluginContext(pluginConfig);

    return new RangerPolicyAdminImpl(policies, context, roles);
}
use of org.apache.ranger.plugin.policyengine.RangerPluginContext in project ranger by apache.
the class TestPolicyEngine method runTests.
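/**
 * Runs every test case found in the JSON test file {@code reader} against a fresh
 * policy engine and asserts the allow/audit/policy-id outcome of each request.
 *
 * NOTE(review): the previous version caught {@code Throwable} and only called
 * {@code printStackTrace()}. Because {@code AssertionError} is a {@code Throwable},
 * every mismatch — including a request wrongly allowed by the policy engine — was
 * swallowed and the test passed. Failures now propagate; non-assertion exceptions
 * (bad JSON, engine errors) are rethrown as {@code AssertionError} with the cause
 * attached so the method signature is unchanged.
 *
 * @param reader   reader over the JSON test case (parsed with {@code gsonBuilder})
 * @param testName name used in assertion messages to identify the test file
 */
private void runTests(InputStreamReader reader, String testName) {
    try {
        PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);

        assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null);

        ServicePolicies servicePolicies = new ServicePolicies();
        servicePolicies.setServiceName(testCase.serviceName);
        servicePolicies.setServiceDef(testCase.serviceDef);
        servicePolicies.setPolicies(testCase.policies);

        // Default options; the engine is built for the "hbase" service type with the
        // test name as the application id (the 4th/5th args are presumably cluster
        // name/type — confirm against RangerPluginConfig).
        RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
        RangerPluginContext pluginContext = new RangerPluginContext(new RangerPluginConfig("hbase", null, testName, "cl1", "on-prem", policyEngineOptions));
        RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, null);
        RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler(pluginContext.getConfig());

        for (TestData test : testCase.tests) {
            RangerAccessResult expected = test.result;
            RangerAccessRequest request = test.request;

            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);

            assertNotNull("result was null! - " + test.name, result);
            assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
            assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
    } catch (AssertionError excp) {
        // A genuine assertion failure must fail the test, never be logged and ignored.
        throw excp;
    } catch (Throwable excp) {
        // Any other failure is still a failed test; keep the cause for diagnosis.
        throw new AssertionError("unexpected failure while running test: " + testName, excp);
    }
}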
use of org.apache.ranger.plugin.policyengine.RangerPluginContext in project ranger by apache.
the class TestPolicyDb method runTests.
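/**
 * Runs the policy-db test cases in {@code reader} against a {@link RangerPolicyAdmin}
 * built from the test's service policies.
 *
 * Each test either lists the policy ids expected from
 * {@code getAllowedUnzonedPolicies} (when {@code allowedPolicies} is set) or a
 * boolean expected from {@code isAccessAllowedByUnzonedPolicies}.
 *
 * NOTE(review): the previous version dereferenced {@code testCase.servicePolicies}
 * to apply the service-def override before the "invalid input" assertion, so a
 * malformed test file produced a NullPointerException instead of the intended
 * assertion message. The validation now runs first.
 *
 * @param reader     reader over the JSON test case (parsed with {@code gsonBuilder})
 * @param testName   name used in assertion messages to identify the test file
 * @param serviceDef optional global service-def; when non-null it replaces the
 *                   service-def carried by the test file
 */
private void runTests(InputStreamReader reader, String testName, RangerServiceDef serviceDef) {
    PolicyDbTestCase testCase = gsonBuilder.fromJson(reader, PolicyDbTestCase.class);

    // Validate the parsed input before touching any of its fields.
    assertTrue("invalid input: " + testName, testCase != null && testCase.servicePolicies != null && testCase.tests != null && testCase.servicePolicies.getPolicies() != null);

    if (serviceDef != null) {
        // Override serviceDef in the json test-file with a global service-def
        testCase.servicePolicies.setServiceDef(serviceDef);
    }

    // Optimized evaluator, no audit-result caching; context enrichers and custom
    // conditions are disabled, so these tests presumably exercise only
    // resource/user/group/access-type matching — confirm against the test files.
    RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
    policyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
    policyEngineOptions.cacheAuditResults = false;
    policyEngineOptions.disableContextEnrichers = true;
    policyEngineOptions.disableCustomConditions = true;

    RangerPluginContext pluginContext = new RangerPluginContext(new RangerPluginConfig("hive", null, "test-policydb", "cl1", "on-prem", policyEngineOptions));
    RangerPolicyAdmin policyAdmin = new RangerPolicyAdminImpl(testCase.servicePolicies, pluginContext, null);

    for (TestData test : testCase.tests) {
        boolean expected = test.result;

        if (test.allowedPolicies != null) {
            List<RangerPolicy> allowedPolicies = policyAdmin.getAllowedUnzonedPolicies(test.user, test.userGroups, test.accessType);

            assertEquals("allowed-policy count mismatch!", test.allowedPolicies.size(), allowedPolicies.size());

            // Compare as a set of ids: order of the returned policies is not part of the contract here.
            Set<Long> allowedPolicyIds = new HashSet<>();
            for (RangerPolicy allowedPolicy : allowedPolicies) {
                allowedPolicyIds.add(allowedPolicy.getId());
            }

            assertEquals("allowed-policy list mismatch!", test.allowedPolicies, allowedPolicyIds);
        } else {
            boolean result = policyAdmin.isAccessAllowedByUnzonedPolicies(test.resources, test.user, test.userGroups, test.accessType);

            assertEquals("isAccessAllowed mismatched! - " + test.name, expected, result);
        }
    }
}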
use of org.apache.ranger.plugin.policyengine.RangerPluginContext in project ranger by apache.
the class RangerAbstractPolicyEvaluator method getPrunedPolicy.
/**
 * Returns {@code policy} restricted to its delegate-admin items when the plugin
 * context requests delegate-admin-only evaluation; otherwise the policy is
 * returned unchanged.
 *
 * Allow items, deny items, allow-exceptions and deny-exceptions are each filtered
 * by {@code getDelegateAdmin()}. A copy is built only if at least one list
 * actually lost an item; when nothing was filtered the original instance is
 * returned as-is.
 *
 * @param policy policy to prune (never pruned in place)
 * @return the original policy, or a pruned copy carrying the same id/guid/version/service-type
 */
private RangerPolicy getPrunedPolicy(final RangerPolicy policy) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAbstractPolicyEvaluator.getPrunedPolicy(" + policy + ")");
    }

    final RangerPluginContext context = getPluginContext();
    final boolean delegateAdminOnly = context != null && context.getConfig().getPolicyEngineOptions().evaluateDelegateAdminOnly;

    RangerPolicy ret = policy;
    boolean isPruningNeeded = false;

    if (delegateAdminOnly) {
        final List<RangerPolicy.RangerPolicyItem> allowItems = keepDelegateAdminItems(policy.getPolicyItems());
        final List<RangerPolicy.RangerPolicyItem> denyItems = keepDelegateAdminItems(policy.getDenyPolicyItems());
        final List<RangerPolicy.RangerPolicyItem> allowExceptions = keepDelegateAdminItems(policy.getAllowExceptions());
        final List<RangerPolicy.RangerPolicyItem> denyExceptions = keepDelegateAdminItems(policy.getDenyExceptions());

        // Only copy when filtering removed something from at least one list.
        isPruningNeeded = allowItems.size() != policy.getPolicyItems().size()
                || denyItems.size() != policy.getDenyPolicyItems().size()
                || allowExceptions.size() != policy.getAllowExceptions().size()
                || denyExceptions.size() != policy.getDenyExceptions().size();

        if (isPruningNeeded) {
            ret = new RangerPolicy();
            ret.updateFrom(policy);
            // Identity fields are re-applied explicitly; presumably updateFrom()
            // does not carry them over — confirm against RangerPolicy.
            ret.setId(policy.getId());
            ret.setGuid(policy.getGuid());
            ret.setVersion(policy.getVersion());
            ret.setServiceType(policy.getServiceType());
            ret.setPolicyItems(allowItems);
            ret.setDenyPolicyItems(denyItems);
            ret.setAllowExceptions(allowExceptions);
            ret.setDenyExceptions(denyExceptions);
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAbstractPolicyEvaluator.getPrunedPolicy(isPruningNeeded=" + isPruningNeeded + ") : " + ret);
    }

    return ret;
}

/** Keeps only the items whose {@code getDelegateAdmin()} is true, in the original order. */
private static List<RangerPolicy.RangerPolicyItem> keepDelegateAdminItems(List<RangerPolicy.RangerPolicyItem> items) {
    return items.stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
}
use of org.apache.ranger.plugin.policyengine.RangerPluginContext in project ranger by apache.
the class RangerPolicyEnginePerformanceTest method policyEngineTest.
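/**
 * Warms up a policy engine built from cached requests/policies, then evaluates
 * one request per client thread concurrently and waits for all of them.
 *
 * NOTE(review): previously {@code latch.countDown()} was only reached when
 * {@code evaluatePolicies} returned normally, so any exception on a client thread
 * left {@code latch.await()} blocked forever and the exception itself was lost
 * in the thread. The count-down now runs in a {@code finally} block and the first
 * failure is re-raised on the test thread.
 *
 * @throws InterruptedException if the wait on the latch is interrupted
 */
@Test
public void policyEngineTest() throws InterruptedException {
    List<RangerAccessRequest> requests = requestsCache.getUnchecked(concurrency);
    ServicePolicies servicePolicies = servicePoliciesCache.getUnchecked(numberOfPolicies);
    RangerPluginContext pluginContext = new RangerPluginContext(new RangerPluginConfig("hive", null, "perf-test", "cl1", "on-prem", RangerPolicyFactory.createPolicyEngineOption()));
    final RangerPolicyEngineImpl rangerPolicyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, null);

    for (int iterations = 0; iterations < WARM_UP__ITERATIONS; iterations++) {
        // using return value of 'isAccessAllowed' with a cheap operation: System#identityHashCode so JIT wont remove it as dead code
        System.identityHashCode(rangerPolicyEngine.evaluatePolicies(requests.get(iterations % concurrency), RangerPolicy.POLICY_TYPE_ACCESS, null));
        PerfDataRecorder.clearStatistics();
    }

    final CountDownLatch latch = new CountDownLatch(concurrency);
    // First exception thrown on any client thread; fully qualified so no new import is needed.
    final java.util.concurrent.atomic.AtomicReference<Throwable> firstFailure = new java.util.concurrent.atomic.AtomicReference<>();

    for (int i = 0; i < concurrency; i++) {
        final RangerAccessRequest rangerAccessRequest = requests.get(i);

        new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    System.identityHashCode(rangerPolicyEngine.evaluatePolicies(rangerAccessRequest, RangerPolicy.POLICY_TYPE_ACCESS, null));
                } catch (Throwable t) {
                    firstFailure.compareAndSet(null, t);
                } finally {
                    // Must run even when evaluatePolicies throws, or await() below never returns.
                    latch.countDown();
                }
            }
        }, String.format("Client #%s", i)).start();
    }

    latch.await();

    Throwable failure = firstFailure.get();
    if (failure != null) {
        throw new AssertionError("policy evaluation failed on a client thread", failure);
    }
}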