Use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
Class RangerBasePlugin, method cleanup.
/**
 * Releases the plugin's runtime components: the policy refresher, the
 * policy-engine refresh timer and the policy engine itself.
 *
 * <p>The current field values are captured into locals and all four fields
 * (including {@code serviceName}) are cleared first; only then are the captured
 * components stopped, in the order refresher, timer, engine. Anyone reading the
 * fields therefore sees them as {@code null} before the shutdown work runs.
 * The fields are read and written here without any synchronization; whether
 * concurrent callers are possible cannot be determined from this method alone
 * (TODO confirm against the call sites).
 */
public void cleanup() {
    final PolicyRefresher    activeRefresher = this.refresher;
    final RangerPolicyEngine activeEngine    = this.policyEngine;
    final Timer              refreshTimer    = this.policyEngineRefreshTimer;

    // Detach everything from the plugin before doing any shutdown work.
    this.serviceName              = null;
    this.policyEngine             = null;
    this.refresher                = null;
    this.policyEngineRefreshTimer = null;

    // Shut down the captured components: refresher, then timer, then engine.
    if (activeRefresher != null) {
        activeRefresher.stopRefresher();
    }

    if (refreshTimer != null) {
        refreshTimer.cancel();
    }

    if (activeEngine != null) {
        activeEngine.cleanup();
    }
}
Use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
Class ServiceREST, method hasAdminAccess (resource variant).
/**
 * Checks whether {@code userName} (with {@code userGroups}) holds delegated-admin
 * access on {@code resource} within the service {@code serviceName}.
 *
 * <p>The check is evaluated as {@link RangerPolicyEngine#ADMIN_ACCESS} against the
 * delegated-admin policy engine of the service. When no engine is available for
 * the service the check fails closed and returns {@code false}.
 *
 * @param serviceName service whose delegated-admin engine is consulted
 * @param userName    user being checked
 * @param userGroups  groups of the user
 * @param resource    resource on which admin access is requested
 * @return {@code true} only if the engine grants admin access
 */
private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups, RangerAccessResource resource) {
    final RangerPolicyEngine adminEngine = getDelegatedAdminPolicyEngine(serviceName);

    if (adminEngine == null) {
        // No delegated-admin engine for this service: deny.
        return false;
    }

    return adminEngine.isAccessAllowed(resource, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
}
Use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
Class ServiceREST, method hasAdminAccess (policy variant).
/**
 * Checks whether {@code userName} (with {@code userGroups}) holds delegated-admin
 * access on the resources covered by {@code policy}.
 *
 * <p>The delegated-admin policy engine of the policy's service is asked for
 * {@link RangerPolicyEngine#ADMIN_ACCESS}; when no engine is available the check
 * fails closed and returns {@code false}. {@code policy} is dereferenced
 * unconditionally, so callers must pass a non-null policy.
 *
 * @param policy     policy whose service and resources are checked
 * @param userName   user being checked
 * @param userGroups groups of the user
 * @return {@code true} only if the engine grants admin access
 */
private boolean hasAdminAccess(RangerPolicy policy, String userName, Set<String> userGroups) {
    final RangerPolicyEngine adminEngine = getDelegatedAdminPolicyEngine(policy.getService());

    if (adminEngine == null) {
        // No delegated-admin engine for this service: deny.
        return false;
    }

    return adminEngine.isAccessAllowed(policy, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
}
Use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
Class ServiceREST, method getPoliciesForResource.
/**
 * Returns the policies of a service that match the resource described by the
 * request.
 *
 * <p>The request is first validated by {@code validateResourcePoliciesRequest},
 * which also fills in the list of candidate services and the resource map; a
 * non-empty validation message is logged and turned into an
 * {@code INVALID_INPUT_DATA} REST error. The first candidate service is then
 * used to obtain the policy-search engine, and the engine's matching policies
 * for the resource are returned (an empty list when no engine is available).
 *
 * <p>{@code serviceDefName} and {@code serviceName} come straight from the
 * request path/query and are echoed verbatim into the debug log messages.
 *
 * @param serviceDefName service-definition name from the path
 * @param serviceName    optional service name from the query string (defaults to "")
 * @param request        the HTTP request carrying the resource description
 * @return matching policies; never {@code null} unless the engine itself returns {@code null}
 */
@GET
@Path("/policies/{serviceDefName}/for-resource")
@Produces({ "application/json", "application/xml" })
public List<RangerPolicy> getPoliciesForResource(@PathParam("serviceDefName") String serviceDefName, @DefaultValue("") @QueryParam("serviceName") String serviceName, @Context HttpServletRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ")");
    }

    final List<RangerService> candidateServices = new ArrayList<>();
    final Map<String, Object> resourceSpec      = new HashMap<>();
    final String              validationError   = validateResourcePoliciesRequest(serviceDefName, serviceName, request, candidateServices, resourceSpec);

    if (StringUtils.isNotEmpty(validationError)) {
        LOG.error("Invalid request: [" + validationError + "]");
        throw restErrorUtil.createRESTException(validationError, MessageEnums.INVALID_INPUT_DATA);
    }

    // Validation succeeded: the validator is relied upon to have supplied at least one service.
    final RangerService targetService = candidateServices.get(0);

    if (LOG.isDebugEnabled()) {
        LOG.debug("getServicePolicies with service-name=" + targetService.getName());
    }

    final RangerPolicyEngine searchEngine;
    try {
        searchEngine = getPolicySearchPolicyEngine(targetService.getName());
    } catch (Exception e) {
        LOG.error("Cannot initialize Policy-Engine", e);
        throw restErrorUtil.createRESTException("Cannot initialize Policy Engine", MessageEnums.ERROR_SYSTEM);
    }

    final List<RangerPolicy> ret = (searchEngine == null)
            ? new ArrayList<>()
            : searchEngine.getMatchingPolicies(new RangerAccessResourceImpl(resourceSpec));

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ") : " + ret.toString());
    }

    return ret;
}
Use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
Class ServiceREST, method ensureAdminAccess.
/**
 * Verifies that the current user may administer {@code policy}, throwing a REST
 * error otherwise.
 *
 * <p>Two paths exist:
 * <ul>
 *   <li>A user who is neither admin nor key-admin must hold delegated-admin
 *       access on the policy, as decided by {@code hasAdminAccess(RangerPolicy, ...)}
 *       when a delegated-admin engine exists for the policy's service. Failure is
 *       reported with {@code SC_UNAUTHORIZED} (401); the user is already
 *       authenticated at this point, so semantically this is a privilege denial,
 *       but the status code is kept for client compatibility. Note that the
 *       engine is looked up here only for the null check and again inside
 *       {@code hasAdminAccess}.</li>
 *   <li>An admin may not touch KMS services; a key-admin may touch only KMS
 *       services. The service type is resolved through the DAO layer; the
 *       lookups are dereferenced directly, so an unknown service name surfaces
 *       as a {@code NullPointerException} rather than a REST error.</li>
 * </ul>
 *
 * @param policy the policy being administered; dereferenced unconditionally
 */
void ensureAdminAccess(RangerPolicy policy) {
    final boolean isAdmin    = bizUtil.isAdmin();
    final boolean isKeyAdmin = bizUtil.isKeyAdmin();
    final String  userName   = bizUtil.getCurrentUserLoginId();

    if (!isAdmin && !isKeyAdmin) {
        // Regular user: fall back to the service's delegated-admin policies.
        boolean delegatedAdmin = false;

        if (getDelegatedAdminPolicyEngine(policy.getService()) != null) {
            final Set<String> groups = userMgr.getGroupsForUser(userName);
            delegatedAdmin = hasAdminAccess(policy, userName, groups);
        }

        if (!delegatedAdmin) {
            throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "User '" + userName + "' does not have delegated-admin privilege on given resources", true);
        }
        return;
    }

    // Admin or key-admin: enforce the KMS / non-KMS split on the policy's service type.
    final XXService    xService    = daoManager.getXXService().findByName(policy.getService());
    final XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
    final boolean      isKmsService = EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname());

    if (isAdmin) {
        if (isKmsService) {
            throw restErrorUtil.createRESTException("KMS Policies/Services/Service-Defs are not accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
        }
    } else if (isKeyAdmin) {
        if (!isKmsService) {
            throw restErrorUtil.createRESTException("Only KMS Policies/Services/Service-Defs are accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
        }
    }
}