
Example 1 with RangerPolicyEngine

Use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in the Apache Ranger project: the `cleanup()` method of class `RangerBasePlugin`, which detaches the plugin's refresher, refresh timer and policy engine and then shuts each of them down.

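/**
 * Releases the plugin's policy-engine resources and detaches them from this instance.
 *
 * The three collaborators are first captured into locals and the fields (plus the
 * service name) are cleared, so that the plugin reads as "torn down" before the
 * possibly slow shutdown calls run. The shutdown steps are then chained through
 * nested {@code finally} blocks: an exception thrown while stopping the refresher
 * no longer leaves the refresh timer running and the engine unreleased (in the
 * original sequential form the first failing step skipped the remaining ones).
 * The first exception, if any, still propagates to the caller.
 *
 * NOTE(review): the capture-then-clear sequence is not atomic; whether concurrent
 * calls to cleanup() (or a concurrent re-init) are possible depends on callers
 * outside this listing — confirm they serialize access to these fields.
 */
public void cleanup() {
    PolicyRefresher refresher = this.refresher;
    RangerPolicyEngine policyEngine = this.policyEngine;
    Timer policyEngineRefreshTimer = this.policyEngineRefreshTimer;
    this.serviceName = null;
    this.policyEngine = null;
    this.refresher = null;
    this.policyEngineRefreshTimer = null;
    try {
        if (refresher != null) {
            refresher.stopRefresher();
        }
    } finally {
        try {
            if (policyEngineRefreshTimer != null) {
                // Timer.cancel() discards pending tasks and lets the timer thread exit.
                policyEngineRefreshTimer.cancel();
            }
        } finally {
            if (policyEngine != null) {
                policyEngine.cleanup();
            }
        }
    }
}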

Example 2 with RangerPolicyEngine

Use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in the Apache Ranger project: the resource-based `hasAdminAccess(...)` overload of class `ServiceREST`, which asks the service's delegated-admin policy engine whether a user holds admin access on a resource.

/**
 * Checks whether {@code userName} (evaluated together with {@code userGroups}) holds
 * delegated-admin access on {@code resource} within the named service.
 *
 * Fails closed: when no delegated-admin policy engine can be obtained for
 * {@code serviceName} the answer is {@code false} — access is never granted by
 * default and no exception is raised.
 *
 * @param serviceName service whose delegated-admin engine is consulted
 * @param userName    user being checked
 * @param userGroups  groups of that user, passed through to the engine
 * @param resource    resource the admin access is requested on
 * @return {@code true} only if the engine explicitly allows ADMIN_ACCESS
 */
private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups, RangerAccessResource resource) {
    RangerPolicyEngine engine = getDelegatedAdminPolicyEngine(serviceName);
    if (engine == null) {
        return false;
    }
    return engine.isAccessAllowed(resource, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
}

Example 3 with RangerPolicyEngine

Use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in the Apache Ranger project: the policy-based `hasAdminAccess(...)` overload of class `ServiceREST`, which evaluates delegated-admin access for a whole policy (its service is taken from the policy itself).

/**
 * Checks whether {@code userName} (with {@code userGroups}) holds delegated-admin
 * access on the resources covered by {@code policy}.
 *
 * The delegated-admin engine is looked up by the policy's own service name. Fails
 * closed: with no engine available the result is {@code false}.
 *
 * @param policy     policy whose resources are checked; must not be null
 *                   ({@code policy.getService()} is dereferenced unconditionally)
 * @param userName   user being checked
 * @param userGroups groups of that user
 * @return {@code true} only if the engine explicitly allows ADMIN_ACCESS
 */
private boolean hasAdminAccess(RangerPolicy policy, String userName, Set<String> userGroups) {
    RangerPolicyEngine engine = getDelegatedAdminPolicyEngine(policy.getService());
    if (engine == null) {
        return false;
    }
    return engine.isAccessAllowed(policy, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
}

Example 4 with RangerPolicyEngine

Use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in the Apache Ranger project: the REST endpoint `getPoliciesForResource(...)` of class `ServiceREST`, which builds a search policy engine for a service and returns the policies matching a resource described by the request parameters.

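/**
 * Returns the policies of a service that match the resource described by the
 * request's query parameters.
 *
 * Flow: the request is validated (which also fills {@code services} and
 * {@code resource} as out-parameters), a policy-search engine is obtained for the
 * resolved service, and the engine's matching policies are returned.
 *
 * NOTE(review): no authorization check is visible in this method. Whether
 * validateResourcePoliciesRequest (outside this listing) restricts which callers may
 * enumerate a service's policies must be confirmed; policy contents are sensitive.
 * NOTE(review): the debug/error log lines embed caller-controlled
 * {@code serviceDefName}/{@code serviceName} verbatim — confirm the logging layer
 * neutralizes CR/LF if log-forging is a concern.
 *
 * @param serviceDefName service type, taken from the path
 * @param serviceName    service name query parameter; defaults to "" (how an empty
 *                       value is resolved is up to the validator)
 * @param request        HTTP request whose parameters describe the resource
 * @return matching policies; an empty list when no engine is available
 * @throws WebApplicationException (via restErrorUtil) when validation fails, no
 *         service is resolved, or the policy engine cannot be initialized
 */
@GET
@Path("/policies/{serviceDefName}/for-resource")
@Produces({ "application/json", "application/xml" })
public List<RangerPolicy> getPoliciesForResource(@PathParam("serviceDefName") String serviceDefName, @DefaultValue("") @QueryParam("serviceName") String serviceName, @Context HttpServletRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ")");
    }
    List<RangerPolicy> ret = new ArrayList<>();
    List<RangerService> services = new ArrayList<>();
    Map<String, Object> resource = new HashMap<>();
    // Non-empty return value means the request was rejected.
    String validationMessage = validateResourcePoliciesRequest(serviceDefName, serviceName, request, services, resource);
    if (StringUtils.isNotEmpty(validationMessage)) {
        LOG.error("Invalid request: [" + validationMessage + "]");
        throw restErrorUtil.createRESTException(validationMessage, MessageEnums.INVALID_INPUT_DATA);
    }
    // Defensive: a validator that accepts the request but resolves no service would
    // otherwise surface as an IndexOutOfBoundsException (HTTP 500) on get(0) below.
    if (services.isEmpty()) {
        LOG.error("Invalid request: no service resolved for service-type=" + serviceDefName + ", service-name=" + serviceName);
        throw restErrorUtil.createRESTException("No service found for the given service-type and service-name", MessageEnums.INVALID_INPUT_DATA);
    }
    RangerService service = services.get(0);
    if (LOG.isDebugEnabled()) {
        LOG.debug("getServicePolicies with service-name=" + service.getName());
    }
    RangerPolicyEngine engine;
    try {
        engine = getPolicySearchPolicyEngine(service.getName());
    } catch (Exception e) {
        // Full cause goes to the server log; the client gets a generic message only.
        LOG.error("Cannot initialize Policy-Engine", e);
        throw restErrorUtil.createRESTException("Cannot initialize Policy Engine", MessageEnums.ERROR_SYSTEM);
    }
    if (engine != null) {
        ret = engine.getMatchingPolicies(new RangerAccessResourceImpl(resource));
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ") : " + ret.toString());
    }
    return ret;
}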

Example 5 with RangerPolicyEngine

Use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in the Apache Ranger project: the `ensureAdminAccess(...)` guard of class `ServiceREST`, which throws unless the current user is allowed to administer the given policy (delegated-admin check for ordinary users; KMS/non-KMS separation for admin and key-admin users).

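/**
 * Throws unless the current user may administer {@code policy}.
 *
 * Rules, as implemented:
 * <ul>
 *   <li>A user who is neither admin nor key-admin must hold delegated-admin access
 *       on the policy's resources, evaluated by the service's delegated-admin engine.
 *       With no engine available the check fails closed (denied).</li>
 *   <li>An admin is refused for KMS services; a key-admin is refused for non-KMS
 *       services. If both flags are set, the admin rule applies.</li>
 * </ul>
 *
 * The service lookup is now null-checked: a policy naming a non-existent service
 * used to surface as a NullPointerException (HTTP 500) on {@code xService.getType()}.
 *
 * @param policy policy being administered; must not be null
 * @throws WebApplicationException (via restErrorUtil) when access is denied or the
 *         policy's service / service-def cannot be resolved
 */
void ensureAdminAccess(RangerPolicy policy) {
    boolean isAdmin = bizUtil.isAdmin();
    boolean isKeyAdmin = bizUtil.isKeyAdmin();
    String userName = bizUtil.getCurrentUserLoginId();
    if (!isAdmin && !isKeyAdmin) {
        boolean isAllowed = false;
        RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService());
        if (policyEngine != null) {
            // Group lookup is only paid for when an engine exists to consult.
            Set<String> userGroups = userMgr.getGroupsForUser(userName);
            isAllowed = hasAdminAccess(policy, userName, userGroups);
        }
        if (!isAllowed) {
            // NOTE(review): this is an authorization failure of an authenticated user,
            // so 403 Forbidden would be the accurate status; 401 is kept unchanged here
            // because existing clients may depend on it.
            throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "User '" + userName + "' does not have delegated-admin privilege on given resources", true);
        }
        return;
    }
    XXService xService = daoManager.getXXService().findByName(policy.getService());
    if (xService == null) {
        // Unknown service name is a client error, not a server fault.
        throw restErrorUtil.createRESTException("Service '" + policy.getService() + "' not found", MessageEnums.INVALID_INPUT_DATA);
    }
    XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
    if (xServiceDef == null) {
        // A service without a resolvable service-def is a data-integrity problem.
        throw restErrorUtil.createRESTException("Service-def not found for service '" + policy.getService() + "'", MessageEnums.ERROR_SYSTEM);
    }
    boolean isKmsService = EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname());
    if (isAdmin) {
        if (isKmsService) {
            throw restErrorUtil.createRESTException("KMS Policies/Services/Service-Defs are not accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
        }
    } else if (isKeyAdmin) {
        if (!isKmsService) {
            throw restErrorUtil.createRESTException("Only KMS Policies/Services/Service-Defs are accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
        }
    }
}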
