Example 1 with RangerPolicyEngine
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class RangerBasePlugin method cleanup.
public void cleanup() {
PolicyRefresher refresher = this.refresher;
RangerPolicyEngine policyEngine = this.policyEngine;
Timer policyEngineRefreshTimer = this.policyEngineRefreshTimer;
this.serviceName = null;
this.policyEngine = null;
this.refresher = null;
this.policyEngineRefreshTimer = null;
if (refresher != null) {
refresher.stopRefresher();
}
if (policyEngineRefreshTimer != null) {
policyEngineRefreshTimer.cancel();
}
if (policyEngine != null) {
policyEngine.cleanup();
}
}
Also used :
PolicyRefresher(org.apache.ranger.plugin.util.PolicyRefresher)
Timer(java.util.Timer)
RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)
Example 2 with RangerPolicyEngine
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method hasAdminAccess.
private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups, RangerAccessResource resource) {
boolean isAllowed = false;
RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
if (policyEngine != null) {
isAllowed = policyEngine.isAccessAllowed(resource, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
}
return isAllowed;
}
Also used :
RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)
Example 3 with RangerPolicyEngine
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method hasAdminAccess.
private boolean hasAdminAccess(RangerPolicy policy, String userName, Set<String> userGroups) {
boolean isAllowed = false;
RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService());
if (policyEngine != null) {
isAllowed = policyEngine.isAccessAllowed(policy, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
}
return isAllowed;
}
Also used :
RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)
Example 4 with RangerPolicyEngine
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method getPoliciesForResource.
@GET
@Path("/policies/{serviceDefName}/for-resource")
@Produces({ "application/json", "application/xml" })
public List<RangerPolicy> getPoliciesForResource(@PathParam("serviceDefName") String serviceDefName, @DefaultValue("") @QueryParam("serviceName") String serviceName, @Context HttpServletRequest request) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ")");
}
List<RangerPolicy> ret = new ArrayList<>();
List<RangerService> services = new ArrayList<>();
Map<String, Object> resource = new HashMap<>();
String validationMessage = validateResourcePoliciesRequest(serviceDefName, serviceName, request, services, resource);
if (StringUtils.isNotEmpty(validationMessage)) {
LOG.error("Invalid request: [" + validationMessage + "]");
throw restErrorUtil.createRESTException(validationMessage, MessageEnums.INVALID_INPUT_DATA);
} else {
RangerService service = services.get(0);
if (LOG.isDebugEnabled()) {
LOG.debug("getServicePolicies with service-name=" + service.getName());
}
RangerPolicyEngine engine = null;
try {
engine = getPolicySearchPolicyEngine(service.getName());
} catch (Exception e) {
LOG.error("Cannot initialize Policy-Engine", e);
throw restErrorUtil.createRESTException("Cannot initialize Policy Engine", MessageEnums.ERROR_SYSTEM);
}
if (engine != null) {
ret = engine.getMatchingPolicies(new RangerAccessResourceImpl(resource));
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ") : " + ret.toString());
}
return ret;
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)
LinkedHashMap(java.util.LinkedHashMap)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)
RangerService(org.apache.ranger.plugin.model.RangerService)
VXString(org.apache.ranger.view.VXString)
WebApplicationException(javax.ws.rs.WebApplicationException)
IOException(java.io.IOException)
JsonSyntaxException(com.google.gson.JsonSyntaxException)
Path(javax.ws.rs.Path)
Produces(javax.ws.rs.Produces)
GET(javax.ws.rs.GET)
Example 5 with RangerPolicyEngine
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method ensureAdminAccess.
void ensureAdminAccess(RangerPolicy policy) {
boolean isAdmin = bizUtil.isAdmin();
boolean isKeyAdmin = bizUtil.isKeyAdmin();
String userName = bizUtil.getCurrentUserLoginId();
if (!isAdmin && !isKeyAdmin) {
boolean isAllowed = false;
RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService());
if (policyEngine != null) {
Set<String> userGroups = userMgr.getGroupsForUser(userName);
isAllowed = hasAdminAccess(policy, userName, userGroups);
}
if (!isAllowed) {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "User '" + userName + "' does not have delegated-admin privilege on given resources", true);
}
} else {
XXService xService = daoManager.getXXService().findByName(policy.getService());
XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
if (isAdmin) {
if (EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname())) {
throw restErrorUtil.createRESTException("KMS Policies/Services/Service-Defs are not accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
}
} else if (isKeyAdmin) {
if (!EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname())) {
throw restErrorUtil.createRESTException("Only KMS Policies/Services/Service-Defs are accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
}
}
}
}
Also used :
XXServiceDef(org.apache.ranger.entity.XXServiceDef)
RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)
VXString(org.apache.ranger.view.VXString)
XXService(org.apache.ranger.entity.XXService)
Aggregations
RangerPolicyEngine (org.apache.ranger.plugin.policyengine.RangerPolicyEngine)12
VXString (org.apache.ranger.view.VXString)6
HashMap (java.util.HashMap)4
LinkedHashMap (java.util.LinkedHashMap)4
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)4
XXService (org.apache.ranger.entity.XXService)3
RangerPolicyEngineImpl (org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl)3
ArrayList (java.util.ArrayList)2
XXServiceDef (org.apache.ranger.entity.XXServiceDef)2
ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)2
JsonSyntaxException (com.google.gson.JsonSyntaxException)1
IOException (java.io.IOException)1
List (java.util.List)1
Map (java.util.Map)1
Timer (java.util.Timer)1
TreeMap (java.util.TreeMap)1
GET (javax.ws.rs.GET)1
Path (javax.ws.rs.Path)1
Produces (javax.ws.rs.Produces)1
WebApplicationException (javax.ws.rs.WebApplicationException)1
