use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method ensureAdminAndAuditAccess.
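/**
 * Authorization gate for policy create/update/delete requests in the admin REST layer.
 *
 * Two different checks apply, chosen by the caller's roles:
 * <ul>
 *   <li>A caller holding none of admin, keyadmin, auditor or key-auditor must have
 *       delegated-admin rights on the policy's resources, evaluated against the
 *       delegated-admin policy engine of {@code policy.getService()}. When no engine
 *       is available the check fails closed (the caller is rejected).</li>
 *   <li>A role holder is subject to the admin/keyadmin separation of duties:
 *       admin and auditor may not touch KMS policies; keyadmin and key-auditor may
 *       touch only KMS policies. The admin/auditor branch is tested first, so a caller
 *       holding roles from both groups is treated as admin/auditor.</li>
 * </ul>
 *
 * KMS is recognised here by the service-def's implementation class name
 * ({@code EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME}); {@code applyAdminAccessFilter}
 * in this class recognises it by service-def id instead. NOTE(review): the two
 * classifications presumably agree for the embedded KMS service-def but could diverge
 * for a custom service-def that reuses the KMS implementation class; consider unifying
 * them so that the listing filter and the mutation check cannot disagree.
 *
 * Rejections are raised through {@code restErrorUtil}: HTTP 401 for a non-role holder
 * without delegated-admin rights (the same message is used whether the service is
 * unknown or the engine denied access, so low-privileged callers cannot tell the two
 * apart), {@code MessageEnums.OPER_NO_PERMISSION} for a separation-of-duties
 * violation, and HTTP 404 when a role holder names a service or service-def that
 * cannot be found (previously this dereferenced a null DAO result and failed with a
 * NullPointerException).
 *
 * @param policy the policy being created/updated/deleted; {@code policy.getService()}
 *               names the service whose engine or service-def is consulted
 */
void ensureAdminAndAuditAccess(RangerPolicy policy) {
    boolean isAdmin = bizUtil.isAdmin();
    boolean isKeyAdmin = bizUtil.isKeyAdmin();
    String userName = bizUtil.getCurrentUserLoginId();
    boolean isAuditAdmin = bizUtil.isAuditAdmin();
    boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();
    if (!isAdmin && !isKeyAdmin && !isAuditAdmin && !isAuditKeyAdmin) {
        // Delegated-admin path: stays denied unless the service's engine grants it.
        boolean isAllowed = false;
        RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService());
        if (policyEngine != null) {
            Set<String> userGroups = userMgr.getGroupsForUser(userName);
            isAllowed = hasAdminAccess(policy, userName, userGroups);
        }
        if (!isAllowed) {
            throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "User '" + userName + "' does not have delegated-admin privilege on given resources", true);
        }
    } else {
        XXService xService = daoManager.getXXService().findByName(policy.getService());
        // The DAO is assumed to return null for an unknown service name; guard so a bad
        // service reference yields a clear 404 instead of a NullPointerException.
        if (xService == null) {
            throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Service '" + policy.getService() + "' does not exist", true);
        }
        XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
        if (xServiceDef == null) {
            throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Service-def for service '" + policy.getService() + "' does not exist", true);
        }
        // Constant on the left keeps the comparison null-safe if the impl class is unset.
        boolean isKmsService = EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname());
        if (isAdmin || isAuditAdmin) {
            if (isKmsService) {
                throw restErrorUtil.createRESTException("KMS Policies/Services/Service-Defs are not accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
            }
        } else if (isKeyAdmin || isAuditKeyAdmin) {
            if (!isKmsService) {
                throw restErrorUtil.createRESTException("Only KMS Policies/Services/Service-Defs are accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
            }
        }
    }
}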
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method getExactMatchPolicyForResource.
/**
 * Finds the policy in {@code serviceName} whose resource signature exactly matches
 * {@code resources}, and returns a fresh copy of it from the policy store.
 *
 * A policy engine for the service is built on the spot via {@link #getPolicyEngine}
 * (note that this rebuilds the engine on every call); its {@code getExactMatchPolicies}
 * is evaluated with {@code user} set as the current user in the evaluation context.
 * If several policies match, only the first one reported by the engine is used.
 *
 * The result is deliberately re-read from {@code svcStore} rather than returned from
 * the engine: callers (grant/revoke) go on to modify the policy and must not mutate
 * the engine's own instance.
 *
 * @param serviceName service to search
 * @param resources   resource signature to match exactly
 * @param user        login id placed in the evaluation context
 * @return a store copy of the matching policy, or {@code null} when nothing matches
 *         (or no engine could be obtained)
 * @throws Exception propagated from engine construction or the policy store
 */
private RangerPolicy getExactMatchPolicyForResource(String serviceName, Map<String, RangerPolicyResource> resources, String user) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resources + ", " + user + ")");
    }
    RangerPolicyEngine engine = getPolicyEngine(serviceName);
    Map<String, Object> context = new HashMap<String, Object>();
    RangerAccessRequestUtil.setCurrentUserInContext(context, user);
    List<RangerPolicy> matches = null;
    if (engine != null) {
        matches = engine.getExactMatchPolicies(resources, context);
    }
    RangerPolicy storeCopy = null;
    if (CollectionUtils.isNotEmpty(matches)) {
        // Hand back a store copy, not the engine's instance, since callers may update it.
        RangerPolicy firstMatch = matches.get(0);
        storeCopy = svcStore.getPolicy(firstMatch.getId());
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.getExactMatchPolicyForResource(" + resources + ", " + user + "): " + storeCopy);
    }
    return storeCopy;
}
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method applyAdminAccessFilter.
/**
 * Reduces a list of policies to those the current caller is allowed to see, as a
 * policy administrator.
 *
 * Policies are first grouped by service name, then each service group is decided in
 * one of two ways:
 * <ul>
 *   <li>Role holders (admin, keyadmin, auditor, key-auditor) see exactly one side of
 *       the admin/keyadmin split. The service's KMS-ness is taken from its service-def
 *       id ({@code EmbeddedServiceDefsUtil.instance().getKmsServiceDefId()}): admin and
 *       auditor get non-KMS services, keyadmin and key-auditor get KMS services. A
 *       caller with roles from both sides is treated as admin/auditor.</li>
 *   <li>Everyone else is checked per policy against the service's delegated-admin
 *       policy engine with {@code RangerPolicyEngine.ADMIN_ACCESS}; services without
 *       an engine contribute nothing. Group membership is looked up once, lazily.</li>
 * </ul>
 *
 * NOTE(review): this method resolves the caller's groups through
 * {@code daoManager.getXXGroupUser().findGroupNamesByUserName}, whereas
 * {@code ensureAdminAndAuditAccess} uses {@code userMgr.getGroupsForUser}. If those two
 * lookups can return different sets, a policy may be listed here but rejected on
 * update (or vice versa). The same method pair also classifies KMS differently
 * (service-def id here, implementation class name there).
 *
 * NOTE(review): {@code findByName} is dereferenced without a null check; if it can
 * return null for a service that was removed after the policies were loaded, this
 * throws NullPointerException rather than skipping or reporting the service.
 *
 * @param policies candidate policies; may be {@code null} or empty and is not modified
 * @return a new list holding the visible policies, in service-group order; never null
 */
private List<RangerPolicy> applyAdminAccessFilter(List<RangerPolicy> policies) {
    List<RangerPolicy> visible = new ArrayList<RangerPolicy>();
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
        int count = policies == null ? 0 : policies.size();
        perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.applyAdminAccessFilter(policyCount=" + count + ")");
    }
    if (CollectionUtils.isNotEmpty(policies)) {
        boolean isAdmin = bizUtil.isAdmin();
        boolean isKeyAdmin = bizUtil.isKeyAdmin();
        String userName = bizUtil.getCurrentUserLoginId();
        boolean isAuditAdmin = bizUtil.isAuditAdmin();
        boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();
        boolean hasRole = isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin;
        // Admin/auditor see non-KMS only; keyadmin/key-auditor see KMS only.
        // Admin/auditor takes precedence when both kinds of role are held.
        boolean wantsKms = !(isAdmin || isAuditAdmin);
        Set<String> userGroups = null;

        Map<String, List<RangerPolicy>> byService = new HashMap<String, List<RangerPolicy>>();
        for (RangerPolicy policy : policies) {
            List<RangerPolicy> bucket = byService.get(policy.getService());
            if (bucket == null) {
                bucket = new ArrayList<RangerPolicy>();
                byService.put(policy.getService(), bucket);
            }
            bucket.add(policy);
        }

        for (Map.Entry<String, List<RangerPolicy>> entry : byService.entrySet()) {
            String serviceName = entry.getKey();
            List<RangerPolicy> servicePolicies = entry.getValue();
            if (CollectionUtils.isEmpty(servicePolicies)) {
                continue;
            }
            if (hasRole) {
                XXService xService = daoManager.getXXService().findByName(serviceName);
                Long serviceDefId = xService.getType();
                boolean isKmsService = serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId());
                if (isKmsService == wantsKms) {
                    visible.addAll(servicePolicies);
                }
                continue;
            }
            RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
            if (policyEngine == null) {
                continue;
            }
            if (userGroups == null) {
                userGroups = daoManager.getXXGroupUser().findGroupNamesByUserName(userName);
            }
            for (RangerPolicy policy : servicePolicies) {
                if (policyEngine.isAccessAllowed(policy, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS)) {
                    visible.add(policy);
                }
            }
        }
    }
    RangerPerfTracer.log(perf);
    return visible;
}
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method getPolicyEngine.
/**
 * Builds a throw-away policy engine over the current policies of {@code serviceName}.
 *
 * The policies are fetched from {@code svcStore} with a known-version of {@code -1L}
 * (presumably "older than anything", so the full set is returned — confirm against
 * the store) and wrapped in a new {@code RangerPolicyEngineImpl} tagged
 * {@code "ranger-admin"} with {@code defaultAdminOptions}.
 *
 * This method never returns {@code null}: a new engine is constructed on every call,
 * so the null checks in its callers are purely defensive. It also means each caller
 * pays for a full engine build; callers on hot request paths should keep that in
 * mind. How the engine behaves when the store returns {@code null} for an unknown
 * service is not visible here.
 *
 * @param serviceName service whose policies back the engine
 * @return a freshly built engine for the service
 * @throws Exception propagated from the policy store
 */
private RangerPolicyEngine getPolicyEngine(String serviceName) throws Exception {
    ServicePolicies servicePolicies = svcStore.getServicePoliciesIfUpdated(serviceName, -1L);
    return new RangerPolicyEngineImpl("ranger-admin", servicePolicies, defaultAdminOptions);
}
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method getExactMatchPolicyForResource.
/**
 * Overload of the exact-match lookup that takes an already-built
 * {@code RangerAccessResource} instead of a resource map; otherwise behaves like its
 * sibling: builds an engine for {@code serviceName} via {@link #getPolicyEngine}
 * (a fresh engine per call), evaluates {@code getExactMatchPolicies} with {@code user}
 * in the evaluation context, and returns a store copy of the first match.
 *
 * The store copy matters because callers (grant/revoke) modify the returned policy;
 * returning the engine's instance would let that mutation leak into the engine.
 *
 * @param serviceName service to search
 * @param resource    resource to match exactly
 * @param user        login id placed in the evaluation context
 * @return a store copy of the first matching policy, or {@code null} if none
 * @throws Exception propagated from engine construction or the policy store
 */
private RangerPolicy getExactMatchPolicyForResource(String serviceName, RangerAccessResource resource, String user) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resource + ", " + user + ")");
    }
    RangerPolicyEngine engine = getPolicyEngine(serviceName);
    Map<String, Object> context = new HashMap<String, Object>();
    RangerAccessRequestUtil.setCurrentUserInContext(context, user);
    RangerPolicy storeCopy = null;
    if (engine != null) {
        List<RangerPolicy> matches = engine.getExactMatchPolicies(resource, context);
        if (CollectionUtils.isNotEmpty(matches)) {
            // Re-read from the store so the caller's edits never touch the engine's copy.
            storeCopy = svcStore.getPolicy(matches.get(0).getId());
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.getExactMatchPolicyForResource(" + resource + ", " + user + "): " + storeCopy);
    }
    return storeCopy;
}