Example 6 with RangerPolicyEngine
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method ensureAdminAndAuditAccess.
void ensureAdminAndAuditAccess(RangerPolicy policy) {
boolean isAdmin = bizUtil.isAdmin();
boolean isKeyAdmin = bizUtil.isKeyAdmin();
String userName = bizUtil.getCurrentUserLoginId();
boolean isAuditAdmin = bizUtil.isAuditAdmin();
boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();
if (!isAdmin && !isKeyAdmin && !isAuditAdmin && !isAuditKeyAdmin) {
boolean isAllowed = false;
RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService());
if (policyEngine != null) {
Set<String> userGroups = userMgr.getGroupsForUser(userName);
isAllowed = hasAdminAccess(policy, userName, userGroups);
}
if (!isAllowed) {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "User '" + userName + "' does not have delegated-admin privilege on given resources", true);
}
} else {
XXService xService = daoManager.getXXService().findByName(policy.getService());
XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
if (isAdmin || isAuditAdmin) {
if (EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname())) {
throw restErrorUtil.createRESTException("KMS Policies/Services/Service-Defs are not accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
}
} else if (isKeyAdmin || isAuditKeyAdmin) {
if (!EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname())) {
throw restErrorUtil.createRESTException("Only KMS Policies/Services/Service-Defs are accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
}
}
}
}
Also used :
XXServiceDef(org.apache.ranger.entity.XXServiceDef)
RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)
VXString(org.apache.ranger.view.VXString)
XXService(org.apache.ranger.entity.XXService)
Example 7 with RangerPolicyEngine
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method getExactMatchPolicyForResource.
private RangerPolicy getExactMatchPolicyForResource(String serviceName, Map<String, RangerPolicyResource> resources, String user) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resources + ", " + user + ")");
}
RangerPolicy ret = null;
RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
Map<String, Object> evalContext = new HashMap<String, Object>();
RangerAccessRequestUtil.setCurrentUserInContext(evalContext, user);
List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(resources, evalContext) : null;
if (CollectionUtils.isNotEmpty(policies)) {
// at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store
ret = svcStore.getPolicy(policies.get(0).getId());
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.getExactMatchPolicyForResource(" + resources + ", " + user + "): " + ret);
}
return ret;
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
LinkedHashMap(java.util.LinkedHashMap)
HashMap(java.util.HashMap)
RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)
VXString(org.apache.ranger.view.VXString)
Example 8 with RangerPolicyEngine
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method applyAdminAccessFilter.
private List<RangerPolicy> applyAdminAccessFilter(List<RangerPolicy> policies) {
List<RangerPolicy> ret = new ArrayList<RangerPolicy>();
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.applyAdminAccessFilter(policyCount=" + (policies == null ? 0 : policies.size()) + ")");
}
if (CollectionUtils.isNotEmpty(policies)) {
boolean isAdmin = bizUtil.isAdmin();
boolean isKeyAdmin = bizUtil.isKeyAdmin();
String userName = bizUtil.getCurrentUserLoginId();
boolean isAuditAdmin = bizUtil.isAuditAdmin();
boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();
Set<String> userGroups = null;
Map<String, List<RangerPolicy>> servicePoliciesMap = new HashMap<String, List<RangerPolicy>>();
for (int i = 0; i < policies.size(); i++) {
RangerPolicy policy = policies.get(i);
String serviceName = policy.getService();
List<RangerPolicy> policyList = servicePoliciesMap.get(serviceName);
if (policyList == null) {
policyList = new ArrayList<RangerPolicy>();
servicePoliciesMap.put(serviceName, policyList);
}
policyList.add(policy);
}
for (Map.Entry<String, List<RangerPolicy>> entry : servicePoliciesMap.entrySet()) {
String serviceName = entry.getKey();
List<RangerPolicy> listToFilter = entry.getValue();
if (CollectionUtils.isNotEmpty(listToFilter)) {
if (isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin) {
XXService xService = daoManager.getXXService().findByName(serviceName);
Long serviceDefId = xService.getType();
boolean isKmsService = serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId());
if (isAdmin) {
if (!isKmsService) {
ret.addAll(listToFilter);
}
} else if (isAuditAdmin) {
if (!isKmsService) {
ret.addAll(listToFilter);
}
} else if (isAuditKeyAdmin) {
if (isKmsService) {
ret.addAll(listToFilter);
}
} else {
// isKeyAdmin
if (isKmsService) {
ret.addAll(listToFilter);
}
}
continue;
}
RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
if (policyEngine != null) {
if (userGroups == null) {
userGroups = daoManager.getXXGroupUser().findGroupNamesByUserName(userName);
}
for (RangerPolicy policy : listToFilter) {
if (policyEngine.isAccessAllowed(policy, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS)) {
ret.add(policy);
}
}
}
}
}
}
RangerPerfTracer.log(perf);
return ret;
}
Also used :
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
LinkedHashMap(java.util.LinkedHashMap)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)
VXString(org.apache.ranger.view.VXString)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPluginInfoList(org.apache.ranger.view.RangerPluginInfoList)
RangerServiceList(org.apache.ranger.view.RangerServiceList)
ArrayList(java.util.ArrayList)
VXPolicyLabelList(org.apache.ranger.view.VXPolicyLabelList)
List(java.util.List)
RangerExportPolicyList(org.apache.ranger.view.RangerExportPolicyList)
RangerPolicyList(org.apache.ranger.view.RangerPolicyList)
RangerServiceDefList(org.apache.ranger.view.RangerServiceDefList)
RangerAPIList(org.apache.ranger.security.context.RangerAPIList)
PList(org.apache.ranger.plugin.store.PList)
XXService(org.apache.ranger.entity.XXService)
Map(java.util.Map)
LinkedHashMap(java.util.LinkedHashMap)
TreeMap(java.util.TreeMap)
HashMap(java.util.HashMap)
Example 9 with RangerPolicyEngine
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method getPolicyEngine.
private RangerPolicyEngine getPolicyEngine(String serviceName) throws Exception {
ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, -1L);
RangerPolicyEngine ret = new RangerPolicyEngineImpl("ranger-admin", policies, defaultAdminOptions);
return ret;
}
Also used :
RangerPolicyEngineImpl(org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl)
ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies)
RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)
Example 10 with RangerPolicyEngine
use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.
the class ServiceREST method getExactMatchPolicyForResource.
private RangerPolicy getExactMatchPolicyForResource(String serviceName, RangerAccessResource resource, String user) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resource + ", " + user + ")");
}
RangerPolicy ret = null;
RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
Map<String, Object> evalContext = new HashMap<String, Object>();
RangerAccessRequestUtil.setCurrentUserInContext(evalContext, user);
List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(resource, evalContext) : null;
if (CollectionUtils.isNotEmpty(policies)) {
// at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store
ret = svcStore.getPolicy(policies.get(0).getId());
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.getExactMatchPolicyForResource(" + resource + ", " + user + "): " + ret);
}
return ret;
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
LinkedHashMap(java.util.LinkedHashMap)
HashMap(java.util.HashMap)
RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)
VXString(org.apache.ranger.view.VXString)
Aggregations
RangerPolicyEngine (org.apache.ranger.plugin.policyengine.RangerPolicyEngine)12
VXString (org.apache.ranger.view.VXString)6
HashMap (java.util.HashMap)4
LinkedHashMap (java.util.LinkedHashMap)4
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)4
XXService (org.apache.ranger.entity.XXService)3
RangerPolicyEngineImpl (org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl)3
ArrayList (java.util.ArrayList)2
XXServiceDef (org.apache.ranger.entity.XXServiceDef)2
ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)2
JsonSyntaxException (com.google.gson.JsonSyntaxException)1
IOException (java.io.IOException)1
List (java.util.List)1
Map (java.util.Map)1
Timer (java.util.Timer)1
TreeMap (java.util.TreeMap)1
GET (javax.ws.rs.GET)1
Path (javax.ws.rs.Path)1
Produces (javax.ws.rs.Produces)1
WebApplicationException (javax.ws.rs.WebApplicationException)1
