
Example 6 with RangerPolicyEngine

use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.

the class ServiceREST method ensureAdminAndAuditAccess.

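/**
 * Verifies that the current user may administer the given policy, failing closed.
 *
 * <p>Admin and audit-admin users may act on any non-KMS policy; key-admin and
 * audit-key-admin users may act only on KMS policies (the service-def's implementation
 * class is compared against {@code EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME}). A user
 * holding none of those roles must be granted delegated-admin access on the policy's
 * resources by the service's delegated-admin policy engine.
 *
 * <p>Every path that cannot positively establish access rejects the request: no
 * delegated-admin engine for the service, an unknown service, or an unknown service-def.
 *
 * @param policy the policy whose service and resources are being checked
 * @throws RuntimeException a REST exception built by {@code restErrorUtil} when the user
 *         is not permitted or the service / service-def cannot be resolved
 */
void ensureAdminAndAuditAccess(RangerPolicy policy) {
    boolean isAdmin = bizUtil.isAdmin();
    boolean isKeyAdmin = bizUtil.isKeyAdmin();
    boolean isAuditAdmin = bizUtil.isAuditAdmin();
    boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();
    String userName = bizUtil.getCurrentUserLoginId();
    String serviceName = policy.getService();

    boolean hasAnyAdminRole = isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin;

    if (!hasAnyAdminRole) {
        // Only the delegated-admin engine can grant access to a non-admin user. If the
        // service has no engine, isAllowed stays false and the request is rejected.
        boolean isAllowed = false;
        RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
        if (policyEngine != null) {
            Set<String> userGroups = userMgr.getGroupsForUser(userName);
            isAllowed = hasAdminAccess(policy, userName, userGroups);
        }
        if (!isAllowed) {
            // NOTE(review): this is an authorization (not authentication) failure, so 403 would
            // describe it better than 401; the status is kept as-is for client compatibility.
            throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "User '" + userName + "' does not have delegated-admin privilege on given resources", true);
        }
        return;
    }

    XXService xService = daoManager.getXXService().findByName(serviceName);
    if (xService == null) {
        // Previously dereferenced unconditionally (NPE -> HTTP 500); reject explicitly instead.
        throw restErrorUtil.createRESTException("Service not found: '" + serviceName + "'", MessageEnums.DATA_NOT_FOUND);
    }
    XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
    if (xServiceDef == null) {
        throw restErrorUtil.createRESTException("Service-def not found for service: '" + serviceName + "'", MessageEnums.DATA_NOT_FOUND);
    }

    boolean isKmsServiceDef = EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname());

    // Admin / audit-admin take precedence over key-admin roles when a user holds both.
    if (isAdmin || isAuditAdmin) {
        if (isKmsServiceDef) {
            throw restErrorUtil.createRESTException("KMS Policies/Services/Service-Defs are not accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
        }
    } else if (isKeyAdmin || isAuditKeyAdmin) {
        if (!isKmsServiceDef) {
            throw restErrorUtil.createRESTException("Only KMS Policies/Services/Service-Defs are accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
        }
    }
}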
Also used : XXServiceDef(org.apache.ranger.entity.XXServiceDef) RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine) VXString(org.apache.ranger.view.VXString) XXService(org.apache.ranger.entity.XXService)

Example 7 with RangerPolicyEngine

use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.

the class ServiceREST method getExactMatchPolicyForResource.

/**
 * Finds the policy of {@code serviceName} whose resources exactly match {@code resources},
 * evaluated with {@code user} set as the current user in the evaluation context.
 *
 * @param serviceName service whose policy engine is consulted
 * @param resources   resource map to match exactly
 * @param user        user placed into the evaluation context
 * @return a copy of the first matching policy re-read from {@code svcStore}, or {@code null}
 *         when nothing matches. The store copy is returned rather than the engine's own
 *         instance because callers may mutate the result (grant/revoke).
 * @throws Exception propagated from the policy-engine build or the store lookup
 */
private RangerPolicy getExactMatchPolicyForResource(String serviceName, Map<String, RangerPolicyResource> resources, String user) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resources + ", " + user + ")");
    }

    RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);

    Map<String, Object> evalContext = new HashMap<>();
    RangerAccessRequestUtil.setCurrentUserInContext(evalContext, user);

    List<RangerPolicy> matches = null;
    if (policyEngine != null) {
        matches = policyEngine.getExactMatchPolicies(resources, evalContext);
    }

    RangerPolicy ret;
    if (CollectionUtils.isNotEmpty(matches)) {
        // Re-read from the store so the caller never mutates the engine's cached policy.
        ret = svcStore.getPolicy(matches.get(0).getId());
    } else {
        ret = null;
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.getExactMatchPolicyForResource(" + resources + ", " + user + "): " + ret);
    }

    return ret;
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) LinkedHashMap(java.util.LinkedHashMap) HashMap(java.util.HashMap) RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine) VXString(org.apache.ranger.view.VXString)

Example 8 with RangerPolicyEngine

use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.

the class ServiceREST method applyAdminAccessFilter.

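/**
 * Filters {@code policies} down to those the current user is allowed to administer.
 *
 * <p>Users holding admin or audit-admin see policies of non-KMS services; users holding
 * key-admin or audit-key-admin see policies of KMS services (KMS-ness is decided by
 * comparing the service's service-def id with the embedded KMS service-def id). Users with
 * none of those roles keep only the policies for which the service's delegated-admin policy
 * engine grants {@code RangerPolicyEngine.ADMIN_ACCESS}.
 *
 * <p>Fails closed: a service that cannot be resolved, or that has no delegated-admin engine,
 * contributes nothing to the result.
 *
 * @param policies candidate policies; {@code null} or empty yields an empty list
 * @return a new mutable list with the permitted policies, grouped by service (group
 *         iteration order follows {@code HashMap}, so the input order is not preserved)
 */
private List<RangerPolicy> applyAdminAccessFilter(List<RangerPolicy> policies) {
    List<RangerPolicy> ret = new ArrayList<>();

    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.applyAdminAccessFilter(policyCount=" + (policies == null ? 0 : policies.size()) + ")");
    }

    if (CollectionUtils.isNotEmpty(policies)) {
        boolean isAdmin = bizUtil.isAdmin();
        boolean isKeyAdmin = bizUtil.isKeyAdmin();
        boolean isAuditAdmin = bizUtil.isAuditAdmin();
        boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();
        String userName = bizUtil.getCurrentUserLoginId();

        boolean hasAnyAdminRole = isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin;
        // Admin / audit-admin take precedence when a user holds both kinds of role: they see
        // non-KMS services only; the remaining roles (key-admin, audit-key-admin) see KMS only.
        boolean wantsKmsOnly = !(isAdmin || isAuditAdmin);

        // Resolved lazily: only needed for the delegated-admin path.
        Set<String> userGroups = null;

        // Group the candidates by service so each service is resolved once.
        Map<String, List<RangerPolicy>> servicePoliciesMap = new HashMap<>();
        for (RangerPolicy policy : policies) {
            String serviceName = policy.getService();
            List<RangerPolicy> policyList = servicePoliciesMap.get(serviceName);
            if (policyList == null) {
                policyList = new ArrayList<>();
                servicePoliciesMap.put(serviceName, policyList);
            }
            policyList.add(policy);
        }

        for (Map.Entry<String, List<RangerPolicy>> entry : servicePoliciesMap.entrySet()) {
            String serviceName = entry.getKey();
            List<RangerPolicy> listToFilter = entry.getValue();
            if (CollectionUtils.isEmpty(listToFilter)) {
                continue;
            }

            if (hasAnyAdminRole) {
                XXService xService = daoManager.getXXService().findByName(serviceName);
                if (xService == null) {
                    // Previously an NPE; an unresolvable service now contributes nothing.
                    LOG.warn("ServiceREST.applyAdminAccessFilter(): service '" + serviceName + "' not found; its policies are excluded");
                    continue;
                }
                Long serviceDefId = xService.getType();
                boolean isKmsService = serviceDefId != null && serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId());
                if (isKmsService == wantsKmsOnly) {
                    ret.addAll(listToFilter);
                }
                continue;
            }

            RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
            if (policyEngine == null) {
                // No engine means nothing can be granted for this service.
                continue;
            }
            if (userGroups == null) {
                userGroups = daoManager.getXXGroupUser().findGroupNamesByUserName(userName);
            }
            for (RangerPolicy policy : listToFilter) {
                if (policyEngine.isAccessAllowed(policy, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS)) {
                    ret.add(policy);
                }
            }
        }
    }

    RangerPerfTracer.log(perf);

    return ret;
}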
Also used : RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) LinkedHashMap(java.util.LinkedHashMap) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine) VXString(org.apache.ranger.view.VXString) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPluginInfoList(org.apache.ranger.view.RangerPluginInfoList) RangerServiceList(org.apache.ranger.view.RangerServiceList) ArrayList(java.util.ArrayList) VXPolicyLabelList(org.apache.ranger.view.VXPolicyLabelList) List(java.util.List) RangerExportPolicyList(org.apache.ranger.view.RangerExportPolicyList) RangerPolicyList(org.apache.ranger.view.RangerPolicyList) RangerServiceDefList(org.apache.ranger.view.RangerServiceDefList) RangerAPIList(org.apache.ranger.security.context.RangerAPIList) PList(org.apache.ranger.plugin.store.PList) XXService(org.apache.ranger.entity.XXService) Map(java.util.Map) LinkedHashMap(java.util.LinkedHashMap) TreeMap(java.util.TreeMap) HashMap(java.util.HashMap)

Example 9 with RangerPolicyEngine

use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.

the class ServiceREST method getPolicyEngine.

/**
 * Builds a policy engine for {@code serviceName} from the store's current policies.
 *
 * <p>A new {@code RangerPolicyEngineImpl} is constructed on every call — nothing is cached
 * here — so the returned engine is never {@code null}; callers that null-check it are being
 * defensive. The {@code -1L} version argument presumably requests the policies regardless of
 * any previously seen version (verify against {@code svcStore}).
 *
 * @param serviceName service whose policies populate the engine
 * @return a freshly built engine configured with {@code defaultAdminOptions}
 * @throws Exception propagated from the store lookup or the engine constructor
 */
private RangerPolicyEngine getPolicyEngine(String serviceName) throws Exception {
    ServicePolicies servicePolicies = svcStore.getServicePoliciesIfUpdated(serviceName, -1L);
    return new RangerPolicyEngineImpl("ranger-admin", servicePolicies, defaultAdminOptions);
}
Also used : RangerPolicyEngineImpl(org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl) ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies) RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)

Example 10 with RangerPolicyEngine

use of org.apache.ranger.plugin.policyengine.RangerPolicyEngine in project ranger by apache.

the class ServiceREST method getExactMatchPolicyForResource.

/**
 * Finds the policy of {@code serviceName} whose resources exactly match {@code resource},
 * evaluated with {@code user} set as the current user in the evaluation context.
 *
 * @param serviceName service whose policy engine is consulted
 * @param resource    access resource to match exactly
 * @param user        user placed into the evaluation context
 * @return a copy of the first matching policy re-read from {@code svcStore}, or {@code null}
 *         when nothing matches. The store copy is returned rather than the engine's own
 *         instance because callers may mutate the result (grant/revoke).
 * @throws Exception propagated from the policy-engine build or the store lookup
 */
private RangerPolicy getExactMatchPolicyForResource(String serviceName, RangerAccessResource resource, String user) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resource + ", " + user + ")");
    }

    RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);

    Map<String, Object> evalContext = new HashMap<>();
    RangerAccessRequestUtil.setCurrentUserInContext(evalContext, user);

    List<RangerPolicy> matches = null;
    if (policyEngine != null) {
        matches = policyEngine.getExactMatchPolicies(resource, evalContext);
    }

    RangerPolicy ret;
    if (CollectionUtils.isNotEmpty(matches)) {
        // Re-read from the store so the caller never mutates the engine's cached policy.
        ret = svcStore.getPolicy(matches.get(0).getId());
    } else {
        ret = null;
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.getExactMatchPolicyForResource(" + resource + ", " + user + "): " + ret);
    }

    return ret;
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) LinkedHashMap(java.util.LinkedHashMap) HashMap(java.util.HashMap) RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine) VXString(org.apache.ranger.view.VXString)
