
Example 1 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

Class RangerPolicyEngineImpl, method isAccessAllowed.

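/*
 * This API is used by test-code.
 *
 * Asks every policy evaluator of policyRepository, in repository order, whether
 * {@code user} / {@code userGroups} may perform {@code accessType} on the given
 * resource map. The first evaluator that answers "allowed" decides the result
 * (first-match allow); when no evaluator allows the access the result is
 * {@code false}, i.e. the default is deny. Only policyRepository is consulted
 * here — no tag-policy evaluation happens in this method.
 *
 * @param resources  resource name -> RangerPolicyResource to check against
 * @param user       user name being authorized
 * @param userGroups groups of that user
 * @param accessType access type being requested
 * @return {@code true} if some evaluator allows the access, {@code false} otherwise
 */
@Override
public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
    }
    boolean ret = false;
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + "," + userGroups + ",accessType=" + accessType + ")");
    }
    try {
        for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
            ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType);
            if (ret) {
                // first-match allow: the remaining evaluators cannot change the answer
                break;
            }
        }
    } finally {
        // close the perf trace even when an evaluator throws; perf may be null, as in the original call
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
    }
    return ret;
}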

Example 2 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

Class RangerPolicyEngineImpl, method evaluatePoliciesNoAudit.

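/**
 * Evaluates the request against tag policies first and then, when resource
 * policies exist, against the resource policies of the given policy type,
 * without emitting any audit record.
 *
 * <p>Flow: the tag-policy verdict (allow / deny) is remembered, the
 * access-determined flag is reset, and the likely-matching resource policies
 * are evaluated in repository order. A tag deny is reinstated ahead of a
 * resource policy whose priority is not higher than the tag policy's; a tag
 * allow only ahead of a strictly lower-priority resource policy. If no
 * resource policy settles the access, the remembered tag verdict is applied.
 *
 * <p>Bug fixed here: {@code request.getAccessTime()} used to run before the
 * {@code request != null} guard, so a null request threw NPE instead of being
 * tolerated by the guard; the call is now inside the guarded block (its only
 * use is the {@code isApplicable(accessTime)} check).
 *
 * @param request    the access request; may be null, in which case only the
 *                   {@code createAccessResult} result is returned
 * @param policyType the policy type to evaluate (e.g. access / data-mask / row-filter)
 * @return the access result built by {@code createAccessResult}, possibly null
 *         (callers must cope with a null return — see the {@code ret != null} check)
 */
private RangerAccessResult evaluatePoliciesNoAudit(RangerAccessRequest request, int policyType) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + ")");
    }
    RangerAccessResult ret = createAccessResult(request, policyType);
    if (ret != null && request != null) {
        // access time is only needed for isApplicable() below; read it after the null guard
        Date accessTime = request.getAccessTime();
        evaluateTagPolicies(request, policyType, ret);
        if (LOG.isDebugEnabled()) {
            if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {
                if (!ret.getIsAllowed()) {
                    LOG.debug("RangerPolicyEngineImpl.evaluatePoliciesNoAudit() - audit determined and access denied by a tag policy. Higher priority resource policies will be evaluated to check for allow, request=" + request + ", result=" + ret);
                } else {
                    LOG.debug("RangerPolicyEngineImpl.evaluatePoliciesNoAudit() - audit determined and access allowed by a tag policy. Same or higher priority resource policies will be evaluated to check for deny, request=" + request + ", result=" + ret);
                }
            }
        }
        // remember the tag verdict before the access-determined flag is reset below
        boolean isAllowedByTags = ret.getIsAccessDetermined() && ret.getIsAllowed();
        boolean isDeniedByTags = ret.getIsAccessDetermined() && !ret.getIsAllowed();
        boolean evaluateResourcePolicies = hasResourcePolicies();
        if (evaluateResourcePolicies) {
            boolean findAuditByResource = !ret.getIsAuditedDetermined();
            boolean foundInCache = findAuditByResource && policyRepository.setAuditEnabledFromCache(request, ret);
            // discard result by tag-policies, to evaluate resource policies for possible override
            ret.setIsAccessDetermined(false);
            List<RangerPolicyEvaluator> evaluators = policyRepository.getLikelyMatchPolicyEvaluators(request.getResource(), policyType);
            for (RangerPolicyEvaluator evaluator : evaluators) {
                if (!evaluator.isApplicable(accessTime)) {
                    continue;
                }
                // ret.getPolicyPriority() presumably still holds the tag policy's priority here — TODO confirm.
                // A tag deny stands against resource policies of equal or lower priority (>=);
                // a tag allow only against strictly lower-priority ones (>).
                if (isDeniedByTags) {
                    if (ret.getPolicyPriority() >= evaluator.getPolicyPriority()) {
                        ret.setIsAccessDetermined(true);
                    }
                } else if (isAllowedByTags) {
                    if (ret.getPolicyPriority() > evaluator.getPolicyPriority()) {
                        ret.setIsAccessDetermined(true);
                    }
                }
                ret.incrementEvaluatedPoliciesCount();
                evaluator.evaluate(request, ret);
                if (ret.getIsAllowed()) {
                    if (!evaluator.hasDeny()) {
                        // No more deny policies left
                        ret.setIsAccessDetermined(true);
                    }
                }
                if (ret.getIsAuditedDetermined() && ret.getIsAccessDetermined()) {
                    // Break out of policy-evaluation loop
                    break;
                }
            }
            // no resource policy settled the access: fall back to the tag verdict
            if (!ret.getIsAccessDetermined()) {
                if (isDeniedByTags) {
                    ret.setIsAllowed(false);
                } else if (isAllowedByTags) {
                    ret.setIsAllowed(true);
                }
            }
            if (ret.getIsAllowed()) {
                ret.setIsAccessDetermined(true);
            }
            // the audit flag was resolved by resource policies; cache it for later requests
            if (findAuditByResource && !foundInCache) {
                policyRepository.storeAuditEnabledInCache(request, ret);
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + "): " + ret);
    }
    return ret;
}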

Example 3 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

Class RangerPolicyEngineImpl, method getResourceAccessInfo.

/*
 * This API is used by ranger-admin.
 *
 * Collects into a RangerResourceAccessInfo the users and groups that the
 * matching policies allow or deny for the requested resource. Tag policies are
 * consulted first (only when a tag repository exists and the request context
 * carries tags), then the resource policies of policyRepository. Finally every
 * user / group present in a denied set is removed from the corresponding
 * allowed set, so a deny always wins over an allow in the returned info.
 */
@Override
public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.getResourceAccessInfo(" + request + ")");
    }
    RangerResourceAccessInfo accessInfo = new RangerResourceAccessInfo(request);
    // --- tag policies ---
    List<RangerPolicyEvaluator> tagEvaluators = null;
    if (tagPolicyRepository != null) {
        tagEvaluators = tagPolicyRepository.getPolicyEvaluators();
    }
    if (CollectionUtils.isNotEmpty(tagEvaluators)) {
        Set<RangerTagForEval> requestTags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
        if (CollectionUtils.isNotEmpty(requestTags)) {
            for (RangerTagForEval tag : requestTags) {
                // each tag is evaluated as its own request against the tag service-def
                RangerAccessRequest tagRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
                List<RangerPolicyEvaluator> matchingTagEvaluators = tagPolicyRepository.getLikelyMatchPolicyEvaluators(tagRequest.getResource(), RangerPolicy.POLICY_TYPE_ACCESS);
                for (RangerPolicyEvaluator tagEvaluator : matchingTagEvaluators) {
                    tagEvaluator.getResourceAccessInfo(tagRequest, accessInfo);
                }
            }
        }
    }
    // --- resource policies ---
    List<RangerPolicyEvaluator> resourceEvaluators = policyRepository.getLikelyMatchPolicyEvaluators(request.getResource(), RangerPolicy.POLICY_TYPE_ACCESS);
    if (CollectionUtils.isNotEmpty(resourceEvaluators)) {
        for (RangerPolicyEvaluator resourceEvaluator : resourceEvaluators) {
            resourceEvaluator.getResourceAccessInfo(request, accessInfo);
        }
    }
    // deny wins: drop denied principals from the allowed sets
    accessInfo.getAllowedUsers().removeAll(accessInfo.getDeniedUsers());
    accessInfo.getAllowedGroups().removeAll(accessInfo.getDeniedGroups());
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.getResourceAccessInfo(" + request + "): " + accessInfo);
    }
    return accessInfo;
}

Example 4 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

Class RangerPolicyRepository, method buildPolicyEvaluator.

/**
 * Builds and initialises the evaluator for one policy.
 *
 * <p>The policy is passed through {@code scrubPolicy} before the evaluator is
 * created, so the evaluator is initialised with the scrubbed policy. The
 * evaluator implementation is chosen from {@code options.evaluatorType}: the
 * cached evaluator when it equals (case-insensitively)
 * {@code RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED}, the optimized evaluator
 * otherwise.
 *
 * @param policy     the policy to build an evaluator for (scrubbed in place)
 * @param serviceDef service definition the policy belongs to
 * @param options    engine options; {@code evaluatorType} selects the implementation
 * @return the initialised evaluator
 */
private RangerPolicyEvaluator buildPolicyEvaluator(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyRepository.buildPolicyEvaluator(" + policy + "," + serviceDef + ", " + options + ")");
    }
    scrubPolicy(policy);
    boolean useCachedEvaluator = StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED);
    RangerPolicyEvaluator evaluator;
    if (useCachedEvaluator) {
        evaluator = new RangerCachedPolicyEvaluator();
    } else {
        evaluator = new RangerOptimizedPolicyEvaluator();
    }
    evaluator.init(policy, serviceDef, options);
    if (LOG.isDebugEnabled()) {
        // note: unlike the entry log, the exit log does not include options
        LOG.debug("<== RangerPolicyRepository.buildPolicyEvaluator(" + policy + "," + serviceDef + "): " + evaluator);
    }
    return evaluator;
}

Example 5 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

Class RangerPolicyEngineImpl, method isAccessAllowed (policy overload).

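/*
 * This API is used by ranger-admin.
 *
 * Asks every policy evaluator of policyRepository, in repository order, whether
 * {@code user} / {@code userGroups} may perform {@code accessType} under the given
 * policy. The first evaluator that answers "allowed" decides the result
 * (first-match allow); when no evaluator allows the access the result is
 * {@code false}, i.e. the default is deny. Only policyRepository is consulted.
 *
 * Fixes applied: the debug logs no longer dereference {@code policy}
 * unconditionally (previously a null policy threw NPE only when debug logging
 * was enabled, making behaviour depend on the log level), and the perf trace
 * is now closed in a finally block so it is not lost if an evaluator throws.
 *
 * @param policy     policy to check the access against; its id is logged only
 * @param user       user name being authorized
 * @param userGroups groups of that user
 * @param accessType access type being requested
 * @return {@code true} if some evaluator allows the access, {@code false} otherwise
 */
@Override
public boolean isAccessAllowed(RangerPolicy policy, String user, Set<String> userGroups, String accessType) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + (policy == null ? null : policy.getId()) + ", " + user + ", " + userGroups + ", " + accessType + ")");
    }
    boolean ret = false;
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + "," + userGroups + ",accessType=" + accessType + ")");
    }
    try {
        for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
            ret = evaluator.isAccessAllowed(policy, user, userGroups, accessType);
            if (ret) {
                // first-match allow: the remaining evaluators cannot change the answer
                break;
            }
        }
    } finally {
        // close the perf trace even when an evaluator throws; perf may be null, as in the original call
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + (policy == null ? null : policy.getId()) + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
    }
    return ret;
}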
