
Example 6 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

the class RangerPolicyEngineImpl method reorderPolicyEvaluators.

/**
 * Re-sorts the policy evaluators held by the tag-policy and resource-policy repositories.
 *
 * Before either repository reorders, the usage count of every evaluator in
 * {@code policyEvaluatorsMap} is frozen via {@code setUsageCountImmutable()}, and after both
 * have finished every count is reset via {@code resetUsageCount()}. Presumably the reorder
 * sorts by usage and must see a stable snapshot while it runs — confirm against the
 * evaluator implementation. A perf trace is emitted when PERF_POLICYENGINE_REBALANCE_LOG
 * is enabled. Either repository may be absent; a missing one is simply skipped.
 */
@Override
public void reorderPolicyEvaluators() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> reorderEvaluators()");
    }

    RangerPerfTracer perfTracer = RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REBALANCE_LOG)
            ? RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REBALANCE_LOG, "RangerPolicyEngine.reorderEvaluators()")
            : null;

    // Freeze usage counts so the repositories reorder against values that cannot move underneath them.
    if (MapUtils.isNotEmpty(policyEvaluatorsMap)) {
        for (RangerPolicyEvaluator evaluator : policyEvaluatorsMap.values()) {
            evaluator.setUsageCountImmutable();
        }
    }

    if (tagPolicyRepository != null) {
        tagPolicyRepository.reorderPolicyEvaluators();
    }
    if (policyRepository != null) {
        policyRepository.reorderPolicyEvaluators();
    }

    // The map is re-checked rather than reusing the earlier result: the repositories ran in between.
    if (MapUtils.isNotEmpty(policyEvaluatorsMap)) {
        for (RangerPolicyEvaluator evaluator : policyEvaluatorsMap.values()) {
            evaluator.resetUsageCount();
        }
    }

    RangerPerfTracer.log(perfTracer);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== reorderEvaluators()");
    }
}
Also used : RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) HashMap(java.util.HashMap) Map(java.util.Map)

Example 7 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

the class RangerPolicyEngineImpl method evaluateTagPolicies.

/**
 * Evaluates the tag-based policies that likely apply to {@code request} and folds their
 * outcome into {@code result}.
 *
 * Tags are read from the request context (attached earlier, presumably by the context
 * enrichers — confirm). For each matching (evaluator, tag) pair a RangerTagAccessRequest is
 * built around the original request, a fresh result is seeded from the current
 * {@code result}, the evaluator runs, and the tag result is merged back:
 * audit outcome is copied whenever the tag result is audited; the access outcome is copied
 * when the tag result is determined, or when it allows and {@code result} did not yet.
 * The loop stops as soon as both audit and access are determined. Finally an allow that
 * survived every tag policy is promoted to a determined decision.
 *
 * @param request    original access request; its context supplies the tags
 * @param policyType policy type to evaluate (access, data-mask or row-filter)
 * @param result     result to update in place; its evaluated-policies counter is incremented per tag policy
 */
private void evaluateTagPolicies(final RangerAccessRequest request, int policyType, RangerAccessResult result) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", " + result + ")");
    }
    Date accessTime = request.getAccessTime();
    Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
    // No tag repository means no tag policies; the null list is handled by the isNotEmpty check below.
    List<PolicyEvaluatorForTag> policyEvaluators = tagPolicyRepository == null ? null : tagPolicyRepository.getLikelyMatchPolicyEvaluators(tags, policyType, accessTime);
    if (CollectionUtils.isNotEmpty(policyEvaluators)) {
        for (PolicyEvaluatorForTag policyEvaluator : policyEvaluators) {
            RangerPolicyEvaluator evaluator = policyEvaluator.getEvaluator();
            RangerTagForEval tag = policyEvaluator.getTag();
            RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
            RangerAccessResult tagEvalResult = createAccessResult(tagEvalRequest, policyType);
            if (LOG.isDebugEnabled()) {
                LOG.debug("RangerPolicyEngineImpl.evaluateTagPolicies: Evaluating policies for tag (" + tag.getType() + ")");
            }
            // Start the per-tag result from what has been decided so far, so the evaluator sees prior state.
            tagEvalResult.setAccessResultFrom(result);
            tagEvalResult.setAuditResultFrom(result);
            result.incrementEvaluatedPoliciesCount();
            evaluator.evaluate(tagEvalRequest, tagEvalResult);
            if (tagEvalResult.getIsAllowed()) {
                if (!evaluator.hasDeny()) {
                    // No Deny policies left now
                    // An allow only becomes final once this evaluator has no deny to weigh against it;
                    // otherwise the allow stays tentative and later evaluators may still override it.
                    tagEvalResult.setIsAccessDetermined(true);
                }
            }
            if (tagEvalResult.getIsAudited()) {
                result.setAuditResultFrom(tagEvalResult);
            }
            // Merge the access decision: a determined tag result wins outright; an undetermined
            // allow only upgrades a result that has not been allowed yet.
            if (!result.getIsAccessDetermined()) {
                if (tagEvalResult.getIsAccessDetermined()) {
                    result.setAccessResultFrom(tagEvalResult);
                } else {
                    if (!result.getIsAllowed() && tagEvalResult.getIsAllowed()) {
                        result.setAccessResultFrom(tagEvalResult);
                    }
                }
            }
            if (result.getIsAuditedDetermined() && result.getIsAccessDetermined()) {
                // Break out of policy-evaluation loop
                break;
            }
        }
    }
    // An allow that no tag policy overturned is treated as the final decision.
    if (result.getIsAllowed()) {
        result.setIsAccessDetermined(true);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", " + result + ")");
    }
}
Also used : RangerTagForEval(org.apache.ranger.plugin.contextenricher.RangerTagForEval) RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator) Date(java.util.Date)

Example 8 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

the class RangerPolicyEngineImpl method getAllowedPolicies.

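/**
 * Returns the resource policies that grant {@code accessType} to {@code user}.
 *
 * This API is used only by test-code. Tag policies are not consulted (see the TODO
 * below); each resource-policy evaluator's policy is checked with
 * {@code isAccessAllowed(resources, user, userGroups, accessType)}.
 *
 * @param user       user name being checked
 * @param userGroups groups the user belongs to
 * @param accessType access type being requested
 * @return a new mutable list of matching policies; empty when there is no resource-policy repository
 */
@Override
public List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String accessType) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.getAllowedPolicies(" + user + ", " + userGroups + ", " + accessType + ")");
    }
    List<RangerPolicy> ret = new ArrayList<>();
    // TODO: run through evaluator in tagPolicyRepository as well
    // Guard mirrors reorderPolicyEvaluators(): the resource-policy repository may be absent,
    // in which case there is nothing to list rather than a NullPointerException.
    if (policyRepository != null) {
        for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
            RangerPolicy policy = evaluator.getPolicy();
            if (isAccessAllowed(policy.getResources(), user, userGroups, accessType)) {
                ret.add(policy);
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.getAllowedPolicies(" + user + ", " + userGroups + ", " + accessType + "): policyCount=" + ret.size());
    }
    return ret;
}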
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator) ArrayList(java.util.ArrayList)

Example 9 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

the class RangerPolicyEngineImpl method getMatchingPolicies.

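/**
 * Returns every policy whose resource matcher matches {@code resource} under
 * {@code MatchScope.ANY}: first the tag policies reachable through the tags attached to
 * the request context, then the resource policies.
 *
 * This API is used by ranger-admin. It is a listing helper, not an authorization decision:
 * the request is built with {@code RangerPolicyEngine.ANY_ACCESS} and no user or groups,
 * and policy items are never evaluated — only resource matching is performed.
 *
 * @param resource resource to match policies against
 * @return a new mutable list of matching policies, tag-policy matches first; never null
 */
@Override
public List<RangerPolicy> getMatchingPolicies(RangerAccessResource resource) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.getMatchingPolicies(" + resource + ")");
    }
    List<RangerPolicy> ret = new ArrayList<>();
    RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, RangerPolicyEngine.ANY_ACCESS, null, null);
    // preProcess presumably runs the context enrichers that attach the tags read below — confirm.
    preProcess(request);
    if (hasTagPolicies()) {
        Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
        if (CollectionUtils.isNotEmpty(tags)) {
            for (RangerTagForEval tag : tags) {
                // Each tag is matched as its own resource against the tag-policy repository.
                RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
                RangerAccessResource tagResource = tagEvalRequest.getResource();
                addMatchingPolicies(tagPolicyRepository.getLikelyMatchPolicyEvaluators(tagResource), tagResource, ret);
            }
        }
    }
    if (hasResourcePolicies()) {
        addMatchingPolicies(policyRepository.getLikelyMatchPolicyEvaluators(resource), resource, ret);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.getMatchingPolicies(" + resource + ") : " + ret.size());
    }
    return ret;
}

/**
 * Appends to {@code ret} the policy of every evaluator in {@code evaluators} whose resource
 * matcher matches {@code resource} under {@code MatchScope.ANY}. Evaluators without a matcher
 * are skipped; a null or empty evaluator list adds nothing.
 */
private static void addMatchingPolicies(List<RangerPolicyEvaluator> evaluators, RangerAccessResource resource, List<RangerPolicy> ret) {
    if (CollectionUtils.isEmpty(evaluators)) {
        return;
    }
    for (RangerPolicyEvaluator evaluator : evaluators) {
        RangerPolicyResourceMatcher matcher = evaluator.getPolicyResourceMatcher();
        if (matcher != null && matcher.isMatch(resource, RangerPolicyResourceMatcher.MatchScope.ANY, null)) {
            ret.add(evaluator.getPolicy());
        }
    }
}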
Also used : RangerPolicyResourceMatcher(org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerTagForEval(org.apache.ranger.plugin.contextenricher.RangerTagForEval) RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator) ArrayList(java.util.ArrayList)

Example 10 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

the class RangerPolicyRepository method init.

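/**
 * Builds the policy evaluators and context enrichers for this repository's policies.
 *
 * Every policy in {@code policies} not rejected by {@code skipBuildingPolicyEvaluator(...)}
 * gets an evaluator, bucketed by policy type into the access list (a null type counts as
 * access), the data-mask list and the row-filter list. Each list is sorted with
 * {@code PolicyEvalOrderComparator} and published as an unmodifiable list. A policy of any
 * other type is dropped with a warning, which means it is never enforced.
 *
 * Context enrichers are built only when at least one evaluator exists. Unless
 * {@code options.disableContextEnrichers} is set, one enricher is built per enricher
 * definition of the service def; when {@code options.enableTagEnricherWithLocalRefresher}
 * is set the tag enricher is replaced by RangerAdminTagEnricher (the in-process
 * ranger-admin case) even if enrichers are otherwise disabled.
 *
 * @param options engine options; its service-def helper is set here as a side effect
 */
private void init(RangerPolicyEngineOptions options) {
    RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef, false);
    options.setServiceDefHelper(serviceDefHelper);

    List<RangerPolicyEvaluator> accessEvaluators = new ArrayList<>();
    List<RangerPolicyEvaluator> dataMaskEvaluators = new ArrayList<>();
    List<RangerPolicyEvaluator> rowFilterEvaluators = new ArrayList<>();

    for (RangerPolicy policy : policies) {
        if (skipBuildingPolicyEvaluator(policy, options)) {
            continue;
        }
        RangerPolicyEvaluator evaluator = buildPolicyEvaluator(policy, serviceDef, options);
        if (evaluator == null) {
            continue;
        }
        Integer policyType = policy.getPolicyType();
        if (policyType == null || policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
            accessEvaluators.add(evaluator);
        } else if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
            dataMaskEvaluators.add(evaluator);
        } else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
            rowFilterEvaluators.add(evaluator);
        } else {
            // An unknown type is not enforced anywhere; make the drop visible in the logs.
            LOG.warn("RangerPolicyEngine: ignoring policy id=" + policy.getId() + " - invalid policyType '" + policyType + "'");
        }
    }

    RangerPolicyEvaluator.PolicyEvalOrderComparator comparator = new RangerPolicyEvaluator.PolicyEvalOrderComparator();
    Collections.sort(accessEvaluators, comparator);
    Collections.sort(dataMaskEvaluators, comparator);
    Collections.sort(rowFilterEvaluators, comparator);
    this.policyEvaluators = Collections.unmodifiableList(accessEvaluators);
    this.dataMaskPolicyEvaluators = Collections.unmodifiableList(dataMaskEvaluators);
    this.rowFilterPolicyEvaluators = Collections.unmodifiableList(rowFilterEvaluators);

    // Must run after the evaluator lists are published: it checks them to decide whether enrichers are needed.
    this.contextEnrichers = Collections.unmodifiableList(buildContextEnrichers(options));

    if (LOG.isDebugEnabled()) {
        logEvaluationOrder("", this.policyEvaluators);
        logEvaluationOrder("dataMask ", this.dataMaskPolicyEvaluators);
        logEvaluationOrder("rowFilter ", this.rowFilterPolicyEvaluators);
    }
}

/**
 * Builds the enabled context enrichers from the service def.
 *
 * @return a new mutable list; empty when this repository holds no evaluators at all,
 *         when the service def declares no enrichers, or when enrichers are disabled
 *         and no admin tag enricher substitution applies
 */
private List<RangerContextEnricher> buildContextEnrichers(RangerPolicyEngineOptions options) {
    List<RangerContextEnricher> ret = new ArrayList<>();
    boolean hasEvaluators = CollectionUtils.isNotEmpty(this.policyEvaluators)
            || CollectionUtils.isNotEmpty(this.dataMaskPolicyEvaluators)
            || CollectionUtils.isNotEmpty(this.rowFilterPolicyEvaluators);
    if (!hasEvaluators || CollectionUtils.isEmpty(serviceDef.getContextEnrichers())) {
        return ret;
    }
    for (RangerServiceDef.RangerContextEnricherDef enricherDef : serviceDef.getContextEnrichers()) {
        if (enricherDef == null) {
            continue;
        }
        // True only when the engine is initialized within ranger-admin: the tag enricher is then
        // replaced by the in-process admin variant, and this substitution is built even when
        // enrichers are otherwise disabled.
        boolean useAdminTagEnricher = options.enableTagEnricherWithLocalRefresher
                && StringUtils.equals(enricherDef.getEnricher(), RangerTagEnricher.class.getName());
        if (options.disableContextEnrichers && !useAdminTagEnricher) {
            continue;
        }
        RangerServiceDef.RangerContextEnricherDef contextEnricherDef = useAdminTagEnricher
                ? new RangerServiceDef.RangerContextEnricherDef(enricherDef.getItemId(), enricherDef.getName(), "org.apache.ranger.common.RangerAdminTagEnricher", null)
                : enricherDef;
        RangerContextEnricher contextEnricher = buildContextEnricher(contextEnricherDef);
        if (contextEnricher != null) {
            ret.add(contextEnricher);
        }
    }
    return ret;
}

/**
 * Logs the evaluation order of one evaluator list at debug level.
 *
 * @param kind       message prefix: "" for access policies, "dataMask " or "rowFilter " for the others
 * @param evaluators evaluators in evaluation order; must not be null
 */
private void logEvaluationOrder(String kind, List<RangerPolicyEvaluator> evaluators) {
    LOG.debug(kind + "policy evaluation order: " + evaluators.size() + " policies");
    int order = 0;
    for (RangerPolicyEvaluator policyEvaluator : evaluators) {
        RangerPolicy policy = policyEvaluator.getPolicy();
        LOG.debug(kind + "policy evaluation order: #" + (++order) + " - policy id=" + policy.getId() + "; name=" + policy.getName() + "; evalOrder=" + policyEvaluator.getEvalOrder());
    }
}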
Also used : ArrayList(java.util.ArrayList) RangerContextEnricher(org.apache.ranger.plugin.contextenricher.RangerContextEnricher) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerServiceDefHelper(org.apache.ranger.plugin.model.validation.RangerServiceDefHelper) RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator) RangerTagEnricher(org.apache.ranger.plugin.contextenricher.RangerTagEnricher) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef)
