
Example 11 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

From class RangerPolicyRepository, method toString.

/**
 * Appends a single-line description of this repository to {@code sb}: the
 * service name, service definition, app id, and every non-null entry of the
 * policy-evaluator, data-mask, row-filter and context-enricher lists.
 *
 * @param sb builder to append to
 * @return the same {@code sb}, for chaining
 */
private StringBuilder toString(StringBuilder sb) {
    sb.append("RangerPolicyRepository={");
    sb.append("serviceName={").append(serviceName).append("} ");
    sb.append("serviceDef={").append(serviceDef).append("} ");
    sb.append("appId={").append(appId).append("} ");

    appendNonNullItems(sb, "policyEvaluators", policyEvaluators);
    appendNonNullItems(sb, "dataMaskPolicyEvaluators", dataMaskPolicyEvaluators);
    appendNonNullItems(sb, "rowFilterPolicyEvaluators", rowFilterPolicyEvaluators);
    appendNonNullItems(sb, "contextEnrichers", contextEnrichers);

    sb.append("} ");
    return sb;
}

/**
 * Appends {@code label={item item ...} } to {@code sb}, skipping null items.
 * A null {@code items} collection produces an empty group.
 *
 * @param sb    builder to append to
 * @param label group name written before the braces
 * @param items items to render via their {@code toString()}; may be null
 */
private static void appendNonNullItems(StringBuilder sb, String label, Iterable<?> items) {
    sb.append(label).append("={");
    if (items != null) {
        for (Object item : items) {
            if (item != null) {
                sb.append(item).append(" ");
            }
        }
    }
    sb.append("} ");
}
Also used : RangerContextEnricher(org.apache.ranger.plugin.contextenricher.RangerContextEnricher) RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator)

Example 12 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

From class RangerPolicyRepository, method getLikelyMatchPolicyEvaluators.

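/**
 * Collects the policy evaluators that may apply to any of the given tags at
 * {@code accessTime}, pairing each evaluator with the tag it was found for.
 *
 * Tags and evaluators that report themselves not applicable at
 * {@code accessTime} are skipped, so they never take part in the decision.
 * The result is ordered by {@code EVAL_ORDER_COMPARATOR} for access policies
 * and by {@code NAME_COMPARATOR} for data-mask and row-filter policies; an
 * unknown policy type is logged and left unsorted.
 *
 * @param tags       tags attached to the accessed resource; may be null or empty
 * @param policyType one of {@code RangerPolicy.POLICY_TYPE_*}
 * @param accessTime time the access is evaluated at
 * @return matching (evaluator, tag) pairs; an immutable empty list when there
 *         are no tags or no service definition
 */
List<PolicyEvaluatorForTag> getLikelyMatchPolicyEvaluators(Set<RangerTagForEval> tags, int policyType, Date accessTime) {
    // typed empty list instead of the raw Collections.EMPTY_LIST (unchecked assignment)
    List<PolicyEvaluatorForTag> ret = Collections.emptyList();
    if (CollectionUtils.isNotEmpty(tags) && getServiceDef() != null) {
        ret = new ArrayList<>();
        for (RangerTagForEval tag : tags) {
            if (tag == null) {
                continue;
            }
            if (!tag.isApplicable(accessTime)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Tag:[" + tag.getType() + "] is not applicable at accessTime:[" + accessTime + "]");
                }
                continue;
            }
            // the tag is looked up as a resource of its own type in the tag-policy tries
            RangerAccessResource resource = new RangerTagResource(tag.getType(), getServiceDef());
            List<RangerPolicyEvaluator> evaluators = getLikelyMatchPolicyEvaluators(resource, policyType);
            if (CollectionUtils.isNotEmpty(evaluators)) {
                for (RangerPolicyEvaluator evaluator : evaluators) {
                    if (evaluator.isApplicable(accessTime)) {
                        ret.add(new PolicyEvaluatorForTag(evaluator, tag));
                    }
                }
            }
        }
        if (!ret.isEmpty()) {
            switch (policyType) {
                case RangerPolicy.POLICY_TYPE_ACCESS:
                    Collections.sort(ret, PolicyEvaluatorForTag.EVAL_ORDER_COMPARATOR);
                    break;
                case RangerPolicy.POLICY_TYPE_DATAMASK:
                case RangerPolicy.POLICY_TYPE_ROWFILTER:
                    Collections.sort(ret, PolicyEvaluatorForTag.NAME_COMPARATOR);
                    break;
                default:
                    LOG.warn("Unknown policy-type:[" + policyType + "]. Ignoring..");
                    break;
            }
        }
    }
    return ret;
}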
Also used : RangerTagForEval(org.apache.ranger.plugin.contextenricher.RangerTagForEval) RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator)

Example 13 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

From class RangerPolicyRepository, method getLikelyMatchPolicyEvaluators (trie-based overload).

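/**
 * Returns the evaluators whose policies may match {@code resource}, computed
 * as the intersection, over every resource level the resource has a key for,
 * of the evaluators the level's trie returns for that level's value.
 *
 * Levels with no trie are ignored. A level whose trie returns no evaluators
 * short-circuits to an empty result, because no policy can match all levels.
 *
 * @param resourceTrie per-resource-level tries; may be null
 * @param resource     resource to look up; may be null
 * @return candidate evaluators, never null; when only one level contributed,
 *         this is the trie's own list, so callers must not modify it
 */
private List<RangerPolicyEvaluator> getLikelyMatchPolicyEvaluators(Map<String, RangerResourceTrie> resourceTrie, RangerAccessResource resource) {
    List<RangerPolicyEvaluator> ret = null;
    Set<String> resourceKeys = resource == null ? null : resource.getKeys();
    if (resourceTrie != null && CollectionUtils.isNotEmpty(resourceKeys)) {
        // all per-level lists, only materialised once a second level contributes
        List<List<RangerPolicyEvaluator>> resourceEvaluatorsList = null;
        // the shortest per-level list; starting the intersection from it keeps retainAll cheap
        List<RangerPolicyEvaluator> smallestList = null;
        for (String resourceName : resourceKeys) {
            RangerResourceTrie trie = resourceTrie.get(resourceName);
            if (trie == null) {
                // no trie for this resource level: ignore and continue with the next level
                continue;
            }
            List<RangerPolicyEvaluator> resourceEvaluators = trie.getEvaluatorsForResource(resource.getValue(resourceName));
            if (CollectionUtils.isEmpty(resourceEvaluators)) {
                // no policy covers this level, so the intersection is empty: bail out
                resourceEvaluatorsList = null;
                smallestList = null;
                break;
            }
            if (smallestList == null) {
                smallestList = resourceEvaluators;
            } else {
                if (resourceEvaluatorsList == null) {
                    resourceEvaluatorsList = new ArrayList<>();
                    resourceEvaluatorsList.add(smallestList);
                }
                resourceEvaluatorsList.add(resourceEvaluators);
                if (smallestList.size() > resourceEvaluators.size()) {
                    smallestList = resourceEvaluators;
                }
            }
        }
        if (resourceEvaluatorsList != null) {
            // copy so the trie's internal list is never mutated by retainAll
            ret = new ArrayList<>(smallestList);
            for (List<RangerPolicyEvaluator> resourceEvaluators : resourceEvaluatorsList) {
                if (resourceEvaluators != smallestList) {
                    // drop evaluators absent from this level; O(|ret| * |resourceEvaluators|) per level
                    ret.retainAll(resourceEvaluators);
                    if (ret.isEmpty()) {
                        // nothing survives the intersection: return an empty list
                        ret = null;
                        break;
                    }
                }
            }
        } else {
            ret = smallestList;
        }
    }
    if (ret == null) {
        ret = Collections.emptyList();
    }
    if (LOG.isDebugEnabled()) {
        // resource may be null here (it is only dereferenced inside the guarded block above)
        String resourceStr = resource == null ? null : resource.getAsString();
        LOG.debug("<== RangerPolicyRepository.getLikelyMatchPolicyEvaluators(" + resourceStr + "): evaluatorCount=" + ret.size());
    }
    return ret;
}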
Also used : RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator) RangerResourceTrie(org.apache.ranger.plugin.util.RangerResourceTrie) ArrayList(java.util.ArrayList) List(java.util.List)

Example 14 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

From class RangerPolicyEngineImpl, method isAccessAllowed.

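/**
 * Decides whether {@code user} (member of {@code userGroups}) may perform
 * {@code accessType} on {@code resource}. This API is used by ranger-admin.
 *
 * Only access-type ({@code POLICY_TYPE_ACCESS}) evaluators that are likely to
 * match the resource are consulted; the first evaluator that allows the
 * access decides, and if none does the result is {@code false}, so an access
 * with no matching policy is denied.
 *
 * @param resource   resource being accessed; may be null
 * @param user       requesting user
 * @param userGroups groups of the requesting user
 * @param accessType access type requested
 * @return {@code true} if at least one applicable policy allows the access
 */
@Override
public boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType) {
    if (LOG.isDebugEnabled()) {
        // caller-supplied values are logged verbatim; this stays at debug level
        LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + ")");
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
        // guard getAsString(): a null resource must not fail inside tracing; also separate the fields
        String resourceStr = resource == null ? null : resource.getAsString();
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + ",accessType=" + accessType + ",resource=" + resourceStr + ")");
    }
    boolean ret = false;
    for (RangerPolicyEvaluator evaluator : policyRepository.getLikelyMatchPolicyEvaluators(resource, RangerPolicy.POLICY_TYPE_ACCESS)) {
        ret = evaluator.isAccessAllowed(resource, user, userGroups, accessType);
        if (ret) {
            // first allow wins; remaining evaluators are not consulted
            break;
        }
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
    }
    return ret;
}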
Also used : RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)

Example 15 with RangerPolicyEvaluator

use of org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator in project ranger by apache.

From class RangerPolicyEngineImpl, method updatePolicyUsageCounts.

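/**
 * Bumps usage counters for the policies that determined {@code accessResult}
 * and, when usage tracing is enabled, emits a perf-trace line for the request.
 *
 * If the deciding access policy has audit enabled it is counted once for both
 * roles and also recorded as the audit policy on the result; otherwise the
 * separately determined audit policy (if any) is counted on its own.
 *
 * @param accessRequest request that was evaluated
 * @param accessResult  result of the evaluation; its audit policy id may be updated
 */
private void updatePolicyUsageCounts(RangerAccessRequest accessRequest, RangerAccessResult accessResult) {
    boolean auditCountUpdated = false;
    if (accessResult.getIsAccessDetermined()) {
        RangerPolicyEvaluator accessPolicy = getPolicyEvaluator(accessResult.getPolicyId());
        if (accessPolicy != null) {
            if (accessPolicy.getPolicy().getIsAuditEnabled()) {
                // 2 presumably counts the access and the audit role together — confirm against updateUsageCount
                updateUsageCount(accessPolicy, 2);
                accessResult.setAuditPolicyId(accessResult.getPolicyId());
                auditCountUpdated = true;
            } else {
                updateUsageCount(accessPolicy, 1);
            }
        }
    }
    if (!auditCountUpdated && accessResult.getIsAuditedDetermined()) {
        long auditPolicyId = accessResult.getAuditPolicyId();
        // -1 means no audit policy; updateUsageCount is called with null in that case, as before
        RangerPolicyEvaluator auditPolicy = auditPolicyId == -1 ? null : getPolicyEvaluator(auditPolicyId);
        updateUsageCount(auditPolicy, 1);
    }
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_USAGE_LOG)) {
        // the unchecked cast used to throw ClassCastException for other request implementations;
        // tracing is diagnostic only, so skip it rather than fail the request
        if (accessRequest instanceof RangerAccessRequestImpl) {
            RangerAccessRequestImpl rangerAccessRequest = (RangerAccessRequestImpl) accessRequest;
            RangerAccessResource resource = rangerAccessRequest.getResource();
            String resourceStr = resource == null ? null : resource.getAsString();
            RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_USAGE_LOG, "RangerPolicyEngine.usage(accessingUser=" + rangerAccessRequest.getUser() + ",accessedResource=" + resourceStr + ",accessType=" + rangerAccessRequest.getAccessType() + ",evaluatedPoliciesCount=" + accessResult.getEvaluatedPoliciesCount() + ")");
            RangerPerfTracer.logAlways(perf);
        } else if (LOG.isDebugEnabled()) {
            LOG.debug("RangerPolicyEngineImpl.updatePolicyUsageCounts(): usage trace skipped, request is not a RangerAccessRequestImpl");
        }
    }
}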
Also used : RangerPolicyEvaluator(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)

Aggregations

RangerPolicyEvaluator (org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator)15 RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)5 ArrayList (java.util.ArrayList)4 RangerTagForEval (org.apache.ranger.plugin.contextenricher.RangerTagForEval)4 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)3 Date (java.util.Date)2 RangerContextEnricher (org.apache.ranger.plugin.contextenricher.RangerContextEnricher)2 HashMap (java.util.HashMap)1 List (java.util.List)1 Map (java.util.Map)1 RangerTagEnricher (org.apache.ranger.plugin.contextenricher.RangerTagEnricher)1 RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)1 RangerServiceDefHelper (org.apache.ranger.plugin.model.validation.RangerServiceDefHelper)1 RangerCachedPolicyEvaluator (org.apache.ranger.plugin.policyevaluator.RangerCachedPolicyEvaluator)1 RangerOptimizedPolicyEvaluator (org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator)1 RangerPolicyResourceMatcher (org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher)1 RangerResourceTrie (org.apache.ranger.plugin.util.RangerResourceTrie)1