
Example 1 with RangerDefaultPolicyResourceMatcher

use of org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher in project ranger by apache.

From the class ServiceDBStore, method getMatchers.

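/**
 * Builds one {@link RangerDefaultPolicyResourceMatcher} for every resource hierarchy of
 * {@code serviceDef} that is valid for the key-set of {@code filterResources}.
 *
 * <p>When {@code filter} carries a {@link SearchFilter#POLICY_TYPE} parameter only that policy
 * type is considered; otherwise every entry of {@link RangerPolicy#POLICY_TYPES} is.
 *
 * @param serviceDef      service definition whose resource hierarchies are consulted
 * @param filterResources resource name to resource value pairs the matchers are built from
 * @param filter          search filter; its {@code POLICY_TYPE} parameter narrows the policy types
 * @return the initialised matchers, in hierarchy order; empty when no hierarchy is valid
 * @throws NumberFormatException if the {@code POLICY_TYPE} parameter is present but not an integer
 */
List<RangerPolicyResourceMatcher> getMatchers(RangerServiceDef serviceDef, Map<String, String> filterResources, SearchFilter filter) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceDBStore.getMatchers(filterResources=" + filterResources + ")");
    }
    List<RangerPolicyResourceMatcher> ret = new ArrayList<>();
    RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
    String policyTypeStr = filter.getParam(SearchFilter.POLICY_TYPE);
    int[] policyTypes = RangerPolicy.POLICY_TYPES;
    if (StringUtils.isNotBlank(policyTypeStr)) {
        // the parameter value comes from the search filter, not from code: a non-numeric
        // value surfaces as NumberFormatException rather than being silently widened to all types
        policyTypes = new int[] { Integer.parseInt(policyTypeStr) };
    }
    Set<String> resourceKeys = filterResources.keySet();
    for (int policyType : policyTypes) {
        Set<List<RangerResourceDef>> validResourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType, resourceKeys);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Found " + validResourceHierarchies.size() + " valid resource hierarchies for key-set " + resourceKeys);
        }
        // iterate the set directly; the previous defensive ArrayList copy changed nothing
        for (List<RangerResourceDef> validResourceHierarchy : validResourceHierarchies) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("validResourceHierarchy:[" + validResourceHierarchy + "]");
            }
            Map<String, RangerPolicyResource> policyResources = new HashMap<>();
            for (RangerResourceDef resourceDef : validResourceHierarchy) {
                String resourceName = resourceDef.getName();
                // isExcludes=false; recursion follows what the resource definition allows
                policyResources.put(resourceName, new RangerPolicyResource(filterResources.get(resourceName), false, resourceDef.getRecursiveSupported()));
            }
            RangerDefaultPolicyResourceMatcher matcher = new RangerDefaultPolicyResourceMatcher();
            matcher.setServiceDef(serviceDef);
            matcher.setPolicyResources(policyResources, policyType);
            matcher.init();
            ret.add(matcher);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Added matcher:[" + matcher + "]");
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        // fixed: the previous message emitted a stray ", , " between the two fields
        LOG.debug("<== ServiceDBStore.getMatchers(filterResources=" + filterResources + ", count=" + ret.size() + ")");
    }
    return ret;
}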

Example 2 with RangerDefaultPolicyResourceMatcher

use of org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher in project ranger by apache.

From the class TestDefaultPolicyResourceMatcher, method runTest.

/**
 * Runs every {@code OneTest} of {@code testCase} against a matcher built from the test
 * case's policy resources and {@code serviceDef}, asserting each expected match result.
 *
 * <p>A {@code null} test entry, or one whose {@code type} is not a recognised match-scope
 * name, is skipped rather than failed.
 *
 * @param testCase   the policy resources plus the individual match tests
 * @param serviceDef service definition the matcher is initialised with
 * @throws Exception propagated from the matcher
 */
private void runTest(DefaultPolicyResourceMatcherTestCases.TestCase testCase, RangerServiceDef serviceDef) throws Exception {
    assertTrue("invalid input: ", testCase != null && testCase.tests != null);
    RangerDefaultPolicyResourceMatcher matcher = new RangerDefaultPolicyResourceMatcher();
    matcher.setServiceDef(serviceDef);
    matcher.setPolicyResources(testCase.policyResources);
    matcher.init();
    for (DefaultPolicyResourceMatcherTestCases.TestCase.OneTest oneTest : testCase.tests) {
        if (oneTest == null) {
            continue;
        }
        RangerPolicyResourceMatcher.MatchScope scope = matchScopeFor(oneTest.type);
        if (scope == null) {
            // unrecognised test type: silently not exercised, as before
            continue;
        }
        boolean expected = oneTest.result;
        boolean actual = matcher.isMatch(oneTest.resource, scope, oneTest.evalContext);
        assertEquals("match failed! " + ":" + testCase.name + ":" + oneTest.name + ":" + oneTest.type + ": resource=" + oneTest.resource, expected, actual);
    }
}

/**
 * Maps a test-case type name to a match scope, ignoring case.
 *
 * @param type the {@code type} field of a test entry; may be {@code null}
 * @return the scope, or {@code null} when the name is not recognised
 */
private static RangerPolicyResourceMatcher.MatchScope matchScopeFor(String type) {
    if ("selfOrDescendantMatch".equalsIgnoreCase(type)) {
        return RangerPolicyResourceMatcher.MatchScope.SELF_OR_DESCENDANT;
    }
    if ("descendantMatch".equalsIgnoreCase(type)) {
        return RangerPolicyResourceMatcher.MatchScope.DESCENDANT;
    }
    if ("exactMatch".equalsIgnoreCase(type)) {
        return RangerPolicyResourceMatcher.MatchScope.SELF;
    }
    if ("selfOrAncestorMatch".equalsIgnoreCase(type)) {
        return RangerPolicyResourceMatcher.MatchScope.SELF_OR_ANCESTOR;
    }
    if ("ancestorMatch".equalsIgnoreCase(type)) {
        return RangerPolicyResourceMatcher.MatchScope.ANCESTOR;
    }
    if ("anyMatch".equalsIgnoreCase(type)) {
        return RangerPolicyResourceMatcher.MatchScope.ANY;
    }
    return null;
}

Example 3 with RangerDefaultPolicyResourceMatcher

use of org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher in project ranger by apache.

From the class RangerDefaultPolicyEvaluator, method init.

/**
 * Initialises this evaluator for {@code policy}: runs the base initialisation, pre-processes
 * the policy, builds the resource matcher and creates the per-item evaluators (allow, deny,
 * allow-exceptions, deny-exceptions, data-mask and row-filter).
 *
 * <p>With a {@code null} policy every evaluator list is empty. The allow/deny lists are sorted
 * by evaluation order; data-mask and row-filter items keep the order given in the policy.
 *
 * @param policy     policy to evaluate; may be {@code null}
 * @param serviceDef service definition the policy belongs to
 * @param options    engine options; its service-def helper is handed to the resource matcher
 */
@Override
public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyEvaluator.init()");
    }
    // perfTag is a field: it is reused by later perf-trace points of this evaluator
    perfTag = (policy == null) ? "" : "policyId=" + policy.getId() + ", policyName=" + policy.getName();
    RangerPerfTracer perf = RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)
            ? RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerPolicyEvaluator.init(" + perfTag + ")")
            : null;
    super.init(policy, serviceDef, options);
    preprocessPolicy(policy, serviceDef);
    resourceMatcher = new RangerDefaultPolicyResourceMatcher();
    resourceMatcher.setServiceDef(serviceDef);
    resourceMatcher.setPolicy(policy);
    resourceMatcher.setServiceDefHelper(options.getServiceDefHelper());
    resourceMatcher.init();
    if (policy == null) {
        validityScheduleEvaluators = Collections.emptyList();
        allowEvaluators = Collections.emptyList();
        denyEvaluators = Collections.emptyList();
        allowExceptionEvaluators = Collections.emptyList();
        denyExceptionEvaluators = Collections.emptyList();
        dataMaskEvaluators = Collections.emptyList();
        rowFilterEvaluators = Collections.emptyList();
    } else {
        validityScheduleEvaluators = createValidityScheduleEvaluators(policy);
        allowEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
        denyEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
        allowExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
        denyExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
        dataMaskEvaluators = createDataMaskPolicyItemEvaluators(policy, serviceDef, options, policy.getDataMaskPolicyItems());
        rowFilterEvaluators = createRowFilterPolicyItemEvaluators(policy, serviceDef, options, policy.getRowFilterPolicyItems());
    }
    RangerPolicyItemEvaluator.EvalOrderComparator byEvalOrder = new RangerPolicyItemEvaluator.EvalOrderComparator();
    Collections.sort(allowEvaluators, byEvalOrder);
    Collections.sort(denyEvaluators, byEvalOrder);
    Collections.sort(allowExceptionEvaluators, byEvalOrder);
    Collections.sort(denyExceptionEvaluators, byEvalOrder);
    // dataMask and rowFilter policy items must be evaluated in the order given in the policy,
    // so those two lists are deliberately left unsorted
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyEvaluator.init()");
    }
}

Example 4 with RangerDefaultPolicyResourceMatcher

use of org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher in project ranger by apache.

From the class RangerTagEnricher, method setServiceTags.

/**
 * Replaces this enricher's tag state from {@code serviceTags}.
 *
 * <p>For every tagged service resource, and for every policy type that has a resource
 * hierarchy containing all of the resource's keys, a {@link RangerDefaultPolicyResourceMatcher}
 * is built and wrapped in a {@link RangerServiceResourceMatcher}. Hierarchy validity is cached
 * per policy type and key-set so each combination is checked once. Unless the trie pre-filter is
 * disabled, one {@link RangerResourceTrie} per resource definition is built over the matchers.
 * A {@code null} or resource-less {@code serviceTags} clears the state.
 *
 * @param serviceTags tags and tagged resources of this service; may be {@code null}
 */
public void setServiceTags(final ServiceTags serviceTags) {
    if (serviceTags == null || CollectionUtils.isEmpty(serviceTags.getServiceResources())) {
        LOG.info("ServiceTags is null or there are no tagged resources for service " + serviceName);
        enrichedServiceTags = null;
        return;
    }
    RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef, false);
    ResourceHierarchies hierarchies = new ResourceHierarchies();
    List<RangerServiceResourceMatcher> resourceMatchers = new ArrayList<>();
    for (RangerServiceResource serviceResource : serviceTags.getServiceResources()) {
        final Collection<String> resourceKeys = serviceResource.getResourceElements().keySet();
        for (int policyType : RangerPolicy.POLICY_TYPES) {
            if (!hasValidHierarchy(serviceDefHelper, hierarchies, policyType, resourceKeys)) {
                continue;
            }
            RangerDefaultPolicyResourceMatcher matcher = new RangerDefaultPolicyResourceMatcher();
            matcher.setServiceDef(serviceDef);
            matcher.setPolicyResources(serviceResource.getResourceElements(), policyType);
            if (LOG.isDebugEnabled()) {
                LOG.debug("RangerTagEnricher.setServiceTags() - Initializing matcher with (resource=" + serviceResource + ", serviceDef=" + serviceDef.getName() + ")");
            }
            matcher.setServiceDefHelper(serviceDefHelper);
            matcher.init();
            resourceMatchers.add(new RangerServiceResourceMatcher(serviceResource, matcher));
        }
    }
    Map<String, RangerResourceTrie<RangerServiceResourceMatcher>> serviceResourceTrie = null;
    if (!disableTrieLookupPrefilter) {
        serviceResourceTrie = new HashMap<>();
        for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) {
            serviceResourceTrie.put(resourceDef.getName(), new RangerResourceTrie<RangerServiceResourceMatcher>(resourceDef, resourceMatchers));
        }
    }
    // every tag is also indexed as a DESCENDANT match for the empty-resource / any-access case
    Set<RangerTagForEval> tagsForEmptyResourceAndAnyAccess = new HashSet<>();
    for (RangerTag tag : serviceTags.getTags().values()) {
        tagsForEmptyResourceAndAnyAccess.add(new RangerTagForEval(tag, RangerPolicyResourceMatcher.MatchType.DESCENDANT));
    }
    enrichedServiceTags = new EnrichedServiceTags(serviceTags, resourceMatchers, serviceResourceTrie, tagsForEmptyResourceAndAnyAccess);
}

/**
 * Tells whether some resource hierarchy of {@code policyType} contains all of {@code resourceKeys}.
 * The answer is taken from, and on a miss recorded in, the {@code hierarchies} cache.
 *
 * @param serviceDefHelper helper supplying the hierarchies of the service definition
 * @param hierarchies      per-policy-type, per-key-set validity cache
 * @param policyType       policy type whose hierarchies are consulted
 * @param resourceKeys     resource names of the service resource
 * @return {@code true} when a hierarchy covering every key exists
 */
private static boolean hasValidHierarchy(RangerServiceDefHelper serviceDefHelper, ResourceHierarchies hierarchies, int policyType, Collection<String> resourceKeys) {
    Boolean cached = hierarchies.isValidHierarchy(policyType, resourceKeys);
    if (cached != null) {
        return cached;
    }
    // not yet validated for this key-set: scan the hierarchies once and remember the outcome
    Boolean isValid = Boolean.FALSE;
    for (List<RangerServiceDef.RangerResourceDef> hierarchy : serviceDefHelper.getResourceHierarchies(policyType)) {
        if (serviceDefHelper.hierarchyHasAllResources(hierarchy, resourceKeys)) {
            isValid = Boolean.TRUE;
            break;
        }
    }
    hierarchies.addHierarchy(policyType, resourceKeys, isValid);
    return isValid;
}

Example 5 with RangerDefaultPolicyResourceMatcher

use of org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher in project ranger by apache.

From the class RangerHiveResourcesNotAccessedTogetherCondition, method buildMatcher.

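/**
 * Builds a resource matcher from a Hive resource spec of the form
 * {@code database[.table[.column]]}; an omitted table or column matches anything ({@code "*"}).
 *
 * <p>Returns {@code null}, after logging an error, when no service definition is set, when it is
 * not the Hive service definition, when the spec is {@code null}, or when the spec does not split
 * into one to three elements.
 *
 * <p>{@code StringUtils.split} discards empty elements, so a spec such as {@code "db..col"} is read
 * as {@code db.col} (table {@code col}, any column) instead of being rejected; specs are expected
 * to be well-formed.
 *
 * @param policyResourceSpec dot-separated Hive resource spec; may be {@code null}
 * @return an initialised matcher, or {@code null} when the spec cannot be turned into one
 */
private RangerPolicyResourceMatcher buildMatcher(String policyResourceSpec) {
    RangerPolicyResourceMatcher matcher = null;
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHiveResourcesNotAccessedTogetherCondition.buildMatcher(" + policyResourceSpec + ")");
    }
    // Works only for Hive serviceDef for now
    if (serviceDef == null || !EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HIVE_NAME.equals(serviceDef.getName())) {
        LOG.error("RangerHiveResourcesNotAccessedTogetherCondition.buildMatcher() - ServiceDef not set or ServiceDef is not for Hive");
    } else if (policyResourceSpec == null) {
        // StringUtils.split(null, ...) returns null; without this guard the length check below threw NPE
        LOG.error("RangerHiveResourcesNotAccessedTogetherCondition.buildMatcher() - resource spec is null");
    } else {
        // Parse policyResourceSpec
        char separator = '.';
        String any = "*";
        String[] elements = StringUtils.split(policyResourceSpec, separator);
        if (elements.length > 0 && elements.length < 4) {
            Map<String, RangerPolicy.RangerPolicyResource> policyResources = new HashMap<>();
            policyResources.put("database", new RangerPolicy.RangerPolicyResource(elements[0]));
            policyResources.put("table", new RangerPolicy.RangerPolicyResource(elements.length >= 2 ? elements[1] : any));
            policyResources.put("column", new RangerPolicy.RangerPolicyResource(elements.length == 3 ? elements[2] : any));
            matcher = new RangerDefaultPolicyResourceMatcher();
            matcher.setPolicyResources(policyResources);
            matcher.setServiceDef(serviceDef);
            matcher.init();
        } else {
            LOG.error("RangerHiveResourcesNotAccessedTogetherCondition.buildMatcher() - Incorrect elements in the hierarchy specified (" + elements.length + ")");
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHiveResourcesNotAccessedTogetherCondition.buildMatcher(" + policyResourceSpec + ")" + ", matcher=" + matcher);
    }
    return matcher;
}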
