use of org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher in project ranger by apache.
the class ServiceDBStore method applyResourceFilter.
/**
 * Narrows {@code policies} to those accepted by at least one resource matcher
 * built from the search criteria.
 *
 * <p>The filter fails closed: when {@code getMatchers} yields no matchers
 * (null or empty), the result is an empty list rather than the unfiltered input.
 * A policy is added at most once, on its first matching matcher, and the input
 * order of {@code policies} is preserved.
 *
 * <p>NOTE(review): with DEBUG enabled, the full {@code filterResources} map and
 * every candidate policy are concatenated into the log. Confirm that debug logs
 * for this class are access-controlled, since they will contain complete policy
 * definitions and caller-supplied filter values.
 *
 * @param serviceDef      service definition handed to {@code getMatchers}
 * @param policies        candidate policies; must not be null (it is dereferenced unconditionally in the loop)
 * @param filterResources resource name/value pairs from the search request
 * @param filter          search filter handed to {@code getMatchers}
 * @param scope           match scope passed through to each matcher
 * @return a new list holding the accepted policies; never null
 */
List<RangerPolicy> applyResourceFilter(RangerServiceDef serviceDef, List<RangerPolicy> policies, Map<String, String> filterResources, SearchFilter filter, RangerPolicyResourceMatcher.MatchScope scope) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceDBStore.applyResourceFilter(policies-size=" + policies.size() + ", filterResources=" + filterResources + ", " + scope + ")");
    }

    final List<RangerPolicy> selected = new ArrayList<RangerPolicy>();
    final List<RangerPolicyResourceMatcher> resourceMatchers = getMatchers(serviceDef, filterResources, filter);

    // No matchers means nothing can be accepted; `selected` stays empty.
    if (CollectionUtils.isNotEmpty(resourceMatchers)) {
        for (RangerPolicy candidate : policies) {
            boolean accepted = false;

            for (RangerPolicyResourceMatcher resourceMatcher : resourceMatchers) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Trying to match for policy:[" + candidate + "] using RangerDefaultPolicyResourceMatcher:[" + resourceMatcher + "]");
                }

                // Third argument is passed as null here; presumably an evaluation context - verify against isMatch().
                accepted = resourceMatcher.isMatch(candidate, scope, null);
                if (accepted) {
                    // The first hit is enough; the remaining matchers are not consulted.
                    break;
                }
            }

            if (accepted) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("matched policy:[" + candidate + "]");
                }
                selected.add(candidate);
            }
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceDBStore.applyResourceFilter(policies-size=" + selected.size() + ", filterResources=" + filterResources + ", " + scope + ")");
    }
    return selected;
}
use of org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher in project ranger by apache.
the class RangerPolicyEngineImpl method getMatchingPolicies.
/*
* This API is used by ranger-admin
*/
/**
 * Collects every policy whose resource matcher accepts {@code resource} under
 * {@code MatchScope.ANY}, looking first at tag policies (once per tag found in
 * the request context) and then at resource policies.
 *
 * <p>Only resource matching is performed. The internal request is built with
 * {@code ANY_ACCESS} and two null arguments (presumably user and groups - verify
 * against the {@code RangerAccessRequestImpl} constructor), and no policy items
 * are evaluated. The result therefore says which policies apply to the resource,
 * not whether any principal is allowed or denied access.
 *
 * <p>NOTE(review): results are appended to a list per tag and per evaluator, so
 * the same policy may appear more than once if it matches through several tags.
 * Callers that need a distinct set should de-duplicate.
 *
 * @param resource the resource to look up
 * @return a new list of matching policies; never null
 */
@Override
public List<RangerPolicy> getMatchingPolicies(RangerAccessResource resource) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyEngineImpl.getMatchingPolicies(" + resource + ")");
    }

    final List<RangerPolicy> matchingPolicies = new ArrayList<>();

    RangerAccessRequestImpl anyAccessRequest = new RangerAccessRequestImpl(resource, RangerPolicyEngine.ANY_ACCESS, null, null);
    // presumably populates the request context (including tags) - verify against preProcess()
    preProcess(anyAccessRequest);

    if (hasTagPolicies()) {
        Set<RangerTagForEval> requestTags = RangerAccessRequestUtil.getRequestTagsFromContext(anyAccessRequest.getContext());

        if (CollectionUtils.isNotEmpty(requestTags)) {
            for (RangerTagForEval requestTag : requestTags) {
                RangerAccessRequest tagRequest = new RangerTagAccessRequest(requestTag, tagPolicyRepository.getServiceDef(), anyAccessRequest);
                RangerAccessResource tagResource = tagRequest.getResource();

                collectResourceMatches(tagPolicyRepository.getLikelyMatchPolicyEvaluators(tagResource), tagResource, matchingPolicies);
            }
        }
    }

    if (hasResourcePolicies()) {
        collectResourceMatches(policyRepository.getLikelyMatchPolicyEvaluators(resource), resource, matchingPolicies);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyEngineImpl.getMatchingPolicies(" + resource + ") : " + matchingPolicies.size());
    }
    return matchingPolicies;
}

/**
 * Appends to {@code sink} the policy of each evaluator whose resource matcher
 * accepts {@code target} under {@code MatchScope.ANY}. Evaluators without a
 * resource matcher are skipped.
 */
private void collectResourceMatches(List<RangerPolicyEvaluator> candidates, RangerAccessResource target, List<RangerPolicy> sink) {
    for (RangerPolicyEvaluator candidate : candidates) {
        RangerPolicyResourceMatcher resourceMatcher = candidate.getPolicyResourceMatcher();

        if (resourceMatcher == null) {
            continue;
        }
        if (resourceMatcher.isMatch(target, RangerPolicyResourceMatcher.MatchScope.ANY, null)) {
            sink.add(candidate.getPolicy());
        }
    }
}
use of org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher in project ranger by apache.
the class RangerHiveResourcesAccessedTogetherCondition method buildMatcher.
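/**
 * Builds a resource matcher from a dot-separated Hive resource specification of
 * the form {@code database[.table[.column]]}. Levels that are omitted are filled
 * with the wildcard {@code "*"}.
 *
 * <p>A matcher is produced only when the enclosing condition's {@code serviceDef}
 * is the embedded Hive service definition and the specification splits into one
 * to three elements. In every other case an error is logged and {@code null} is
 * returned.
 *
 * <p>NOTE(review): callers must treat a {@code null} return as "no matcher" and
 * decide explicitly how the condition evaluates then. Confirm at the call site
 * that a malformed specification cannot silently disable the check.
 *
 * @param policyResourceSpec resource specification; a null or empty value is
 *                           rejected with an error log instead of an exception
 * @return an initialized matcher, or {@code null} if none could be built
 */
private RangerPolicyResourceMatcher buildMatcher(String policyResourceSpec) {
    RangerPolicyResourceMatcher matcher = null;

    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHiveResourcesAccessedTogetherCondition.buildMatcher(" + policyResourceSpec + ")");
    }

    // Works only for Hive serviceDef for now
    if (serviceDef != null && EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HIVE_NAME.equals(serviceDef.getName())) {
        final char separator = '.';
        final String any = "*";

        // NOTE(review): assuming this is commons-lang StringUtils, split() returns null for a
        // null input and treats adjacent separators as one, so "db..col" would be read as
        // database=db, table=col. Confirm that this is the intended handling of empty levels.
        final String[] elements = StringUtils.split(policyResourceSpec, separator);

        // A null split result is handled like an empty specification, so it takes the
        // logged-error path below instead of failing with a NullPointerException.
        final int elementCount = (elements == null) ? 0 : elements.length;

        if (elementCount > 0 && elementCount < 4) {
            Map<String, RangerPolicy.RangerPolicyResource> policyResources = new HashMap<>();

            policyResources.put("column", new RangerPolicy.RangerPolicyResource(elementCount == 3 ? elements[2] : any));
            policyResources.put("table", new RangerPolicy.RangerPolicyResource(elementCount >= 2 ? elements[1] : any));
            policyResources.put("database", new RangerPolicy.RangerPolicyResource(elements[0]));

            matcher = new RangerDefaultPolicyResourceMatcher();
            matcher.setPolicyResources(policyResources);
            matcher.setServiceDef(serviceDef);
            matcher.init();
        } else {
            LOG.error("RangerHiveResourcesAccessedTogetherCondition.buildMatcher() - Incorrect elements in the hierarchy specified (" + elementCount + ")");
        }
    } else {
        LOG.error("RangerHiveResourcesAccessedTogetherCondition.buildMatcher() - ServiceDef not set or ServiceDef is not for Hive");
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHiveResourcesAccessedTogetherCondition.buildMatcher(" + policyResourceSpec + ")" + ", matcher=" + matcher);
    }
    return matcher;
}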