
Example 1 with RangerResourceMatcher

use of org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher in project ranger by apache.

the class RangerDefaultPolicyResourceMatcher method createResourceMatcher.

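/**
 * Builds and initialises the matcher for one resource of a policy.
 *
 * <p>The implementation class name is read from {@code resourceDef.getMatcher()} and loaded
 * reflectively, so whoever can edit a service definition chooses which class gets instantiated
 * here. The loaded class is checked against {@link RangerResourceMatcher} <em>before</em> its
 * constructor runs, so a name that points at an unrelated class is rejected without creating an
 * instance of it. Any failure to load or construct the class is logged and the default matcher
 * is used instead.
 *
 * @param resourceDef definition of the resource; supplies the resource name and matcher class name
 * @param resource    the policy's values for that resource, handed to the matcher
 * @return an initialised matcher, or {@code null} when {@code resourceDef} is {@code null}
 */
private static RangerResourceMatcher createResourceMatcher(RangerResourceDef resourceDef, RangerPolicyResource resource) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.createResourceMatcher(" + resourceDef + ", " + resource + ")");
    }
    RangerResourceMatcher ret = null;
    if (resourceDef != null) {
        String resName = resourceDef.getName();
        String clsName = resourceDef.getMatcher();
        if (!StringUtils.isEmpty(clsName)) {
            try {
                // asSubclass() throws ClassCastException for a class that is not a matcher, so the
                // type is verified before any constructor is invoked. An unchecked cast followed by
                // newInstance() would construct the foreign object first and only fail on assignment.
                // Note that Class.forName(String) still initialises the named class on load.
                Class<? extends RangerResourceMatcher> matcherClass = Class.forName(clsName).asSubclass(RangerResourceMatcher.class);
                // Class.newInstance() is deprecated and rethrows checked constructor exceptions
                // undeclared; the Constructor form wraps them in InvocationTargetException.
                ret = matcherClass.getDeclaredConstructor().newInstance();
            } catch (Exception excp) {
                LOG.error("failed to instantiate resource matcher '" + clsName + "' for '" + resName + "'. Default resource matcher will be used", excp);
            }
        }
        if (ret == null) {
            // No matcher configured, or the configured one could not be created.
            ret = new RangerDefaultResourceMatcher();
        }
        ret.setResourceDef(resourceDef);
        ret.setPolicyResource(resource);
        ret.init();
    } else {
        LOG.error("RangerDefaultPolicyResourceMatcher: RangerResourceDef is null");
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.createResourceMatcher(" + resourceDef + ", " + resource + "): " + ret);
    }
    return ret;
}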
Also used : RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher) RangerDefaultResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher)

Example 2 with RangerResourceMatcher

use of org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher in project ranger by apache.

the class RangerDefaultPolicyResourceMatcher method isMatch.

/**
 * Decides whether the supplied resource values are covered by this policy's resources.
 *
 * <p>The result starts as {@code false} and only becomes {@code true} when every resource
 * definition of the service accepts the supplied values. The supplied keys must be empty or a
 * subset of the policy's keys. For each resource definition:
 * <ul>
 *   <li>with a matcher and values, every value must match;</li>
 *   <li>with a matcher and no values, the matcher must match anything;</li>
 *   <li>without a matcher, the request must carry no values for that resource.</li>
 * </ul>
 *
 * <p>NOTE(review): {@code isInitialized} is not consulted here. When {@code allMatchers} is
 * {@code null}, a request with no values is reported as a match; presumably callers check
 * initialisation first. Confirm against the call sites.
 *
 * <p>NOTE(review): the perf-trace label names {@code delegateAdminMatch()}, not
 * {@code isMatch()}; it is reproduced unchanged.
 *
 * @param resources   resource name to policy-resource values being tested; may be {@code null}
 * @param evalContext evaluation context passed through to each matcher
 * @return {@code true} only if every resource definition accepts the supplied values
 */
@Override
public boolean isMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + ")");
    }
    boolean matched = false;
    RangerPerfTracer tracer = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        tracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.delegateAdminMatch()");
    }
    if (serviceDef != null && serviceDef.getResources() != null) {
        Collection<String> requestedKeys = (resources != null) ? resources.keySet() : null;
        Collection<String> definedKeys = (policyResources != null) ? policyResources.keySet() : null;
        // An empty request is allowed through to the per-resource checks; otherwise every
        // requested key has to be one the policy defines.
        boolean keysCovered = CollectionUtils.isEmpty(requestedKeys) || (definedKeys != null && definedKeys.containsAll(requestedKeys));
        if (!keysCovered) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("isMatch(): keysMatch=false. resourceKeys=" + requestedKeys + "; policyKeys=" + definedKeys);
            }
        } else {
            for (RangerResourceDef def : serviceDef.getResources()) {
                String name = def.getName();
                RangerPolicyResource supplied = (resources != null) ? resources.get(name) : null;
                List<String> suppliedValues = (supplied != null) ? supplied.getValues() : null;
                RangerResourceMatcher resourceMatcher = (allMatchers != null) ? allMatchers.get(name) : null;
                if (resourceMatcher == null) {
                    // No matcher for this resource: acceptable only when nothing was supplied for it.
                    matched = CollectionUtils.isEmpty(suppliedValues);
                } else if (CollectionUtils.isEmpty(suppliedValues)) {
                    matched = resourceMatcher.isMatchAny();
                } else {
                    // All supplied values must match; stop at the first one that does not.
                    matched = true;
                    for (String candidate : suppliedValues) {
                        if (!resourceMatcher.isMatch(candidate, evalContext)) {
                            matched = false;
                            break;
                        }
                    }
                }
                if (!matched) {
                    break;
                }
            }
        }
    }
    RangerPerfTracer.log(tracer);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + "): " + matched);
    }
    return matched;
}
Also used : RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Example 3 with RangerResourceMatcher

use of org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher in project ranger by apache.

the class RangerDefaultPolicyResourceMatcher method isCompleteMatch.

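/**
 * Decides whether the accessed resource matches this policy's resources exactly.
 *
 * <p>The resource's key set must equal the policy's key set. Then, for every resource
 * definition of the service:
 * <ul>
 *   <li>a {@code null} or empty-string value passes when there is no matcher, or when the
 *       matcher reports a complete match for it;</li>
 *   <li>a non-empty string value requires a matcher that reports a complete match;</li>
 *   <li>any non-string value is rejected.</li>
 * </ul>
 *
 * <p>The result defaults to {@code false}. A missing {@code serviceDef} (or one without
 * resources) also yields {@code false} rather than a {@link NullPointerException}, which is the
 * same guard {@code isMatch} applies before iterating.
 *
 * @param resource    the resource being accessed; {@code null} never matches
 * @param evalContext evaluation context passed through to each matcher
 * @return {@code true} only if every resource definition reports a complete match
 */
@Override
public boolean isCompleteMatch(RangerAccessResource resource, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + ", " + evalContext + ")");
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.grantRevokeMatch()");
    }
    boolean ret = false;
    Collection<String> resourceKeys = resource == null ? null : resource.getKeys();
    Collection<String> policyKeys = policyResources == null ? null : policyResources.keySet();
    boolean keysMatch = resourceKeys != null && policyKeys != null && CollectionUtils.isEqualCollection(resourceKeys, policyKeys);
    if (!keysMatch) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("isCompleteMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
        }
    } else if (serviceDef == null || serviceDef.getResources() == null) {
        // Without a service definition there is nothing to evaluate against; deny instead of
        // letting the for-each below throw on a null reference.
        if (LOG.isDebugEnabled()) {
            LOG.debug("isCompleteMatch(): serviceDef or its resources is null; returning false");
        }
    } else {
        for (RangerResourceDef resourceDef : serviceDef.getResources()) {
            String resourceName = resourceDef.getName();
            // keysMatch implies resourceKeys != null, which implies resource != null here.
            Object resourceValue = resource.getValue(resourceName);
            RangerResourceMatcher matcher = getResourceMatcher(resourceName);
            if (resourceValue == null) {
                ret = matcher == null || matcher.isCompleteMatch(null, evalContext);
            } else if (resourceValue instanceof String) {
                String strValue = (String) resourceValue;
                if (StringUtils.isEmpty(strValue)) {
                    ret = matcher == null || matcher.isCompleteMatch(strValue, evalContext);
                } else {
                    // A concrete value can only be accepted by an actual matcher.
                    ret = matcher != null && matcher.isCompleteMatch(strValue, evalContext);
                }
            } else {
                // return false for any other type of resourceValue
                ret = false;
            }
            if (!ret) {
                break;
            }
        }
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + ", " + evalContext + "): " + ret);
    }
    return ret;
}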
Also used : RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Example 4 with RangerResourceMatcher

use of org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher in project ranger by apache.

the class RangerDefaultPolicyResourceMatcher method init.

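/**
 * (Re)builds the per-resource matchers for this policy from {@code policyResources} and
 * {@code serviceDef}.
 *
 * <p>All derived state is reset first. The resource hierarchies for the policy's resource names
 * are looked up, and each is checked with {@code isHierarchyValidForResources}. If at least one
 * is valid, a matcher is created for every resource definition (across all returned
 * hierarchies) that the policy has a value for. {@code validResourceHierarchy} is kept only
 * when exactly one hierarchy is valid.
 *
 * <p>On any failure {@code allMatchers} is left {@code null}, {@code isInitialized} stays
 * {@code false}, and the reason is logged at error level together with the service-def name and
 * the policy's resource keys.
 */
@Override
public void init() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.init()");
    }
    // Reset everything derived from policyResources/serviceDef so a failed re-init cannot
    // leave matchers from an earlier configuration behind.
    allMatchers = null;
    needsDynamicEval = false;
    validResourceHierarchy = null;
    isInitialized = false;
    String errorText = "";
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG, "RangerDefaultPolicyResourceMatcher.init()");
    }
    if (policyResources != null && !policyResources.isEmpty() && serviceDef != null) {
        serviceDefHelper = serviceDefHelper == null ? new RangerServiceDefHelper(serviceDef, false) : serviceDefHelper;
        Set<List<RangerResourceDef>> resourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType, policyResources.keySet());
        int validHierarchiesCount = 0;
        for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
            if (isHierarchyValidForResources(resourceHierarchy, policyResources)) {
                validHierarchiesCount++;
                // Remember the hierarchy only while it is the sole valid one.
                if (validHierarchiesCount == 1) {
                    validResourceHierarchy = resourceHierarchy;
                } else {
                    validResourceHierarchy = null;
                }
            } else {
                // Log the hierarchy that is actually being skipped, not the whole candidate set.
                LOG.warn("RangerDefaultPolicyResourceMatcher.init(): gaps found in policyResources, skipping hierarchy:[" + resourceHierarchy + "]");
            }
        }
        if (validHierarchiesCount > 0) {
            allMatchers = new HashMap<>();
            for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
                for (RangerResourceDef resourceDef : resourceHierarchy) {
                    String resourceName = resourceDef.getName();
                    // The same resource can appear in several hierarchies; build its matcher once.
                    if (allMatchers.containsKey(resourceName)) {
                        continue;
                    }
                    RangerPolicyResource policyResource = policyResources.get(resourceName);
                    if (policyResource == null) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("RangerDefaultPolicyResourceMatcher.init(): no matcher created for " + resourceName + ". Continuing ...");
                        }
                        continue;
                    }
                    RangerResourceMatcher matcher = createResourceMatcher(resourceDef, policyResource);
                    if (matcher != null) {
                        if (!needsDynamicEval && matcher.getNeedsDynamicEval()) {
                            needsDynamicEval = true;
                        }
                        allMatchers.put(resourceName, matcher);
                    } else {
                        // One missing matcher invalidates the whole set; abandon initialisation.
                        LOG.error("RangerDefaultPolicyResourceMatcher.init(): failed to find matcher for resource " + resourceName);
                        allMatchers = null;
                        errorText = "no matcher found for resource " + resourceName;
                        break;
                    }
                }
                if (allMatchers == null) {
                    break;
                }
            }
        } else {
            errorText = "policyResources elements are not part of any valid resourcedef hierarchy.";
        }
    } else {
        errorText = "policyResources is null or empty, or serviceDef is null.";
    }
    if (allMatchers == null) {
        serviceDefHelper = null;
        validResourceHierarchy = null;
        Set<String> policyResourceKeys = policyResources == null ? null : policyResources.keySet();
        String serviceDefName = serviceDef == null ? "" : serviceDef.getName();
        StringBuilder keysString = new StringBuilder();
        if (CollectionUtils.isNotEmpty(policyResourceKeys)) {
            for (String policyResourceKeyName : policyResourceKeys) {
                keysString.append(policyResourceKeyName).append(" ");
            }
        }
        // The message previously left its opening parenthesis unclosed.
        LOG.error("RangerDefaultPolicyResourceMatcher.init() failed: " + errorText + " (serviceDef=" + serviceDefName + ", policyResourceKeys=" + keysString.toString() + ")");
    } else {
        isInitialized = true;
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.init(): ret=" + isInitialized);
    }
}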
Also used : RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerServiceDefHelper(org.apache.ranger.plugin.model.validation.RangerServiceDefHelper) RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher) List(java.util.List) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Example 5 with RangerResourceMatcher

use of org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher in project ranger by apache.

the class RangerDefaultPolicyResourceMatcher method toString.

/**
 * Appends a textual description of this matcher to the given builder.
 *
 * <p>The output contains the {@code isInitialized} flag followed by each per-resource matcher
 * wrapped in braces; nothing is listed when {@code allMatchers} is {@code null}.
 *
 * @param sb builder to append to
 * @return the same builder, for chaining
 */
@Override
public StringBuilder toString(StringBuilder sb) {
    sb.append("RangerDefaultPolicyResourceMatcher={")
        .append("isInitialized=")
        .append(isInitialized)
        .append(", ")
        .append("matchers={");
    if (allMatchers != null) {
        for (RangerResourceMatcher entry : allMatchers.values()) {
            sb.append("{");
            sb.append(entry);
            sb.append("} ");
        }
    }
    return sb.append("} ").append("}");
}
Also used : RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher)

Aggregations

RangerResourceMatcher (org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher)6 RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)4 RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)4 RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)2 List (java.util.List)1 RangerServiceDefHelper (org.apache.ranger.plugin.model.validation.RangerServiceDefHelper)1 RangerDefaultResourceMatcher (org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher)1