
Example 6 with RangerResourceMatcher

use of org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher in project ranger by apache.

the class RangerDefaultPolicyResourceMatcher method getMatchType.

/**
 * Classifies how the given access resource relates to the resources of this policy.
 *
 * <p>The result starts as {@link MatchType#NONE} and stays that way when {@code resource} or
 * {@code policyResources} is null, when no matching hierarchy is found, or when a matcher
 * rejects a resource value. When both the policy resources and the resource keys are empty
 * the result is {@link MatchType#SELF}. Otherwise the matching hierarchy is walked level by
 * level until a matcher rejects a value, the resource has no value for a level, or a level
 * has no matcher.
 *
 * @param resource    the accessed resource; may be null
 * @param evalContext context passed unchanged to each {@code RangerResourceMatcher.isMatch} call
 * @return one of NONE, SELF, ANCESTOR or DESCENDANT as determined by the walk described above
 */
@Override
public MatchType getMatchType(RangerAccessResource resource, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        // NOTE(review): resource and evalContext are written to the debug log as-is; confirm
        // nothing sensitive is placed in evalContext before enabling DEBUG in production.
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.getMatchType(" + resource + evalContext + ")");
    }

    // Default is NONE: any path that does not positively classify the resource reports no match.
    MatchType matchType = MatchType.NONE;

    RangerPerfTracer tracer = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        tracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.getMatchType()");
    }

    if (resource != null && policyResources != null) {
        int keyCount = 0;
        if (resource.getKeys() != null) {
            keyCount = resource.getKeys().size();
        }

        if (policyResources.size() == 0 && keyCount == 0) {
            // Neither side names anything, so the two are treated as the same resource.
            matchType = MatchType.SELF;
        } else {
            List<RangerResourceDef> matchingHierarchy = getMatchingHierarchy(resource);

            if (CollectionUtils.isNotEmpty(matchingHierarchy)) {
                // Pass 1: find the index of the last matcher that is not "match any".
                // Counting stops at the first level that has no matcher.
                int lastSpecificIdx = -1;
                int matcherCount = 0;
                for (RangerResourceDef levelDef : matchingHierarchy) {
                    RangerResourceMatcher levelMatcher = getResourceMatcher(levelDef.getName());
                    if (levelMatcher == null) {
                        break;
                    }
                    if (!levelMatcher.isMatchAny()) {
                        lastSpecificIdx = matcherCount;
                    }
                    matcherCount++;
                }

                // Pass 2: compare resource values against matchers, level by level.
                int lastMatchedIdx = -1;
                for (RangerResourceDef levelDef : matchingHierarchy) {
                    RangerResourceMatcher levelMatcher = getResourceMatcher(levelDef.getName());
                    Object levelValue = resource.getValue(levelDef.getName());

                    if (levelMatcher == null) {
                        // More resource-values than matchers; with no value either, the
                        // result of the previous levels is kept.
                        if (levelValue != null) {
                            matchType = MatchType.ANCESTOR;
                        }
                        break;
                    }

                    if (levelValue == null) {
                        // More matchers than resource-values
                        if (lastMatchedIdx < lastSpecificIdx) {
                            // A non-"match any" matcher still lies beyond the last matched level.
                            matchType = MatchType.DESCENDANT;
                        } else if (lastMatchedIdx == -1 && lastSpecificIdx == -1) {
                            // For degenerate case : resourceKeysSize == 0 and all matchers are of type Any
                            matchType = MatchType.SELF;
                        } else {
                            matchType = MatchType.ANCESTOR;
                        }
                        break;
                    }

                    if (!levelMatcher.isMatch(levelValue, evalContext)) {
                        // A single rejected level discards any earlier SELF result.
                        matchType = MatchType.NONE;
                        break;
                    }

                    matchType = MatchType.SELF;
                    lastMatchedIdx++;
                }
            }
        }
    }

    // NOTE(review): not in a finally block, so an exception thrown above skips this trace record.
    RangerPerfTracer.log(tracer);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.getMatchType(" + resource + evalContext + "): " + matchType);
    }
    return matchType;
}
Also used : RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Aggregations

RangerResourceMatcher (org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher)6 RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)4 RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)4 RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)2 List (java.util.List)1 RangerServiceDefHelper (org.apache.ranger.plugin.model.validation.RangerServiceDefHelper)1 RangerDefaultResourceMatcher (org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher)1