
Example 66 with RangerPerfTracer

Use of org.apache.ranger.plugin.util.RangerPerfTracer in the apache/ranger project.

Class RangerDefaultPolicyItemEvaluator, method matchCustomConditions.

/**
 * Evaluates every custom condition attached to this policy item against the request.
 *
 * <p>Conditions are AND-ed: evaluation stops at the first evaluator whose
 * {@code isMatched} returns {@code false}. A policy item with no condition
 * evaluators imposes no extra constraint and therefore matches. Exceptions
 * thrown by an evaluator are not caught here and propagate to the caller.
 *
 * @param request the access request the conditions are evaluated against;
 *                its {@code toString()} is written to the debug log
 * @return {@code true} if there are no conditions or all of them matched,
 *         {@code false} as soon as one does not
 */
@Override
public boolean matchCustomConditions(RangerAccessRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyItemEvaluator.matchCustomConditions(" + request + ")");
    }

    // Default is "matched": no custom conditions means nothing to fail.
    boolean allConditionsMatched = true;

    if (CollectionUtils.isNotEmpty(conditionEvaluators)) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("RangerDefaultPolicyItemEvaluator.matchCustomConditions(): conditionCount=" + conditionEvaluators.size());
        }

        for (RangerConditionEvaluator evaluator : conditionEvaluators) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("evaluating condition: " + evaluator);
            }

            RangerPerfTracer perf = null;

            if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYCONDITION_REQUEST_LOG)) {
                // Only the abstract base class exposes the condition model; any other
                // evaluator implementation is traced with policyConditionType=null.
                final String conditionType = (evaluator instanceof RangerAbstractConditionEvaluator)
                        ? ((RangerAbstractConditionEvaluator) evaluator).getPolicyItemCondition().getType()
                        : null;

                perf = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_REQUEST_LOG, "RangerConditionEvaluator.matchCondition(policyId=" + policyId + ",policyItemIndex=" + getPolicyItemIndex() + ",policyConditionType=" + conditionType + ")");
            }

            final boolean matched = evaluator.isMatched(request);

            // log() is called with perf possibly null (tracing disabled), same as the other call sites.
            RangerPerfTracer.log(perf);

            if (matched) {
                continue;
            }

            if (LOG.isDebugEnabled()) {
                LOG.debug(evaluator + " returned false");
            }

            // First failing condition decides the outcome; remaining evaluators are not run.
            allConditionsMatched = false;
            break;
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyItemEvaluator.matchCustomConditions(" + request + "): " + allConditionsMatched);
    }

    return allConditionsMatched;
}
Also used : RangerAbstractConditionEvaluator(org.apache.ranger.plugin.conditionevaluator.RangerAbstractConditionEvaluator) RangerConditionEvaluator(org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)

Example 67 with RangerPerfTracer

Use of org.apache.ranger.plugin.util.RangerPerfTracer in the apache/ranger project.

Class RangerDefaultPolicyResourceMatcher, method isCompleteMatch.

/**
 * Reports whether the given resource is exactly (not just hierarchically) covered by this
 * matcher's policy resources.
 *
 * <p>The resource's key set and {@code policyResources}' key set must be equal collections,
 * otherwise the result is {@code false} without consulting any matcher. When they are equal,
 * every resource definition of {@code serviceDef} is checked in order; the first resource whose
 * matcher reports no complete match ends the loop with {@code false}. A null or empty string
 * value is accepted when there is no matcher for that resource; a non-empty value requires a
 * matcher. Any value that is not a {@code String} (and not null) yields {@code false}.
 *
 * <p>Note: if the key sets match but {@code serviceDef.getResources()} is empty, the loop body
 * never runs and the result stays {@code false}.
 *
 * @param resource    the access resource to compare; {@code null} never matches
 * @param evalContext evaluation context forwarded to each {@code RangerResourceMatcher}
 * @return {@code true} only if every resource definition reports a complete match
 */
@Override
public boolean isCompleteMatch(RangerAccessResource resource, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + ", " + evalContext + ")");
    }

    RangerPerfTracer perf = null;

    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        // The trace label reads grantRevokeMatch() rather than isCompleteMatch(); it is kept
        // verbatim so existing perf-log consumers keep finding it.
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.grantRevokeMatch()");
    }

    final Collection<String> resourceKeys = (resource == null) ? null : resource.getKeys();
    final Collection<String> policyKeys   = (policyResources == null) ? null : policyResources.keySet();
    final boolean            keysDiffer   = resourceKeys == null || policyKeys == null || !CollectionUtils.isEqualCollection(resourceKeys, policyKeys);

    boolean ret = false;

    if (keysDiffer) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("isCompleteMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
        }
    } else {
        // resource is non-null here: resourceKeys != null implies it.
        for (RangerResourceDef resourceDef : serviceDef.getResources()) {
            final String                resourceName  = resourceDef.getName();
            final Object                resourceValue = resource.getValue(resourceName);
            final RangerResourceMatcher matcher       = getResourceMatcher(resourceName);

            if (resourceValue == null) {
                // Absent value: fine without a matcher, otherwise the matcher decides.
                ret = (matcher == null) || matcher.isCompleteMatch(null, evalContext);
            } else if (resourceValue instanceof String) {
                final String strValue = (String) resourceValue;

                if (StringUtils.isEmpty(strValue)) {
                    ret = (matcher == null) || matcher.isCompleteMatch(strValue, evalContext);
                } else {
                    // A real value with no matcher can never be a complete match.
                    ret = (matcher != null) && matcher.isCompleteMatch(strValue, evalContext);
                }
            } else {
                // Only String values are comparable here; anything else is a mismatch.
                ret = false;
            }

            if (!ret) {
                break;
            }
        }
    }

    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + ", " + evalContext + "): " + ret);
    }

    return ret;
}
Also used : RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Example 68 with RangerPerfTracer

Use of org.apache.ranger.plugin.util.RangerPerfTracer in the apache/ranger project.

Class RangerDefaultPolicyResourceMatcher, method init.

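/**
 * Builds the per-resource matchers for this policy's {@code policyResources} against
 * {@code serviceDef}.
 *
 * <p>Resets {@code allMatchers}, {@code needsDynamicEval}, {@code validResourceHierarchy} and
 * {@code isInitialized} first, so calling {@code init()} again after a failure never leaves
 * stale state behind. On success {@code allMatchers} holds one matcher per resource name found
 * in any hierarchy returned for the policy's resource keys, {@code needsDynamicEval} is set if
 * any matcher reports it, {@code validResourceHierarchy} is the single hierarchy that fits the
 * policy resources (or {@code null} when zero or more than one fit), and {@code isInitialized}
 * becomes {@code true}. On failure {@code allMatchers}, {@code serviceDefHelper} and
 * {@code validResourceHierarchy} are {@code null}, {@code isInitialized} stays {@code false},
 * and the reason is written to the error log.
 *
 * <p>Changes versus the previous revision are confined to two log messages: the "skipping
 * hierarchy" warning now prints the hierarchy actually being skipped instead of the whole set,
 * and the failure message closes its "(serviceDef=..." parenthesis.
 */
@Override
public void init() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.init()");
    }

    // Reset all derived state up front so a re-init after a failure is clean.
    allMatchers            = null;
    needsDynamicEval       = false;
    validResourceHierarchy = null;
    isInitialized          = false;

    String errorText = "";

    RangerPerfTracer perf = null;

    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG, "RangerDefaultPolicyResourceMatcher.init()");
    }

    if (policyResources != null && !policyResources.isEmpty() && serviceDef != null) {
        if (serviceDefHelper == null) {
            serviceDefHelper = new RangerServiceDefHelper(serviceDef, false);
        }

        Set<List<RangerResourceDef>> resourceHierarchies   = serviceDefHelper.getResourceHierarchies(policyType, policyResources.keySet());
        int                          validHierarchiesCount = 0;

        for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
            if (isHierarchyValidForResources(resourceHierarchy, policyResources)) {
                validHierarchiesCount++;

                // Only an unambiguous (single) valid hierarchy is remembered; two or more → null.
                validResourceHierarchy = (validHierarchiesCount == 1) ? resourceHierarchy : null;
            } else {
                // Fix: report the hierarchy being skipped, not the entire set.
                LOG.warn("RangerDefaultPolicyResourceMatcher.init(): gaps found in policyResources, skipping hierarchy:[" + resourceHierarchy + "]");
            }
        }

        if (validHierarchiesCount > 0) {
            allMatchers = new HashMap<>();

            // Matchers are created for every hierarchy returned by the helper, not only the
            // valid ones; a resource name already seen is skipped.
            for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
                for (RangerResourceDef resourceDef : resourceHierarchy) {
                    String resourceName = resourceDef.getName();

                    if (allMatchers.containsKey(resourceName)) {
                        continue;
                    }

                    RangerPolicyResource policyResource = policyResources.get(resourceName);

                    if (policyResource == null) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("RangerDefaultPolicyResourceMatcher.init(): no matcher created for " + resourceName + ". Continuing ...");
                        }
                        continue;
                    }

                    RangerResourceMatcher matcher = createResourceMatcher(resourceDef, policyResource);

                    if (matcher != null) {
                        if (!needsDynamicEval && matcher.getNeedsDynamicEval()) {
                            needsDynamicEval = true;
                        }
                        allMatchers.put(resourceName, matcher);
                    } else {
                        // A resource with a policy entry but no matcher makes the whole
                        // matcher set unusable; abandon it rather than match partially.
                        LOG.error("RangerDefaultPolicyResourceMatcher.init(): failed to find matcher for resource " + resourceName);
                        allMatchers = null;
                        errorText   = "no matcher found for resource " + resourceName;
                        break;
                    }
                }

                if (allMatchers == null) {
                    break;
                }
            }
        } else {
            errorText = "policyResources elements are not part of any valid resourcedef hierarchy.";
        }
    } else {
        errorText = "policyResources is null or empty, or serviceDef is null.";
    }

    if (allMatchers == null) {
        serviceDefHelper       = null;
        validResourceHierarchy = null;

        Set<String> policyResourceKeys = policyResources == null ? null : policyResources.keySet();
        String      serviceDefName     = serviceDef == null ? "" : serviceDef.getName();
        String      keysString         = CollectionUtils.isNotEmpty(policyResourceKeys) ? String.join(" ", policyResourceKeys) : "";

        // Fix: the message previously never closed the "(serviceDef=..." parenthesis.
        LOG.error("RangerDefaultPolicyResourceMatcher.init() failed: " + errorText + " (serviceDef=" + serviceDefName + ", policyResourceKeys=" + keysString + ")");
    } else {
        isInitialized = true;
    }

    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.init(): ret=" + isInitialized);
    }
}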
Also used : RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerServiceDefHelper(org.apache.ranger.plugin.model.validation.RangerServiceDefHelper) RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher) List(java.util.List) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Example 69 with RangerPerfTracer

Use of org.apache.ranger.plugin.util.RangerPerfTracer in the apache/ranger project.

Class RangerDefaultPolicyResourceMatcher, method getMatchType.

/**
 * Classifies how the policy's resource matchers relate to the given resource along the
 * hierarchy chosen by {@code getMatchingHierarchy(resource)}.
 *
 * <p>Outcomes, as implemented below:
 * <ul>
 *   <li>{@code NONE} – {@code resource} or {@code policyResources} is null, no hierarchy
 *       applies, or a supplied resource value fails its matcher.</li>
 *   <li>{@code SELF} – both the policy and the resource have no keys, or every matcher in
 *       the hierarchy matched a supplied value.</li>
 *   <li>{@code DESCENDANT} – the hierarchy has more matchers than the resource has values
 *       and at least one remaining matcher is not a match-any matcher.</li>
 *   <li>{@code ANCESTOR} – either the resource has values beyond the last matcher, or the
 *       remaining unmatched matchers are all match-any.</li>
 * </ul>
 *
 * @param resource    the access resource; {@code null} yields {@code NONE}
 * @param evalContext evaluation context forwarded to each matcher's {@code isMatch}
 * @return the {@code MatchType} described above
 */
@Override
public MatchType getMatchType(RangerAccessResource resource, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        // NOTE(review): resource and evalContext are concatenated with no separator here,
        // unlike isCompleteMatch(); purely a log-formatting quirk.
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.getMatchType(" + resource + evalContext + ")");
    }
    MatchType ret = MatchType.NONE;
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.getMatchType()");
    }
    if (resource != null && policyResources != null) {
        int resourceKeysSize = resource.getKeys() == null ? 0 : resource.getKeys().size();
        if (policyResources.size() == 0 && resourceKeysSize == 0) {
            // Empty policy against an empty resource is an exact match.
            ret = MatchType.SELF;
        } else {
            // getMatchingHierarchy() is defined elsewhere in this class; an empty result leaves ret = NONE.
            List<RangerResourceDef> hierarchy = getMatchingHierarchy(resource);
            if (CollectionUtils.isNotEmpty(hierarchy)) {
                // First pass: count the leading run of resource defs that have a matcher and
                // remember the position of the last matcher that is NOT a match-any matcher.
                int lastNonAnyMatcherIndex = -1;
                int matchersSize = 0;
                for (RangerResourceDef resourceDef : hierarchy) {
                    RangerResourceMatcher matcher = getResourceMatcher(resourceDef.getName());
                    if (matcher != null) {
                        if (!matcher.isMatchAny()) {
                            lastNonAnyMatcherIndex = matchersSize;
                        }
                        matchersSize++;
                    } else {
                        // Matchers past the first gap are never consulted.
                        break;
                    }
                }
                // Second pass: walk the hierarchy again, matching supplied values level by level.
                // lastMatchedMatcherIndex is (number of levels matched so far) - 1.
                int lastMatchedMatcherIndex = -1;
                for (RangerResourceDef resourceDef : hierarchy) {
                    RangerResourceMatcher matcher = getResourceMatcher(resourceDef.getName());
                    Object resourceValue = resource.getValue(resourceDef.getName());
                    if (matcher != null) {
                        if (resourceValue != null) {
                            if (matcher.isMatch(resourceValue, evalContext)) {
                                ret = MatchType.SELF;
                                lastMatchedMatcherIndex++;
                            } else {
                                // A supplied value that fails its matcher is a definitive mismatch.
                                ret = MatchType.NONE;
                                break;
                            }
                        } else {
                            // More matchers than resource-values
                            ret = MatchType.DESCENDANT;
                            if (lastMatchedMatcherIndex >= lastNonAnyMatcherIndex) {
                                // Every non-match-any matcher has already been satisfied, so the
                                // remaining matchers are all match-any.
                                ret = MatchType.ANCESTOR;
                                if (lastMatchedMatcherIndex == lastNonAnyMatcherIndex && lastMatchedMatcherIndex == -1) {
                                    // For degenerate case : resourceKeysSize == 0 and all matchers are of type Any
                                    ret = MatchType.SELF;
                                }
                            }
                            break;
                        }
                    } else {
                        if (resourceValue != null) {
                            // More resource-values than matchers
                            ret = MatchType.ANCESTOR;
                        }
                        // No matcher and no value: ret keeps whatever the previous level set.
                        break;
                    }
                }
            }
        }
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.getMatchType(" + resource + evalContext + "): " + ret);
    }
    return ret;
}
Also used : RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Example 70 with RangerPerfTracer

Use of org.apache.ranger.plugin.util.RangerPerfTracer in the apache/ranger project.

Class RangerDefaultPolicyResourceMatcher, method isMatch.

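/**
 * Matches an access resource by converting its string values into a
 * {@code Map<String, RangerPolicyResource>} and delegating to the map-based
 * {@code isMatch(Map, Map)} overload.
 *
 * <p>Every resource definition of {@code serviceDef} is visited; a {@code String} value becomes
 * a {@code RangerPolicyResource} entry, a null value is skipped, and any other type aborts the
 * conversion so the result is {@code false}. An empty conversion result is also {@code false}.
 *
 * <p>Change versus the previous revision: a {@code null} {@code resource} or {@code serviceDef}
 * now returns {@code false} instead of throwing {@code NullPointerException}, which is how
 * {@code isCompleteMatch()} and {@code getMatchType()} already treat a null resource.
 *
 * @param resource    the access resource to match; {@code null} never matches
 * @param evalContext evaluation context forwarded to the map-based overload
 * @return {@code true} if the converted resource map matches this policy's resources
 */
@Override
public boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext) {
    RangerPerfTracer perf = null;

    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        // Trace label is shared with isCompleteMatch(); kept verbatim for existing perf-log consumers.
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.grantRevokeMatch()");
    }

    /*
     * There is already API to get the delegateAdmin permissions for a map of policyResources.
     * That implementation should be reused for figuring out delegateAdmin permissions for a resource as well.
     */
    // Named to avoid shadowing the policyResources field that the other methods of this class read.
    Map<String, RangerPolicyResource> resourceAsPolicyResources = null;

    // Guard instead of dereferencing: a missing resource or service definition is "no match".
    if (resource != null && serviceDef != null) {
        for (RangerResourceDef resourceDef : serviceDef.getResources()) {
            String resourceName  = resourceDef.getName();
            Object resourceValue = resource.getValue(resourceName);

            if (resourceValue instanceof String) {
                if (resourceAsPolicyResources == null) {
                    resourceAsPolicyResources = new HashMap<>();
                }
                // NOTE(review): the single-arg RangerPolicyResource constructor's defaults
                // (e.g. excludes/recursive flags) are not visible here — confirm they are the intended ones.
                resourceAsPolicyResources.put(resourceName, new RangerPolicyResource((String) resourceValue));
            } else if (resourceValue != null) {
                // return false for any other type of resourceValue
                resourceAsPolicyResources = null;
                break;
            }
        }
    }

    final boolean ret = MapUtils.isNotEmpty(resourceAsPolicyResources) && isMatch(resourceAsPolicyResources, evalContext);

    RangerPerfTracer.log(perf);

    return ret;
}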
Also used : RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
