Example 6 with RangerPerfTracer
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerDefaultPolicyItemEvaluator method init.
public void init() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyItemEvaluator(policyId=" + policyId + ", policyItem=" + policyItem + ", serviceType=" + getServiceType() + ", conditionsDisabled=" + getConditionsDisabledOption() + ")");
}
Set<String> accessPerms = new HashSet<String>();
List<RangerPolicy.RangerPolicyItemAccess> policyItemAccesses = policyItem.getAccesses();
for (RangerPolicy.RangerPolicyItemAccess policyItemAccess : policyItemAccesses) {
if (policyItemAccess.getIsAllowed()) {
accessPerms.add(policyItemAccess.getType());
}
}
hasAllPerms = true;
List<RangerServiceDef.RangerAccessTypeDef> serviceAccessTypes = serviceDef.getAccessTypes();
for (RangerServiceDef.RangerAccessTypeDef serviceAccessType : serviceAccessTypes) {
String serviceAccessTypeName = serviceAccessType.getName();
if (!accessPerms.contains(serviceAccessTypeName)) {
hasAllPerms = false;
break;
}
}
if (!getConditionsDisabledOption() && CollectionUtils.isNotEmpty(policyItem.getConditions())) {
conditionEvaluators = new ArrayList<>();
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYITEM_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYITEM_INIT_LOG, "RangerPolicyItemEvaluator.init(policyId=" + policyId + ",policyItemIndex=" + getPolicyItemIndex() + ")");
}
for (RangerPolicyItemCondition condition : policyItem.getConditions()) {
RangerPolicyConditionDef conditionDef = getConditionDef(condition.getType());
if (conditionDef == null) {
LOG.error("RangerDefaultPolicyItemEvaluator(policyId=" + policyId + "): conditionDef '" + condition.getType() + "' not found. Ignoring the condition");
continue;
}
RangerConditionEvaluator conditionEvaluator = newConditionEvaluator(conditionDef.getEvaluator());
if (conditionEvaluator != null) {
conditionEvaluator.setServiceDef(serviceDef);
conditionEvaluator.setConditionDef(conditionDef);
conditionEvaluator.setPolicyItemCondition(condition);
RangerPerfTracer perfConditionInit = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYCONDITION_INIT_LOG)) {
perfConditionInit = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_INIT_LOG, "RangerConditionEvaluator.init(policyId=" + policyId + ",policyItemIndex=" + getPolicyItemIndex() + ",policyConditionType=" + condition.getType() + ")");
}
conditionEvaluator.init();
RangerPerfTracer.log(perfConditionInit);
conditionEvaluators.add(conditionEvaluator);
} else {
LOG.error("RangerDefaultPolicyItemEvaluator(policyId=" + policyId + "): failed to instantiate condition evaluator '" + condition.getType() + "'; evaluatorClassName='" + conditionDef.getEvaluator() + "'");
}
}
RangerPerfTracer.log(perf);
}
List<String> users = policyItem.getUsers();
this.hasCurrentUser = CollectionUtils.isNotEmpty(users) && users.contains(RangerPolicyEngine.USER_CURRENT);
this.hasResourceOwner = CollectionUtils.isNotEmpty(users) && users.contains(RangerPolicyEngine.RESOURCE_OWNER);
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyItemEvaluator(policyId=" + policyId + ", conditionsCount=" + getConditionEvaluators().size() + ")");
}
}
Also used :
RangerConditionEvaluator(org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerPolicyConditionDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
HashSet(java.util.HashSet)
Example 7 with RangerPerfTracer
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerValidityScheduleEvaluator method isApplicable.
public boolean isApplicable(long accessTime) {
if (LOG.isDebugEnabled()) {
LOG.debug("===> isApplicable(accessTime=" + accessTime + ")");
}
boolean ret = false;
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerValidityScheduleEvaluator.isApplicable(accessTime=" + accessTime + ")");
}
long startTimeInMSs = startTime == null ? 0 : startTime.getTime();
long endTimeInMSs = endTime == null ? 0 : endTime.getTime();
if (StringUtils.isNotBlank(timeZone)) {
TimeZone targetTZ = TimeZone.getTimeZone(timeZone);
if (startTimeInMSs > 0) {
startTimeInMSs = getAdjustedTime(startTimeInMSs, targetTZ);
}
if (endTimeInMSs > 0) {
endTimeInMSs = getAdjustedTime(endTimeInMSs, targetTZ);
}
}
if ((startTimeInMSs == 0 || accessTime >= startTimeInMSs) && (endTimeInMSs == 0 || accessTime <= endTimeInMSs)) {
if (CollectionUtils.isEmpty(recurrenceEvaluators)) {
ret = true;
} else {
Calendar now = new GregorianCalendar();
now.setTime(new Date(accessTime));
for (RangerRecurrenceEvaluator recurrenceEvaluator : recurrenceEvaluators) {
ret = recurrenceEvaluator.isApplicable(now);
if (ret) {
break;
}
}
}
}
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
LOG.debug("<=== isApplicable(accessTime=" + accessTime + ") :" + ret);
}
return ret;
}
Also used :
TimeZone(java.util.TimeZone)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
GregorianCalendar(java.util.GregorianCalendar)
Calendar(java.util.Calendar)
GregorianCalendar(java.util.GregorianCalendar)
Date(java.util.Date)
Example 8 with RangerPerfTracer
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerDefaultPolicyResourceMatcher method isCompleteMatch.
@Override
public boolean isCompleteMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ", " + evalContext + ")");
}
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.applyPolicyMatch()");
}
boolean ret = false;
Collection<String> resourceKeys = resources == null ? null : resources.keySet();
Collection<String> policyKeys = policyResources == null ? null : policyResources.keySet();
boolean keysMatch = resourceKeys != null && policyKeys != null && CollectionUtils.isEqualCollection(resourceKeys, policyKeys);
if (keysMatch) {
for (RangerResourceDef resourceDef : serviceDef.getResources()) {
String resourceName = resourceDef.getName();
RangerPolicyResource resourceValues = resources.get(resourceName);
RangerPolicyResource policyValues = policyResources == null ? null : policyResources.get(resourceName);
if (resourceValues == null || CollectionUtils.isEmpty(resourceValues.getValues())) {
ret = (policyValues == null || CollectionUtils.isEmpty(policyValues.getValues()));
} else if (policyValues != null && CollectionUtils.isNotEmpty(policyValues.getValues())) {
ret = CollectionUtils.isEqualCollection(resourceValues.getValues(), policyValues.getValues());
}
if (!ret) {
break;
}
}
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("isCompleteMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
}
}
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ", " + evalContext + "): " + ret);
}
return ret;
}
Also used :
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
Example 9 with RangerPerfTracer
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class RangerDefaultPolicyResourceMatcher method isMatch.
@Override
public boolean isMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + ")");
}
boolean ret = false;
RangerPerfTracer perf = null;
if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.delegateAdminMatch()");
}
if (serviceDef != null && serviceDef.getResources() != null) {
Collection<String> resourceKeys = resources == null ? null : resources.keySet();
Collection<String> policyKeys = policyResources == null ? null : policyResources.keySet();
boolean keysMatch = CollectionUtils.isEmpty(resourceKeys) || (policyKeys != null && policyKeys.containsAll(resourceKeys));
if (keysMatch) {
for (RangerResourceDef resourceDef : serviceDef.getResources()) {
String resourceName = resourceDef.getName();
RangerPolicyResource resourceValues = resources == null ? null : resources.get(resourceName);
List<String> values = resourceValues == null ? null : resourceValues.getValues();
RangerResourceMatcher matcher = allMatchers == null ? null : allMatchers.get(resourceName);
if (matcher != null) {
if (CollectionUtils.isNotEmpty(values)) {
for (String value : values) {
ret = matcher.isMatch(value, evalContext);
if (!ret) {
break;
}
}
} else {
ret = matcher.isMatchAny();
}
} else {
ret = CollectionUtils.isEmpty(values);
}
if (!ret) {
break;
}
}
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("isMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
}
}
}
RangerPerfTracer.log(perf);
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + "): " + ret);
}
return ret;
}
Also used :
RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
Example 10 with RangerPerfTracer
use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.
the class ServiceREST method getServiceDefByName.
@GET
@Path("/definitions/name/{name}")
@Produces({ "application/json", "application/xml" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF_BY_NAME + "\")")
public RangerServiceDef getServiceDefByName(@PathParam("name") String name) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getServiceDefByName(serviceDefName=" + name + ")");
}
RangerServiceDef ret = null;
RangerPerfTracer perf = null;
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefByName(" + name + ")");
}
XXServiceDef xServiceDef = daoManager.getXXServiceDef().findByName(name);
if (xServiceDef != null) {
if (!bizUtil.hasAccess(xServiceDef, null)) {
throw restErrorUtil.createRESTException("User is not allowed to access service-def: " + xServiceDef.getName(), MessageEnums.OPER_NO_PERMISSION);
}
}
ret = svcStore.getServiceDefByName(name);
} catch (WebApplicationException excp) {
throw excp;
} catch (Throwable excp) {
LOG.error("getServiceDefByName(" + name + ") failed", excp);
throw restErrorUtil.createRESTException(excp.getMessage());
} finally {
RangerPerfTracer.log(perf);
}
if (ret == null) {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.getServiceDefByName(" + name + "): " + ret);
}
return ret;
}
Also used :
XXServiceDef(org.apache.ranger.entity.XXServiceDef)
WebApplicationException(javax.ws.rs.WebApplicationException)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef)
Path(javax.ws.rs.Path)
Produces(javax.ws.rs.Produces)
GET(javax.ws.rs.GET)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
Aggregations
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)75
WebApplicationException (javax.ws.rs.WebApplicationException)36
Path (javax.ws.rs.Path)33
Produces (javax.ws.rs.Produces)33
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)21
VXString (org.apache.ranger.view.VXString)18
GET (javax.ws.rs.GET)17
PreAuthorize (org.springframework.security.access.prepost.PreAuthorize)16
RangerService (org.apache.ranger.plugin.model.RangerService)11
POST (javax.ws.rs.POST)10
ArrayList (java.util.ArrayList)9
XXServiceDef (org.apache.ranger.entity.XXServiceDef)9
RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)9
SearchFilter (org.apache.ranger.plugin.util.SearchFilter)9
JsonSyntaxException (com.google.gson.JsonSyntaxException)8
IOException (java.io.IOException)8
RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)7
RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)7
RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)6
XXService (org.apache.ranger.entity.XXService)5
