
Example 6 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerDefaultPolicyItemEvaluator method init.

/**
 * Prepares this policy-item evaluator for use.
 *
 * <p>Three things are derived from the policy item and the service definition:
 * <ul>
 *   <li>{@code hasAllPerms} - whether every access type declared by the service
 *       definition is explicitly allowed by this item;</li>
 *   <li>{@code conditionEvaluators} - one initialised evaluator per policy-item
 *       condition (only when conditions are not disabled and the item has any);</li>
 *   <li>{@code hasCurrentUser} / {@code hasResourceOwner} - whether the item's user
 *       list contains the corresponding {@code RangerPolicyEngine} marker values.</li>
 * </ul>
 *
 * <p>NOTE(review): a condition whose definition is missing, or whose evaluator cannot
 * be instantiated, is logged at ERROR and skipped; no evaluator is registered for it.
 * Presumably the item is then evaluated without that condition, which would make an
 * allow item match more broadly than its author intended - confirm against the
 * evaluation path, and treat these ERROR lines as something to alert on.
 */
public void init() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyItemEvaluator(policyId=" + policyId + ", policyItem=" + policyItem + ", serviceType=" + getServiceType() + ", conditionsDisabled=" + getConditionsDisabledOption() + ")");
    }

    // Collect the access types this item explicitly allows.
    Set<String> allowedTypes = new HashSet<String>();
    for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) {
        if (access.getIsAllowed()) {
            allowedTypes.add(access.getType());
        }
    }

    // The item carries "all permissions" only if no service access type is missing.
    // An empty access-type list in the service definition leaves the flag true.
    hasAllPerms = true;
    for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
        if (!allowedTypes.contains(accessTypeDef.getName())) {
            hasAllPerms = false;
            break;
        }
    }

    boolean conditionsEnabled = !getConditionsDisabledOption();
    if (conditionsEnabled && CollectionUtils.isNotEmpty(policyItem.getConditions())) {
        conditionEvaluators = new ArrayList<>();

        RangerPerfTracer perf = RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYITEM_INIT_LOG)
                ? RangerPerfTracer.getPerfTracer(PERF_POLICYITEM_INIT_LOG, "RangerPolicyItemEvaluator.init(policyId=" + policyId + ",policyItemIndex=" + getPolicyItemIndex() + ")")
                : null;

        for (RangerPolicyItemCondition condition : policyItem.getConditions()) {
            RangerPolicyConditionDef conditionDef = getConditionDef(condition.getType());
            if (conditionDef == null) {
                // Unknown condition type: skipped, not treated as a failed condition.
                LOG.error("RangerDefaultPolicyItemEvaluator(policyId=" + policyId + "): conditionDef '" + condition.getType() + "' not found. Ignoring the condition");
                continue;
            }

            // The evaluator is chosen by the name stored in the service definition.
            // NOTE(review): presumably instantiated by class name - whoever can edit
            // service definitions then selects the class; verify newConditionEvaluator.
            RangerConditionEvaluator evaluator = newConditionEvaluator(conditionDef.getEvaluator());
            if (evaluator == null) {
                // Same skip-and-continue handling as a missing definition.
                LOG.error("RangerDefaultPolicyItemEvaluator(policyId=" + policyId + "): failed to instantiate condition evaluator '" + condition.getType() + "'; evaluatorClassName='" + conditionDef.getEvaluator() + "'");
                continue;
            }

            evaluator.setServiceDef(serviceDef);
            evaluator.setConditionDef(conditionDef);
            evaluator.setPolicyItemCondition(condition);

            RangerPerfTracer perfConditionInit = RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYCONDITION_INIT_LOG)
                    ? RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_INIT_LOG, "RangerConditionEvaluator.init(policyId=" + policyId + ",policyItemIndex=" + getPolicyItemIndex() + ",policyConditionType=" + condition.getType() + ")")
                    : null;

            // If init() throws, neither tracer below is logged and the exception propagates.
            evaluator.init();
            RangerPerfTracer.log(perfConditionInit);

            conditionEvaluators.add(evaluator);
        }

        RangerPerfTracer.log(perf);
    }

    // Record whether the item refers to the requesting user or the resource owner via
    // the RangerPolicyEngine marker values.
    List<String> users = policyItem.getUsers();
    boolean hasUsers = CollectionUtils.isNotEmpty(users);
    this.hasCurrentUser = hasUsers && users.contains(RangerPolicyEngine.USER_CURRENT);
    this.hasResourceOwner = hasUsers && users.contains(RangerPolicyEngine.RESOURCE_OWNER);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyItemEvaluator(policyId=" + policyId + ", conditionsCount=" + getConditionEvaluators().size() + ")");
    }
}
Also used : RangerConditionEvaluator(org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerPolicyConditionDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) HashSet(java.util.HashSet)

Example 7 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerValidityScheduleEvaluator method isApplicable.

/**
 * Decides whether this validity schedule covers {@code accessTime}.
 *
 * <p>The access time must lie inside the optional [startTime, endTime] window; a
 * missing bound is represented internally as {@code 0} and means "unbounded". When
 * recurrence evaluators are configured, at least one of them must also accept the
 * access time.
 *
 * <p>NOTE(review): {@link TimeZone#getTimeZone(String)} returns GMT for an ID it does
 * not recognise, so a mistyped {@code timeZone} shifts the window silently instead of
 * failing. Validate the ID where the schedule is created.
 *
 * <p>NOTE(review): the calendar handed to the recurrence evaluators is built with the
 * JVM default time zone, not {@code timeZone} - confirm the recurrence evaluators
 * account for that.
 *
 * @param accessTime time of the access, in milliseconds (compared directly with
 *                   {@code startTime.getTime()} / {@code endTime.getTime()})
 * @return {@code true} if the schedule applies at {@code accessTime}
 */
public boolean isApplicable(long accessTime) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("===> isApplicable(accessTime=" + accessTime + ")");
    }

    boolean applicable = false;

    RangerPerfTracer perf = RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)
            ? RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerValidityScheduleEvaluator.isApplicable(accessTime=" + accessTime + ")")
            : null;

    // 0 doubles as the "no bound configured" sentinel for both ends of the window.
    long windowStart = (startTime != null) ? startTime.getTime() : 0;
    long windowEnd = (endTime != null) ? endTime.getTime() : 0;

    if (StringUtils.isNotBlank(timeZone)) {
        TimeZone targetTZ = TimeZone.getTimeZone(timeZone);

        // Only configured bounds are shifted; the sentinel must stay 0.
        if (windowStart > 0) {
            windowStart = getAdjustedTime(windowStart, targetTZ);
        }
        if (windowEnd > 0) {
            windowEnd = getAdjustedTime(windowEnd, targetTZ);
        }
    }

    boolean notBeforeStart = windowStart == 0 || accessTime >= windowStart;
    boolean notAfterEnd = windowEnd == 0 || accessTime <= windowEnd;

    if (notBeforeStart && notAfterEnd) {
        if (CollectionUtils.isEmpty(recurrenceEvaluators)) {
            // No recurrence rules: being inside the window is sufficient.
            applicable = true;
        } else {
            Calendar now = new GregorianCalendar();
            now.setTime(new Date(accessTime));

            // Any single recurrence rule accepting the time is enough.
            for (RangerRecurrenceEvaluator recurrenceEvaluator : recurrenceEvaluators) {
                if (recurrenceEvaluator.isApplicable(now)) {
                    applicable = true;
                    break;
                }
            }
        }
    }

    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<=== isApplicable(accessTime=" + accessTime + ") :" + applicable);
    }
    return applicable;
}
Also used : TimeZone(java.util.TimeZone) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) GregorianCalendar(java.util.GregorianCalendar) Calendar(java.util.Calendar) GregorianCalendar(java.util.GregorianCalendar) Date(java.util.Date)

Example 8 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerDefaultPolicyResourceMatcher method isCompleteMatch.

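/**
 * Checks whether {@code resources} is exactly the resource set of this matcher's policy.
 *
 * <p>The two maps must have the same keys, and for every resource defined by the
 * service definition the value lists must be equal as collections (or both be
 * absent/empty).
 *
 * <p>Each resource is now decided on its own. Previously, a resource with values on
 * the request side but no values on the policy side hit neither branch and kept the
 * result of the preceding resource, so a mismatch after an earlier match was reported
 * as a complete match. A missing service definition (or resource list) now yields
 * {@code false} instead of a {@code NullPointerException}.
 *
 * @param resources   resource name to values, as supplied by the caller; may be {@code null}
 * @param evalContext evaluation context; only logged here
 * @return {@code true} only if every resource matches completely
 */
@Override
public boolean isCompleteMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ", " + evalContext + ")");
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        // NOTE(review): the perf tag names applyPolicyMatch(), not isCompleteMatch();
        // left unchanged because log consumers may key on it.
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.applyPolicyMatch()");
    }
    boolean ret = false;
    Collection<String> resourceKeys = resources == null ? null : resources.keySet();
    Collection<String> policyKeys = policyResources == null ? null : policyResources.keySet();
    boolean keysMatch = resourceKeys != null && policyKeys != null && CollectionUtils.isEqualCollection(resourceKeys, policyKeys);
    if (keysMatch) {
        // Without a service definition there is nothing to compare against: report no match.
        if (serviceDef != null && serviceDef.getResources() != null) {
            for (RangerResourceDef resourceDef : serviceDef.getResources()) {
                String resourceName = resourceDef.getName();
                RangerPolicyResource resourceValues = resources.get(resourceName);
                RangerPolicyResource policyValues = policyResources == null ? null : policyResources.get(resourceName);

                boolean resourceEmpty = resourceValues == null || CollectionUtils.isEmpty(resourceValues.getValues());
                boolean policyEmpty = policyValues == null || CollectionUtils.isEmpty(policyValues.getValues());

                if (resourceEmpty || policyEmpty) {
                    // Matches only when both sides are empty; one-sided emptiness is a mismatch.
                    ret = resourceEmpty && policyEmpty;
                } else {
                    ret = CollectionUtils.isEqualCollection(resourceValues.getValues(), policyValues.getValues());
                }

                if (!ret) {
                    break;
                }
            }
        }
    } else {
        if (LOG.isDebugEnabled()) {
            LOG.debug("isCompleteMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
        }
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ", " + evalContext + "): " + ret);
    }
    return ret;
}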
Also used : RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Example 9 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class RangerDefaultPolicyResourceMatcher method isMatch.

/**
 * Checks whether every value in {@code resources} is matched by this policy's resource
 * matchers.
 *
 * <p>The request's resource names must all be present in the policy. Then, for each
 * resource in the service definition: with a matcher, every supplied value must match
 * (or, if none was supplied, the matcher must match anything); without a matcher, the
 * request must not supply values for that resource.
 *
 * <p>A {@code null} or empty {@code resources} map passes the key check, so the result
 * then depends only on {@code isMatchAny()} of the configured matchers.
 *
 * <p>NOTE(review): {@code resources} and {@code evalContext} are written to the debug
 * log via string concatenation; check what the context can hold before enabling DEBUG
 * in production.
 *
 * @param resources   resource name to values to test; may be {@code null}
 * @param evalContext evaluation context passed through to each matcher
 * @return {@code true} if all resources match; {@code false} otherwise, including when
 *         the service definition or its resource list is missing
 */
@Override
public boolean isMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + ")");
    }

    boolean matched = false;

    // The perf tag below names delegateAdminMatch(), not isMatch(); it is kept as-is.
    RangerPerfTracer perf = RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)
            ? RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.delegateAdminMatch()")
            : null;

    if (serviceDef != null && serviceDef.getResources() != null) {
        Collection<String> resourceKeys = (resources != null) ? resources.keySet() : null;
        Collection<String> policyKeys = (policyResources != null) ? policyResources.keySet() : null;

        // Every requested resource name must be one the policy knows about.
        boolean keysMatch = CollectionUtils.isEmpty(resourceKeys) || (policyKeys != null && policyKeys.containsAll(resourceKeys));

        if (!keysMatch) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("isMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
            }
        } else {
            for (RangerResourceDef resourceDef : serviceDef.getResources()) {
                String resourceName = resourceDef.getName();

                RangerPolicyResource requested = (resources != null) ? resources.get(resourceName) : null;
                List<String> values = (requested != null) ? requested.getValues() : null;
                RangerResourceMatcher matcher = (allMatchers != null) ? allMatchers.get(resourceName) : null;

                if (matcher == null) {
                    // No matcher for this resource: only acceptable if nothing was requested.
                    matched = CollectionUtils.isEmpty(values);
                } else if (CollectionUtils.isEmpty(values)) {
                    // Nothing requested: the policy side must accept any value.
                    matched = matcher.isMatchAny();
                } else {
                    // All requested values must match; stop at the first that does not.
                    matched = true;
                    for (String value : values) {
                        if (!matcher.isMatch(value, evalContext)) {
                            matched = false;
                            break;
                        }
                    }
                }

                if (!matched) {
                    break;
                }
            }
        }
    }

    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + "): " + matched);
    }
    return matched;
}
Also used : RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Example 10 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class ServiceREST method getServiceDefByName.

/**
 * REST endpoint returning the service definition registered under {@code name}.
 *
 * <p>Access is gated twice: by the {@code @PreAuthorize} API-level check, and by
 * {@code bizUtil.hasAccess} on the database record when one is found.
 *
 * <p>NOTE(review), for whoever hardens this endpoint:
 * <ul>
 *   <li>The object-level check runs only if the DAO lookup finds a record, while the
 *       returned object comes from a separate {@code svcStore} lookup. If the two can
 *       disagree, a definition is returned without {@code hasAccess} being consulted -
 *       verify they share a source of truth.</li>
 *   <li>An existing-but-forbidden name yields a permission error that echoes the name,
 *       an unknown name yields 404, so callers can tell the two apart.</li>
 *   <li>{@code name} is a caller-supplied path parameter concatenated into log lines;
 *       make sure the log layout neutralises CR/LF.</li>
 *   <li>Unexpected failures forward {@code getMessage()} of the caught throwable to the
 *       client, which may expose internal detail.</li>
 * </ul>
 *
 * @param name service-definition name taken from the URL path
 * @return the matching service definition, never {@code null}
 * @throws WebApplicationException on denied access, lookup failure, or when nothing is
 *         found (HTTP 404)
 */
@GET
@Path("/definitions/name/{name}")
@Produces({ "application/json", "application/xml" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF_BY_NAME + "\")")
public RangerServiceDef getServiceDefByName(@PathParam("name") String name) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.getServiceDefByName(serviceDefName=" + name + ")");
    }

    RangerServiceDef found = null;
    RangerPerfTracer perf = null;

    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefByName(" + name + ")");
        }

        // Object-level authorization applies only to a record that exists in the DB.
        XXServiceDef dbRecord = daoManager.getXXServiceDef().findByName(name);
        boolean denied = dbRecord != null && !bizUtil.hasAccess(dbRecord, null);
        if (denied) {
            throw restErrorUtil.createRESTException("User is not allowed to access service-def: " + dbRecord.getName(), MessageEnums.OPER_NO_PERMISSION);
        }

        found = svcStore.getServiceDefByName(name);
    } catch (WebApplicationException passThrough) {
        // Already a REST error (e.g. the permission failure above): do not re-wrap.
        throw passThrough;
    } catch (Throwable failure) {
        LOG.error("getServiceDefByName(" + name + ") failed", failure);
        throw restErrorUtil.createRESTException(failure.getMessage());
    } finally {
        RangerPerfTracer.log(perf);
    }

    if (found == null) {
        throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.getServiceDefByName(" + name + "): " + found);
    }
    return found;
}
Also used : XXServiceDef(org.apache.ranger.entity.XXServiceDef) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)

Aggregations

RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)75 WebApplicationException (javax.ws.rs.WebApplicationException)36 Path (javax.ws.rs.Path)33 Produces (javax.ws.rs.Produces)33 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)21 VXString (org.apache.ranger.view.VXString)18 GET (javax.ws.rs.GET)17 PreAuthorize (org.springframework.security.access.prepost.PreAuthorize)16 RangerService (org.apache.ranger.plugin.model.RangerService)11 POST (javax.ws.rs.POST)10 ArrayList (java.util.ArrayList)9 XXServiceDef (org.apache.ranger.entity.XXServiceDef)9 RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)9 SearchFilter (org.apache.ranger.plugin.util.SearchFilter)9 JsonSyntaxException (com.google.gson.JsonSyntaxException)8 IOException (java.io.IOException)8 RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)7 RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)7 RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)6 XXService (org.apache.ranger.entity.XXService)5