
Example 1 with RangerRequestedResources

Use of org.apache.ranger.plugin.util.RangerRequestedResources in the Apache Ranger project (apache/ranger).

Class RangerHiveResourcesAccessedTogetherCondition, method isMatched.

/**
 * Policy-condition hook for the "resources accessed together" condition.
 *
 * The set of resources accessed by the current statement is read from the request
 * context (the Hive plugin stores it there before evaluation). The condition holds
 * when that set is present and this condition's matchers are NOT mutually excluded
 * by it -- i.e., per the class name, the configured resources were accessed together.
 *
 * Fail-open caveat: when the condition was never initialized, or has no matchers,
 * it logs an error and reports a match (true), so the owning policy item is applied
 * as though the condition were satisfied. A missing RangerRequestedResources in the
 * context, on the other hand, yields false.
 *
 * @param request the access request under evaluation; its context is expected to
 *                carry the RangerRequestedResources populated by the plugin
 * @return true if the condition is satisfied (or cannot be evaluated), false otherwise
 */
@Override
public boolean isMatched(final RangerAccessRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHiveResourcesAccessedTogetherCondition.isMatched(" + request + ")");
    }

    final boolean matched;
    if (!isInitialized || CollectionUtils.isEmpty(matchers)) {
        // Not enforceable: report a match rather than block (fail-open).
        LOG.error("RangerHiveResourcesAccessedTogetherCondition.isMatched() - condition is not initialized correctly and will NOT be enforced");
        matched = true;
    } else {
        final RangerRequestedResources accessed = RangerAccessRequestUtil.getRequestedResourcesFromContext(request.getContext());
        // No accessed-resource set in the context => the condition cannot hold.
        matched = accessed != null && !accessed.isMutuallyExcluded(matchers, request.getContext());
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHiveResourcesAccessedTogetherCondition.isMatched(" + request + ")" + ", result=" + matched);
    }
    return matched;
}

Example 2 with RangerRequestedResources

Use of org.apache.ranger.plugin.util.RangerRequestedResources in the Apache Ranger project (apache/ranger).

Class RangerHivePlugin, method buildRequestContextWithAllAccessedResources.

/**
 * Collects every resource touched by a batch of Hive access requests into one
 * RangerRequestedResources and installs that same instance into the context of
 * each request, so that conditions such as "accessed together" / "not accessed
 * together" can see the whole statement when a single request is evaluated.
 *
 * Side effects: each request's context map is updated, and each request's
 * RangerHiveResource has its service-def set (needed because multi-column
 * requests never reach the plugin as individual requests, so nothing else
 * sets it). A COLUMN resource whose column field holds several names joined
 * by COLUMN_SEP is expanded into one RangerHiveResource per non-blank column.
 *
 * @param requests the Hive access requests of one statement; each resource is
 *                 downcast to RangerHiveResource (a different implementation
 *                 would throw ClassCastException here)
 * @return the shared RangerRequestedResources that was placed in every context
 */
private RangerRequestedResources buildRequestContextWithAllAccessedResources(List<RangerHiveAccessRequest> requests) {
    final RangerRequestedResources accessed = new RangerRequestedResources();

    for (RangerHiveAccessRequest req : requests) {
        // One shared instance for the whole batch: every request sees everything requested.
        RangerAccessRequestUtil.setRequestedResourcesInContext(req.getContext(), accessed);

        final RangerHiveResource hiveResource = (RangerHiveResource) req.getResource();
        final boolean multiColumn = hiveResource.getObjectType() == HiveObjectType.COLUMN
                && StringUtils.contains(hiveResource.getColumn(), COLUMN_SEP);

        // Original request is not sent to the plugin for multi-column access, so the
        // service-def must be set here (done unconditionally; harmless otherwise).
        hiveResource.setServiceDef(hivePlugin.getServiceDef());

        if (!multiColumn) {
            accessed.addRequestedResource(hiveResource);
            continue;
        }

        for (String rawColumn : StringUtils.split(hiveResource.getColumn(), COLUMN_SEP)) {
            final String column = rawColumn == null ? null : rawColumn.trim();
            if (StringUtils.isBlank(column)) {
                continue;
            }
            final RangerHiveResource perColumn = new RangerHiveResource(HiveObjectType.COLUMN, hiveResource.getDatabase(), hiveResource.getTable(), column);
            perColumn.setServiceDef(hivePlugin.getServiceDef());
            accessed.addRequestedResource(perColumn);
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("RangerHiveAuthorizer.buildRequestContextWithAllAccessedResources() - " + accessed);
    }
    return accessed;
}

Example 3 with RangerRequestedResources

Use of org.apache.ranger.plugin.util.RangerRequestedResources in the Apache Ranger project (apache/ranger).

Class TestPolicyEngine, method runTests.

/**
 * Runs one policy-engine test-case file: deserializes a PolicyEngineTestCase from
 * {@code reader}, builds a RangerPolicyEngineImpl from its service-def and policies
 * (plus tag policies when present), then evaluates every TestData entry and asserts
 * its access, data-mask, row-filter and resource-access-info results against the
 * expected values carried by the fixture.
 *
 * @param reader   JSON source of the test case (not closed here)
 * @param testName label used in assertion/error messages and passed to the
 *                 RangerPolicyEngineImpl constructor
 */
private void runTests(InputStreamReader reader, String testName) {
    PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
    // Fixture sanity: a missing service-def, policy list or test list is a broken fixture, not a failing test.
    assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null);
    ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setServiceName(testCase.serviceName);
    servicePolicies.setServiceDef(testCase.serviceDef);
    servicePolicies.setPolicies(testCase.policies);
    if (StringUtils.isNotBlank(testCase.auditMode)) {
        servicePolicies.setAuditMode(testCase.auditMode);
    }
    if (null != testCase.tagPolicyInfo) {
        ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
        tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
        tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
        tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
        // The fixture carries a single auditMode; it is applied to the tag policies as well.
        if (StringUtils.isNotBlank(testCase.auditMode)) {
            tagPolicies.setAuditMode(testCase.auditMode);
        }
        servicePolicies.setTagPolicies(tagPolicies);
    }
    RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
    policyEngineOptions.disableTagPolicyEvaluation = false;
    // Client-IP handling comes from the live Hive plugin configuration, not from the fixture.
    // NOTE(review): honouring X-Forwarded-For makes the remote address client-controlled unless the
    // engine only trusts it when the direct peer is in trustedProxyAddresses -- assumed to be enforced
    // inside RangerPolicyEngineImpl; confirm there, since IP-based policy conditions depend on it.
    boolean useForwardedIPAddress = RangerConfiguration.getInstance().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
    String trustedProxyAddressString = RangerConfiguration.getInstance().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
    String[] trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, ';');
    // split() yields null for a null/empty input, hence the guard; entries are trimmed so "a; b" works.
    if (trustedProxyAddresses != null) {
        for (int i = 0; i < trustedProxyAddresses.length; i++) {
            trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
        }
    }
    RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
    policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
    policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
    long requestCount = 0L;
    RangerAccessRequest request = null;
    for (TestData test : testCase.tests) {
        request = test.request;
        // Every tenth request (counts 1, 11, 21, ...) re-sorts the evaluators mid-run, so the
        // remaining tests also exercise evaluation after a reorder.
        if ((requestCount++ % 10) == 1) {
            policyEngine.reorderPolicyEvaluators();
        }
        // Fixtures may carry tags / requested-resources as JSON strings inside the request context.
        // Such requests are rebuilt with the parsed objects and bypass policyEngine.preProcess(),
        // because preProcess would run the context enrichers and override what the fixture supplied.
        if (request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_TAGS) || request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
            // Create a new AccessRequest that copies every field of the fixture request.
            RangerAccessRequestImpl newRequest = new RangerAccessRequestImpl(request.getResource(), request.getAccessType(), request.getUser(), request.getUserGroups());
            newRequest.setClientType(request.getClientType());
            newRequest.setAccessTime(request.getAccessTime());
            newRequest.setAction(request.getAction());
            newRequest.setRemoteIPAddress(request.getRemoteIPAddress());
            newRequest.setForwardedAddresses(request.getForwardedAddresses());
            newRequest.setRequestData(request.getRequestData());
            newRequest.setSessionId(request.getSessionId());
            // The fixture's own context map is reused (and mutated in place) for the rebuilt request.
            Map<String, Object> context = request.getContext();
            String tagsJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
            // The raw string is dropped before parsing so a failed parse leaves no TAGS key behind.
            context.remove(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
            if (!StringUtils.isEmpty(tagsJsonString)) {
                try {
                    Type setType = new TypeToken<Set<RangerTagForEval>>() {
                    }.getType();
                    Set<RangerTagForEval> tags = gsonBuilder.fromJson(tagsJsonString, setType);
                    context.put(RangerAccessRequestUtil.KEY_CONTEXT_TAGS, tags);
                } catch (Exception e) {
                    // NOTE(review): a malformed TAGS fixture is only printed; the test then runs without
                    // tags and shows up as a result mismatch below -- or passes silently if the expected
                    // result happens not to depend on the tags.
                    System.err.println("TestPolicyEngine.runTests(): error parsing TAGS JSON string in file " + testName + ", tagsJsonString=" + tagsJsonString + ", exception=" + e);
                }
            } else if (request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
                // Reached only when no (non-empty) TAGS string was supplied. A fixture carrying both keys
                // would keep its REQUESTED_RESOURCES entry as an unparsed String -- presumably no fixture
                // does that; NOTE(review): confirm, or drop the "else".
                String resourcesJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
                context.remove(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
                if (!StringUtils.isEmpty(resourcesJsonString)) {
                    try {
                        // (An earlier variant deserialized through a StringReader; the TypeToken form below is the one in use.)
                        Type myType = new TypeToken<RangerRequestedResources>() {
                        }.getType();
                        RangerRequestedResources resources = gsonBuilder.fromJson(resourcesJsonString, myType);
                        context.put(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES, resources);
                    } catch (Exception e) {
                        // NOTE(review): same silent fallback as for TAGS -- the request is evaluated with no
                        // requested-resources set, so "accessed together" conditions are not really exercised.
                        System.err.println("TestPolicyEngine.runTests(): error parsing REQUESTED_RESOURCES string in file " + testName + ", resourcesJsonString=" + resourcesJsonString + ", exception=" + e);
                    }
                }
            }
            newRequest.setContext(context);
            // accessResource.ServiceDef is set here, so that we can skip call to policyEngine.preProcess() which
            // sets the serviceDef in the resource AND calls enrichers. We dont want enrichers to be called when
            // context already contains tags -- This may change when we want enrichers to enrich request in the
            // presence of tags!!!
            // Cast assumed safe: the fixture's resource is presumably deserialized as RangerAccessResourceImpl
            // (verify in PolicyEngineTestCase); any other implementation would throw ClassCastException here.
            // The resource object is shared with newRequest, so setting the service-def on it covers both.
            RangerAccessResourceImpl accessResource = (RangerAccessResourceImpl) request.getResource();
            accessResource.setServiceDef(testCase.serviceDef);
            request = newRequest;
        } else if (!request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
            // NOTE(review): this guard is always true here -- the branch above already took every request whose
            // context contains KEY_CONTEXT_REQUESTED_RESOURCES -- so preProcess() runs for all remaining requests.
            policyEngine.preProcess(request);
        }
        RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
        // Each result type is checked only when the fixture supplies an expectation for it.
        if (test.result != null) {
            RangerAccessResult expected = test.result;
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
            assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
        if (test.dataMaskResult != null) {
            RangerAccessResult expected = test.dataMaskResult;
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("maskType mismatched! - " + test.name, expected.getMaskType(), result.getMaskType());
            assertEquals("maskCondition mismatched! - " + test.name, expected.getMaskCondition(), result.getMaskCondition());
            assertEquals("maskedValue mismatched! - " + test.name, expected.getMaskedValue(), result.getMaskedValue());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
        if (test.rowFilterResult != null) {
            RangerAccessResult expected = test.rowFilterResult;
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
        if (test.resourceAccessInfo != null) {
            RangerResourceAccessInfo expected = new RangerResourceAccessInfo(test.resourceAccessInfo);
            // Note: evaluated against the fixture's original test.request, not the rebuilt/pre-processed request.
            RangerResourceAccessInfo result = policyEngine.getResourceAccessInfo(test.request);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("allowedUsers mismatched! - " + test.name, expected.getAllowedUsers(), result.getAllowedUsers());
            assertEquals("allowedGroups mismatched! - " + test.name, expected.getAllowedGroups(), result.getAllowedGroups());
            assertEquals("deniedUsers mismatched! - " + test.name, expected.getDeniedUsers(), result.getDeniedUsers());
            assertEquals("deniedGroups mismatched! - " + test.name, expected.getDeniedGroups(), result.getDeniedGroups());
        }
    }
}

Example 4 with RangerRequestedResources

Use of org.apache.ranger.plugin.util.RangerRequestedResources in the Apache Ranger project (apache/ranger).

Class RangerHiveResourcesNotAccessedTogetherCondition, method isMatched.

@Override
public boolean isMatched(final RangerAccessRequest request) {
    boolean ret = true;
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHiveResourcesNotAccessedTogetherCondition.isMatched(" + request + ")");
    }
    if (isInitialized && CollectionUtils.isNotEmpty(matchers)) {
        RangerRequestedResources resources = RangerAccessRequestUtil.getRequestedResourcesFromContext(request.getContext());
        ret = resources == null || resources.isMutuallyExcluded(matchers, request.getContext());
    } else {
        LOG.error("RangerHiveResourcesNotAccessedTogetherCondition.isMatched() - Enforcer is not initialized correctly, Mutual Exclusion will NOT be enforced");
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHiveResourcesNotAccessedTogetherCondition.isMatched(" + request + ")" + ", result=" + ret);
    }
    return ret;
}
