use of org.apache.ranger.plugin.util.RangerRequestedResources in project ranger by apache.
the class RangerHiveResourcesAccessedTogetherCondition method isMatched.
@Override
public boolean isMatched(final RangerAccessRequest request) {
boolean ret = true;
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerHiveResourcesAccessedTogetherCondition.isMatched(" + request + ")");
}
if (isInitialized && CollectionUtils.isNotEmpty(matchers)) {
RangerRequestedResources resources = RangerAccessRequestUtil.getRequestedResourcesFromContext(request.getContext());
ret = resources != null && !resources.isMutuallyExcluded(matchers, request.getContext());
} else {
LOG.error("RangerHiveResourcesAccessedTogetherCondition.isMatched() - condition is not initialized correctly and will NOT be enforced");
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerHiveResourcesAccessedTogetherCondition.isMatched(" + request + ")" + ", result=" + ret);
}
return ret;
}
use of org.apache.ranger.plugin.util.RangerRequestedResources in project ranger by apache.
the class RangerHivePlugin method buildRequestContextWithAllAccessedResources.
private RangerRequestedResources buildRequestContextWithAllAccessedResources(List<RangerHiveAccessRequest> requests) {
RangerRequestedResources requestedResources = new RangerRequestedResources();
for (RangerHiveAccessRequest request : requests) {
// Build list of all things requested and put it in the context of each request
RangerAccessRequestUtil.setRequestedResourcesInContext(request.getContext(), requestedResources);
RangerHiveResource resource = (RangerHiveResource) request.getResource();
if (resource.getObjectType() == HiveObjectType.COLUMN && StringUtils.contains(resource.getColumn(), COLUMN_SEP)) {
String[] columns = StringUtils.split(resource.getColumn(), COLUMN_SEP);
// in case of multiple columns, original request is not sent to the plugin; hence service-def will not be set
resource.setServiceDef(hivePlugin.getServiceDef());
for (String column : columns) {
if (column != null) {
column = column.trim();
}
if (StringUtils.isBlank(column)) {
continue;
}
RangerHiveResource colResource = new RangerHiveResource(HiveObjectType.COLUMN, resource.getDatabase(), resource.getTable(), column);
colResource.setServiceDef(hivePlugin.getServiceDef());
requestedResources.addRequestedResource(colResource);
}
} else {
resource.setServiceDef(hivePlugin.getServiceDef());
requestedResources.addRequestedResource(resource);
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("RangerHiveAuthorizer.buildRequestContextWithAllAccessedResources() - " + requestedResources);
}
return requestedResources;
}
use of org.apache.ranger.plugin.util.RangerRequestedResources in project ranger by apache.
the class TestPolicyEngine method runTests.
private void runTests(InputStreamReader reader, String testName) {
PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null);
ServicePolicies servicePolicies = new ServicePolicies();
servicePolicies.setServiceName(testCase.serviceName);
servicePolicies.setServiceDef(testCase.serviceDef);
servicePolicies.setPolicies(testCase.policies);
if (StringUtils.isNotBlank(testCase.auditMode)) {
servicePolicies.setAuditMode(testCase.auditMode);
}
if (null != testCase.tagPolicyInfo) {
ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
if (StringUtils.isNotBlank(testCase.auditMode)) {
tagPolicies.setAuditMode(testCase.auditMode);
}
servicePolicies.setTagPolicies(tagPolicies);
}
RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
policyEngineOptions.disableTagPolicyEvaluation = false;
boolean useForwardedIPAddress = RangerConfiguration.getInstance().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
String trustedProxyAddressString = RangerConfiguration.getInstance().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
String[] trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, ';');
if (trustedProxyAddresses != null) {
for (int i = 0; i < trustedProxyAddresses.length; i++) {
trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
}
}
RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
long requestCount = 0L;
RangerAccessRequest request = null;
for (TestData test : testCase.tests) {
request = test.request;
if ((requestCount++ % 10) == 1) {
policyEngine.reorderPolicyEvaluators();
}
if (request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_TAGS) || request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
// Create a new AccessRequest
RangerAccessRequestImpl newRequest = new RangerAccessRequestImpl(request.getResource(), request.getAccessType(), request.getUser(), request.getUserGroups());
newRequest.setClientType(request.getClientType());
newRequest.setAccessTime(request.getAccessTime());
newRequest.setAction(request.getAction());
newRequest.setRemoteIPAddress(request.getRemoteIPAddress());
newRequest.setForwardedAddresses(request.getForwardedAddresses());
newRequest.setRequestData(request.getRequestData());
newRequest.setSessionId(request.getSessionId());
Map<String, Object> context = request.getContext();
String tagsJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
context.remove(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
if (!StringUtils.isEmpty(tagsJsonString)) {
try {
Type setType = new TypeToken<Set<RangerTagForEval>>() {
}.getType();
Set<RangerTagForEval> tags = gsonBuilder.fromJson(tagsJsonString, setType);
context.put(RangerAccessRequestUtil.KEY_CONTEXT_TAGS, tags);
} catch (Exception e) {
System.err.println("TestPolicyEngine.runTests(): error parsing TAGS JSON string in file " + testName + ", tagsJsonString=" + tagsJsonString + ", exception=" + e);
}
} else if (request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
String resourcesJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
context.remove(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
if (!StringUtils.isEmpty(resourcesJsonString)) {
try {
/*
Reader stringReader = new StringReader(resourcesJsonString);
RangerRequestedResources resources = gsonBuilder.fromJson(stringReader, RangerRequestedResources.class);
*/
Type myType = new TypeToken<RangerRequestedResources>() {
}.getType();
RangerRequestedResources resources = gsonBuilder.fromJson(resourcesJsonString, myType);
context.put(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES, resources);
} catch (Exception e) {
System.err.println("TestPolicyEngine.runTests(): error parsing REQUESTED_RESOURCES string in file " + testName + ", resourcesJsonString=" + resourcesJsonString + ", exception=" + e);
}
}
}
newRequest.setContext(context);
// accessResource.ServiceDef is set here, so that we can skip call to policyEngine.preProcess() which
// sets the serviceDef in the resource AND calls enrichers. We dont want enrichers to be called when
// context already contains tags -- This may change when we want enrichers to enrich request in the
// presence of tags!!!
// Safe cast
RangerAccessResourceImpl accessResource = (RangerAccessResourceImpl) request.getResource();
accessResource.setServiceDef(testCase.serviceDef);
request = newRequest;
} else if (!request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
policyEngine.preProcess(request);
}
RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
if (test.result != null) {
RangerAccessResult expected = test.result;
RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
assertNotNull("result was null! - " + test.name, result);
assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited());
assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
}
if (test.dataMaskResult != null) {
RangerAccessResult expected = test.dataMaskResult;
RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler);
assertNotNull("result was null! - " + test.name, result);
assertEquals("maskType mismatched! - " + test.name, expected.getMaskType(), result.getMaskType());
assertEquals("maskCondition mismatched! - " + test.name, expected.getMaskCondition(), result.getMaskCondition());
assertEquals("maskedValue mismatched! - " + test.name, expected.getMaskedValue(), result.getMaskedValue());
assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
}
if (test.rowFilterResult != null) {
RangerAccessResult expected = test.rowFilterResult;
RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler);
assertNotNull("result was null! - " + test.name, result);
assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr());
assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
}
if (test.resourceAccessInfo != null) {
RangerResourceAccessInfo expected = new RangerResourceAccessInfo(test.resourceAccessInfo);
RangerResourceAccessInfo result = policyEngine.getResourceAccessInfo(test.request);
assertNotNull("result was null! - " + test.name, result);
assertEquals("allowedUsers mismatched! - " + test.name, expected.getAllowedUsers(), result.getAllowedUsers());
assertEquals("allowedGroups mismatched! - " + test.name, expected.getAllowedGroups(), result.getAllowedGroups());
assertEquals("deniedUsers mismatched! - " + test.name, expected.getDeniedUsers(), result.getDeniedUsers());
assertEquals("deniedGroups mismatched! - " + test.name, expected.getDeniedGroups(), result.getDeniedGroups());
}
}
}
use of org.apache.ranger.plugin.util.RangerRequestedResources in project ranger by apache.
the class RangerHiveResourcesNotAccessedTogetherCondition method isMatched.
@Override
public boolean isMatched(final RangerAccessRequest request) {
boolean ret = true;
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerHiveResourcesNotAccessedTogetherCondition.isMatched(" + request + ")");
}
if (isInitialized && CollectionUtils.isNotEmpty(matchers)) {
RangerRequestedResources resources = RangerAccessRequestUtil.getRequestedResourcesFromContext(request.getContext());
ret = resources == null || resources.isMutuallyExcluded(matchers, request.getContext());
} else {
LOG.error("RangerHiveResourcesNotAccessedTogetherCondition.isMatched() - Enforcer is not initialized correctly, Mutual Exclusion will NOT be enforced");
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerHiveResourcesNotAccessedTogetherCondition.isMatched(" + request + ")" + ", result=" + ret);
}
return ret;
}
Aggregations