
Example 6 with RangerRoles

use of org.apache.ranger.plugin.util.RangerRoles in project ranger by apache.

the class RangerPolicyAdminCache method getServicePoliciesAdmin.

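/**
 * Returns the policy admin for {@code serviceName}, refreshing the cached one when the
 * service-store reports newer policies and/or the role-store reports newer roles.
 *
 * @param serviceName service whose policy admin is wanted
 * @param svcStore    source of service policies; also attached to the returned admin
 * @param roleStore   source of roles for the service
 * @param zoneStore   security-zone store (only null-checked here)
 * @param options     engine options used when an admin has to be (re)built
 * @return the current policy admin, or {@code null} when an argument is null or no engine
 *         could be built
 */
final RangerPolicyAdmin getServicePoliciesAdmin(String serviceName, ServiceStore svcStore, RoleStore roleStore, SecurityZoneStore zoneStore, RangerPolicyEngineOptions options) {
    if (serviceName == null || svcStore == null || roleStore == null || zoneStore == null) {
        LOG.warn("Cannot get policy-admin for null serviceName or serviceStore or roleStore or zoneStore");
        return null;
    }

    RangerPolicyAdminWrapper ret = policyAdminCache.get(serviceName);
    long policyVersion = -1L;
    long roleVersion = -1L;
    RangerRoles roles = null;
    // false only when a cached admin exists and the role-store reported no roles newer than its version
    boolean isRolesUpdated = true;

    try {
        if (ret == null) {
            // nothing cached: fetch roles with the initial version marker (-1L)
            roles = roleStore.getRoles(serviceName, roleVersion);
            if (roles == null && LOG.isDebugEnabled()) {
                LOG.debug("There are no roles in ranger-admin for service:[" + serviceName + "]");
            }
        } else {
            policyVersion = ret.getPolicyAdmin().getPolicyVersion();
            roleVersion = ret.getPolicyAdmin().getRoleVersion();
            roles = roleStore.getRoles(serviceName, roleVersion);
            if (roles == null) {
                // No changes to roles since roleVersion; re-read the current set so an engine rebuild has them
                roles = roleStore.getRoles(serviceName, -1L);
                isRolesUpdated = false;
            }
        }

        ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, policyVersion, ServiceDBStore.isSupportsPolicyDeltas());
        if (policies != null) {
            ret = addOrUpdatePolicyAdmin(ret, policies, roles, options);
            if (ret == null) {
                LOG.error("getPolicyAdmin(" + serviceName + "): failed to build engine from policies from service-store");
            } else if (isRolesUpdated) {
                ret.getPolicyAdmin().setRoles(roles);
            }
        }
    } catch (Exception exception) {
        // best-effort refresh: on failure the previously cached admin (if any, possibly stale) is returned below
        LOG.error("getPolicyAdmin(" + serviceName + "): failed to get latest policies from service-store", exception);
    }

    if (ret == null) {
        LOG.error("Policy-engine is not built! Returning null policy-engine!");
        return null;
    }
    ret.getPolicyAdmin().setServiceStore(svcStore);
    return ret.getPolicyAdmin();
}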

Example 7 with RangerRoles

use of org.apache.ranger.plugin.util.RangerRoles in project ranger by apache.

the class TestPolicyEngine method runTests.

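/**
 * Runs one policy-engine test case read as JSON from {@code reader}.
 * <p>
 * The case's service policies and roles are turned into two engines, one built with
 * policy-ACL-summary evaluation disabled and one with it enabled, and every test in the
 * case is evaluated against both. When the case also carries updated policies, they are
 * applied as deltas to both engines and the updated tests are run the same way.
 *
 * @param reader   JSON source for a {@code PolicyEngineTestCase}
 * @param testName label used in assertion messages
 */
private void runTests(InputStreamReader reader, String testName) {
    PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
    assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null);

    ServicePolicies servicePolicies = toServicePolicies(testCase);
    boolean useForwardedIPAddress = pluginContext.getConfig().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
    String[] trustedProxyAddresses = trustedProxyAddressesFromConfig();
    RangerRoles roles = toRangerRoles(testCase);

    // the options object is shared by both engines, so the flag is flipped between the two constructions
    RangerPolicyEngineOptions policyEngineOptions = pluginContext.getConfig().getPolicyEngineOptions();
    policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;

    setPluginConfig(pluginContext.getConfig(), ".super.users", testCase.superUsers);
    setPluginConfig(pluginContext.getConfig(), ".super.groups", testCase.superGroups);
    setPluginConfig(pluginContext.getConfig(), ".audit.exclude.users", testCase.auditExcludedUsers);
    setPluginConfig(pluginContext.getConfig(), ".audit.exclude.groups", testCase.auditExcludedGroups);
    setPluginConfig(pluginContext.getConfig(), ".audit.exclude.roles", testCase.auditExcludedRoles);
    // so that setSuperUsersAndGroups(), setAuditExcludedUsersGroupsRoles() will be called on the pluginConfig
    new RangerBasePlugin(pluginContext.getConfig());

    RangerPolicyEngineImpl policyEngine = engineFor(servicePolicies, roles, useForwardedIPAddress, trustedProxyAddresses);

    policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = false;
    RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = engineFor(servicePolicies, roles, useForwardedIPAddress, trustedProxyAddresses);

    runTestCaseTests(policyEngine, policyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testCase.tests);

    if (testCase.updatedPolicies != null) {
        servicePolicies.setPolicyDeltas(testCase.updatedPolicies.policyDeltas);
        servicePolicies.setSecurityZones(testCase.updatedPolicies.securityZones);
        RangerPolicyEngine updatedPolicyEngine = RangerPolicyEngineImpl.getPolicyEngine(policyEngine, servicePolicies);
        RangerPolicyEngine updatedPolicyEngineForEvaluatingWithACLs = RangerPolicyEngineImpl.getPolicyEngine(policyEngineForEvaluatingWithACLs, servicePolicies);
        runTestCaseTests(updatedPolicyEngine, updatedPolicyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testCase.updatedTests);
    }
}

/** Builds the ServicePolicies (plus tag policies, when the case has them) described by the test case. */
private static ServicePolicies toServicePolicies(PolicyEngineTestCase testCase) {
    ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setPolicyVersion(100L);
    servicePolicies.setServiceName(testCase.serviceName);
    servicePolicies.setServiceDef(testCase.serviceDef);
    servicePolicies.setPolicies(testCase.policies);
    servicePolicies.setSecurityZones(testCase.securityZones);
    servicePolicies.setServiceConfig(testCase.serviceConfig);
    if (StringUtils.isNotBlank(testCase.auditMode)) {
        servicePolicies.setAuditMode(testCase.auditMode);
    }
    if (null != testCase.tagPolicyInfo) {
        ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
        tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
        tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
        tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
        tagPolicies.setServiceConfig(testCase.tagPolicyInfo.serviceConfig);
        if (StringUtils.isNotBlank(testCase.auditMode)) {
            // the tag policies inherit the case's audit mode, same as the resource policies
            tagPolicies.setAuditMode(testCase.auditMode);
        }
        servicePolicies.setTagPolicies(tagPolicies);
    }
    return servicePolicies;
}

/** Reads the ';'-separated trusted-proxy list from the plugin config, trimming each entry; null when the split yields nothing. */
private String[] trustedProxyAddressesFromConfig() {
    String configured = pluginContext.getConfig().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
    String[] addresses = StringUtils.split(configured, ';');
    if (addresses != null) {
        for (int i = 0; i < addresses.length; i++) {
            addresses[i] = addresses[i].trim();
        }
    }
    return addresses;
}

/**
 * Builds the RangerRoles for the test case: every value in the user->roles, group->roles and
 * role->roles maps becomes a RangerRole whose single member is the map key, passed in the
 * user, group or role member argument respectively.
 */
private static RangerRoles toRangerRoles(PolicyEngineTestCase testCase) {
    Set<RangerRole> rolesSet = new HashSet<>();

    if (testCase.userRoles != null) {
        for (Map.Entry<String, Set<String>> entry : testCase.userRoles.entrySet()) {
            List<RangerRole.RoleMember> members = singleMember(entry.getKey());
            for (String roleName : entry.getValue()) {
                rolesSet.add(new RangerRole(roleName, roleName, null, members, null));
            }
        }
    }
    if (testCase.groupRoles != null) {
        for (Map.Entry<String, Set<String>> entry : testCase.groupRoles.entrySet()) {
            List<RangerRole.RoleMember> members = singleMember(entry.getKey());
            for (String roleName : entry.getValue()) {
                rolesSet.add(new RangerRole(roleName, roleName, null, null, members));
            }
        }
    }
    if (testCase.roleRoles != null) {
        for (Map.Entry<String, Set<String>> entry : testCase.roleRoles.entrySet()) {
            List<RangerRole.RoleMember> members = singleMember(entry.getKey());
            for (String roleName : entry.getValue()) {
                rolesSet.add(new RangerRole(roleName, roleName, null, null, null, members));
            }
        }
    }

    RangerRoles roles = new RangerRoles();
    roles.setServiceName(testCase.serviceName);
    roles.setRoleVersion(-1L);
    roles.setRangerRoles(rolesSet);
    return roles;
}

/** Single-element member list for {@code name}, with the member flag set (true) as the synthetic test roles use. */
private static List<RangerRole.RoleMember> singleMember(String name) {
    return Arrays.asList(new RangerRole.RoleMember(name, true));
}

/** Creates an engine over the given policies/roles with the forwarded-IP settings applied; uses the plugin context's current options. */
private RangerPolicyEngineImpl engineFor(ServicePolicies servicePolicies, RangerRoles roles, boolean useForwardedIPAddress, String[] trustedProxyAddresses) {
    RangerPolicyEngineImpl engine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
    engine.setUseForwardedIPAddress(useForwardedIPAddress);
    engine.setTrustedProxyAddresses(trustedProxyAddresses);
    return engine;
}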

Example 8 with RangerRoles

use of org.apache.ranger.plugin.util.RangerRoles in project ranger by apache.

the class TestPolicyEngineForDeltas method runTests.

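/**
 * Runs one delta-based policy-engine test case read as JSON from {@code reader}.
 * <p>
 * The case's service policies and roles are turned into two engines, one built with
 * policy-ACL-summary evaluation disabled and one with it enabled. The tests of each
 * {@code TestsInfo} are evaluated against both; then, while the current info carries
 * policy deltas, the deltas are applied to both engines and the chained
 * {@code updatedTestsInfo} is run the same way.
 *
 * @param reader   JSON source for a {@code PolicyEngineTestCase}
 * @param testName label used in assertion messages
 */
private void runTests(InputStreamReader reader, String testName) {
    PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
    assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.testsInfo != null && testCase.testsInfo.tests != null);

    ServicePolicies servicePolicies = toServicePolicies(testCase);
    boolean useForwardedIPAddress = pluginContext.getConfig().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
    String[] trustedProxyAddresses = trustedProxyAddressesFromConfig();
    RangerRoles roles = toRangerRoles(testCase);

    // the options object is shared by both engines, so the flag is flipped between the two constructions
    RangerPolicyEngineOptions policyEngineOptions = pluginContext.getConfig().getPolicyEngineOptions();
    policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;

    setPluginConfig(pluginContext.getConfig(), ".super.users", testCase.superUsers);
    setPluginConfig(pluginContext.getConfig(), ".super.groups", testCase.superGroups);
    setPluginConfig(pluginContext.getConfig(), ".audit.exclude.users", testCase.auditExcludedUsers);
    setPluginConfig(pluginContext.getConfig(), ".audit.exclude.groups", testCase.auditExcludedGroups);
    setPluginConfig(pluginContext.getConfig(), ".audit.exclude.roles", testCase.auditExcludedRoles);
    // so that setSuperUsersAndGroups(), setAuditExcludedUsersGroupsRoles() will be called on the pluginConfig
    new RangerBasePlugin(pluginContext.getConfig());

    RangerPolicyEngineImpl policyEngine = engineFor(servicePolicies, roles, useForwardedIPAddress, trustedProxyAddresses);

    policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = false;
    RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = engineFor(servicePolicies, roles, useForwardedIPAddress, trustedProxyAddresses);

    PolicyEngineTestCase.TestsInfo testsInfo = testCase.testsInfo;
    do {
        runTestCaseTests(policyEngine, policyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testsInfo.tests);

        boolean hasDeltas = testsInfo.updatedPolicies != null && CollectionUtils.isNotEmpty(testsInfo.updatedPolicies.policyDeltas);
        if (!hasDeltas) {
            break;
        }

        // deltas replace the full policy list; zones are only replaced when the update supplies some
        servicePolicies.setPolicyDeltas(testsInfo.updatedPolicies.policyDeltas);
        servicePolicies.setPolicies(null);
        if (MapUtils.isNotEmpty(testsInfo.updatedPolicies.securityZones)) {
            servicePolicies.setSecurityZones(testsInfo.updatedPolicies.securityZones);
        }
        policyEngine = (RangerPolicyEngineImpl) RangerPolicyEngineImpl.getPolicyEngine(policyEngine, servicePolicies);
        policyEngineForEvaluatingWithACLs = (RangerPolicyEngineImpl) RangerPolicyEngineImpl.getPolicyEngine(policyEngineForEvaluatingWithACLs, servicePolicies);

        // stop if either engine failed to apply the deltas
        if (policyEngine == null || policyEngineForEvaluatingWithACLs == null) {
            break;
        }
        testsInfo = testsInfo.updatedTestsInfo;
    } while (testsInfo != null && testsInfo.tests != null);
}

/** Builds the ServicePolicies (plus tag policies, when the case has them) described by the test case. */
private static ServicePolicies toServicePolicies(PolicyEngineTestCase testCase) {
    ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setPolicyVersion(100L);
    servicePolicies.setServiceName(testCase.serviceName);
    servicePolicies.setServiceDef(testCase.serviceDef);
    servicePolicies.setPolicies(testCase.policies);
    servicePolicies.setSecurityZones(testCase.securityZones);
    servicePolicies.setServiceConfig(testCase.serviceConfig);
    if (StringUtils.isNotBlank(testCase.auditMode)) {
        servicePolicies.setAuditMode(testCase.auditMode);
    }
    if (null != testCase.tagPolicyInfo) {
        ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
        tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
        tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
        tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
        tagPolicies.setServiceConfig(testCase.tagPolicyInfo.serviceConfig);
        if (StringUtils.isNotBlank(testCase.auditMode)) {
            // the tag policies inherit the case's audit mode, same as the resource policies
            tagPolicies.setAuditMode(testCase.auditMode);
        }
        servicePolicies.setTagPolicies(tagPolicies);
    }
    return servicePolicies;
}

/** Reads the ';'-separated trusted-proxy list from the plugin config, trimming each entry; null when the split yields nothing. */
private String[] trustedProxyAddressesFromConfig() {
    String configured = pluginContext.getConfig().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
    String[] addresses = StringUtils.split(configured, ';');
    if (addresses != null) {
        for (int i = 0; i < addresses.length; i++) {
            addresses[i] = addresses[i].trim();
        }
    }
    return addresses;
}

/**
 * Builds the RangerRoles for the test case: every value in the user->roles, group->roles and
 * role->roles maps becomes a RangerRole whose single member is the map key, passed in the
 * user, group or role member argument respectively.
 */
private static RangerRoles toRangerRoles(PolicyEngineTestCase testCase) {
    Set<RangerRole> rolesSet = new HashSet<>();

    if (testCase.userRoles != null) {
        for (Map.Entry<String, Set<String>> entry : testCase.userRoles.entrySet()) {
            List<RangerRole.RoleMember> members = singleMember(entry.getKey());
            for (String roleName : entry.getValue()) {
                rolesSet.add(new RangerRole(roleName, roleName, null, members, null));
            }
        }
    }
    if (testCase.groupRoles != null) {
        for (Map.Entry<String, Set<String>> entry : testCase.groupRoles.entrySet()) {
            List<RangerRole.RoleMember> members = singleMember(entry.getKey());
            for (String roleName : entry.getValue()) {
                rolesSet.add(new RangerRole(roleName, roleName, null, null, members));
            }
        }
    }
    if (testCase.roleRoles != null) {
        for (Map.Entry<String, Set<String>> entry : testCase.roleRoles.entrySet()) {
            List<RangerRole.RoleMember> members = singleMember(entry.getKey());
            for (String roleName : entry.getValue()) {
                rolesSet.add(new RangerRole(roleName, roleName, null, null, null, members));
            }
        }
    }

    RangerRoles roles = new RangerRoles();
    roles.setServiceName(testCase.serviceName);
    roles.setRoleVersion(-1L);
    roles.setRangerRoles(rolesSet);
    return roles;
}

/** Single-element member list for {@code name}, with the member flag set (true) as the synthetic test roles use. */
private static List<RangerRole.RoleMember> singleMember(String name) {
    return Arrays.asList(new RangerRole.RoleMember(name, true));
}

/** Creates an engine over the given policies/roles with the forwarded-IP settings applied; uses the plugin context's current options. */
private RangerPolicyEngineImpl engineFor(ServicePolicies servicePolicies, RangerRoles roles, boolean useForwardedIPAddress, String[] trustedProxyAddresses) {
    RangerPolicyEngineImpl engine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
    engine.setUseForwardedIPAddress(useForwardedIPAddress);
    engine.setTrustedProxyAddresses(trustedProxyAddresses);
    return engine;
}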

Example 9 with RangerRoles

use of org.apache.ranger.plugin.util.RangerRoles in project ranger by apache.

the class RangerRoleCache method getLatestRangerRoleOrCached.

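/**
 * Returns the roles for {@code serviceName} when the caller's known role version differs
 * from the one recorded in the DB, or {@code null} when the caller is already current.
 * <p>
 * On a mismatch (or when the caller has no version at all) the cache wrapper is replaced
 * and the latest roles are loaded through it.
 *
 * @param serviceName           service whose roles are requested
 * @param roleDBStore           store used to load the roles on a version mismatch
 * @param lastKnownRoleVersion  version the caller already holds; {@code null} when it has none
 * @param rangerRoleVersionInDB current role version recorded in the DB
 * @return freshly loaded roles, or {@code null} when {@code lastKnownRoleVersion} equals
 *         {@code rangerRoleVersionInDB}
 * @throws Exception propagated from the cache wrapper's load
 */
public RangerRoles getLatestRangerRoleOrCached(String serviceName, RoleDBStore roleDBStore, Long lastKnownRoleVersion, Long rangerRoleVersionInDB) throws Exception {
    if (lastKnownRoleVersion != null && lastKnownRoleVersion.equals(rangerRoleVersionInDB)) {
        // caller already has the current version: nothing to return
        return null;
    }

    // Version unknown or stale: these are the only two outcomes, so a "return the cached
    // wrapper's roles" fallback here would be unreachable.
    // NOTE(review): the field swap and the load below are not atomic; a concurrent caller can
    // observe a freshly created wrapper mid-load - confirm callers serialize access.
    roleCacheWrapper = new RangerRoleCacheWrapper();
    return roleCacheWrapper.getLatestRangerRoles(serviceName, roleDBStore, lastKnownRoleVersion, rangerRoleVersionInDB);
}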
