Example 21 with ServicePolicies

use of org.apache.ranger.plugin.util.ServicePolicies in project ranger by apache.

the class AssetREST method getResourceJSON.

@GET
@Path("/policyList/{repository}")
@Encoded
public String getResourceJSON(@Context HttpServletRequest request, @PathParam("repository") String repository) {
    String epoch = request.getParameter("epoch");
    X509Certificate[] certchain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    String ipAddress = request.getHeader("X-FORWARDED-FOR");
    boolean isSecure = request.isSecure();
    String policyCount = request.getParameter("policyCount");
    String agentId = request.getParameter("agentId");
    Long lastKnowPolicyVersion = Long.valueOf(-1);
    if (ipAddress == null) {
        ipAddress = request.getRemoteAddr();
    }
    boolean httpEnabled = PropertiesUtil.getBooleanProperty("ranger.service.http.enabled", true);
    ServicePolicies servicePolicies = null;
    try {
        servicePolicies = serviceREST.getServicePoliciesIfUpdated(repository, lastKnowPolicyVersion, 0L, agentId, "", request);
    } catch (Exception excp) {
        logger.error("failed to retrieve policies for repository " + repository, excp);
    }
    RangerService service = serviceUtil.getServiceByName(repository);
    List<RangerPolicy> policies = servicePolicies != null ? servicePolicies.getPolicies() : null;
    long policyUpdTime = (servicePolicies != null && servicePolicies.getPolicyUpdateTime() != null) ? servicePolicies.getPolicyUpdateTime().getTime() : 0l;
    VXAsset vAsset = serviceUtil.toVXAsset(service);
    List<VXResource> vResourceList = new ArrayList<VXResource>();
    if (policies != null) {
        for (RangerPolicy policy : policies) {
            vResourceList.add(serviceUtil.toVXResource(policy, service));
        }
    }
    String file = assetMgr.getLatestRepoPolicy(vAsset, vResourceList, policyUpdTime, certchain, httpEnabled, epoch, ipAddress, isSecure, policyCount, agentId);
    return file;
}
Also used : ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies) ArrayList(java.util.ArrayList) X509Certificate(java.security.cert.X509Certificate) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerService(org.apache.ranger.plugin.model.RangerService) Path(javax.ws.rs.Path) Encoded(javax.ws.rs.Encoded) GET(javax.ws.rs.GET)
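getResourceJSON above copies X-FORWARDED-FOR straight into ipAddress and only falls back to request.getRemoteAddr() when the header is absent, so a caller that reaches this endpoint directly chooses the address that getLatestRepoPolicy records for the download. The class below is an added example, not Ranger code: it resolves the client address the way a deployment that keeps a trusted-proxy list (the ';'-separated ranger.plugin.hive.trusted.proxy.ipaddresses format that Example 24 splits and trims) should, honouring the header only when the TCP peer is a trusted proxy and taking the right-most hop that is not itself a trusted proxy. The class and method names, and the addresses in main, are the example's own.

```java
import java.util.HashSet;
import java.util.Set;

/** Added example (not Ranger code): trusted-proxy aware client address resolution. */
public final class ClientAddressResolver {
    private final Set<String> trustedProxies = new HashSet<>();

    /** @param trustedProxyList ';'-separated addresses, the same list format Example 24 parses */
    public ClientAddressResolver(String trustedProxyList) {
        if (trustedProxyList != null) {
            for (String entry : trustedProxyList.split(";")) {
                String addr = entry.trim();
                if (!addr.isEmpty()) {
                    trustedProxies.add(addr);
                }
            }
        }
    }

    /**
     * @param remoteAddr TCP peer address (request.getRemoteAddr()), the only value the server verified itself
     * @param xff        raw X-Forwarded-For header, or null when absent
     * @return the address to attribute the request to
     */
    public String resolve(String remoteAddr, String xff) {
        // Peer is not a trusted proxy: the header is caller-controlled, so ignore it entirely.
        if (remoteAddr == null || !trustedProxies.contains(remoteAddr) || xff == null || xff.trim().isEmpty()) {
            return remoteAddr;
        }
        String[] hops = xff.split(",");
        // Walk from the right. Each trusted proxy appended the address it saw, so the right-most
        // hop that is not a trusted proxy is the first address a proxy actually observed;
        // everything left of it was supplied by the client and cannot be trusted.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trustedProxies.contains(hop)) {
                return hop;
            }
        }
        // Every hop is a trusted proxy, or the header held only separators: attribute to the peer.
        return remoteAddr;
    }

    public static void main(String[] args) {
        ClientAddressResolver resolver = new ClientAddressResolver("10.0.0.1; 10.0.0.2");

        // Constructed inputs. Direct caller forging the header: header ignored, peer address kept.
        check("203.0.113.7", resolver.resolve("203.0.113.7", "10.0.0.9"));
        // Relayed by trusted proxy 10.0.0.1: the client is the address the proxy appended.
        check("198.51.100.4", resolver.resolve("10.0.0.1", "198.51.100.4"));
        // Client injected a bogus left-most entry before the proxy chain: still attributed correctly.
        check("198.51.100.4", resolver.resolve("10.0.0.2", "1.2.3.4, 198.51.100.4, 10.0.0.1"));
        // Trusted peer but a header containing only separators: fall back to the peer.
        check("10.0.0.1", resolver.resolve("10.0.0.1", " , "));
        System.out.println("all checks passed");
    }

    private static void check(String expected, String actual) {
        if (!expected.equals(actual)) {
            throw new AssertionError("expected " + expected + " but got " + actual);
        }
    }
}
```

If the admin server sits behind no proxy at all, the trusted list is empty and resolve() degenerates to getRemoteAddr(), which is the value getResourceJSON should have used as the default rather than the header.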

Example 22 with ServicePolicies

use of org.apache.ranger.plugin.util.ServicePolicies in project ranger by apache.

the class ServiceREST method getPolicyEngine.

private RangerPolicyEngine getPolicyEngine(String serviceName) throws Exception {
    ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, -1L);
    RangerPolicyEngine ret = new RangerPolicyEngineImpl("ranger-admin", policies, defaultAdminOptions);
    return ret;
}
Also used : RangerPolicyEngineImpl(org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl) ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies) RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine)

Example 23 with ServicePolicies

use of org.apache.ranger.plugin.util.ServicePolicies in project ranger by apache.

the class ServiceREST method getSecureServicePoliciesIfUpdated.

@GET
@Path("/secure/policies/download/{serviceName}")
@Produces({ "application/json", "application/xml" })
public ServicePolicies getSecureServicePoliciesIfUpdated(@PathParam("serviceName") String serviceName, @QueryParam("lastKnownVersion") Long lastKnownVersion, @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @DefaultValue("") @QueryParam("clusterName") String clusterName, @Context HttpServletRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ")");
    }
    ServicePolicies ret = null;
    int httpCode = HttpServletResponse.SC_OK;
    String logMsg = null;
    RangerPerfTracer perf = null;
    boolean isAllowed = false;
    boolean isAdmin = bizUtil.isAdmin();
    boolean isKeyAdmin = bizUtil.isKeyAdmin();
    request.setAttribute("downloadPolicy", "secure");
    Long downloadedVersion = null;
    boolean isValid = false;
    try {
        isValid = serviceUtil.isValidService(serviceName, request);
    } catch (WebApplicationException webException) {
        httpCode = webException.getResponse().getStatus();
        logMsg = webException.getResponse().getEntity().toString();
    } catch (Exception e) {
        httpCode = HttpServletResponse.SC_BAD_REQUEST;
        logMsg = e.getMessage();
    }
    if (isValid) {
        if (lastKnownVersion == null) {
            lastKnownVersion = Long.valueOf(-1);
        }
        try {
            if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
                perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getSecureServicePoliciesIfUpdated(serviceName=" + serviceName + ",lastKnownVersion=" + lastKnownVersion + ",lastActivationTime=" + lastActivationTime + ")");
            }
            XXService xService = daoManager.getXXService().findByName(serviceName);
            XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
            RangerService rangerService = null;
            if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
                rangerService = svcStore.getServiceByNameForDP(serviceName);
                if (isKeyAdmin) {
                    isAllowed = true;
                } else {
                    if (rangerService != null) {
                        isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Download);
                        if (!isAllowed) {
                            isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke);
                        }
                    }
                }
            } else {
                rangerService = svcStore.getServiceByName(serviceName);
                if (isAdmin) {
                    isAllowed = true;
                } else {
                    if (rangerService != null) {
                        isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Download);
                        if (!isAllowed) {
                            isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke);
                        }
                    }
                }
            }
            if (isAllowed) {
                ServicePolicies servicePolicies = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion);
                if (servicePolicies == null) {
                    downloadedVersion = lastKnownVersion;
                    httpCode = HttpServletResponse.SC_NOT_MODIFIED;
                    logMsg = "No change since last update";
                } else {
                    downloadedVersion = servicePolicies.getPolicyVersion();
                    ret = filterServicePolicies(servicePolicies);
                    httpCode = HttpServletResponse.SC_OK;
                    logMsg = "Returning " + (ret.getPolicies() != null ? ret.getPolicies().size() : 0) + " policies. Policy version=" + ret.getPolicyVersion();
                }
            } else {
                LOG.error("getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ") failed as User doesn't have permission to download Policy");
                httpCode = HttpServletResponse.SC_UNAUTHORIZED;
                logMsg = "User doesn't have permission to download policy";
            }
        } catch (Throwable excp) {
            LOG.error("getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + ") failed");
            httpCode = HttpServletResponse.SC_BAD_REQUEST;
            logMsg = excp.getMessage();
        } finally {
            createPolicyDownloadAudit(serviceName, lastKnownVersion, pluginId, httpCode, clusterName, request);
            RangerPerfTracer.log(perf);
        }
    }
    assetMgr.createPluginInfo(serviceName, pluginId, request, RangerPluginInfo.ENTITY_TYPE_POLICIES, downloadedVersion, lastKnownVersion, lastActivationTime, httpCode);
    if (httpCode != HttpServletResponse.SC_OK) {
        boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED;
        throw restErrorUtil.createRESTException(httpCode, logMsg, logError);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + "): count=" + ((ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size()));
    }
    return ret;
}
Also used : XXServiceDef(org.apache.ranger.entity.XXServiceDef) ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) VXString(org.apache.ranger.view.VXString) RangerService(org.apache.ranger.plugin.model.RangerService) XXService(org.apache.ranger.entity.XXService) WebApplicationException(javax.ws.rs.WebApplicationException) IOException(java.io.IOException) JsonSyntaxException(com.google.gson.JsonSyntaxException) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET)
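The handler above is the server half of the plugin policy-download protocol: the plugin sends the version it already holds (lastKnownVersion, -1 on first start), the server answers 304 with no body when svcStore.getServicePoliciesIfUpdated finds nothing newer and 200 with the filtered policy set otherwise, a caller that is neither an admin (key admin for KMS services) nor named in the service's download or grant/revoke user lists gets 401 (SC_UNAUTHORIZED, although the condition is a permission failure of an already-authenticated user), and the audit row plus plugin-info record are written for every outcome. Below is an added example, not Ranger code, that models both sides of that exchange in plain Java so the version handshake can be exercised offline: PolicyServer reproduces the gate and the version comparison over an in-memory store, PluginCache is the polling client and shows why the cache is kept on 304 and on any error. The user lists are read from a plain map under policy.download.auth.users and policy.grantrevoke.auth.users, the service-config names Ranger uses for these lists; every class, service and user name here is constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Added example (not Ranger code): the policy download handshake, server and plugin side. */
public final class PolicyDownloadExchange {

    /** What one download carries: the version and the policies; -1 means "nothing held yet". */
    static final class PolicySet {
        final long version; final List<String> policies;
        PolicySet(long version, List<String> policies) { this.version = version; this.policies = policies; }
    }

    /** status is 200, 304 or 401 as in getSecureServicePoliciesIfUpdated; body only on 200. */
    static final class Response {
        final int status; final PolicySet body;
        Response(int status, PolicySet body) { this.status = status; this.body = body; }
    }

    /** Server side: authorization gate, then version comparison against an in-memory store. */
    static final class PolicyServer {
        private final Map<String, PolicySet> store = new HashMap<>();
        private final Map<String, Map<String, String>> serviceConfigs = new HashMap<>();
        private final List<String> audit = new ArrayList<>();

        void publish(String service, long version, Map<String, String> config, String... policies) {
            store.put(service, new PolicySet(version, Arrays.asList(policies)));
            serviceConfigs.put(service, config);
        }

        Response download(String service, String user, boolean isAdmin, long lastKnownVersion) {
            PolicySet current = store.get(service); // Ranger rejects unknown services earlier (isValidService)
            int status; PolicySet body = null;
            if (!isAllowed(service, user, isAdmin)) {
                status = 401;                                   // the page's handler uses SC_UNAUTHORIZED here
            } else if (current == null || current.version <= lastKnownVersion) {
                status = 304;                                   // nothing newer than the plugin already holds
            } else {
                status = 200; body = current;
            }
            // Like createPolicyDownloadAudit in the finally block: one row per attempt, refusals included.
            audit.add(service + " user=" + user + " lastKnownVersion=" + lastKnownVersion + " http=" + status);
            return new Response(status, body);
        }

        /** Admin, or a user named in the service's download or grant/revoke user list. */
        private boolean isAllowed(String service, String user, boolean isAdmin) {
            if (isAdmin) return true;
            Map<String, String> cfg = serviceConfigs.getOrDefault(service, Collections.<String, String>emptyMap());
            return listed(cfg.get("policy.download.auth.users"), user)
                || listed(cfg.get("policy.grantrevoke.auth.users"), user);
        }

        private static boolean listed(String csv, String user) {
            if (csv == null) return false;
            for (String u : csv.split(",")) if (u.trim().equals(user)) return true;
            return false;
        }

        List<String> auditLog() { return audit; }
    }

    /** Plugin side: poll with the held version; replace the cache only on 200. */
    static final class PluginCache {
        private final String service, user;
        private PolicySet held = new PolicySet(-1L, Collections.<String>emptyList());
        PluginCache(String service, String user) { this.service = service; this.user = user; }

        int poll(PolicyServer server) {
            Response r = server.download(service, user, false, held.version);
            if (r.status == 200) held = r.body;   // newer set: adopt it and remember its version
            // 304: keep what we hold. 401 or any other failure: also keep what we hold, so a
            // server-side problem does not become an authorization outage on the plugin.
            return r.status;
        }
        long heldVersion() { return held.version; }
        List<String> heldPolicies() { return held.policies; }
    }

    public static void main(String[] args) {
        PolicyServer server = new PolicyServer();
        Map<String, String> cfg = new HashMap<>();
        cfg.put("policy.download.auth.users", "hdfs, yarn");      // constructed service config
        server.publish("hdfsdev", 5L, cfg, "allow-read-/public");

        PluginCache plugin = new PluginCache("hdfsdev", "hdfs");
        expect(200, plugin.poll(server));   // first poll sends -1: always a full download
        expect(5L, plugin.heldVersion());
        expect(304, plugin.poll(server));   // same version: not modified, cache untouched
        expect(5L, plugin.heldVersion());

        server.publish("hdfsdev", 6L, cfg, "allow-read-/public", "deny-write-/secure");
        expect(200, plugin.poll(server));   // newer version on the server: cache replaced
        expect(2, plugin.heldPolicies().size());

        PluginCache stranger = new PluginCache("hdfsdev", "mallory");
        expect(401, stranger.poll(server)); // neither admin nor listed: no policy leaves the server
        expect(-1L, stranger.heldVersion());
        expect(4, server.auditLog().size()); // every attempt, the refusal included, is audited
        System.out.println("all checks passed");
    }

    private static void expect(long expected, long actual) {
        if (expected != actual) throw new AssertionError("expected " + expected + " got " + actual);
    }
}
```

Because the real endpoint reports the permission failure as 401 rather than 403, a client must treat 401 exactly as it would 403: keep the cached policies, log the refusal, and not attempt to re-authenticate.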

Example 24 with ServicePolicies

use of org.apache.ranger.plugin.util.ServicePolicies in project ranger by apache.

the class TestPolicyEngine (org.apache.ranger.plugin.policyengine) method runTests.

private void runTests(InputStreamReader reader, String testName) {
    PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
    assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null);
    ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setServiceName(testCase.serviceName);
    servicePolicies.setServiceDef(testCase.serviceDef);
    servicePolicies.setPolicies(testCase.policies);
    if (StringUtils.isNotBlank(testCase.auditMode)) {
        servicePolicies.setAuditMode(testCase.auditMode);
    }
    if (null != testCase.tagPolicyInfo) {
        ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
        tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
        tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
        tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
        if (StringUtils.isNotBlank(testCase.auditMode)) {
            tagPolicies.setAuditMode(testCase.auditMode);
        }
        servicePolicies.setTagPolicies(tagPolicies);
    }
    RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
    policyEngineOptions.disableTagPolicyEvaluation = false;
    boolean useForwardedIPAddress = RangerConfiguration.getInstance().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
    String trustedProxyAddressString = RangerConfiguration.getInstance().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
    String[] trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, ';');
    if (trustedProxyAddresses != null) {
        for (int i = 0; i < trustedProxyAddresses.length; i++) {
            trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
        }
    }
    RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
    policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
    policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
    long requestCount = 0L;
    RangerAccessRequest request = null;
    for (TestData test : testCase.tests) {
        request = test.request;
        if ((requestCount++ % 10) == 1) {
            policyEngine.reorderPolicyEvaluators();
        }
        if (request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_TAGS) || request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
            // Create a new AccessRequest
            RangerAccessRequestImpl newRequest = new RangerAccessRequestImpl(request.getResource(), request.getAccessType(), request.getUser(), request.getUserGroups());
            newRequest.setClientType(request.getClientType());
            newRequest.setAccessTime(request.getAccessTime());
            newRequest.setAction(request.getAction());
            newRequest.setRemoteIPAddress(request.getRemoteIPAddress());
            newRequest.setForwardedAddresses(request.getForwardedAddresses());
            newRequest.setRequestData(request.getRequestData());
            newRequest.setSessionId(request.getSessionId());
            Map<String, Object> context = request.getContext();
            String tagsJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
            context.remove(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
            if (!StringUtils.isEmpty(tagsJsonString)) {
                try {
                    Type setType = new TypeToken<Set<RangerTagForEval>>() {
                    }.getType();
                    Set<RangerTagForEval> tags = gsonBuilder.fromJson(tagsJsonString, setType);
                    context.put(RangerAccessRequestUtil.KEY_CONTEXT_TAGS, tags);
                } catch (Exception e) {
                    System.err.println("TestPolicyEngine.runTests(): error parsing TAGS JSON string in file " + testName + ", tagsJsonString=" + tagsJsonString + ", exception=" + e);
                }
            } else if (request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
                String resourcesJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
                context.remove(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
                if (!StringUtils.isEmpty(resourcesJsonString)) {
                    try {
                        /*
							Reader stringReader = new StringReader(resourcesJsonString);
							RangerRequestedResources resources = gsonBuilder.fromJson(stringReader, RangerRequestedResources.class);
							*/
                        Type myType = new TypeToken<RangerRequestedResources>() {
                        }.getType();
                        RangerRequestedResources resources = gsonBuilder.fromJson(resourcesJsonString, myType);
                        context.put(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES, resources);
                    } catch (Exception e) {
                        System.err.println("TestPolicyEngine.runTests(): error parsing REQUESTED_RESOURCES string in file " + testName + ", resourcesJsonString=" + resourcesJsonString + ", exception=" + e);
                    }
                }
            }
            newRequest.setContext(context);
            // accessResource.ServiceDef is set here, so that we can skip call to policyEngine.preProcess() which
            // sets the serviceDef in the resource AND calls enrichers. We dont want enrichers to be called when
            // context already contains tags -- This may change when we want enrichers to enrich request in the
            // presence of tags!!!
            // Safe cast
            RangerAccessResourceImpl accessResource = (RangerAccessResourceImpl) request.getResource();
            accessResource.setServiceDef(testCase.serviceDef);
            request = newRequest;
        } else if (!request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
            policyEngine.preProcess(request);
        }
        RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
        if (test.result != null) {
            RangerAccessResult expected = test.result;
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
            assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
        if (test.dataMaskResult != null) {
            RangerAccessResult expected = test.dataMaskResult;
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("maskType mismatched! - " + test.name, expected.getMaskType(), result.getMaskType());
            assertEquals("maskCondition mismatched! - " + test.name, expected.getMaskCondition(), result.getMaskCondition());
            assertEquals("maskedValue mismatched! - " + test.name, expected.getMaskedValue(), result.getMaskedValue());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
        if (test.rowFilterResult != null) {
            RangerAccessResult expected = test.rowFilterResult;
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
        if (test.resourceAccessInfo != null) {
            RangerResourceAccessInfo expected = new RangerResourceAccessInfo(test.resourceAccessInfo);
            RangerResourceAccessInfo result = policyEngine.getResourceAccessInfo(test.request);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("allowedUsers mismatched! - " + test.name, expected.getAllowedUsers(), result.getAllowedUsers());
            assertEquals("allowedGroups mismatched! - " + test.name, expected.getAllowedGroups(), result.getAllowedGroups());
            assertEquals("deniedUsers mismatched! - " + test.name, expected.getDeniedUsers(), result.getDeniedUsers());
            assertEquals("deniedGroups mismatched! - " + test.name, expected.getDeniedGroups(), result.getDeniedGroups());
        }
    }
}
Also used : ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies) Set(java.util.Set) TestData(org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData) RangerTagForEval(org.apache.ranger.plugin.contextenricher.RangerTagForEval) RangerDefaultAuditHandler(org.apache.ranger.plugin.audit.RangerDefaultAuditHandler) RangerRequestedResources(org.apache.ranger.plugin.util.RangerRequestedResources) JsonParseException(com.google.gson.JsonParseException) Type(java.lang.reflect.Type) TypeToken(com.google.gson.reflect.TypeToken)

Example 25 with ServicePolicies

use of org.apache.ranger.plugin.util.ServicePolicies in project ranger by apache.

the class TestPolicyEngine (org.apache.ranger.authorization.hbase) method runTests.

private void runTests(InputStreamReader reader, String testName) {
    try {
        PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
        assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null);
        ServicePolicies servicePolicies = new ServicePolicies();
        servicePolicies.setServiceName(testCase.serviceName);
        servicePolicies.setServiceDef(testCase.serviceDef);
        servicePolicies.setPolicies(testCase.policies);
        RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
        RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
        RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler();
        for (TestData test : testCase.tests) {
            RangerAccessResult expected = test.result;
            RangerAccessRequest request = test.request;
            policyEngine.preProcess(request);
            RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
            assertNotNull("result was null! - " + test.name, result);
            assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
            assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited());
            assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
        }
    } catch (Throwable excp) {
        excp.printStackTrace();
    }
}
Also used : RangerPolicyEngineImpl(org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl) RangerAccessResultProcessor(org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor) ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies) TestData(org.apache.ranger.authorization.hbase.TestPolicyEngine.PolicyEngineTestCase.TestData) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine) RangerDefaultAuditHandler(org.apache.ranger.plugin.audit.RangerDefaultAuditHandler) RangerAccessRequest(org.apache.ranger.plugin.policyengine.RangerAccessRequest) RangerPolicyEngineOptions(org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions)
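Examples 24 and 25 load serviceDef, policies and tests from a JSON test case and push them through RangerPolicyEngineImpl. The block below is an added example, not Ranger code, that builds the same objects programmatically against the 1.x-era plugin API shown on this page (the three-argument RangerPolicyEngineImpl(String, ServicePolicies, RangerPolicyEngineOptions) constructor and the four-argument RangerAccessRequestImpl used in Example 24): one path resource using Ranger's RangerPathResourceMatcher, a recursive read policy on /public and a non-recursive write policy on /tmp for group public, and five requests showing group match, access-type mismatch, and the recursive/non-recursive difference. It needs ranger-plugins-common on the classpath; the service name hdfsdev, the policy ids, users, groups and paths are constructed for the example, and a null audit handler is passed so no audit provider has to be configured.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.util.ServicePolicies;

/** Added example (not Ranger code): in-memory ServicePolicies evaluated with the 1.x plugin engine. */
public final class InMemoryPolicyEngineExample {

    /** Minimal hdfs-like service def (constructed): a single recursive 'path' resource. */
    static RangerServiceDef pathServiceDef() {
        RangerResourceDef path = new RangerResourceDef();
        path.setName("path");
        path.setType("path");
        path.setLevel(10);
        path.setMandatory(true);
        path.setRecursiveSupported(true);
        path.setMatcher("org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher");
        Map<String, String> opts = new HashMap<>();
        opts.put("wildCard", "true");
        opts.put("ignoreCase", "false");
        path.setMatcherOptions(opts);

        RangerServiceDef def = new RangerServiceDef();
        def.setId(1L);
        def.setName("hdfs");
        def.setResources(Arrays.asList(path));
        def.setAccessTypes(Arrays.asList(new RangerAccessTypeDef("read", "Read"),
                                         new RangerAccessTypeDef("write", "Write")));
        return def;
    }

    /** One allow policy: members of 'group' get 'access' on 'path', recursively or not. */
    static RangerPolicy groupPolicy(long id, String path, boolean recursive, String group, String access) {
        RangerPolicy policy = new RangerPolicy();
        policy.setId(id);
        policy.setName("policy-" + id);
        policy.setService("hdfsdev");
        policy.setIsEnabled(true);
        policy.setIsAuditEnabled(true);
        policy.setResources(Collections.singletonMap("path", new RangerPolicyResource(path, false, recursive)));
        RangerPolicyItem item = new RangerPolicyItem();
        item.setGroups(Arrays.asList(group));
        item.setAccesses(Arrays.asList(new RangerPolicyItemAccess(access, true)));
        policy.setPolicyItems(Arrays.asList(item));
        return policy;
    }

    static RangerPolicyEngine buildEngine() {
        ServicePolicies sp = new ServicePolicies();      // same object Examples 24/25 fill from JSON
        sp.setServiceName("hdfsdev");
        sp.setServiceDef(pathServiceDef());
        sp.setPolicies(Arrays.asList(
            groupPolicy(1L, "/public", true,  "public", "read"),    // recursive: covers /public/**
            groupPolicy(2L, "/tmp",    false, "public", "write"))); // not recursive: /tmp itself only
        return new RangerPolicyEngineImpl("example-app", sp, new RangerPolicyEngineOptions());
    }

    /** Evaluate one access request; the null result processor skips audit handling. */
    static RangerAccessResult evaluate(RangerPolicyEngine engine, String path, String access, String user, String... groups) {
        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        resource.setValue("path", path);
        RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, access, user, new HashSet<>(Arrays.asList(groups)));
        engine.preProcess(request);   // sets the serviceDef on the resource and runs enrichers (none here)
        return engine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, null);
    }

    public static void main(String[] args) {
        RangerPolicyEngine engine = buildEngine();
        RangerAccessResult r;
        r = evaluate(engine, "/public/a/b.txt", "read", "alice", "public");
        check(r.getIsAllowed() && r.getPolicyId() == 1L, "group member reads under /public via policy 1");
        r = evaluate(engine, "/public/a/b.txt", "read", "bob", "staff");
        check(!r.getIsAllowed(), "no policy item covers bob's groups");
        r = evaluate(engine, "/public/a/b.txt", "write", "alice", "public");
        check(!r.getIsAllowed(), "policy 1 grants read only");
        r = evaluate(engine, "/tmp/scratch", "write", "alice", "public");
        check(!r.getIsAllowed(), "policy 2 is not recursive, so /tmp/scratch is outside it");
        r = evaluate(engine, "/tmp", "write", "alice", "public");
        check(r.getIsAllowed() && r.getPolicyId() == 2L, "exact /tmp matches policy 2");
        System.out.println("all checks passed");
    }

    private static void check(boolean cond, String what) {
        if (!cond) throw new AssertionError("failed: " + what);
    }
}
```

A request no policy determines comes back with getIsAllowed() false; whether that means "deny" or "fall back to the native permission check" is decided by the individual plugin, not by the engine, which is why the test cases on this page assert on isAllowed and policyId together.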

Aggregations

ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)31 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)16 ArrayList (java.util.ArrayList)13 RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)13 Test (org.junit.Test)13 HashMap (java.util.HashMap)10 RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)8 RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)8 RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)8 VXString (org.apache.ranger.view.VXString)7 IOException (java.io.IOException)5 Date (java.util.Date)4 WebApplicationException (javax.ws.rs.WebApplicationException)4 UnknownHostException (java.net.UnknownHostException)3 GET (javax.ws.rs.GET)3 Path (javax.ws.rs.Path)3 AccessPolicy (org.apache.nifi.authorization.AccessPolicy)3 XXService (org.apache.ranger.entity.XXService)3 RangerService (org.apache.ranger.plugin.model.RangerService)3 RangerPolicyEngineImpl (org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl)3