Java Code Examples for org.apache.ranger.plugin.model.RangerServiceDef#RangerResourceDef
The following examples show how to use
org.apache.ranger.plugin.model.RangerServiceDef#RangerResourceDef .
Example 1
Source File: RangerServiceHdfs.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Builds the policy-resource map for the KMS audit-to-HDFS default policy.
 *
 * <p>Takes the default policy resources created by the superclass for {@code resourceHierarchy}
 * and overrides the value of the HDFS path resource with {@code AUDITTOHDFS_KMS_PATH}. When the
 * path resource is absent, an error is logged and the map is returned as the superclass built it.
 *
 * @param resourceHierarchy resource definitions the default policy resources are created for
 * @return the resource map from {@code createDefaultPolicyResource}, path value overridden when present
 * @throws Exception propagated from the superclass call
 */
private Map<String, RangerPolicy.RangerPolicyResource> createKMSAuditResource(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerServiceHdfs.createKMSAuditResource()");
    }

    final Map<String, RangerPolicy.RangerPolicyResource> policyResources = super.createDefaultPolicyResource(resourceHierarchy);
    final RangerPolicy.RangerPolicyResource hdfsPath = policyResources.get(RangerHdfsAuthorizer.KEY_RESOURCE_PATH);

    if (hdfsPath == null) {
        // NOTE(review): the map is still returned in this case; confirm the caller does not
        // build a policy from it that covers a broader default path than the audit directory.
        LOG.error("Internal error: Could not find RangerPolicyResource corresponding to " + RangerHdfsAuthorizer.KEY_RESOURCE_PATH + " in default policy-resource");
    } else {
        // Scope the policy to the KMS audit path only.
        hdfsPath.setValue(AUDITTOHDFS_KMS_PATH);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerServiceHdfs.createKMSAuditResource():" + policyResources);
    }

    return policyResources;
}
Example 2
Source File: PatchForTagServiceDefUpdate_J10028.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Adds the tag resource definition to {@code resourceDefs}, or refreshes the one already there.
 *
 * <p>The existing entry is located with {@code getResourceDefForTagResource}. If none is found,
 * {@code tagResourceDef} itself is appended. Otherwise the existing entry is updated in place
 * through the setters called below; attributes without a setter call here are left as they were.
 *
 * @param resourceDefs   list to add to or update; mutated by this method
 * @param tagResourceDef source of the attribute values
 */
private void addOrUpdateResourceDefForTagResource(List<RangerServiceDef.RangerResourceDef> resourceDefs, RangerServiceDef.RangerResourceDef tagResourceDef) {
    final RangerServiceDef.RangerResourceDef existing = getResourceDefForTagResource(resourceDefs);

    if (existing == null) {
        resourceDefs.add(tagResourceDef);
        return;
    }

    // Display and validation attributes.
    existing.setDescription(tagResourceDef.getDescription());
    existing.setLabel(tagResourceDef.getLabel());
    existing.setValidationMessage(tagResourceDef.getValidationMessage());
    existing.setValidationRegEx(tagResourceDef.getValidationRegEx());
    existing.setRbKeyDescription(tagResourceDef.getRbKeyDescription());
    existing.setRbKeyLabel(tagResourceDef.getRbKeyLabel());
    existing.setRbKeyValidationMessage(tagResourceDef.getRbKeyValidationMessage());
    existing.setUiHint(tagResourceDef.getUiHint());

    // Matching attributes: these determine how policy resources are compared with accessed
    // resources, so a change here changes which policies apply.
    existing.setMatcher(tagResourceDef.getMatcher());
    existing.setMatcherOptions(tagResourceDef.getMatcherOptions());
    existing.setLookupSupported(tagResourceDef.getLookupSupported());
    existing.setExcludesSupported(tagResourceDef.getExcludesSupported());
    existing.setRecursiveSupported(tagResourceDef.getRecursiveSupported());

    // Position in the resource hierarchy.
    existing.setMandatory(tagResourceDef.getMandatory());
    existing.setLevel(tagResourceDef.getLevel());
    existing.setIsValidLeaf(tagResourceDef.getIsValidLeaf());
    existing.setParent(tagResourceDef.getParent());
}
Example 3
Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 5 votes |
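/**
 * Applies one policy delta to the per-resource tries in {@code trieMap}.
 *
 * <p>For every resource definition of {@code serviceDef}, the matching trie is looked up (and
 * created empty if missing), then the evaluator is added, removed, or replaced according to
 * {@code policyDeltaType}. An unrecognised delta type is logged and leaves the trie untouched.
 *
 * @param trieMap         tries keyed by resource-definition name; may gain entries
 * @param policyDeltaType one of the {@code RangerPolicyDelta.CHANGE_TYPE_POLICY_*} values
 * @param oldEvaluator    evaluator to remove (used for DELETE and UPDATE)
 * @param newEvaluator    evaluator to add (used for CREATE and UPDATE)
 */
private void updateTrie(Map<String, RangerResourceTrie> trieMap, Integer policyDeltaType, RangerPolicyEvaluator oldEvaluator, RangerPolicyEvaluator newEvaluator) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyRepository.updateTrie(policyDeltaType=" + policyDeltaType + "): ");
    }

    for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) {
        String resourceDefName = resourceDef.getName();

        RangerResourceTrie<RangerPolicyEvaluator> trie = trieMap.get(resourceDefName);

        if (trie == null) {
            // A missing trie is only expected when the first policy for this resource is created.
            if (RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE == policyDeltaType || RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE == policyDeltaType) {
                LOG.warn("policyDeltaType is not for POLICY_CREATE and trie for resourceDef:[" + resourceDefName + "] was null! Should not have happened!!");
            }
            trie = new RangerResourceTrie<>(resourceDef, new ArrayList<>(), true, pluginContext);
            trieMap.put(resourceDefName, trie);
        }

        if (policyDeltaType == RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE) {
            addEvaluatorToTrie(newEvaluator, trie, resourceDefName);
        } else if (policyDeltaType == RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE) {
            removeEvaluatorFromTrie(oldEvaluator, trie, resourceDefName);
        } else if (policyDeltaType == RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE) {
            // Replace: drop the old evaluator before inserting the new one.
            removeEvaluatorFromTrie(oldEvaluator, trie, resourceDefName);
            addEvaluatorToTrie(newEvaluator, trie, resourceDefName);
        } else {
            // The policy id is diagnostic only. Dereferencing a null oldEvaluator here would
            // throw out of the loop and leave the remaining tries without this delta applied,
            // so it is read null-safely. Whether callers can pass null is not visible here.
            Object policyId = (oldEvaluator != null && oldEvaluator.getPolicy() != null) ? oldEvaluator.getPolicy().getId() : null;

            LOG.error("policyDeltaType:" + policyDeltaType + " is currently not handled, policy-id:[" + policyId +"]");
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyRepository.updateTrie(policyDeltaType=" + policyDeltaType + "): ");
    }
}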
Example 4
Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Creates one resource trie per resource definition of {@code serviceDef}.
 *
 * @param evaluators               evaluators handed to every trie
 * @param optimizeTrieForRetrieval passed through to the trie constructor
 * @return tries keyed by resource-definition name, or {@code null} when {@code serviceDef} is
 *         null or has no resources; callers must handle the null case
 */
private Map<String, RangerResourceTrie> createResourceTrieMap(List<RangerPolicyEvaluator> evaluators, boolean optimizeTrieForRetrieval) {
    if (serviceDef == null || !CollectionUtils.isNotEmpty(serviceDef.getResources())) {
        return null;
    }

    final Map<String, RangerResourceTrie> triesByResource = new HashMap<>();

    for (RangerServiceDef.RangerResourceDef definition : serviceDef.getResources()) {
        RangerResourceTrie trie = new RangerResourceTrie(definition, evaluators, optimizeTrieForRetrieval, pluginContext);

        triesByResource.put(definition.getName(), trie);
    }

    return triesByResource;
}
Example 5
Source File: PatchForAtlasToAddEntityLabelAndBusinessMetadata_J10034.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Reports whether any resource definition in the list is named in {@code ATLAS_RESOURCES}.
 *
 * @param resourceDefs resource definitions to scan
 * @return {@code true} on the first definition whose name is contained in {@code ATLAS_RESOURCES},
 *         {@code false} if none is
 */
private boolean checkResourcePresent(List<RangerServiceDef.RangerResourceDef> resourceDefs) {
    for (RangerServiceDef.RangerResourceDef candidate : resourceDefs) {
        if (ATLAS_RESOURCES.contains(candidate.getName())) {
            return true;
        }
    }

    return false;
}
Example 6
Source File: AbstractServiceStore.java From ranger with Apache License 2.0 | 5 votes |
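/**
 * Finds the resource definition whose name is {@code RangerServiceTag.TAG_RESOURCE_NAME}.
 *
 * @param resourceDefs resource definitions to search; may be null or empty
 * @return the first matching definition, or {@code null} when there is none
 */
private RangerServiceDef.RangerResourceDef getResourceDefForTagResource(List<RangerServiceDef.RangerResourceDef> resourceDefs) {
    if (CollectionUtils.isNotEmpty(resourceDefs)) {
        for (RangerServiceDef.RangerResourceDef resourceDef : resourceDefs) {
            // Compare constant-first so a definition with a null name is skipped instead of
            // throwing a NullPointerException part-way through the lookup.
            if (RangerServiceTag.TAG_RESOURCE_NAME.equals(resourceDef.getName())) {
                return resourceDef;
            }
        }
    }

    return null;
}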
Example 7
Source File: PatchForHiveServiceDefUpdate_J10017.java From ranger with Apache License 2.0 | 5 votes |
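/**
 * Reports whether the list contains a resource definition named {@code HIVE_GLOBAL_RESOURCE_NAME}.
 *
 * @param resourceDefs resource definitions to scan; {@code null} is treated as "not present"
 * @return {@code true} if a definition with that name exists, otherwise {@code false}
 */
private boolean checkHiveGlobalresourcePresent(List<RangerServiceDef.RangerResourceDef> resourceDefs) {
    // updateServiceDef() null-checks this same list only after calling this method, so a null
    // list has to be handled here rather than failing in the for-each.
    if (resourceDefs == null) {
        return false;
    }

    for (RangerServiceDef.RangerResourceDef resourceDef : resourceDefs) {
        if (HIVE_GLOBAL_RESOURCE_NAME.equals(resourceDef.getName())) {
            return true;
        }
    }

    return false;
}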
Example 8
Source File: PatchForHiveServiceDefUpdate_J10017.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Brings {@code serviceDef} in line with the embedded Hive service definition and persists it.
 *
 * <p>When the embedded definition contains the Hive global resource, the resources of
 * {@code serviceDef} are replaced with the embedded ones, and the access types are replaced if
 * their string forms differ. The definition is then validated for {@code Action.UPDATE} and
 * written through {@code svcStore}; this happens whether or not anything was changed.
 *
 * @param serviceDef             definition to update and persist; mutated
 * @param embeddedHiveServiceDef embedded definition supplying resources and access types
 * @return {@code true} if the Hive global resource was present in the embedded definition
 * @throws Exception propagated from validation or the store update
 */
private boolean updateServiceDef(RangerServiceDef serviceDef, RangerServiceDef embeddedHiveServiceDef ) throws Exception {
    final List<RangerServiceDef.RangerResourceDef> embeddedResources = embeddedHiveServiceDef.getResources();
    final List<RangerServiceDef.RangerAccessTypeDef> embeddedAccessTypes = embeddedHiveServiceDef.getAccessTypes();

    // True when the HIVESERVICE resource has been added to the embedded resource definition;
    // only then are the resource and access-type definitions refreshed.
    final boolean globalResourcePresent = checkHiveGlobalresourcePresent(embeddedResources);

    if (globalResourcePresent) {
        if (embeddedResources != null) {
            serviceDef.setResources(embeddedResources);
        }

        // NOTE(review): equality is decided on the lists' toString() output, ignoring case;
        // this depends on the element toString() implementation. Confirm it covers every field
        // that matters for authorization.
        if (embeddedAccessTypes != null
                && !embeddedAccessTypes.toString().equalsIgnoreCase(serviceDef.getAccessTypes().toString())) {
            serviceDef.setAccessTypes(embeddedAccessTypes);
        }
    }

    // Validate before persisting so an inconsistent definition is rejected by the validator.
    final RangerServiceDefValidator defValidator = validatorFactory.getServiceDefValidator(svcStore);
    defValidator.validate(serviceDef, Action.UPDATE);
    svcStore.updateServiceDef(serviceDef);

    return globalResourcePresent;
}
Example 9
Source File: PatchForHiveServiceDefUpdate_J10007.java From ranger with Apache License 2.0 | 5 votes |
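/**
 * Reports whether the list contains a resource definition named {@code URL_RESOURCE_NAME}.
 *
 * @param resourceDefs resource definitions to scan; {@code null} is treated as "not present"
 * @return {@code true} if a definition with that name exists, otherwise {@code false}
 */
private boolean checkURLresourcePresent(List<RangerServiceDef.RangerResourceDef> resourceDefs) {
    // updateHiveServiceDef() null-checks this same list only after calling this method, so a
    // null list has to be handled here rather than failing in the for-each.
    if (resourceDefs == null) {
        return false;
    }

    for (RangerServiceDef.RangerResourceDef resourceDef : resourceDefs) {
        if (URL_RESOURCE_NAME.equals(resourceDef.getName())) {
            return true;
        }
    }

    return false;
}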
Example 10
Source File: EmbeddedServiceDefsUtil.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Looks up whether the named resource definition supports recursive matching.
 *
 * @param rangerServiceDef service definition whose resources are searched
 * @param resourceDefName  name of the resource definition to find; must not be null
 * @return the {@code recursiveSupported} value of the first definition with that name, or
 *         {@code false} when no definition has that name
 */
public static boolean isRecursiveEnabled(final RangerServiceDef rangerServiceDef, final String resourceDefName) {
    for (RangerServiceDef.RangerResourceDef candidate : rangerServiceDef.getResources()) {
        if (resourceDefName.equals(candidate.getName())) {
            return candidate.getRecursiveSupported();
        }
    }

    // Unknown resource names fall back to non-recursive matching.
    return false;
}
Example 11
Source File: RangerBaseService.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Builds the default policy for one resource hierarchy of this service.
 *
 * <p>The policy is enabled, audit-enabled, at version 1, named by {@code buildPolicyName}, and
 * carries a single policy item produced by {@code createDefaultPolicyItem}.
 *
 * @param resourceHierarchy resource definitions the policy covers
 * @return the newly built policy
 * @throws Exception propagated from the helper methods
 */
private RangerPolicy getDefaultPolicy(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerBaseService.getDefaultPolicy()");
    }

    final RangerPolicy defaultPolicy = new RangerPolicy();
    final String defaultPolicyName = buildPolicyName(resourceHierarchy);

    defaultPolicy.setIsEnabled(true);
    defaultPolicy.setVersion(1L);
    defaultPolicy.setName(defaultPolicyName);
    defaultPolicy.setService(service.getName());
    defaultPolicy.setDescription("Policy for " + defaultPolicyName);
    defaultPolicy.setIsAuditEnabled(true);
    defaultPolicy.setResources(createDefaultPolicyResource(resourceHierarchy));

    // Default policy item for the service user. Who is granted what is decided inside
    // createDefaultPolicyItem, which is not part of this method.
    final List<RangerPolicy.RangerPolicyItem> items = new ArrayList<>();
    items.add(createDefaultPolicyItem(defaultPolicy.getResources()));
    defaultPolicy.setPolicyItems(items);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerBaseService.getDefaultPolicy()" + defaultPolicy);
    }

    return defaultPolicy;
}
Example 12
Source File: PatchForKafkaServiceDefUpdate_J10033.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Reports whether the list contains a resource definition named {@code CONSUMERGROUP_RESOURCE_NAME}.
 *
 * @param resourceDefs resource definitions to scan
 * @return {@code true} if a definition with that name exists, otherwise {@code false}
 */
private boolean checkNewKafkaresourcePresent(List<RangerServiceDef.RangerResourceDef> resourceDefs) {
    for (RangerServiceDef.RangerResourceDef candidate : resourceDefs) {
        if (CONSUMERGROUP_RESOURCE_NAME.equals(candidate.getName())) {
            return true;
        }
    }

    return false;
}
Example 13
Source File: PatchForHiveServiceDefUpdate_J10007.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Updates the stored Hive service definition from the embedded one.
 *
 * <p>Steps, all inside one try block:
 * <ol>
 *   <li>Load the embedded Hive definition; stop if there is none.</li>
 *   <li>Snapshot the stored definition's options before the update.</li>
 *   <li>If the embedded definition has the URL resource, replace the stored resources and,
 *       when their string forms differ, the access types.</li>
 *   <li>Validate for {@code Action.UPDATE} and persist through {@code svcStore}.</li>
 *   <li>If the update introduced {@code OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES} where it
 *       was absent before, restore the pre-update state of that option and persist it.</li>
 * </ol>
 *
 * <p>NOTE(review): every exception, including the {@code RuntimeException} thrown when the store
 * update returns null, is caught at the bottom and only logged. A failed patch is therefore
 * indistinguishable from a successful one for the caller; confirm this best-effort behaviour is
 * intended.
 */
private void updateHiveServiceDef(){
    try {
        final RangerServiceDef embeddedDef = EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME);
        if (embeddedDef == null) {
            return;
        }

        // Remember the options as stored before the update so step 5 can compare against them.
        Map<String, String> optionsBefore = null;
        XXServiceDef storedRow = daoMgr.getXXServiceDef().findByName(SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME);
        if (storedRow != null) {
            optionsBefore = jsonStringToMap(storedRow.getDefOptions());
        }

        final RangerServiceDef dbDef = svcDBStore.getServiceDefByName(SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME);
        if (dbDef == null) {
            return;
        }

        final List<RangerServiceDef.RangerResourceDef> embeddedResources = embeddedDef.getResources();
        final List<RangerServiceDef.RangerAccessTypeDef> embeddedAccessTypes = embeddedDef.getAccessTypes();

        // Only refresh resource and access-type definitions when the URL resource has been
        // added to the embedded resource definition.
        if (checkURLresourcePresent(embeddedResources)) {
            if (embeddedResources != null) {
                dbDef.setResources(embeddedResources);
            }
            if (embeddedAccessTypes != null
                    && !embeddedAccessTypes.toString().equalsIgnoreCase(dbDef.getAccessTypes().toString())) {
                dbDef.setAccessTypes(embeddedAccessTypes);
            }
        }

        final RangerServiceDefValidator defValidator = validatorFactory.getServiceDefValidator(svcStore);
        defValidator.validate(dbDef, Action.UPDATE);

        final RangerServiceDef updated = svcStore.updateServiceDef(dbDef);
        if (updated == null) {
            logger.error("Error while updating "+SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME+"service-def");
            throw new RuntimeException("Error while updating "+SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME+"service-def");
        }

        storedRow = daoMgr.getXXServiceDef().findByName(SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME);
        if (storedRow == null) {
            return;
        }

        final Map<String, String> optionsAfter = jsonStringToMap(storedRow.getDefOptions());

        // The deny/exception option changes how policies are evaluated, so the patch must not
        // switch it on as a side effect: act only when the update added it.
        final boolean presentAfter = optionsAfter != null
                && optionsAfter.containsKey(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
        if (!presentAfter) {
            return;
        }

        final boolean absentBefore = optionsBefore == null
                || !optionsBefore.containsKey(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
        if (!absentBefore) {
            return;
        }

        final String valueBefore = optionsBefore == null
                ? null
                : optionsBefore.get(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);

        if (valueBefore == null) {
            optionsAfter.remove(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
        } else {
            optionsAfter.put(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES, valueBefore);
        }

        storedRow.setDefOptions(mapToJsonString(optionsAfter));
        daoMgr.getXXServiceDef().update(storedRow);
    } catch (Exception e) {
        logger.error("Error while updating "+SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME+"service-def", e);
    }
}
Example 14
Source File: RangerServiceResourceMatcher.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Delegates to {@code ServiceDefUtil.isAncestorOf}, passing this matcher's service definition
 * and {@code leafResourceDef} together with {@code resourceDef}.
 *
 * @param resourceDef resource definition passed as the last argument of the delegate call
 * @return the result of {@code ServiceDefUtil.isAncestorOf}
 */
@Override
public boolean isAncestorOf(RangerServiceDef.RangerResourceDef resourceDef) {
    final boolean ancestor = ServiceDefUtil.isAncestorOf(policyResourceMatcher.getServiceDef(), leafResourceDef, resourceDef);

    return ancestor;
}
Example 15
Source File: RangerZoneResourceMatcher.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Delegates to {@code ServiceDefUtil.isAncestorOf}, passing this zone matcher's service
 * definition and {@code leafResourceDef} together with {@code resourceDef}.
 *
 * @param resourceDef resource definition passed as the last argument of the delegate call
 * @return the result of {@code ServiceDefUtil.isAncestorOf}
 */
@Override
public boolean isAncestorOf(RangerServiceDef.RangerResourceDef resourceDef) {
    final boolean ancestor = ServiceDefUtil.isAncestorOf(policyResourceMatcher.getServiceDef(), leafResourceDef, resourceDef);

    return ancestor;
}
Example 16
Source File: PatchForPrestoToSupportPresto333_J10038.java From ranger with Apache License 2.0 | 4 votes |
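/**
 * Updates the stored Presto service definition from the embedded one.
 *
 * <p>Does nothing when there is no embedded Presto definition or no stored Presto service-def.
 * Otherwise, when the embedded definition contains the resources in {@code PRESTO_RESOURCES},
 * the stored resources are replaced, and the access types too when they contain
 * {@code PRESTO_ACCESS_TYPES}. The definition is then validated for UPDATE and persisted.
 *
 * @throws RuntimeException when the store update returns null
 * @throws Exception        propagated from validation or the store
 */
private void addPresto333Support() throws Exception {
    final String prestoDefName = EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_PRESTO_NAME;

    RangerServiceDef embeddedPrestoServiceDef = EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(prestoDefName);
    if (embeddedPrestoServiceDef == null) {
        return;
    }

    XXServiceDef xXServiceDefObj = daoMgr.getXXServiceDef().findByName(prestoDefName);
    if (xXServiceDefObj == null) {
        // Log the service-def name; the looked-up object is null here and would print "null".
        logger.info(prestoDefName + ": service-def not found. No patching is needed");
        return;
    }

    // NOTE(review): the store lookup result is used without a null check, as in the original.
    RangerServiceDef dbPrestoServiceDef = svcDBStore.getServiceDefByName(prestoDefName);

    List<RangerServiceDef.RangerResourceDef> embeddedPrestoResourceDefs = embeddedPrestoServiceDef.getResources();
    List<RangerServiceDef.RangerAccessTypeDef> embeddedPrestoAccessTypes = embeddedPrestoServiceDef.getAccessTypes();

    if (checkResourcePresent(PRESTO_RESOURCES, embeddedPrestoResourceDefs)) {
        dbPrestoServiceDef.setResources(embeddedPrestoResourceDefs);

        if (checkAccessPresent(PRESTO_ACCESS_TYPES, embeddedPrestoAccessTypes)) {
            dbPrestoServiceDef.setAccessTypes(embeddedPrestoAccessTypes);
        }
    }

    // Validate before persisting so an inconsistent definition is rejected by the validator.
    RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
    validator.validate(dbPrestoServiceDef, RangerValidator.Action.UPDATE);

    RangerServiceDef ret = svcStore.updateServiceDef(dbPrestoServiceDef);
    if (ret == null) {
        // The message previously named the Atlas service-def, which would misdirect anyone
        // reading the log after a failed Presto patch.
        logger.error("Error while updating " + prestoDefName + " service-def");
        throw new RuntimeException("Error while updating " + prestoDefName + " service-def");
    }
}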
Example 17
Source File: PolicyEngine.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Builds the security-zone resource tries from {@code servicePolicies}.
 *
 * <p>For each zone and each of its resource maps, a {@code RangerZoneResourceMatcher} is created
 * from policy resources that are non-excluding and whose recursive flag comes from the service
 * definition. Zones that report an associated tag service are recorded in
 * {@code zoneTagServiceMap}. Finally one trie per resource definition is stored in
 * {@code resourceZoneTrie}, each built over all matchers. Nothing is built when there are no zones.
 *
 * @param servicePolicies source of the security zones and the service definition
 */
private void buildZoneTrie(ServicePolicies servicePolicies) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> PolicyEngine.buildZoneTrie()");
    }

    final Map<String, ServicePolicies.SecurityZoneInfo> zonesByName = servicePolicies.getSecurityZones();

    if (MapUtils.isNotEmpty(zonesByName)) {
        final RangerServiceDef zoneServiceDef = servicePolicies.getServiceDef();
        final List<RangerZoneResourceMatcher> zoneMatchers = new ArrayList<>();

        for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> zoneEntry : zonesByName.entrySet()) {
            final String zoneName = zoneEntry.getKey();
            final ServicePolicies.SecurityZoneInfo zoneInfo = zoneEntry.getValue();

            if (LOG.isDebugEnabled()) {
                LOG.debug("Building matchers for zone:[" + zoneName +"]");
            }

            for (Map<String, List<String>> resource : zoneInfo.getResources()) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Building matcher for resource:[" + resource + "] in zone:[" + zoneName +"]");
                }

                final Map<String, RangerPolicy.RangerPolicyResource> zonePolicyResources = new HashMap<>();

                for (Map.Entry<String, List<String>> element : resource.entrySet()) {
                    final String elementName = element.getKey();
                    final RangerPolicy.RangerPolicyResource elementResource = new RangerPolicy.RangerPolicyResource();

                    // Zone resources are never excludes; recursion follows the service definition.
                    elementResource.setIsExcludes(false);
                    elementResource.setIsRecursive(EmbeddedServiceDefsUtil.isRecursiveEnabled(zoneServiceDef, elementName));
                    elementResource.setValues(element.getValue());

                    zonePolicyResources.put(elementName, elementResource);
                }

                zoneMatchers.add(new RangerZoneResourceMatcher(zoneName, zonePolicyResources, zoneServiceDef));

                if (LOG.isDebugEnabled()) {
                    LOG.debug("Built matcher for resource:[" + resource +"] in zone:[" + zoneName + "]");
                }
            }

            if (LOG.isDebugEnabled()) {
                LOG.debug("Built all matchers for zone:[" + zoneName +"]");
            }

            if (zoneInfo.getContainsAssociatedTagService()) {
                zoneTagServiceMap.put(zoneName, zoneName);
            }
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("Built matchers for all Zones");
        }

        // Every trie is built over the complete matcher list, one trie per resource definition.
        for (RangerServiceDef.RangerResourceDef definition : zoneServiceDef.getResources()) {
            resourceZoneTrie.put(definition.getName(), new RangerResourceTrie<>(definition, zoneMatchers));
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== PolicyEngine.buildZoneTrie()");
    }
}
Example 18
Source File: RangerServiceYarn.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Returns the default YARN policies, adjusted for the lookup user and the queue resource.
 *
 * <p>Starts from the superclass defaults. For each policy whose name contains {@code "all"}:
 * when {@code lookUpUser} is not blank, a non-delegating policy item granting that user
 * {@code ACCESS_TYPE_SUBMIT_APP} is appended; and when the policy has a queue resource that is
 * also defined in the service definition, its value is set to the wildcard.
 *
 * @return the list returned by the superclass, modified in place
 * @throws Exception propagated from the superclass
 */
public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerServiceYarn.getDefaultRangerPolicies() ");
    }

    final List<RangerPolicy> ret = super.getDefaultRangerPolicies();
    final String queueResourceName = RangerYarnAuthorizer.KEY_RESOURCE_QUEUE;

    for (RangerPolicy candidate : ret) {
        // NOTE(review): selection is a substring match on the policy name, so any default
        // policy whose name happens to contain "all" receives the lookup-user grant. Confirm
        // the naming scheme of buildPolicyName makes this unambiguous.
        if (!candidate.getName().contains("all")) {
            continue;
        }

        final RangerPolicy.RangerPolicyResource queueResource = candidate.getResources().get(queueResourceName);

        if (StringUtils.isNotBlank(lookUpUser)) {
            final RangerPolicyItem lookupItem = new RangerPolicyItem();

            lookupItem.setUsers(Collections.singletonList(lookUpUser));
            lookupItem.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_SUBMIT_APP)));
            lookupItem.setDelegateAdmin(false); // the lookup user must not be able to delegate
            candidate.getPolicyItems().add(lookupItem);
        }

        if (queueResource == null) {
            LOG.warn("No '" + queueResourceName + "' found in default policy");
            continue;
        }

        boolean queueDefined = false;
        for (RangerServiceDef.RangerResourceDef definition : serviceDef.getResources()) {
            if (definition.getName().equals(queueResourceName)) {
                queueDefined = true;
                break;
            }
        }

        if (queueDefined) {
            queueResource.setValue(RangerAbstractResourceMatcher.WILDCARD_ASTERISK);
        } else {
            LOG.warn("No resourceDef found in YARN service-definition for '" + queueResourceName + "'");
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerServiceYarn.getDefaultRangerPolicies() : " + ret);
    }

    return ret;
}
Example 19
Source File: RangerServiceHdfs.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Returns the default HDFS policies, adjusted for the lookup user, the path resource and KMS audit.
 *
 * <p>Starts from the superclass defaults. For each policy whose name contains {@code "all"}:
 * when {@code lookUpUser} is not blank, a non-delegating policy item granting that user
 * {@code ACCESS_TYPE_READ} is appended; and when the policy has a path resource that is also
 * defined in the service definition, its value is set to the path separator followed by the
 * wildcard. Afterwards one KMS-audit policy is added per mandatory-only access hierarchy;
 * failures in that step are logged and do not abort the method.
 *
 * @return the list returned by the superclass, modified in place
 * @throws Exception propagated from the superclass
 */
@Override
public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerServiceHdfs.getDefaultRangerPolicies() ");
    }

    final List<RangerPolicy> ret = super.getDefaultRangerPolicies();
    final String pathResourceName = RangerHdfsAuthorizer.KEY_RESOURCE_PATH;

    for (RangerPolicy candidate : ret) {
        // NOTE(review): selection is a substring match on the policy name, so any default
        // policy whose name happens to contain "all" receives the lookup-user read grant.
        if (!candidate.getName().contains("all")) {
            continue;
        }

        if (StringUtils.isNotBlank(lookUpUser)) {
            final RangerPolicyItem lookupItem = new RangerPolicyItem();

            lookupItem.setUsers(Collections.singletonList(lookUpUser));
            lookupItem.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_READ)));
            lookupItem.setDelegateAdmin(false); // the lookup user must not be able to delegate
            candidate.getPolicyItems().add(lookupItem);
        }

        final RangerPolicy.RangerPolicyResource pathResource = candidate.getResources().get(pathResourceName);

        if (pathResource == null) {
            LOG.warn("No '" + pathResourceName + "' found in default policy");
            continue;
        }

        RangerServiceDef.RangerResourceDef pathDefinition = null;
        for (RangerServiceDef.RangerResourceDef definition : serviceDef.getResources()) {
            if (definition.getName().equals(pathResourceName)) {
                pathDefinition = definition;
                break;
            }
        }

        if (pathDefinition == null) {
            LOG.warn("No resourceDef found in HDFS service-definition for '" + pathResourceName + "'");
            continue;
        }

        // Use the separator configured on the matcher, falling back to the default character.
        String separator = pathDefinition.getMatcherOptions().get(RangerPathResourceMatcher.OPTION_PATH_SEPARATOR);
        if (StringUtils.isBlank(separator)) {
            separator = Character.toString(RangerPathResourceMatcher.DEFAULT_PATH_SEPARATOR_CHAR);
        }

        pathResource.setValue(separator + RangerAbstractResourceMatcher.WILDCARD_ASTERISK);
    }

    try {
        // we need to create one policy for keyadmin user for audit to HDFS
        final RangerServiceDefHelper helper = new RangerServiceDefHelper(serviceDef);

        for (List<RangerServiceDef.RangerResourceDef> hierarchy : helper.filterHierarchies_containsOnlyMandatoryResources(RangerPolicy.POLICY_TYPE_ACCESS)) {
            final RangerPolicy auditPolicy = getPolicyForKMSAudit(hierarchy);

            if (auditPolicy != null) {
                ret.add(auditPolicy);
            }
        }
    } catch (Exception e) {
        // Best effort: the defaults built so far are still returned without the audit policy.
        LOG.error("Error creating policy for keyadmin for audit to HDFS : " + service.getName(), e);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerServiceHdfs.getDefaultRangerPolicies() : " + ret);
    }

    return ret;
}
Example 20
Source File: RangerTagEnricher.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Creates a matcher for {@code serviceResource} using the first policy type whose resource
 * hierarchy is valid for the resource's element keys.
 *
 * <p>Validity per policy type is read from {@code hierarchies}; when it has no answer yet, the
 * hierarchies of {@code serviceDefHelper} are checked and the result is recorded in
 * {@code hierarchies} before it is used.
 *
 * @param serviceResource  resource to build the matcher for
 * @param serviceDefHelper supplies the service definition and its resource hierarchies
 * @param hierarchies      record of validated hierarchies; may be updated by this call
 * @return the matcher, or {@code null} when no policy type has a valid hierarchy
 */
static public RangerServiceResourceMatcher createRangerServiceResourceMatcher(RangerServiceResource serviceResource, RangerServiceDefHelper serviceDefHelper, ResourceHierarchies hierarchies) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> createRangerServiceResourceMatcher(serviceResource=" + serviceResource + ")");
    }

    RangerServiceResourceMatcher ret = null;

    final Collection<String> resourceKeys = serviceResource.getResourceElements().keySet();

    for (int policyType : RangerPolicy.POLICY_TYPES) {
        Boolean validity = hierarchies.isValidHierarchy(policyType, resourceKeys);

        if (validity == null) { // hierarchy not yet validated
            validity = Boolean.FALSE;

            for (List<RangerServiceDef.RangerResourceDef> candidate : serviceDefHelper.getResourceHierarchies(policyType)) {
                if (serviceDefHelper.hierarchyHasAllResources(candidate, resourceKeys)) {
                    validity = Boolean.TRUE;
                    break;
                }
            }

            hierarchies.addHierarchy(policyType, resourceKeys, validity);
        }

        if (!validity) {
            continue;
        }

        final RangerDefaultPolicyResourceMatcher resourceMatcher = new RangerDefaultPolicyResourceMatcher();

        resourceMatcher.setServiceDef(serviceDefHelper.getServiceDef());
        resourceMatcher.setPolicyResources(serviceResource.getResourceElements(), policyType);

        if (LOG.isDebugEnabled()) {
            LOG.debug("RangerTagEnricher.setServiceTags() - Initializing matcher with (resource=" + serviceResource + ", serviceDef=" + serviceDefHelper.getServiceDef() + ")");
        }

        resourceMatcher.setServiceDefHelper(serviceDefHelper);
        resourceMatcher.init();

        // The first valid policy type wins; later types are not examined.
        ret = new RangerServiceResourceMatcher(serviceResource, resourceMatcher);
        break;
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== createRangerServiceResourceMatcher(serviceResource=" + serviceResource + ") : [" + ret + "]");
    }

    return ret;
}