Java Code Examples for org.apache.ranger.plugin.model.RangerPolicy#RangerPolicyResource
The following examples show how to use
org.apache.ranger.plugin.model.RangerPolicy#RangerPolicyResource .
Example 1
Source File: RangerBaseService.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Builds the policy item that is attached to this service's default policies.
 *
 * <p>The item names the users from {@code getUserList()} and the groups from
 * {@code getGroupList()}, grants them whatever {@code getAllowedAccesses(policyResources)}
 * returns, and is created with delegate-admin enabled.
 *
 * @param policyResources resources of the default policy, handed to {@code getAllowedAccesses}
 * @return the populated policy item
 * @throws Exception declared by the signature; the helper that can raise it is outside this method
 */
private RangerPolicy.RangerPolicyItem createDefaultPolicyItem(Map<String, RangerPolicy.RangerPolicyResource> policyResources) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerBaseService.createDefaultPolicyItem()");
    }

    final RangerPolicy.RangerPolicyItem defaultItem = new RangerPolicy.RangerPolicyItem();

    defaultItem.setUsers(getUserList());
    defaultItem.setGroups(getGroupList());
    defaultItem.setAccesses(getAllowedAccesses(policyResources));

    // Security-relevant default: delegate-admin is on, so in Ranger every principal listed on
    // this item can administer (and hand out) access to the same resources.
    // NOTE(review): confirm getUserList()/getGroupList() only return intended administrators.
    defaultItem.setDelegateAdmin(true);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerBaseService.createDefaultPolicyItem(): " + defaultItem );
    }

    return defaultItem;
}
Example 2
Source File: RangerServiceResourceServiceBase.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Copies the fields of the persisted service-resource entity onto its view bean.
 *
 * <p>GUID, version, enabled flag and resource signature are copied directly; the service name
 * is resolved through the service DAO and the resource elements through
 * {@code getServiceResourceElements}.
 *
 * @param vObj view bean to fill in
 * @param xObj entity read from the store
 * @return the same {@code vObj} instance, populated
 */
@Override
protected V mapEntityToViewBean(V vObj, T xObj) {
    vObj.setGuid(xObj.getGuid());
    vObj.setVersion(xObj.getVersion());
    vObj.setIsEnabled(xObj.getIsEnabled());
    vObj.setResourceSignature(xObj.getResourceSignature());

    // NOTE(review): the lookup result is dereferenced without a null check; if getById() can
    // return null for a dangling service id this line throws NullPointerException - confirm.
    final XXService owningService = daoMgr.getXXService().getById(xObj.getServiceId());
    vObj.setServiceName(owningService.getName());

    final Map<String, RangerPolicy.RangerPolicyResource> elements = getServiceResourceElements(xObj);
    vObj.setResourceElements(elements);

    return vObj;
}
Example 3
Source File: TestServiceREST.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Expects {@code getPolicyFromEventTime} to end in a {@code WebApplicationException} when the
 * store returns no policy for the requested event time.
 */
@Test
public void test60getPolicyFromEventTime() throws Exception {
    final String eventTime = new Date().toString();
    final HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);

    // NOTE(review): this set is built but never passed to anything in this test.
    final Set<String> groups = new HashSet<String>();
    groups.add("group1");
    groups.add("group2");

    // request parameters the REST method reads
    Mockito.when(mockRequest.getParameter("eventTime")).thenReturn(eventTime);
    Mockito.when(mockRequest.getParameter("policyId")).thenReturn("1");
    Mockito.when(mockRequest.getParameter("versionNo")).thenReturn("1");

    // NOTE(review): this policy is built but not returned by any stub below.
    final RangerPolicy unusedPolicy = new RangerPolicy();
    final Map<String, RangerPolicyResource> emptyResources = new HashMap<String, RangerPolicy.RangerPolicyResource>();
    unusedPolicy.setService("services");
    unusedPolicy.setResources(emptyResources);

    // the store finds nothing, and the error helper is stubbed to throw
    Mockito.when(svcStore.getPolicyFromEventTime(eventTime, 1L)).thenReturn(null);
    Mockito.when(restErrorUtil.createRESTException(Mockito.anyInt(), Mockito.anyString(), Mockito.anyBoolean()))
            .thenThrow(new WebApplicationException());
    thrown.expect(WebApplicationException.class);

    serviceREST.getPolicyFromEventTime(mockRequest);
}
Example 4
Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Removes an evaluator's entry for one resource definition from the given trie.
 *
 * <p>Nothing happens when the evaluator is {@code null} or when its policy has no resource
 * registered under {@code resourceDefName}.
 *
 * @param oldEvaluator    evaluator being retired; may be {@code null}
 * @param trie            trie to delete from
 * @param resourceDefName name of the resource definition the trie is keyed on
 */
private void removeEvaluatorFromTrie(RangerPolicyEvaluator oldEvaluator, RangerResourceTrie<RangerPolicyEvaluator> trie, String resourceDefName) {
    if (oldEvaluator == null) {
        return;
    }

    final RangerPolicy.RangerPolicyResource staleResource = oldEvaluator.getPolicyResource().get(resourceDefName);
    if (staleResource == null) {
        return;
    }

    trie.delete(staleResource, oldEvaluator);
}
Example 5
Source File: TestServiceREST.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Drives {@code getPolicyFromEventTime} with a stored policy and a caller that is stubbed as
 * non-admin, and expects a {@code WebApplicationException}.
 */
@Test
public void test30getPolicyFromEventTime() throws Exception {
    final String loginId = "Admin";
    final String eventTime = new Date().toString();
    final HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);

    // NOTE(review): this set is built but never passed to anything in this test.
    final Set<String> groups = new HashSet<String>();
    groups.add("group1");
    groups.add("group2");

    // request parameters the REST method reads
    Mockito.when(mockRequest.getParameter("eventTime")).thenReturn(eventTime);
    Mockito.when(mockRequest.getParameter("policyId")).thenReturn("1");
    Mockito.when(mockRequest.getParameter("versionNo")).thenReturn("1");

    // the store returns a policy with no resources
    final RangerPolicy storedPolicy = new RangerPolicy();
    final Map<String, RangerPolicyResource> emptyResources = new HashMap<String, RangerPolicy.RangerPolicyResource>();
    storedPolicy.setService("services");
    storedPolicy.setResources(emptyResources);
    Mockito.when(svcStore.getPolicyFromEventTime(eventTime, 1L)).thenReturn(storedPolicy);

    // caller is not an admin; presumably this drives the access-denied path - confirm in ServiceREST
    Mockito.when(bizUtil.isAdmin()).thenReturn(false);
    Mockito.when(bizUtil.getCurrentUserLoginId()).thenReturn(loginId);
    Mockito.when(restErrorUtil.createRESTException(Mockito.anyInt(), Mockito.anyString(), Mockito.anyBoolean()))
            .thenThrow(new WebApplicationException());
    thrown.expect(WebApplicationException.class);

    final RangerPolicy returned = serviceREST.getPolicyFromEventTime(mockRequest);

    // NOTE(review): when the call above throws, as thrown.expect(...) requires, none of the
    // statements below run, so the assertNull and the verify() calls check nothing.
    Assert.assertNull(returned);
    Mockito.verify(mockRequest).getParameter("eventTime");
    Mockito.verify(mockRequest).getParameter("policyId");
    Mockito.verify(mockRequest).getParameter("versionNo");
}
Example 6
Source File: TestRangerBasePluginWithPolicies.java From nifi-registry with Apache License 2.0 | 5 votes |
/**
 * Verifies that a Ranger policy item with delegate-admin set yields four access policies:
 * READ and WRITE on the resource itself and READ and WRITE on {@code "/policies" + resource}.
 */
@Test
public void testDelegateAdmin() {
    final String userIdentity = "user-1";
    final String resourceId = "/resource-1";

    // policy item: user-1 gets READ and WRITE, with delegate-admin switched on
    final RangerPolicy.RangerPolicyItem item = new RangerPolicy.RangerPolicyItem();
    item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ"), new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
    item.setUsers(Stream.of(userIdentity).collect(Collectors.toList()));
    item.setDelegateAdmin(true);

    final RangerPolicy.RangerPolicyResource resource = new RangerPolicy.RangerPolicyResource(resourceId);
    final Map<String, RangerPolicy.RangerPolicyResource> resources = new HashMap<>();
    resources.put(resourceId, resource);

    final RangerPolicy policy = new RangerPolicy();
    policy.setResources(resources);
    policy.setPolicyItems(Stream.of(item).collect(Collectors.toList()));

    final List<RangerPolicy> allPolicies = new ArrayList<>();
    allPolicies.add(policy);

    final RangerServiceDef registryServiceDef = new RangerServiceDef();
    registryServiceDef.setName("nifi-registry");

    final ServicePolicies bundle = new ServicePolicies();
    bundle.setPolicies(allPolicies);
    bundle.setServiceDef(registryServiceDef);

    // load the policies into the plugin under test
    final RangerBasePluginWithPolicies plugin = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
    plugin.setPolicies(bundle);

    // two policies for the resource plus two for administering its policies
    assertEquals(4, plugin.getAccessPolicies().size());
    assertNotNull(plugin.getAccessPolicy(resourceId, RequestAction.READ));
    assertNotNull(plugin.getAccessPolicy(resourceId, RequestAction.WRITE));
    assertNotNull(plugin.getAccessPolicy("/policies" + resourceId, RequestAction.READ));
    assertNotNull(plugin.getAccessPolicy("/policies" + resourceId, RequestAction.WRITE));
}
Example 7
Source File: ServiceDefUtil.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Returns the level of the leaf resource definition for the given policy resources.
 *
 * @param serviceDef     service definition passed to {@code getLeafResourceDef}
 * @param policyResource policy resources passed to {@code getLeafResourceDef}
 * @return the leaf definition's level, or {@code null} when no leaf definition is found
 */
public static Integer getLeafResourceLevel(RangerServiceDef serviceDef, Map<String, RangerPolicy.RangerPolicyResource> policyResource) {
    final RangerResourceDef leafDef = getLeafResourceDef(serviceDef, policyResource);

    if (leafDef == null) {
        return null;
    }

    return leafDef.getLevel();
}
Example 8
Source File: TestRangerBasePluginWithPolicies.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Verifies that {@code doesPolicyExist} reports the two resources that have a Ranger policy
 * and rejects a resource that has none.
 */
@Test
public void testDoesPolicyExist() {
    final String firstId = "resource1";
    final String secondId = "resource2";

    // policy covering resource1
    final RangerPolicy.RangerPolicyResource firstResource = new RangerPolicy.RangerPolicyResource(firstId);
    final Map<String, RangerPolicy.RangerPolicyResource> firstResources = new HashMap<>();
    firstResources.put(firstId, firstResource);
    final RangerPolicy firstPolicy = new RangerPolicy();
    firstPolicy.setResources(firstResources);

    // policy covering resource2
    final RangerPolicy.RangerPolicyResource secondResource = new RangerPolicy.RangerPolicyResource(secondId);
    final Map<String, RangerPolicy.RangerPolicyResource> secondResources = new HashMap<>();
    secondResources.put(secondId, secondResource);
    final RangerPolicy secondPolicy = new RangerPolicy();
    secondPolicy.setResources(secondResources);

    final List<RangerPolicy> allPolicies = new ArrayList<>();
    allPolicies.add(firstPolicy);
    allPolicies.add(secondPolicy);

    final ServicePolicies bundle = new ServicePolicies();
    bundle.setPolicies(allPolicies);

    // load the policies into the plugin under test
    final RangerBasePluginWithPolicies plugin = new RangerBasePluginWithPolicies("nifi", "nifi");
    plugin.setPolicies(bundle);

    Assert.assertTrue(plugin.doesPolicyExist(firstId));
    Assert.assertTrue(plugin.doesPolicyExist(secondId));
    // a resource with no policy must not be reported as covered
    Assert.assertFalse(plugin.doesPolicyExist("resource3"));
}
Example 9
Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Removes {@code null} entries from the value lists of a policy's resources and then hands
 * each of the policy's item lists to {@code scrubPolicyItems}.
 *
 * <p>The policy is modified in place: null values are removed through the iterator of the
 * list returned by {@code getValues()}.
 *
 * @param policy policy to clean up
 * @return {@code true} when at least one null resource value was removed
 */
private boolean scrubPolicy(RangerPolicy policy) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyRepository.scrubPolicy(" + policy + ")");
    }

    final Long id = policy.getId();
    boolean changed = false;

    for (Map.Entry<String, RangerPolicy.RangerPolicyResource> resourceEntry : policy.getResources().entrySet()) {
        final String name = resourceEntry.getKey();

        for (Iterator<String> values = resourceEntry.getValue().getValues().iterator(); values.hasNext(); ) {
            if (values.next() != null) {
                continue;
            }

            LOG.warn("RangerPolicyRepository.scrubPolicyResource: found null resource value for " + name + " in policy " + id + "! Removing...");
            values.remove();
            changed = true;
        }
    }

    // NOTE(review): whatever scrubPolicyItems reports is not folded into the return value, so
    // a caller relying on it only learns about resource-value changes - confirm that is intended.
    scrubPolicyItems(id, policy.getPolicyItems());
    scrubPolicyItems(id, policy.getAllowExceptions());
    scrubPolicyItems(id, policy.getDenyPolicyItems());
    scrubPolicyItems(id, policy.getDenyExceptions());
    scrubPolicyItems(id, policy.getRowFilterPolicyItems());
    scrubPolicyItems(id, policy.getDataMaskPolicyItems());

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyRepository.scrubPolicy(" + policy + "): " + changed);
    }

    return changed;
}
Example 10
Source File: TestRangerBasePluginWithPolicies.java From nifi-registry with Apache License 2.0 | 4 votes |
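/**
 * Verifies how two Ranger policies are converted into access policies when no user-group
 * provider is configured: user-1 may READ /resource-1, group-1 may READ and WRITE
 * /resource-2, and nothing is granted on resource-3.
 */
@Test
public void testPoliciesWithoutUserGroupProvider() {
    final String user1 = "user-1";
    final String group1 = "group-1";

    // policy 1: user-1 may READ /resource-1
    final String resourceIdentifier1 = "/resource-1";
    RangerPolicy.RangerPolicyResource resource1 = new RangerPolicy.RangerPolicyResource(resourceIdentifier1);

    final Map<String, RangerPolicy.RangerPolicyResource> policy1Resources = new HashMap<>();
    policy1Resources.put(resourceIdentifier1, resource1);

    final RangerPolicy.RangerPolicyItem policy1Item = new RangerPolicy.RangerPolicyItem();
    policy1Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
    policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));

    final RangerPolicy policy1 = new RangerPolicy();
    policy1.setResources(policy1Resources);
    policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));

    // policy 2: group-1 may READ and WRITE /resource-2
    final String resourceIdentifier2 = "/resource-2";
    RangerPolicy.RangerPolicyResource resource2 = new RangerPolicy.RangerPolicyResource(resourceIdentifier2);

    final Map<String, RangerPolicy.RangerPolicyResource> policy2Resources = new HashMap<>();
    policy2Resources.put(resourceIdentifier2, resource2);

    final RangerPolicy.RangerPolicyItem policy2Item = new RangerPolicy.RangerPolicyItem();
    policy2Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ"), new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
    policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));

    final RangerPolicy policy2 = new RangerPolicy();
    policy2.setResources(policy2Resources);
    policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));

    final List<RangerPolicy> policies = new ArrayList<>();
    policies.add(policy1);
    policies.add(policy2);

    final RangerServiceDef serviceDef = new RangerServiceDef();
    serviceDef.setName("nifi-registry");

    final ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setPolicies(policies);
    servicePolicies.setServiceDef(serviceDef);

    // set all the policies in the plugin
    final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
    pluginWithPolicies.setPolicies(servicePolicies);

    // ensure the two ranger policies converted into 3 nifi-registry access policies
    final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
    assertEquals(3, accessPolicies.size());

    // resource 1 -> read but no write
    assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));

    // read
    final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
    assertNotNull(readResource1);
    assertTrue(accessPolicies.contains(readResource1));
    assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
    assertEquals(1, readResource1.getUsers().size());
    assertTrue(readResource1.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user1).identity(user1).build().getIdentifier()));
    assertTrue(readResource1.getGroups().isEmpty());

    // but no write
    assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));

    // resource 2 -> read and write
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));

    // read
    final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
    assertNotNull(readResource2);
    assertTrue(accessPolicies.contains(readResource2));
    assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
    assertTrue(readResource2.getUsers().isEmpty());
    assertEquals(1, readResource2.getGroups().size());
    assertTrue(readResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));

    // and write
    // Fetch the WRITE policy here. The original looked up READ a second time, so the contents
    // of the WRITE access policy (who is allowed to modify the resource) were never checked.
    final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.WRITE);
    assertNotNull(writeResource2);
    assertTrue(accessPolicies.contains(writeResource2));
    assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
    assertTrue(writeResource2.getUsers().isEmpty());
    assertEquals(1, writeResource2.getGroups().size());
    assertTrue(writeResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));

    // resource 3 -> no read or write
    assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.WRITE));
    assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.READ));

    // no read or write
    assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.WRITE));
    assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.READ));
}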
Example 11
Source File: PolicyEngine.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Builds the per-resource tries used to map a resource to its security zone.
 *
 * <p>For every zone in {@code servicePolicies} one {@code RangerZoneResourceMatcher} is
 * created per zone resource; zones that report an associated tag service are recorded in
 * {@code zoneTagServiceMap}. One trie per resource definition of the service is then stored
 * in {@code resourceZoneTrie}. Nothing is built when there are no security zones.
 *
 * @param servicePolicies policies, service definition and security zones of the service
 */
private void buildZoneTrie(ServicePolicies servicePolicies) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> PolicyEngine.buildZoneTrie()");
    }

    final Map<String, ServicePolicies.SecurityZoneInfo> zonesByName = servicePolicies.getSecurityZones();

    if (MapUtils.isNotEmpty(zonesByName)) {
        final RangerServiceDef svcDef = servicePolicies.getServiceDef();
        final List<RangerZoneResourceMatcher> zoneMatchers = new ArrayList<>();

        for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> zoneEntry : zonesByName.entrySet()) {
            final String zoneName = zoneEntry.getKey();
            final ServicePolicies.SecurityZoneInfo zoneInfo = zoneEntry.getValue();

            if (LOG.isDebugEnabled()) {
                LOG.debug("Building matchers for zone:[" + zoneName +"]");
            }

            for (Map<String, List<String>> zoneResource : zoneInfo.getResources()) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Building matcher for resource:[" + zoneResource + "] in zone:[" + zoneName +"]");
                }

                final Map<String, RangerPolicy.RangerPolicyResource> matcherResources = new HashMap<>();

                for (Map.Entry<String, List<String>> element : zoneResource.entrySet()) {
                    final String defName = element.getKey();

                    // zone resources are never exclusions; recursion follows the service definition
                    final RangerPolicy.RangerPolicyResource converted = new RangerPolicy.RangerPolicyResource();
                    converted.setIsExcludes(false);
                    converted.setIsRecursive(EmbeddedServiceDefsUtil.isRecursiveEnabled(svcDef, defName));
                    converted.setValues(element.getValue());

                    matcherResources.put(defName, converted);
                }

                zoneMatchers.add(new RangerZoneResourceMatcher(zoneName, matcherResources, svcDef));

                if (LOG.isDebugEnabled()) {
                    LOG.debug("Built matcher for resource:[" + zoneResource +"] in zone:[" + zoneName + "]");
                }
            }

            if (LOG.isDebugEnabled()) {
                LOG.debug("Built all matchers for zone:[" + zoneName +"]");
            }

            if (zoneInfo.getContainsAssociatedTagService()) {
                zoneTagServiceMap.put(zoneName, zoneName);
            }
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("Built matchers for all Zones");
        }

        // every resource definition gets a trie over the same list of zone matchers
        for (RangerServiceDef.RangerResourceDef def : svcDef.getResources()) {
            resourceZoneTrie.put(def.getName(), new RangerResourceTrie<>(def, zoneMatchers));
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== PolicyEngine.buildZoneTrie()");
    }
}
Example 12
Source File: ServiceUtil.java From ranger with Apache License 2.0 | 4 votes |
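/**
 * Converts a {@code RangerPolicy} into the legacy {@code VXResource} representation.
 *
 * <p>Only the resource types handled below (path, table, column-family, column, database,
 * udf, topology, service, hiveservice) are carried over; any other resource type in the
 * policy is skipped without an error, so the result may describe less than the policy does.
 *
 * @param policy  policy to convert; may be {@code null}
 * @param service service the policy belongs to; may be {@code null}
 * @return the converted resource, or {@code null} when either argument is {@code null} or the
 *         service type has no asset type according to {@code toAssetType}
 */
public VXResource toVXResource(RangerPolicy policy, RangerService service) {
    if(policy == null || service == null || toAssetType(service.getType()) == null) {
        return null;
    }

    VXResource ret = new VXResource();

    rangerObjectToDataObject(policy, ret);

    ret.setAssetName(policy.getService());
    ret.setAssetId(service.getId());
    ret.setAssetType(toAssetType(service.getType()));
    ret.setPolicyName(policy.getName());
    ret.setDescription(policy.getDescription());
    ret.setGuid(policy.getGuid());
    ret.setResourceStatus(policy.getIsEnabled() ? RangerCommonEnums.STATUS_ENABLED : RangerCommonEnums.STATUS_DISABLED);

    // an audit map is attached only when auditing is enabled; otherwise the list stays null
    List<VXAuditMap> auditList = null;
    if(policy.getIsAuditEnabled()) {
        VXAuditMap auditMap = new VXAuditMap();

        auditMap.setResourceId(policy.getId());
        auditMap.setAuditType(AppConstants.XA_AUDIT_TYPE_ALL);

        auditList = new ArrayList<VXAuditMap>();
        auditList.add(auditMap);
    }
    ret.setAuditList(auditList);

    for(Map.Entry<String, RangerPolicy.RangerPolicyResource> e : policy.getResources().entrySet()) {
        RangerPolicy.RangerPolicyResource res       = e.getValue();
        String                            resType   = e.getKey();
        String                            resString = getResourceString(res.getValues());

        if("path".equalsIgnoreCase(resType)) {
            ret.setName(resString);
            ret.setIsRecursive(Boolean.TRUE.equals(res.getIsRecursive()) ? RangerCommonEnums.BOOL_TRUE : RangerCommonEnums.BOOL_FALSE);
        } else if("table".equalsIgnoreCase(resType)) {
            ret.setTables(resString);
            ret.setTableType(Boolean.TRUE.equals(res.getIsExcludes()) ? RangerCommonEnums.POLICY_EXCLUSION : RangerCommonEnums.POLICY_INCLUSION);
        } else if("column-family".equalsIgnoreCase(resType)) {
            ret.setColumnFamilies(resString);
        } else if("column".equalsIgnoreCase(resType)) {
            ret.setColumns(resString);
            ret.setColumnType(Boolean.TRUE.equals(res.getIsExcludes()) ? RangerCommonEnums.POLICY_EXCLUSION : RangerCommonEnums.POLICY_INCLUSION);
        } else if("database".equalsIgnoreCase(resType)) {
            ret.setDatabases(resString);
        } else if("udf".equalsIgnoreCase(resType)) {
            ret.setUdfs(resString);
        } else if("topology".equalsIgnoreCase(resType)) {
            ret.setTopologies(resString);
        } else if("service".equalsIgnoreCase(resType)) {
            ret.setServices(resString);
        } else if("hiveservice".equalsIgnoreCase(resType)) {
            // literal first, like the branches above: a null map key is skipped instead of
            // raising NullPointerException in this last comparison only
            ret.setHiveServices(resString);
        }
    }
    updateResourceName(ret);

    List<VXPermMap> permMapList = getVXPermMapList(policy);

    ret.setPermMapList(permMapList);

    return ret;
}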
Example 13
Source File: ServiceUtil.java From ranger with Apache License 2.0 | 4 votes |
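/**
 * Converts a {@code RangerPolicy} into the legacy {@code VXPolicy} representation.
 *
 * <p>Only the resource types handled below (path, table, column-family, column, database,
 * udf, topology, service, hiveservice) are carried over; any other resource type in the
 * policy is skipped without an error, so the result may describe less than the policy does.
 *
 * @param policy  policy to convert; may be {@code null}
 * @param service service the policy belongs to; may be {@code null}
 * @return the converted policy, or {@code null} when either argument is {@code null} or the
 *         service type has no asset type according to {@code toAssetType}
 */
public VXPolicy toVXPolicy(RangerPolicy policy, RangerService service) {
    if(policy == null || service == null || toAssetType(service.getType()) == null) {
        return null;
    }

    VXPolicy ret = new VXPolicy();

    rangerObjectToDataObject(policy, ret);

    ret.setPolicyName(StringUtils.trim(policy.getName()));
    ret.setDescription(policy.getDescription());
    ret.setRepositoryName(policy.getService());
    // the ternary is kept as written so the value is still unboxed exactly as before
    ret.setIsEnabled(policy.getIsEnabled() ? true : false);
    ret.setRepositoryType(service.getType());
    ret.setIsAuditEnabled(policy.getIsAuditEnabled());

    // fall back to this class's 'version' field when the policy carries no version
    if (policy.getVersion() != null ) {
        ret.setVersion(policy.getVersion().toString());
    } else {
        ret.setVersion(version);
    }

    for(Map.Entry<String, RangerPolicy.RangerPolicyResource> e : policy.getResources().entrySet()) {
        RangerPolicy.RangerPolicyResource res       = e.getValue();
        String                            resType   = e.getKey();
        String                            resString = getResourceString(res.getValues());

        if("path".equalsIgnoreCase(resType)) {
            ret.setResourceName(resString);
            ret.setIsRecursive(Boolean.TRUE.equals(res.getIsRecursive()));
        } else if("table".equalsIgnoreCase(resType)) {
            ret.setTables(resString);
            ret.setTableType(Boolean.TRUE.equals(res.getIsExcludes()) ? toVxPolicyIncExc(RangerCommonEnums.POLICY_EXCLUSION):toVxPolicyIncExc(RangerCommonEnums.POLICY_INCLUSION));
        } else if("column-family".equalsIgnoreCase(resType)) {
            ret.setColumnFamilies(resString);
        } else if("column".equalsIgnoreCase(resType)) {
            ret.setColumns(resString);
            ret.setColumnType(Boolean.TRUE.equals(res.getIsExcludes()) ? toVxPolicyIncExc(RangerCommonEnums.POLICY_EXCLUSION):toVxPolicyIncExc(RangerCommonEnums.POLICY_INCLUSION));
        } else if("database".equalsIgnoreCase(resType)) {
            ret.setDatabases(resString);
        } else if("udf".equalsIgnoreCase(resType)) {
            ret.setUdfs(resString);
        } else if("topology".equalsIgnoreCase(resType)) {
            ret.setTopologies(resString);
        } else if("service".equalsIgnoreCase(resType)) {
            ret.setServices(resString);
        } else if("hiveservice".equalsIgnoreCase(resType)) {
            // literal first, like the branches above: a null map key is skipped instead of
            // raising NullPointerException in this last comparison only
            ret.setHiveServices(resString);
        }
    }
    updateResourceName(ret);

    List<VXPermMap> vXPermMapList = getVXPermMapList(policy);

    List<VXPermObj> vXPermObjList = mapPermMapToPermObj(vXPermMapList);

    ret.setPermMapList(vXPermObjList);

    return ret;
}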
Example 14
Source File: PatchForKafkaServiceDefUpdate_J10025.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Builds the default policy this patch creates for a new Kafka resource.
 *
 * <p>The policy covers the wildcard value {@code "*"} of either the cluster resource or, for
 * the name {@code "all - delegationtoken"}, the delegation-token resource. It grants the
 * accesses from {@code getPolicyItemAccesses()} to {@code DEFAULT_POLICY_USERS} only (no
 * groups, no conditions), without delegate-admin, and is enabled with auditing on.
 *
 * @param newResource  used as both the policy name and its description
 * @param xxPortalUser user recorded as creator and last updater
 * @param xxService    service the policy is attached to
 * @return the policy with its resource signature set
 */
private RangerPolicy getRangerPolicy(String newResource, XXPortalUser xxPortalUser, XXService xxService) {
    final RangerPolicy defaultPolicy = new RangerPolicy();

    // who gets what: default users only, no delegation of administration
    final List<RangerPolicy.RangerPolicyItemAccess> grantedAccesses = getPolicyItemAccesses();
    final List<String> grantedUsers = new ArrayList<>(DEFAULT_POLICY_USERS);
    final List<String> grantedGroups = new ArrayList<>();
    final List<RangerPolicy.RangerPolicyItemCondition> noConditions = new ArrayList<>();

    final RangerPolicy.RangerPolicyItem grant = new RangerPolicy.RangerPolicyItem();
    grant.setAccesses(grantedAccesses);
    grant.setConditions(noConditions);
    grant.setGroups(grantedGroups);
    grant.setUsers(grantedUsers);
    grant.setDelegateAdmin(false);

    final List<RangerPolicy.RangerPolicyItem> items = new ArrayList<>();
    items.add(grant);

    // on what: every value ("*") of the selected resource, as an inclusion and non-recursive
    final RangerPolicy.RangerPolicyResource wildcard = new RangerPolicy.RangerPolicyResource();
    wildcard.setIsExcludes(false);
    wildcard.setIsRecursive(false);
    wildcard.setValue("*");

    final String resourceKey = "all - delegationtoken".equals(newResource)
            ? KAFKA_RESOURCE_DELEGATIONTOKEN
            : KAFKA_RESOURCE_CLUSTER;

    final Map<String, RangerPolicy.RangerPolicyResource> resources = new HashMap<>();
    resources.put(resourceKey, wildcard);

    defaultPolicy.setCreateTime(new Date());
    defaultPolicy.setDescription(newResource);
    defaultPolicy.setIsEnabled(true);
    defaultPolicy.setName(newResource);
    defaultPolicy.setCreatedBy(xxPortalUser.getLoginId());
    defaultPolicy.setUpdatedBy(xxPortalUser.getLoginId());
    defaultPolicy.setUpdateTime(new Date());
    defaultPolicy.setService(xxService.getName());
    defaultPolicy.setIsAuditEnabled(true);
    defaultPolicy.setPolicyItems(items);
    defaultPolicy.setResources(resources);
    defaultPolicy.setPolicyType(0);
    // presumably placeholders that are replaced when the policy is stored - confirm with caller
    defaultPolicy.setId(0L);
    defaultPolicy.setGuid("");
    defaultPolicy.setPolicyLabels(new ArrayList<>());
    defaultPolicy.setVersion(1L);

    // the signature is computed last, from the fully populated policy
    final RangerPolicyResourceSignature signature = new RangerPolicyResourceSignature(defaultPolicy);
    defaultPolicy.setResourceSignature(signature.getSignature());

    return defaultPolicy;
}
Example 15
Source File: ServiceUtil.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Narrows {@code policyLists} to the policies that name the requested resource.
 *
 * <p>The filter applies only when the request carries both {@code SearchFilter.POL_RESOURCE}
 * and {@code SearchFilter.SERVICE_TYPE}; otherwise the list is returned untouched. A policy
 * is kept when its service type is the embedded tag service definition, or when the value
 * list of its "path" resource (or, if it has no "path" key, its "database" resource) contains
 * the requested string exactly.
 *
 * <p>The caller's list is modified in place (cleared and refilled). The service-type
 * parameter is only checked for presence, and matching is plain list membership, not
 * wildcard or recursive evaluation, so the result is a search filter and not an
 * authorization decision.
 *
 * @param request    request carrying the search parameters; may be {@code null}
 * @param policyLists policies to filter; modified in place when the filter applies
 * @return the same {@code policyLists} instance
 */
public List<RangerPolicy> getMatchingPoliciesForResource(HttpServletRequest request, List<RangerPolicy> policyLists) {
    if (request == null) {
        return policyLists;
    }

    final String wantedResource = request.getParameter(SearchFilter.POL_RESOURCE);
    final String wantedServiceType = request.getParameter(SearchFilter.SERVICE_TYPE);

    if (StringUtil.isEmpty(wantedResource) || StringUtil.isEmpty(wantedServiceType)) {
        return policyLists;
    }

    final String tagServiceType = EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME;
    final List<RangerPolicy> matched = new ArrayList<RangerPolicy>();

    for (RangerPolicy candidate : policyLists) {
        if (candidate == null) {
            continue;
        }

        // tag-service policies are always kept, whatever resource was asked for
        if (tagServiceType.equals(candidate.getServiceType())) {
            matched.add(candidate);
            continue;
        }

        final Map<String, RangerPolicy.RangerPolicyResource> resources = candidate.getResources();
        if (resources == null) {
            continue;
        }

        // "path" wins over "database": the latter is consulted only when there is no "path" key
        final String key;
        if (resources.containsKey("path")) {
            key = "path";
        } else if (resources.containsKey("database")) {
            key = "database";
        } else {
            continue;
        }

        final RangerPolicy.RangerPolicyResource keyed = resources.get(key);
        if (keyed == null) {
            continue;
        }

        final List<String> values = keyed.getValues();
        if (CollectionUtils.isNotEmpty(values) && values.contains(wantedResource)) {
            matched.add(candidate);
        }
    }

    policyLists.clear();
    if (CollectionUtils.isNotEmpty(matched)) {
        policyLists.addAll(matched);
    }

    return policyLists;
}
Example 16
Source File: PatchForKafkaServiceDefUpdate_J10033.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Builds the default policy this patch creates for the Kafka consumer-group resource.
 *
 * <p>The policy covers the wildcard value {@code "*"} of {@code CONSUMERGROUP_RESOURCE_NAME}.
 * It grants the accesses from {@code getPolicyItemAccesses()} to {@code DEFAULT_POLICY_USERS}
 * and {@code DEFAULT_POLICY_GROUP} with no conditions and without delegate-admin, and is
 * enabled with auditing on.
 *
 * @param newResource  used as both the policy name and its description
 * @param xxPortalUser user recorded as creator and last updater
 * @param xxService    service the policy is attached to
 * @return the policy with its resource signature set
 */
private RangerPolicy getRangerPolicy(String newResource, XXPortalUser xxPortalUser, XXService xxService) {
    final RangerPolicy defaultPolicy = new RangerPolicy();

    // who gets what: default users and default group, no delegation of administration
    // NOTE(review): the grant applies to every consumer group ("*"); check that the members of
    // DEFAULT_POLICY_GROUP are as narrow as intended.
    final List<RangerPolicy.RangerPolicyItemAccess> grantedAccesses = getPolicyItemAccesses();
    final List<String> grantedUsers = new ArrayList<>(DEFAULT_POLICY_USERS);
    final List<String> grantedGroups = new ArrayList<>(DEFAULT_POLICY_GROUP);
    final List<RangerPolicy.RangerPolicyItemCondition> noConditions = new ArrayList<>();

    final RangerPolicy.RangerPolicyItem grant = new RangerPolicy.RangerPolicyItem();
    grant.setAccesses(grantedAccesses);
    grant.setConditions(noConditions);
    grant.setGroups(grantedGroups);
    grant.setUsers(grantedUsers);
    grant.setDelegateAdmin(false);

    final List<RangerPolicy.RangerPolicyItem> items = new ArrayList<>();
    items.add(grant);

    // on what: every value ("*") of the consumer-group resource, as an inclusion and non-recursive
    final RangerPolicy.RangerPolicyResource wildcard = new RangerPolicy.RangerPolicyResource();
    wildcard.setIsExcludes(false);
    wildcard.setIsRecursive(false);
    wildcard.setValue("*");

    final Map<String, RangerPolicy.RangerPolicyResource> resources = new HashMap<>();
    resources.put(CONSUMERGROUP_RESOURCE_NAME, wildcard);

    defaultPolicy.setCreateTime(new Date());
    defaultPolicy.setDescription(newResource);
    defaultPolicy.setIsEnabled(true);
    defaultPolicy.setName(newResource);
    defaultPolicy.setCreatedBy(xxPortalUser.getLoginId());
    defaultPolicy.setUpdatedBy(xxPortalUser.getLoginId());
    defaultPolicy.setUpdateTime(new Date());
    defaultPolicy.setService(xxService.getName());
    defaultPolicy.setIsAuditEnabled(true);
    defaultPolicy.setPolicyItems(items);
    defaultPolicy.setResources(resources);
    defaultPolicy.setPolicyType(0);
    // presumably placeholders that are replaced when the policy is stored - confirm with caller
    defaultPolicy.setId(0L);
    defaultPolicy.setGuid("");
    defaultPolicy.setPolicyLabels(new ArrayList<>());
    defaultPolicy.setVersion(1L);

    // the signature is computed last, from the fully populated policy
    final RangerPolicyResourceSignature signature = new RangerPolicyResourceSignature(defaultPolicy);
    defaultPolicy.setResourceSignature(signature.getSignature());

    return defaultPolicy;
}
Example 17
Source File: RangerServiceYarn.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Returns the default policies for a YARN service, adjusted from the superclass defaults.
 *
 * <p>For every default policy whose name contains "all": when {@code lookUpUser} is set, a
 * policy item granting it {@code ACCESS_TYPE_SUBMIT_APP} (without delegate-admin) is added,
 * and the queue resource, if present and defined in the service definition, is set to the
 * wildcard value.
 *
 * @return the adjusted list obtained from {@code super.getDefaultRangerPolicies()}
 * @throws Exception declared by the signature; propagated from the superclass call
 */
public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerServiceYarn.getDefaultRangerPolicies() ");
    }

    final List<RangerPolicy> defaults = super.getDefaultRangerPolicies();
    final String queueKey = RangerYarnAuthorizer.KEY_RESOURCE_QUEUE;

    for (RangerPolicy candidate : defaults) {
        // substring match: any default policy with "all" anywhere in its name is adjusted
        if (!candidate.getName().contains("all")) {
            continue;
        }

        final RangerPolicy.RangerPolicyResource queueResource = candidate.getResources().get(queueKey);

        if (StringUtils.isNotBlank(lookUpUser)) {
            // the lookup user gets submit-app only and cannot delegate administration
            final RangerPolicyItem lookupItem = new RangerPolicyItem();
            lookupItem.setUsers(Collections.singletonList(lookUpUser));
            lookupItem.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_SUBMIT_APP)));
            lookupItem.setDelegateAdmin(false);
            candidate.getPolicyItems().add(lookupItem);
        }

        if (queueResource == null) {
            LOG.warn("No '" + queueKey + "' found in default policy");
            continue;
        }

        // the queue resource must also exist in the service definition
        RangerServiceDef.RangerResourceDef queueDef = null;
        final List<RangerServiceDef.RangerResourceDef> definedResources = serviceDef.getResources();
        for (RangerServiceDef.RangerResourceDef defined : definedResources) {
            if (defined.getName().equals(queueKey)) {
                queueDef = defined;
                break;
            }
        }

        if (queueDef == null) {
            LOG.warn("No resourceDef found in YARN service-definition for '" + queueKey + "'");
        } else {
            queueResource.setValue(RangerAbstractResourceMatcher.WILDCARD_ASTERISK);
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerServiceYarn.getDefaultRangerPolicies() : " + defaults);
    }

    return defaults;
}
Example 18
Source File: AtlasHdfsResourceMapper.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Maps an Atlas HDFS entity to a Ranger service resource.
 *
 * <p>Path and cluster name are taken from the entity's qualified name when it is present,
 * otherwise from the dedicated path and cluster-name attributes; the cluster name finally
 * falls back to {@code defaultClusterName}. The resulting resource is a non-excluding,
 * recursive path resource, so it covers the path and what lies below it.
 *
 * @param entity Atlas entity describing an HDFS path
 * @return the service resource for the entity's path
 * @throws Exception declared by the signature; presumably raised by
 *                   {@code throwExceptionWithMessage} when path or cluster name is missing
 */
@Override
public RangerServiceResource buildResource(final RangerAtlasEntity entity) throws Exception {
    final String qualifiedName = (String)entity.getAttributes().get(AtlasResourceMapper.ENTITY_ATTRIBUTE_QUALIFIED_NAME);
    final String nameServiceId = (String)entity.getAttributes().get(ENTITY_ATTRIBUTE_NAME_SERVICE_ID);

    String hdfsPath = null;
    String cluster = null;

    if (StringUtils.isNotEmpty(qualifiedName)) {
        hdfsPath = getResourceNameFromQualifiedName(qualifiedName);
        cluster = getClusterNameFromQualifiedName(qualifiedName);
    }

    // path: qualified name first, then the explicit path attribute
    if (StringUtils.isEmpty(hdfsPath)) {
        hdfsPath = (String) entity.getAttributes().get(ENTITY_ATTRIBUTE_PATH);
    }
    if (StringUtils.isEmpty(hdfsPath)) {
        throwExceptionWithMessage("path not found in attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "' or '" + ENTITY_ATTRIBUTE_PATH + "'");
    }

    // cluster: qualified name first, then the explicit attribute, then the configured default
    if (StringUtils.isEmpty(cluster)) {
        cluster = (String) entity.getAttributes().get(ENTITY_ATTRIBUTE_CLUSTER_NAME);
    }
    if (StringUtils.isEmpty(cluster)) {
        cluster = defaultClusterName;
    }
    if (StringUtils.isEmpty(cluster)) {
        throwExceptionWithMessage("clusterName not found in attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "' or '" + ENTITY_ATTRIBUTE_CLUSTER_NAME + "'");
    }

    final String guid = entity.getGuid();

    final String rangerService;
    if (StringUtils.isNotBlank(nameServiceId)) {
        rangerService = getCustomRangerServiceNameForClusterAndNameService(cluster, nameServiceId);
    } else {
        rangerService = getRangerServiceName(cluster);
    }

    // only the path component of the URI is used as the resource value
    final Path parsedPath = new Path(hdfsPath);

    final Map<String, RangerPolicyResource> resourceElements = new HashMap<String, RangerPolicy.RangerPolicyResource>();
    resourceElements.put(RANGER_TYPE_HDFS_PATH, new RangerPolicyResource(parsedPath.toUri().getPath(), Boolean.FALSE, Boolean.TRUE));

    return new RangerServiceResource(guid, rangerService, resourceElements);
}
Example 19
Source File: RangerServiceHdfs.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Returns the default policies of the HDFS service, adjusted for HDFS.
 *
 * <p>For every inherited default policy whose name contains {@code "all"} this method
 * <ul>
 *   <li>adds, when {@code lookUpUser} is not blank, a policy item that gives that user the
 *       {@code ACCESS_TYPE_READ} access without delegated-admin rights, and</li>
 *   <li>sets the value of the path resource to the path separator followed by the wildcard
 *       constant.</li>
 * </ul>
 * It then appends one policy per mandatory-resource hierarchy for KMS audit; a failure there is
 * logged and does not prevent the other policies from being returned.
 *
 * <p>NOTE(review): the name test is a substring match, so any default policy with "all" anywhere
 * in its name receives the lookup-user item; confirm this against the policy naming convention.
 *
 * @return the list obtained from the superclass, modified in place and extended
 * @throws Exception propagated from the superclass call or the per-policy adjustments
 */
@Override
public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerServiceHdfs.getDefaultRangerPolicies() ");
    }

    List<RangerPolicy> policies = super.getDefaultRangerPolicies();
    String pathResourceName = RangerHdfsAuthorizer.KEY_RESOURCE_PATH;

    for (RangerPolicy defaultPolicy : policies) {
        if (!defaultPolicy.getName().contains("all")) {
            continue;
        }

        // Read-only item for the lookup user; delegateAdmin stays off so the item cannot be
        // used to grant access onward.
        if (StringUtils.isNotBlank(lookUpUser)) {
            RangerPolicyItem lookupItem = new RangerPolicyItem();

            lookupItem.setUsers(Collections.singletonList(lookUpUser));
            lookupItem.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_READ)));
            lookupItem.setDelegateAdmin(false);

            defaultPolicy.getPolicyItems().add(lookupItem);
        }

        RangerPolicy.RangerPolicyResource pathPolicyResource = defaultPolicy.getResources().get(pathResourceName);

        if (pathPolicyResource == null) {
            LOG.warn("No '" + pathResourceName + "' found in default policy");
            continue;
        }

        // Locate the service-definition entry that describes the path resource.
        RangerServiceDef.RangerResourceDef pathResourceDef = null;

        for (RangerServiceDef.RangerResourceDef candidate : serviceDef.getResources()) {
            if (candidate.getName().equals(pathResourceName)) {
                pathResourceDef = candidate;
                break;
            }
        }

        if (pathResourceDef == null) {
            LOG.warn("No resourceDef found in HDFS service-definition for '" + pathResourceName + "'");
            continue;
        }

        // Use the separator configured on the matcher, or the matcher's default when none is set.
        String pathSeparator = pathResourceDef.getMatcherOptions().get(RangerPathResourceMatcher.OPTION_PATH_SEPARATOR);

        if (StringUtils.isBlank(pathSeparator)) {
            pathSeparator = Character.toString(RangerPathResourceMatcher.DEFAULT_PATH_SEPARATOR_CHAR);
        }

        pathPolicyResource.setValue(pathSeparator + RangerAbstractResourceMatcher.WILDCARD_ASTERISK);
    }

    try {
        // we need to create one policy for keyadmin user for audit to HDFS
        RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
        Iterable<List<RangerServiceDef.RangerResourceDef>> hierarchies =
                serviceDefHelper.filterHierarchies_containsOnlyMandatoryResources(RangerPolicy.POLICY_TYPE_ACCESS);

        for (List<RangerServiceDef.RangerResourceDef> aHierarchy : hierarchies) {
            RangerPolicy auditPolicy = getPolicyForKMSAudit(aHierarchy);

            if (auditPolicy != null) {
                policies.add(auditPolicy);
            }
        }
    } catch (Exception e) {
        // Best effort: the remaining default policies are still returned.
        LOG.error("Error creating policy for keyadmin for audit to HDFS : " + service.getName(), e);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerServiceHdfs.getDefaultRangerPolicies() : " + policies);
    }

    return policies;
}
Example 20
Source File: RangerTagEnricher.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Removes the matchers that currently represent {@code serviceResource} from the given tries and
 * from {@code resourceMatchers}.
 *
 * <p>Nothing is done (and {@code true} is returned) when {@code enrichedServiceTags} is
 * {@code null}. Otherwise the existing matchers for the resource are looked up and deleted from
 * the trie of each resource element.
 *
 * <p>When a trie is missing for one of the resource's element names the method logs an error and
 * returns {@code false}. In that case {@code resourceMatchers} is left untouched, but deletions
 * already made in other tries are not undone, and the remaining matchers are still processed
 * because the {@code break} leaves only the inner loop. The log message mentions resetting
 * tagVersion; that reset is not done in this method — presumably the caller does it on a
 * {@code false} result, verify there.
 *
 * @param serviceResource  resource whose old matchers are to be removed
 * @param resourceMatchers list of matchers, modified in place on success
 * @param resourceTries    tries keyed by resource-definition name, modified in place
 * @return {@code false} if a required trie was missing, {@code true} otherwise
 */
private boolean removeOldServiceResource(RangerServiceResource serviceResource, List<RangerServiceResourceMatcher> resourceMatchers, Map<String, RangerResourceTrie<RangerServiceResourceMatcher>> resourceTries) {
    if (enrichedServiceTags == null) {
        return true;
    }

    boolean allTriesFound = true;

    if (LOG.isDebugEnabled()) {
        LOG.debug("Removing service-resource:[" + serviceResource + "] from trie-map");
    }

    // Remove existing serviceResource from the copy
    RangerAccessResourceImpl accessResource = new RangerAccessResourceImpl();

    for (Map.Entry<String, RangerPolicy.RangerPolicyResource> element : serviceResource.getResourceElements().entrySet()) {
        accessResource.setValue(element.getKey(), element.getValue());
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("RangerAccessResource:[" + accessResource + "] created to represent service-resource[" + serviceResource + "] to find evaluators from trie-map");
    }

    List<RangerServiceResourceMatcher> oldMatchers = getEvaluators(accessResource, enrichedServiceTags);

    if (LOG.isDebugEnabled()) {
        LOG.debug("Found [" + oldMatchers.size() + "] matchers for service-resource[" + serviceResource + "]");
    }

    for (RangerServiceResourceMatcher staleMatcher : oldMatchers) {
        for (String resourceDefName : serviceResource.getResourceElements().keySet()) {
            RangerResourceTrie<RangerServiceResourceMatcher> trie = resourceTries.get(resourceDefName);

            if (trie == null) {
                LOG.error("Cannot find resourceDef with name:[" + resourceDefName + "]. Should NOT happen!!");
                LOG.error("Setting tagVersion to -1 to ensure that in the next download all tags are downloaded");
                allTriesFound = false;
                // Leaves only this inner loop; the next matcher is still processed.
                break;
            }

            trie.delete(serviceResource.getResourceElements().get(resourceDefName), staleMatcher);
        }
    }

    // Remove old resource matchers
    if (allTriesFound) {
        resourceMatchers.removeAll(oldMatchers);

        if (LOG.isDebugEnabled()) {
            LOG.debug("Found and removed [" + oldMatchers.size() + "] matchers for service-resource[" + serviceResource + "] from trie-map");
        }
    }

    return allTriesFound;
}