Java Code Examples for org.apache.ranger.plugin.model.RangerPolicy#getPolicyType()

Example 1
Source File: RangerPolicyService.java    From ranger with Apache License 2.0 6 votes vote down vote up
/**
 * Chooses the value to report for the "is deny all else" field of a policy.
 *
 * <p>An empty string is returned when {@code fieldName} is blank or does not match
 * {@code POLICY_IS_DENY_ALL_ELSE_CLASS_FIELD_NAME} (case-insensitive, after trimming),
 * when {@code vObj} is {@code null}, when the policy type is {@code null} or
 * {@code POLICY_TYPE_ACCESS}, and for any policy type this method does not recognise.
 * {@code null} is returned only for row-filter and data-mask policies.
 *
 * <p>NOTE(review): presumably callers treat {@code null} as "leave this field out of the
 * log" for masking and row-filter policies - confirm against the caller.
 *
 * <p>NOTE(review): both debug statements concatenate the whole {@code RangerPolicy}
 * object; what its string form exposes is not visible here, so check it before enabling
 * debug logging in production.
 *
 * @param fieldName name of the field being logged; may be {@code null} or blank
 * @param vObj      policy whose type decides the result; may be {@code null}
 * @return {@code ""} or {@code null} as described above
 */
public String restrictIsDenyAllElseLogForMaskingAndRowfilterPolicy(String fieldName, RangerPolicy vObj) {
	if (logger.isDebugEnabled()) {
		logger.debug("==> RangerPolicyService( Field Name : (" + fieldName + ") RangerPolicy : (" + vObj + ")");
	}

	String result = "";

	// fieldName.trim() is only reached once isNotBlank() has ruled out null.
	final boolean isDenyAllElseField = vObj != null
			&& StringUtils.isNotBlank(fieldName)
			&& StringUtils.equalsIgnoreCase(fieldName.trim(), POLICY_IS_DENY_ALL_ELSE_CLASS_FIELD_NAME);

	if (isDenyAllElseField) {
		final Integer type = vObj.getPolicyType();

		// An unset type is handled exactly like an access policy.
		// This path returns before the exit trace below is written.
		if (type == null || type == RangerPolicy.POLICY_TYPE_ACCESS) {
			return result;
		}

		if (type == RangerPolicy.POLICY_TYPE_ROWFILTER || type == RangerPolicy.POLICY_TYPE_DATAMASK) {
			result = null;
		}
		// Any other type value falls through and keeps the empty string.
	}

	if (logger.isDebugEnabled()) {
		logger.debug("<== RangerPolicyService( Field Name : (" + fieldName + ") RangerPolicy : (" + vObj + ") ret : ( " + result + " )");
	}

	return result;
}
 
Example 2
Source File: RangerPolicyRepository.java    From ranger with Apache License 2.0 5 votes vote down vote up
/**
 * Adds a policy to this repository and, unless evaluator construction is skipped,
 * files the policy's evaluator under the list that matches the policy type.
 *
 * <p>The policy is accepted when the repository's service-def name equals the component
 * service-def name, or when {@code isPolicyNeedsPruning} reports that no pruning is
 * needed. A {@code null} policy type is treated as {@code POLICY_TYPE_ACCESS}.
 *
 * <p>NOTE(review): a policy with an unrecognised type is logged as "ignoring" and is not
 * placed in any evaluator list, yet it stays in {@code policies} and its evaluator is
 * still stored in {@code policyEvaluatorsMap} and returned. Confirm that lookups by
 * policy id are meant to see such evaluators.
 *
 * @param policy policy to add; dereferenced without a null check once it is accepted
 * @return the evaluator built for the policy, or {@code null} when the policy was not
 *         accepted, evaluator building was skipped, or no evaluator could be built
 */
private RangerPolicyEvaluator addPolicy(RangerPolicy policy) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyRepository.addPolicy(" + policy + ")");
    }

    RangerPolicyEvaluator evaluator = null;

    // The pruning check only runs when the two service-def names differ.
    final boolean sameServiceDef = StringUtils.equals(this.serviceDef.getName(), this.componentServiceDef.getName());

    if (sameServiceDef || !isPolicyNeedsPruning(policy, this.componentServiceDef.getName())) {
        policies.add(policy);

        if (!skipBuildingPolicyEvaluator(policy, options)) {
            evaluator = buildPolicyEvaluator(policy, serviceDef, options);
        }

        if (evaluator != null) {
            final Integer type = policy.getPolicyType();

            if (type == null || type == RangerPolicy.POLICY_TYPE_ACCESS) {
                policyEvaluators.add(evaluator);
            } else if (type == RangerPolicy.POLICY_TYPE_DATAMASK) {
                dataMaskPolicyEvaluators.add(evaluator);
            } else if (type == RangerPolicy.POLICY_TYPE_ROWFILTER) {
                rowFilterPolicyEvaluators.add(evaluator);
            } else {
                LOG.warn("RangerPolicyEngine: ignoring policy id=" + policy.getId() + " - invalid policyType '" + type + "'");
            }

            // Registered by id whatever the type was, including the "invalid" case above.
            policyEvaluatorsMap.put(policy.getId(), evaluator);
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyRepository.addPolicy(" + policy + "): " + evaluator);
    }

    return evaluator;
}
 
Example 3
Source File: RangerDefaultPolicyEvaluator.java    From ranger with Apache License 2.0 4 votes vote down vote up
/**
 * Prepares this evaluator for the given policy.
 *
 * <p>In order: builds the perf-trace tag, calls {@code super.init}, runs
 * {@code preprocessPolicy}, creates and initialises the resource matcher, builds the
 * validity-schedule, access, data-mask, row-filter and condition evaluators (or assigns
 * empty lists when {@code policy} is {@code null}), and finally sorts the four
 * allow/deny evaluator lists with {@code EvalOrderComparator}.
 *
 * <p>When an ACL summary is available, the four allow/deny evaluator lists are left
 * empty and {@code useAclSummaryForEvaluation} is set.
 *
 * @param policy     policy to evaluate; {@code null} is tolerated by the branches below
 * @param serviceDef service definition handed to the matcher and the evaluator factories
 * @param options    engine options; dereferenced unconditionally, so must not be {@code null}
 */
@Override
public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerDefaultPolicyEvaluator.init()");
	}

	// Tag that labels the perf-trace entry; stays empty when policy is null.
	StringBuilder perfTagBuffer = new StringBuilder();
	if (policy != null) {
		perfTagBuffer.append("policyId=").append(policy.getId()).append(", policyName=").append(policy.getName());
	}

	perfTag = perfTagBuffer.toString();

	RangerPerfTracer perf = null;

	if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)) {
		perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerPolicyEvaluator.init(" + perfTag + ")");
	}

	super.init(policy, serviceDef, options);

	preprocessPolicy(policy, serviceDef);

	resourceMatcher = new RangerDefaultPolicyResourceMatcher();

	// NOTE(review): options is dereferenced here even when policy is null; there is no
	// null check on options anywhere in this method.
	resourceMatcher.setServiceDef(serviceDef);
	resourceMatcher.setPolicy(policy);
	resourceMatcher.setServiceDefHelper(options.getServiceDefHelper());
	resourceMatcher.init();

	if(policy != null) {
		validityScheduleEvaluators = createValidityScheduleEvaluators(policy);

		// The ACL summary is only built when the option does not disable it.
		// NOTE(review): aclSummary is not assigned when the option is set, so it keeps
		// whatever value it already had - presumably null on a fresh instance; confirm.
		if (!options.disableAccessEvaluationWithPolicyACLSummary) {
			aclSummary = createPolicyACLSummary();
		}

		useAclSummaryForEvaluation = aclSummary != null;

		if (useAclSummaryForEvaluation) {
			// With a summary present no per-item allow/deny evaluators are created.
			// NOTE(review): presumably access decisions are then taken from aclSummary
			// alone - verify that the summary carries the deny and exception items too.
			allowEvaluators          = Collections.<RangerPolicyItemEvaluator>emptyList();
			denyEvaluators           = Collections.<RangerPolicyItemEvaluator>emptyList();
			allowExceptionEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
			denyExceptionEvaluators  = Collections.<RangerPolicyItemEvaluator>emptyList();
		} else {
			allowEvaluators          = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
			denyEvaluators           = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
			allowExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
			denyExceptionEvaluators  = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
		}

		// Data-mask, row-filter and condition evaluators are built on both paths above.
		dataMaskEvaluators  = createDataMaskPolicyItemEvaluators(policy, serviceDef, options, policy.getDataMaskPolicyItems());
		rowFilterEvaluators = createRowFilterPolicyItemEvaluators(policy, serviceDef, options, policy.getRowFilterPolicyItems());
		conditionEvaluators = createRangerPolicyConditionEvaluator(policy, serviceDef, options);
	} else {
		// No policy: every evaluator list becomes an empty list.
		// NOTE(review): aclSummary and useAclSummaryForEvaluation are not reset in this
		// branch; if either holds a stale value, the policy.getPolicyType() call near the
		// end of this method would dereference a null policy - confirm init() is never
		// re-run with a null policy on a used instance.
		validityScheduleEvaluators = Collections.<RangerValidityScheduleEvaluator>emptyList();
		allowEvaluators            = Collections.<RangerPolicyItemEvaluator>emptyList();
		denyEvaluators             = Collections.<RangerPolicyItemEvaluator>emptyList();
		allowExceptionEvaluators   = Collections.<RangerPolicyItemEvaluator>emptyList();
		denyExceptionEvaluators    = Collections.<RangerPolicyItemEvaluator>emptyList();
		dataMaskEvaluators         = Collections.<RangerDataMaskPolicyItemEvaluator>emptyList();
		rowFilterEvaluators        = Collections.<RangerRowFilterPolicyItemEvaluator>emptyList();
		conditionEvaluators        = Collections.<RangerConditionEvaluator>emptyList();
	}

	// Only the four allow/deny lists are put into evaluation order.
	RangerPolicyItemEvaluator.EvalOrderComparator comparator = new RangerPolicyItemEvaluator.EvalOrderComparator();
	Collections.sort(allowEvaluators, comparator);
	Collections.sort(denyEvaluators, comparator);
	Collections.sort(allowExceptionEvaluators, comparator);
	Collections.sort(denyExceptionEvaluators, comparator);

	/* dataMask, rowFilter policyItems must be evaluated in the order given in the policy; hence no sort
	Collections.sort(dataMaskEvaluators);
	Collections.sort(rowFilterEvaluators);
	*/

	RangerPerfTracer.log(perf);

	// A null policy type is treated like POLICY_TYPE_ACCESS; the message carries the policy id only.
	if (useAclSummaryForEvaluation && (policy.getPolicyType() == null || policy.getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
		LOG.info("PolicyEvaluator for policy:[" + policy.getId() + "] is set up to use ACL Summary to evaluate access");
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerDefaultPolicyEvaluator.init()");
	}
}
 
Example 4
Source File: RangerDefaultPolicyResourceMatcher.java    From ranger with Apache License 2.0 4 votes vote down vote up
/**
 * Reports whether the resources of {@code policy} match this matcher within the
 * requested scope.
 *
 * <p>A match is only attempted when the policy's type equals this matcher's
 * {@code policyType} and the policy has at least one resource. The resource hierarchy
 * that fits the policy's resource names is then walked level by level; at each level the
 * first policy value that yields a match type other than {@code MatchType.NONE} is kept.
 * The walk stops as soon as a level fails to match, or when a level with values follows
 * a level that had none. The match type of the last level examined is finally checked
 * against {@code scope}.
 *
 * <p>Unit tests: TestDefaultPolicyResourceForPolicy.java,
 * TestDefaultPolicyResourceMatcher.java,
 * test_defaultpolicyresourcematcher_for_hdfs_policy.json,
 * test_defaultpolicyresourcematcher_for_hive_policy.json and
 * test_defaultPolicyResourceMatcher.json.
 *
 * <p>NOTE(review): {@code policy} is dereferenced without a null check, and
 * {@code policy.getPolicyType() == policyType} carries no null guard although other
 * Ranger code treats a null policy type as {@code POLICY_TYPE_ACCESS}. If the
 * {@code policyType} field is a primitive, a null type would fail on unboxing; if it is
 * an {@code Integer}, {@code ==} compares references. Confirm the field's declaration.
 *
 * @param policy      policy whose resources are tested
 * @param scope       scope that the resulting match type must satisfy
 * @param evalContext evaluation context handed on to {@code getMatchType}
 * @return {@code true} when every examined level matched and the final match type
 *         satisfies {@code scope}
 */
@Override
public boolean isMatch(RangerPolicy policy, MatchScope scope, Map<String, Object> evalContext) {
    RangerPerfTracer tracer = null;

    // NOTE(review): the trace label names getPoliciesNonLegacy(), not isMatch() - looks
    // like a copied label; confirm before relying on it in perf logs.
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        tracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.getPoliciesNonLegacy()");
    }

    boolean                           matched     = false;
    Map<String, RangerPolicyResource> resourceMap = policy.getResources();

    if (policy.getPolicyType() == policyType && MapUtils.isNotEmpty(resourceMap)) {
        List<RangerResourceDef> levels = getMatchingHierarchy(resourceMap.keySet());

        if (CollectionUtils.isNotEmpty(levels)) {
            MatchType                levelMatch   = MatchType.NONE;
            RangerAccessResourceImpl candidate    = new RangerAccessResourceImpl();
            boolean                  levelSkipped = false;

            candidate.setServiceDef(serviceDef);

            // The candidate resource is filled in one hierarchy level at a time.
            for (RangerResourceDef def : levels) {
                String               defName     = def.getName();
                RangerPolicyResource defResource = resourceMap.get(defName);

                if (defResource == null || !CollectionUtils.isNotEmpty(defResource.getValues())) {
                    // The policy says nothing at this level; the result so far is kept.
                    levelSkipped = true;
                } else {
                    matched    = false;
                    levelMatch = MatchType.NONE;

                    // Values that appear below a skipped level end the walk as a non-match.
                    if (levelSkipped) {
                        break;
                    }

                    for (String val : defResource.getValues()) {
                        candidate.setValue(defName, val);

                        levelMatch = getMatchType(candidate, evalContext);

                        // The first value that matches in any way settles this level.
                        if (levelMatch != MatchType.NONE) {
                            matched = true;
                            break;
                        }
                    }
                }

                // A level without any matching value means the policy cannot match.
                if (!matched) {
                    break;
                }
            }

            // The match type of the last examined level is judged against the scope.
            matched = matched && isMatch(scope, levelMatch);
        }
    }

    RangerPerfTracer.log(tracer);

    return matched;
}