Java Code Examples for org.apache.ranger.plugin.model.RangerPolicy#getResources()
The following examples show how to use
org.apache.ranger.plugin.model.RangerPolicy#getResources() .
Example 1
Source File: RangerPolicyValidator.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Runs the resource-related validations for a policy and records any problems in {@code failures}.
 *
 * <p>Every applicable check is executed even after an earlier one has failed, so that
 * {@code failures} receives the full set of problems rather than only the first.
 *
 * <p>Reviewer caveat: the checks are conditional. When {@code policy.getResources()} is
 * {@code null} nothing is checked, and when {@code serviceDef} is {@code null} only the
 * uniqueness check runs; in both cases the method can still return {@code true}. A caller that
 * treats this result as a gate has to reject a missing service-def or missing resources itself.
 *
 * @param policy     policy whose resources are validated
 * @param failures   collector handed to each individual check
 * @param action     forwarded to the uniqueness check
 * @param isAdmin    forwarded to the resource-flag check
 * @param serviceDef service definition the resources are validated against; may be {@code null}
 * @return {@code true} when every check that was run passed
 */
boolean isValidResources(RangerPolicy policy, final List<ValidationFailureDetails> failures, Action action, boolean isAdmin, final RangerServiceDef serviceDef) {
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerPolicyValidator.isValidResources(%s, %s, %s, %s, %s)", policy, failures, action, isAdmin, serviceDef));
    }

    boolean valid = true;
    final Map<String, RangerPolicyResource> policyResources = policy.getResources();
    final boolean hasResources = policyResources != null;

    // `&=` does not short-circuit: each check is always invoked, so each one can report failures.
    if (hasResources) {
        valid &= isPolicyResourceUnique(policy, failures, action);
    }

    // The remaining checks compare the policy against the service definition and are
    // skipped when there is none to compare against.
    if (hasResources && serviceDef != null) {
        valid &= isValidResourceNames(policy, failures, serviceDef);
        valid &= isValidResourceValues(policyResources, failures, serviceDef);
        valid &= isValidResourceFlags(policyResources, failures, serviceDef.getResources(), serviceDef.getName(), policy.getName(), isAdmin);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.isValidResources(%s, %s, %s, %s, %s): %s", policy, failures, action, isAdmin, serviceDef, valid));
    }

    return valid;
}
Example 2
Source File: RangerPolicyAdminImpl.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Collects the policies whose evaluators report a complete match against the resources of
 * {@code policy}, looking only in the repository the policy engine selects for that policy.
 *
 * <p>Note for callers: the result is {@code null}, not an empty list, when no repository is
 * selected or when no evaluator matches.
 *
 * <p>Debug logging prints the whole policy and evaluation context.
 *
 * @param policy      policy whose resources are matched
 * @param evalContext context passed through to each evaluator
 * @return the matching policies, or {@code null} when there are none
 */
@Override
public List<RangerPolicy> getExactMatchPolicies(RangerPolicy policy, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyAdminImpl.getExactMatchPolicies(" + policy + ", " + evalContext + ")");
    }

    List<RangerPolicy> ret = null;
    final RangerPolicyRepository repository = policyEngine.getRepositoryForMatchedZone(policy);

    if (repository != null) {
        final Map<String, RangerPolicyResource> wanted = policy.getResources();

        for (RangerPolicyEvaluator candidate : repository.getPolicyEvaluators()) {
            if (!candidate.isCompleteMatch(wanted, evalContext)) {
                continue;
            }

            // The list is created lazily so that "nothing matched" stays null.
            if (ret == null) {
                ret = new ArrayList<>();
            }
            ret.add(candidate.getPolicy());
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyAdminImpl.getExactMatchPolicies(" + policy + ", " + evalContext + "): " + ret);
    }

    return ret;
}
Example 3
Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 5 votes |
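/**
 * Removes {@code null} entries from the value lists of the policy's resources and then runs
 * {@code scrubPolicyItems} over each of the policy's item lists.
 *
 * <p>The scrubber tolerates the malformed input it is meant to clean: a {@code null} resource
 * map, a {@code null} resource entry or a {@code null} value list is skipped instead of raising
 * a {@link NullPointerException} part-way through.
 *
 * @param policy policy to clean in place
 * @return {@code true} when at least one {@code null} resource value was removed
 */
private boolean scrubPolicy(RangerPolicy policy) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyRepository.scrubPolicy(" + policy + ")");
    }

    boolean altered = false;
    Long policyId = policy.getId();
    Map<String, RangerPolicy.RangerPolicyResource> resourceMap = policy.getResources();

    if (resourceMap != null) {
        for (Map.Entry<String, RangerPolicy.RangerPolicyResource> entry : resourceMap.entrySet()) {
            String resourceName = entry.getKey();
            RangerPolicy.RangerPolicyResource resource = entry.getValue();

            // Nothing to scrub for an absent resource or an absent value list.
            if (resource == null || resource.getValues() == null) {
                continue;
            }

            // Iterator.remove() is used so that entries can be dropped while iterating.
            Iterator<String> iterator = resource.getValues().iterator();
            while (iterator.hasNext()) {
                String value = iterator.next();

                if (value == null) {
                    LOG.warn("RangerPolicyRepository.scrubPolicyResource: found null resource value for " + resourceName + " in policy " + policyId + "! Removing...");
                    iterator.remove();
                    altered = true;
                }
            }
        }
    }

    // NOTE(review): whatever scrubPolicyItems returns is not folded into `altered`, so the
    // return value only reflects resource-value removals; confirm that is intended.
    scrubPolicyItems(policyId, policy.getPolicyItems());
    scrubPolicyItems(policyId, policy.getAllowExceptions());
    scrubPolicyItems(policyId, policy.getDenyPolicyItems());
    scrubPolicyItems(policyId, policy.getDenyExceptions());
    scrubPolicyItems(policyId, policy.getRowFilterPolicyItems());
    scrubPolicyItems(policyId, policy.getDataMaskPolicyItems());

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyRepository.scrubPolicy(" + policy + "): " + altered);
    }

    return altered;
}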
Example 4
Source File: RangerValidator.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Replaces the policy's resource map with a copy whose keys (resource-def names) are
 * lower-cased. A policy whose resource map is {@code null} ends up with an empty map.
 *
 * <p>NOTE(review): two keys that differ only in case collapse into one entry and one of the
 * two resources is silently dropped; which one survives depends on map iteration order.
 *
 * <p>NOTE(review): {@code toLowerCase()} uses the JVM default locale, so the result can differ
 * between locales (for example for the letter {@code I}). Whether that matters depends on how
 * the names are lower-cased elsewhere; confirm before switching to a fixed locale here.
 *
 * @param policy policy whose resource names are normalised in place
 */
void convertPolicyResourceNamesToLower(RangerPolicy policy) {
    final Map<String, RangerPolicyResource> current = policy.getResources();
    final Map<String, RangerPolicyResource> normalized = new HashMap<>();

    if (current != null) {
        current.forEach((resourceName, resource) -> normalized.put(resourceName.toLowerCase(), resource));
    }

    policy.setResources(normalized);
}
Example 5
Source File: PatchForUpdatingPolicyJson_J10019.java From ranger with Apache License 2.0 | 4 votes |
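/**
 * Creates one policy-to-resource-def reference row for every resource named in the policy.
 *
 * <p>The name-to-id map of the service type is looked up once and cached in
 * {@code resourceNameIdMap}. The map is cached only after it has been fully populated: caching
 * it first would leave an empty map behind if the lookup failed, and every later policy of the
 * same service type would then be rejected with a misleading "unknown resource" error.
 *
 * @param serviceType name of the service-def the policy belongs to
 * @param policy      policy whose resources are referenced
 * @throws Exception when the service-def is not found, or when the policy names a resource the
 *                   service-def does not define
 */
private void addResourceDefRef(String serviceType, RangerPolicy policy) throws Exception {
    logger.info("==> addResourceDefRef(id=" + policy.getId() + ")");

    Map<String, Long> serviceDefResourceNameIDMap = resourceNameIdMap.get(serviceType);

    if (serviceDefResourceNameIDMap == null) {
        XXServiceDef dbServiceDef = daoMgr.getXXServiceDef().findByName(serviceType);

        // Fail with a descriptive error instead of a NullPointerException on getId() below.
        if (dbServiceDef == null) {
            throw new Exception(serviceType + ": unknown service-def for policy [id=" + policy.getId() + "; name=" + policy.getName() + "]");
        }

        serviceDefResourceNameIDMap = new HashMap<>();

        for (XXResourceDef resourceDef : daoMgr.getXXResourceDef().findByServiceDefId(dbServiceDef.getId())) {
            serviceDefResourceNameIDMap.put(resourceDef.getName(), resourceDef.getId());
        }

        // Publish to the cache only once the map is complete.
        resourceNameIdMap.put(serviceType, serviceDefResourceNameIDMap);
    }

    Map<String, RangerPolicyResource> policyResources = policy.getResources();

    if (MapUtils.isNotEmpty(policyResources)) {
        XXPolicyRefResourceDao policyRefResourceDao = daoMgr.getXXPolicyRefResource();
        Set<String> resourceNames = policyResources.keySet();

        for (String resourceName : resourceNames) {
            Long resourceDefId = serviceDefResourceNameIDMap.get(resourceName);

            // A resource the service-def does not define aborts the whole call.
            if (resourceDefId == null) {
                throw new Exception(resourceName + ": unknown resource in policy [id=" + policy.getId() + "; name=" + policy.getName() + "; serviceType=" + serviceType + "]. Known resources: " + serviceDefResourceNameIDMap.keySet());
            }

            // insert policy-id, resourceDefId, resourceName into Ref table
            XXPolicyRefResource policyRefResource = new XXPolicyRefResource();

            policyRefResource.setPolicyId(policy.getId());
            policyRefResource.setResourceDefId(resourceDefId);
            policyRefResource.setResourceName(resourceName);

            policyRefResourceDao.create(policyRefResource);
        }
    }

    logger.info("<== addResourceDefRef(id=" + policy.getId() + ")");
}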
Example 6
Source File: ServiceUtil.java From ranger with Apache License 2.0 | 4 votes |
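/**
 * Narrows {@code policyLists}, in place, to the policies that mention the resource named in the
 * request. The filter is applied only when both the resource and the service-type request
 * parameters are non-empty; otherwise the list is returned untouched.
 *
 * <p>What is kept:
 * <ul>
 *   <li>every policy whose service type is the embedded tag service-def, unconditionally;</li>
 *   <li>any other policy whose {@code "path"} resource (or, when it has no {@code "path"} key,
 *       its {@code "database"} resource) lists the requested value.</li>
 * </ul>
 *
 * <p>Reviewer notes: values are compared with {@link List#contains(Object)}, i.e. exact string
 * equality, so a wildcard value in a policy is compared literally and not expanded. The
 * service-type parameter is only tested for presence; its value is never compared with a
 * policy. The result is therefore a search filter and says nothing about which policies would
 * actually apply to the resource.
 *
 * @param request     request carrying the search parameters; may be {@code null}
 * @param policyLists policies to filter; modified in place, may be {@code null}
 * @return the same {@code policyLists} instance
 */
public List<RangerPolicy> getMatchingPoliciesForResource(HttpServletRequest request, List<RangerPolicy> policyLists) {
    // A null list has nothing to filter; returning it unchanged avoids a NullPointerException below.
    if (request == null || policyLists == null) {
        return policyLists;
    }

    final String resource = request.getParameter(SearchFilter.POL_RESOURCE);
    final String serviceType = request.getParameter(SearchFilter.SERVICE_TYPE);

    if (StringUtil.isEmpty(resource) || StringUtil.isEmpty(serviceType)) {
        return policyLists;
    }

    final String serviceTypeForTag = EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME;
    final List<RangerPolicy> policies = new ArrayList<>();

    for (RangerPolicy rangerPolicy : policyLists) {
        if (rangerPolicy == null) {
            continue;
        }

        if (serviceTypeForTag.equals(rangerPolicy.getServiceType())
                || hasPathOrDatabaseValue(rangerPolicy.getResources(), resource)) {
            policies.add(rangerPolicy);
        }
    }

    // The caller's list instance is reused, so it is emptied and refilled rather than replaced.
    policyLists.clear();
    if (CollectionUtils.isNotEmpty(policies)) {
        policyLists.addAll(policies);
    }

    return policyLists;
}

/** Tells whether the map's "path" resource, or failing that key its "database" resource, lists {@code resource}. */
private static boolean hasPathOrDatabaseValue(Map<String, RangerPolicy.RangerPolicyResource> resourceMap, String resource) {
    if (resourceMap == null) {
        return false;
    }

    final RangerPolicy.RangerPolicyResource candidate;

    // "database" is consulted only when there is no "path" key at all, even if "path" maps to null.
    if (resourceMap.containsKey("path")) {
        candidate = resourceMap.get("path");
    } else if (resourceMap.containsKey("database")) {
        candidate = resourceMap.get("database");
    } else {
        return false;
    }

    if (candidate == null) {
        return false;
    }

    final List<String> values = candidate.getValues();

    return CollectionUtils.isNotEmpty(values) && values.contains(resource);
}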
Example 7
Source File: RangerDefaultPolicyResourceMatcher.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Decides whether the resources of {@code policy} match this matcher within the requested scope.
 *
 * <p>Only a policy of this matcher's policy type, with a non-empty resource map whose keys
 * select a resource hierarchy, is considered; anything else yields {@code false}.
 *
 * <p>The hierarchy is walked level by level. For each level that has values in the policy, the
 * values are tried one at a time and the first one that produces a match type other than
 * {@code NONE} is kept for that level. The walk fails as soon as a level has values but none of
 * them matches, when the first level has no values, or when a level with values follows a level
 * without values. When the walk succeeds, the match type of the last matched level is checked
 * against {@code scope}.
 *
 * <p>Unit tests: TestDefaultPolicyResourceForPolicy.java, TestDefaultPolicyResourceMatcher.java,
 * test_defaultpolicyresourcematcher_for_hdfs_policy.json,
 * test_defaultpolicyresourcematcher_for_hive_policy.json and test_defaultPolicyResourceMatcher.json.
 *
 * @param policy      policy whose resources are tested
 * @param scope       scope the final match type has to satisfy
 * @param evalContext context forwarded to the per-value match
 * @return {@code true} when every level matched and the final match type satisfies {@code scope}
 */
@Override
public boolean isMatch(RangerPolicy policy, MatchScope scope, Map<String, Object> evalContext) {
    boolean ret = false;
    RangerPerfTracer perf = null;

    // The trace tag names getPoliciesNonLegacy() rather than this method; it is kept verbatim.
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.getPoliciesNonLegacy()");
    }

    final Map<String, RangerPolicyResource> resources = policy.getResources();

    // NOTE(review): `==` compares numerically only if at least one side is a primitive; confirm the types.
    if (policy.getPolicyType() == policyType && MapUtils.isNotEmpty(resources)) {
        final List<RangerResourceDef> hierarchy = getMatchingHierarchy(resources.keySet());

        if (CollectionUtils.isNotEmpty(hierarchy)) {
            MatchType matchType = MatchType.NONE;
            // Probe resource that is filled in one level at a time as the hierarchy is walked.
            final RangerAccessResourceImpl accessResource = new RangerAccessResourceImpl();
            boolean gapSeen = false;

            accessResource.setServiceDef(serviceDef);

            for (RangerResourceDef levelDef : hierarchy) {
                final String levelName = levelDef.getName();
                final RangerPolicyResource levelResource = resources.get(levelName);
                final boolean hasValues = levelResource != null && CollectionUtils.isNotEmpty(levelResource.getValues());

                if (!hasValues) {
                    // The policy says nothing about this level; remember the gap.
                    gapSeen = true;
                } else {
                    ret = false;
                    matchType = MatchType.NONE;

                    if (gapSeen) {
                        // Values below a gap in the hierarchy: the policy cannot match.
                        break;
                    }

                    for (String value : levelResource.getValues()) {
                        accessResource.setValue(levelName, value);
                        matchType = getMatchType(accessResource, evalContext);

                        if (matchType != MatchType.NONE) {
                            // First acceptable value wins for this level.
                            ret = true;
                            break;
                        }
                    }
                }

                if (!ret) {
                    // No value matched at this level (or nothing has matched yet), so lower levels are pointless.
                    break;
                }
            }

            // The match type of the last matched level stands for the whole policy.
            ret = ret && isMatch(scope, matchType);
        }
    }

    RangerPerfTracer.log(perf);

    return ret;
}