Java Code Examples for org.apache.ranger.plugin.policyengine.RangerAccessRequest#isAccessTypeAny()

The following examples show how to use org.apache.ranger.plugin.policyengine.RangerAccessRequest#isAccessTypeAny().
Example 1
Source File: RangerOptimizedPolicyEvaluator.java    From ranger with Apache License 2.0
/**
 * Pre-check that reports whether this policy can hold a policy item applicable to the request.
 *
 * <p>Two gates are applied in order. The principal gate passes when any of these holds: the
 * {@code hasPublicGroup} or {@code hasCurrentUser} flag is set, {@code isOwnerMatch(request)}
 * is true, the request's user is in {@code users}, one of its groups is in {@code groups}, or
 * one of the roles read from the request context is in {@code roles}. The access gate then
 * answers with {@code delegateAdmin} for delegated-admin requests, {@code true} when
 * {@code hasAllPerms} is set, and otherwise {@code true} when the request is an "any access"
 * request or its access type is in {@code accessPerms}.
 *
 * <p>NOTE(review): an "any access" request passes the access gate without consulting
 * {@code accessPerms}. This looks like a candidate filter rather than the grant decision;
 * confirm the caller still runs the per-item evaluation before granting anything.
 *
 * @param request the access request being evaluated; dereferenced without a null check
 * @return {@code true} if both gates pass, {@code false} otherwise
 */
@Override
protected boolean hasMatchablePolicyItem(RangerAccessRequest request) {
    // Operand order is kept as in the original so short-circuiting skips the same lookups.
    final boolean principalMatches = hasPublicGroup
            || hasCurrentUser
            || isOwnerMatch(request)
            || users.contains(request.getUser())
            || CollectionUtils.containsAny(groups, request.getUserGroups())
            || (CollectionUtils.isNotEmpty(roles)
                    && CollectionUtils.containsAny(roles, RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext())));

    if (!principalMatches) {
        return false;
    }

    if (request.isAccessTypeDelegatedAdmin()) {
        // Delegated-admin requests depend only on the policy's delegateAdmin flag.
        return delegateAdmin;
    }

    if (hasAllPerms) {
        return true;
    }

    // "Any access" is satisfied without comparing the concrete access type.
    return request.isAccessTypeAny() || accessPerms.contains(request.getAccessType());
}
 
Example 2
Source File: RangerDefaultPolicyEvaluator.java    From ranger with Apache License 2.0
/**
 * Applies this policy's items to the request and records the outcome in {@code result}.
 *
 * <p>Two strategies exist. When {@code useAclSummaryForEvaluation} is set and the policy type is
 * {@code null} or {@code POLICY_TYPE_ACCESS}, the decision is looked up in the ACL summary by
 * user, groups, roles and access type; a {@code null} lookup leaves {@code result} untouched.
 * Otherwise the matching policy item (if any) updates the result. When no item matches, the
 * result is set to denied only if the policy is flagged deny-all-else, its type is {@code null}
 * or {@code POLICY_TYPE_ACCESS}, and the request is not an "any access" request.
 *
 * <p>NOTE(review): the ACL-summary branch has no deny-all-else step of its own in this method;
 * confirm {@code lookupPolicyACLSummary} already accounts for deny-all-else policies.
 *
 * <p>NOTE(review): the debug messages embed {@code request} and {@code result} via string
 * concatenation; what their {@code toString()} exposes is not visible here, so treat debug logs
 * as potentially carrying user and resource identifiers.
 *
 * @param request   the access request being evaluated
 * @param matchType how the policy's resource matched the requested resource
 * @param result    the access result updated in place
 */
protected void evaluatePolicyItems(RangerAccessRequest request, RangerPolicyResourceMatcher.MatchType matchType, RangerAccessResult result) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + matchType + ")");
	}

	// Policy type is only inspected when the ACL-summary switch is on (short-circuit preserved).
	final boolean viaAclSummary = useAclSummaryForEvaluation
			&& (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS);

	if (!viaAclSummary) {
		if (LOG.isDebugEnabled()) {
			LOG.debug("Using policyItemEvaluators for access evaluation. PolicyId=[" + getId() + "]");
		}

		final RangerPolicyItemEvaluator itemEvaluator = getMatchingPolicyItem(request, result);

		if (itemEvaluator == null) {
			// Deny-all-else is skipped for "any access" requests.
			final boolean denyAllElseApplies = getPolicy().getIsDenyAllElse()
					&& (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)
					&& !request.isAccessTypeAny();

			if (denyAllElseApplies) {
				updateAccessResult(result, RangerPolicyResourceMatcher.MatchType.NONE, false, "matched deny-all-else policy");
			}
		} else {
			itemEvaluator.updateAccessResult(this, result, matchType);
		}
	} else {
		if (LOG.isDebugEnabled()) {
			LOG.debug("Using ACL Summary for access evaluation. PolicyId=[" + getId() + "]");
		}

		final Integer aclDecision = lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), request.getUserRoles(),  request.getAccessType());

		// A null lookup means the summary holds no decision; result stays as it was.
		if (aclDecision != null) {
			final boolean allowed = aclDecision.equals(RangerPolicyEvaluator.ACCESS_ALLOWED);

			updateAccessResult(result, matchType, allowed, null);
		}
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + matchType + ")");
	}
}
 
Example 3
Source File: RangerDefaultPolicyEvaluator.java    From ranger with Apache License 2.0
/**
 * Evaluates this policy against the request and records audit and access outcomes in
 * {@code result}.
 *
 * <p>Nothing is evaluated when either argument is {@code null}, or when the result already has
 * both its access and its audit outcome determined. Otherwise the resource match type is
 * obtained (from the request itself for tag requests, where {@code ANCESTOR} is mapped to
 * {@code SELF}; from {@code resourceMatcher} otherwise, or {@code NONE} without a matcher).
 *
 * <p>For "any access" requests and for requests scoped {@code SELF_OR_DESCENDANTS}, every match
 * type other than {@code NONE} counts as a match. All other requests match only on
 * {@code SELF} or {@code SELF_AND_ALL_DESCENDANTS}. A match must also pass
 * {@code matchPolicyCustomConditions} before audit and access are updated.
 *
 * <p>The perf tracer is logged on the normal return path only; an exception thrown during
 * evaluation skips {@code RangerPerfTracer.log(perf)}.
 *
 * <p>NOTE(review): the debug messages embed {@code request} and {@code result}; what their
 * {@code toString()} exposes is not visible here.
 *
 * @param request the access request; may be {@code null}
 * @param result  the result updated in place; may be {@code null}
 */
@Override
public void evaluate(RangerAccessRequest request, RangerAccessResult result) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(policyId=" + getPolicy().getId() + ", " + request + ", " + result + ")");
	}

	final RangerPerfTracer perf = RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)
			? RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.evaluate(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + "," + perfTag + ")")
			: null;

	// Only work on usable arguments whose access or audit outcome is still open.
	final boolean needsEvaluation = request != null && result != null
			&& (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined());

	if (needsEvaluation) {
		RangerPolicyResourceMatcher.MatchType matchType;

		if (request instanceof RangerTagAccessRequest) {
			matchType = ((RangerTagAccessRequest) request).getMatchType();

			// For tag requests an ancestor match is handled as a match on the resource itself.
			if (matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
				matchType = RangerPolicyResourceMatcher.MatchType.SELF;
			}
		} else if (resourceMatcher != null) {
			matchType = resourceMatcher.getMatchType(request.getResource(), request.getContext());
		} else {
			matchType = RangerPolicyResourceMatcher.MatchType.NONE;
		}

		final boolean isMatched;

		if (request.isAccessTypeAny()
				|| request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
			// Broad matching: any relationship between policy resource and request resource counts.
			isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
		} else {
			isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF
					|| matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
		}

		// Policy-level custom conditions gate both the audit and the access update.
		if (isMatched && matchPolicyCustomConditions(request)) {
			if (!result.getIsAuditedDetermined() && isAuditEnabled()) {
				result.setIsAudited(true);
				result.setAuditPolicyId(getPolicy().getId());
			}

			if (!result.getIsAccessDetermined() && hasMatchablePolicyItem(request)) {
				evaluatePolicyItems(request, matchType, result);
			}
		}
	}

	RangerPerfTracer.log(perf);

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(policyId=" + getPolicy().getId() + ", " + request + ", " + result + ")");
	}
}
 
Example 4
Source File: RangerTagEnricher.java    From ranger with Apache License 2.0
/**
 * Collects the tags whose service resources match the resource named in the request.
 *
 * <p>When the request carries no resource keys and is an "any access" request, the result is
 * whatever {@code getTagsForEmptyResourceAndAnyAccess()} returns. Otherwise each candidate
 * matcher from {@code getEvaluators} is consulted. For "any access" requests and for requests
 * scoped {@code SELF_OR_DESCENDANTS}, every match type other than {@code NONE} counts; all
 * other requests match only on {@code SELF} or {@code ANCESTOR}.
 *
 * @param request   the access request; dereferenced without a null check
 * @param dataStore tag data to evaluate against; when {@code null} the instance's own
 *                  {@code enrichedServiceTags} field is used
 * @return the matching tags, or {@code null} (not an empty set) when no matcher matched;
 *         callers must handle {@code null}
 */
private Set<RangerTagForEval> findMatchingTags(final RangerAccessRequest request, EnrichedServiceTags dataStore) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerTagEnricher.findMatchingTags(" + request + ")");
	}

	// Work on one local reference for the whole call, to minimize the chance of a race
	// between the Tag-Refresher thread and the access-evaluation thread.
	final EnrichedServiceTags tagsSnapshot = (dataStore == null) ? this.enrichedServiceTags : dataStore;

	final RangerAccessResource resource = request.getResource();
	final boolean resourceHasNoKeys = resource == null || resource.getKeys() == null || resource.getKeys().isEmpty();

	Set<RangerTagForEval> ret = null;

	if (resourceHasNoKeys && request.isAccessTypeAny()) {
		ret = tagsSnapshot.getTagsForEmptyResourceAndAnyAccess();
	} else {
		final List<RangerServiceResourceMatcher> candidates = getEvaluators(resource, tagsSnapshot);

		if (CollectionUtils.isNotEmpty(candidates)) {
			for (RangerServiceResourceMatcher candidate : candidates) {
				final RangerPolicyResourceMatcher.MatchType matchType = candidate.getMatchType(resource, request.getContext());

				final boolean isMatched;

				if (request.isAccessTypeAny()
						|| request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
					// Broad matching: any relationship to the tagged resource counts.
					isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
				} else {
					isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF
							|| matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR;
				}

				if (!isMatched) {
					continue;
				}

				// The set is created lazily so that "nothing matched" stays null.
				if (ret == null) {
					ret = new HashSet<>();
				}

				ret.addAll(getTagsForServiceResource(tagsSnapshot.getServiceTags(), candidate.getServiceResource(), matchType));
			}
		}
	}

	if (LOG.isDebugEnabled()) {
		if (CollectionUtils.isEmpty(ret)) {
			LOG.debug("RangerTagEnricher.findMatchingTags(" + resource + ") - No tags Found ");
		} else {
			LOG.debug("RangerTagEnricher.findMatchingTags(" + resource + ") - " + ret.size() + " tags Found ");
		}
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerTagEnricher.findMatchingTags(" + request + ")");
	}

	return ret;
}