Java Code Examples for org.apache.ranger.plugin.model.RangerPolicy#POLICY_TYPE_ACCESS
The following examples show how to use
org.apache.ranger.plugin.model.RangerPolicy#POLICY_TYPE_ACCESS .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: RangerPolicyService.java From ranger with Apache License 2.0 | 6 votes |
|
public String restrictIsDenyAllElseLogForMaskingAndRowfilterPolicy(String fieldName, RangerPolicy vObj) {
if (logger.isDebugEnabled()) {
logger.debug("==> RangerPolicyService( Field Name : (" + fieldName +") RangerPolicy : ("+ vObj + ")");
}
String ret = "";
if (StringUtils.isNotBlank(fieldName)
&& StringUtils.equalsIgnoreCase(fieldName.trim(), POLICY_IS_DENY_ALL_ELSE_CLASS_FIELD_NAME)
&& vObj != null) {
Integer policyType = vObj.getPolicyType();
if (policyType == null || policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
return ret;
} else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER
|| policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
ret = null;
}
}
if (logger.isDebugEnabled()) {
logger.debug("<== RangerPolicyService( Field Name : (" + fieldName +") RangerPolicy : ("+ vObj + ") ret : ( "+ret+" )");
}
return ret;
}
Example 2
| Source File: RangerTagEnricher.java From ranger with Apache License 2.0 | 6 votes |
|
void addHierarchy(int policyType, Collection<String> resourceKeys, Boolean isValid) {
switch (policyType) {
case RangerPolicy.POLICY_TYPE_ACCESS:
accessHierarchies.put(resourceKeys, isValid);
break;
case RangerPolicy.POLICY_TYPE_DATAMASK:
dataMaskHierarchies.put(resourceKeys, isValid);
break;
case RangerPolicy.POLICY_TYPE_ROWFILTER:
rowFilterHierarchies.put(resourceKeys, isValid);
break;
default:
LOG.error("unknown policy-type " + policyType);
break;
}
}
Example 3
| Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 6 votes |
|
private void deletePolicyEvaluator(RangerPolicyEvaluator evaluator) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyRepository.deletePolicyEvaluator(" + evaluator.getPolicy() + ")");
}
int policyType = evaluator.getPolicy().getPolicyType();
List<RangerPolicyEvaluator> evaluators = null;
if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
evaluators = this.policyEvaluators;
} else if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
evaluators = this.dataMaskPolicyEvaluators;
} else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
evaluators = this.rowFilterPolicyEvaluators;
} else {
LOG.error("Unknown policyType:[" + policyType +"]");
}
if (evaluators != null) {
evaluators.remove(evaluator);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyRepository.deletePolicyEvaluator(" + evaluator.getPolicy() + ")");
}
}
Example 4
| Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 6 votes |
|
Map<String, RangerResourceTrie> getTrie(final int policyType) {
final Map<String, RangerResourceTrie> ret;
switch (policyType) {
case RangerPolicy.POLICY_TYPE_ACCESS:
ret = policyResourceTrie;
break;
case RangerPolicy.POLICY_TYPE_DATAMASK:
ret = dataMaskResourceTrie;
break;
case RangerPolicy.POLICY_TYPE_ROWFILTER:
ret = rowFilterResourceTrie;
break;
default:
ret = null;
}
return ret;
}
Example 5
| Source File: RangerServiceDefHelper.java From ranger with Apache License 2.0 | 6 votes |
|
List<RangerResourceDef> getResourceDefs(RangerServiceDef serviceDef, Integer policyType) {
final List<RangerResourceDef> resourceDefs;
if(policyType == null || policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
resourceDefs = serviceDef.getResources();
} else if(policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
if(serviceDef.getDataMaskDef() != null) {
resourceDefs = serviceDef.getDataMaskDef().getResources();
} else {
resourceDefs = null;
}
} else if(policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
if(serviceDef.getRowFilterDef() != null) {
resourceDefs = serviceDef.getRowFilterDef().getResources();
} else {
resourceDefs = null;
}
} else { // unknown policyType; use all resources
resourceDefs = serviceDef.getResources();
}
return resourceDefs;
}
Example 6
| Source File: RangerServiceDefHelper.java From ranger with Apache License 2.0 | 5 votes |
|
public Set<List<RangerResourceDef>> getResourceHierarchies(Integer policyType) {
if(policyType == null) {
policyType = RangerPolicy.POLICY_TYPE_ACCESS;
}
Set<List<RangerResourceDef>> ret = _hierarchies.get(policyType);
if(ret == null) {
ret = EMPTY_RESOURCE_HIERARCHY;
}
return ret;
}
Example 7
| Source File: RangerTagEnricher.java From ranger with Apache License 2.0 | 5 votes |
|
Boolean isValidHierarchy(int policyType, Collection<String> resourceKeys) {
switch (policyType) {
case RangerPolicy.POLICY_TYPE_ACCESS:
return accessHierarchies.get(resourceKeys);
case RangerPolicy.POLICY_TYPE_DATAMASK:
return dataMaskHierarchies.get(resourceKeys);
case RangerPolicy.POLICY_TYPE_ROWFILTER:
return rowFilterHierarchies.get(resourceKeys);
default:
return null;
}
}
Example 8
| Source File: RangerDefaultPolicyEvaluator.java From ranger with Apache License 2.0 | 5 votes |
|
protected RangerPolicyItemEvaluator getMatchingPolicyItem(RangerAccessRequest request, RangerAccessResult result) {
RangerPolicyItemEvaluator ret = null;
Integer policyType = getPolicy().getPolicyType();
if (policyType == null) {
policyType = RangerPolicy.POLICY_TYPE_ACCESS;
}
switch (policyType) {
case RangerPolicy.POLICY_TYPE_ACCESS: {
ret = getMatchingPolicyItem(request, denyEvaluators, denyExceptionEvaluators);
if(ret == null && !result.getIsAccessDetermined()) { // a deny policy could have set isAllowed=true, but in such case it wouldn't set isAccessDetermined=true
ret = getMatchingPolicyItem(request, allowEvaluators, allowExceptionEvaluators);
}
break;
}
case RangerPolicy.POLICY_TYPE_DATAMASK: {
ret = getMatchingPolicyItem(request, dataMaskEvaluators);
break;
}
case RangerPolicy.POLICY_TYPE_ROWFILTER: {
ret = getMatchingPolicyItem(request, rowFilterEvaluators);
break;
}
default:
break;
}
return ret;
}
Example 9
| Source File: RangerDefaultPolicyEvaluator.java From ranger with Apache License 2.0 | 5 votes |
|
protected void evaluatePolicyItems(RangerAccessRequest request, RangerPolicyResourceMatcher.MatchType matchType, RangerAccessResult result) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + matchType + ")");
}
if (useAclSummaryForEvaluation && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Using ACL Summary for access evaluation. PolicyId=[" + getId() + "]");
}
Integer accessResult = lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), request.getUserRoles(), request.getAccessType());
if (accessResult != null) {
updateAccessResult(result, matchType, accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED), null);
}
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("Using policyItemEvaluators for access evaluation. PolicyId=[" + getId() + "]");
}
RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, result);
if (matchedPolicyItem != null) {
matchedPolicyItem.updateAccessResult(this, result, matchType);
} else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS) && !request.isAccessTypeAny()) {
updateAccessResult(result, RangerPolicyResourceMatcher.MatchType.NONE, false, "matched deny-all-else policy");
}
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + matchType + ")");
}
}
Example 10
| Source File: RangerHiveAuditHandler.java From ranger with Apache License 2.0 | 5 votes |
|
AuthzAuditEvent createAuditEvent(RangerAccessResult result) {
AuthzAuditEvent ret = null;
RangerAccessRequest request = result.getAccessRequest();
RangerAccessResource resource = request.getResource();
String resourcePath = resource != null ? resource.getAsString() : null;
int policyType = result.getPolicyType();
if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK && result.isMaskEnabled()) {
ret = createAuditEvent(result, result.getMaskType(), resourcePath);
} else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
ret = createAuditEvent(result, ACCESS_TYPE_ROWFILTER, resourcePath);
} else if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
String accessType = null;
if (request instanceof RangerHiveAccessRequest) {
RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest) request;
accessType = hiveRequest.getHiveAccessType().toString();
String action = request.getAction();
if (ACTION_TYPE_METADATA_OPERATION.equals(action)) {
accessType = ACTION_TYPE_METADATA_OPERATION;
}
}
if (StringUtils.isEmpty(accessType)) {
accessType = request.getAccessType();
}
ret = createAuditEvent(result, accessType, resourcePath);
}
return ret;
}
Example 11
| Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 5 votes |
|
private RangerPolicyEvaluator addPolicy(RangerPolicy policy) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyRepository.addPolicy(" + policy +")");
}
RangerPolicyEvaluator ret = null;
if (StringUtils.equals(this.serviceDef.getName(), this.componentServiceDef.getName()) || !isPolicyNeedsPruning(policy, this.componentServiceDef.getName())) {
policies.add(policy);
if (!skipBuildingPolicyEvaluator(policy, options)) {
ret = buildPolicyEvaluator(policy, serviceDef, options);
if (ret != null) {
if (policy.getPolicyType() == null || policy.getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS) {
policyEvaluators.add(ret);
} else if (policy.getPolicyType() == RangerPolicy.POLICY_TYPE_DATAMASK) {
dataMaskPolicyEvaluators.add(ret);
} else if (policy.getPolicyType() == RangerPolicy.POLICY_TYPE_ROWFILTER) {
rowFilterPolicyEvaluators.add(ret);
} else {
LOG.warn("RangerPolicyEngine: ignoring policy id=" + policy.getId() + " - invalid policyType '" + policy.getPolicyType() + "'");
}
policyEvaluatorsMap.put(policy.getId(), ret);
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyRepository.addPolicy(" + policy +"): " + ret);
}
return ret;
}
Example 12
| Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 5 votes |
|
public List<RangerPolicyEvaluator> getLikelyMatchPolicyEvaluators(RangerAccessResource resource, int policyType) {
switch (policyType) {
case RangerPolicy.POLICY_TYPE_ACCESS:
return getLikelyMatchAccessPolicyEvaluators(resource);
case RangerPolicy.POLICY_TYPE_DATAMASK:
return getLikelyMatchDataMaskPolicyEvaluators(resource);
case RangerPolicy.POLICY_TYPE_ROWFILTER:
return getLikelyMatchRowFilterPolicyEvaluators(resource);
default:
return Collections.EMPTY_LIST;
}
}
Example 13
| Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 5 votes |
|
List<RangerPolicyEvaluator> getPolicyEvaluators(int policyType) {
switch (policyType) {
case RangerPolicy.POLICY_TYPE_ACCESS:
return getPolicyEvaluators();
case RangerPolicy.POLICY_TYPE_DATAMASK:
return getDataMaskPolicyEvaluators();
case RangerPolicy.POLICY_TYPE_ROWFILTER:
return getRowFilterPolicyEvaluators();
default:
return getPolicyEvaluators();
}
}
Example 14
| Source File: RangerDefaultPolicyEvaluator.java From ranger with Apache License 2.0 | 4 votes |
|
@Override
public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.init()");
}
StringBuilder perfTagBuffer = new StringBuilder();
if (policy != null) {
perfTagBuffer.append("policyId=").append(policy.getId()).append(", policyName=").append(policy.getName());
}
perfTag = perfTagBuffer.toString();
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerPolicyEvaluator.init(" + perfTag + ")");
}
super.init(policy, serviceDef, options);
preprocessPolicy(policy, serviceDef);
resourceMatcher = new RangerDefaultPolicyResourceMatcher();
resourceMatcher.setServiceDef(serviceDef);
resourceMatcher.setPolicy(policy);
resourceMatcher.setServiceDefHelper(options.getServiceDefHelper());
resourceMatcher.init();
if(policy != null) {
validityScheduleEvaluators = createValidityScheduleEvaluators(policy);
if (!options.disableAccessEvaluationWithPolicyACLSummary) {
aclSummary = createPolicyACLSummary();
}
useAclSummaryForEvaluation = aclSummary != null;
if (useAclSummaryForEvaluation) {
allowEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
denyEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
allowExceptionEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
denyExceptionEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
} else {
allowEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
denyEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
allowExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
denyExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
}
dataMaskEvaluators = createDataMaskPolicyItemEvaluators(policy, serviceDef, options, policy.getDataMaskPolicyItems());
rowFilterEvaluators = createRowFilterPolicyItemEvaluators(policy, serviceDef, options, policy.getRowFilterPolicyItems());
conditionEvaluators = createRangerPolicyConditionEvaluator(policy, serviceDef, options);
} else {
validityScheduleEvaluators = Collections.<RangerValidityScheduleEvaluator>emptyList();
allowEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
denyEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
allowExceptionEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
denyExceptionEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
dataMaskEvaluators = Collections.<RangerDataMaskPolicyItemEvaluator>emptyList();
rowFilterEvaluators = Collections.<RangerRowFilterPolicyItemEvaluator>emptyList();
conditionEvaluators = Collections.<RangerConditionEvaluator>emptyList();
}
RangerPolicyItemEvaluator.EvalOrderComparator comparator = new RangerPolicyItemEvaluator.EvalOrderComparator();
Collections.sort(allowEvaluators, comparator);
Collections.sort(denyEvaluators, comparator);
Collections.sort(allowExceptionEvaluators, comparator);
Collections.sort(denyExceptionEvaluators, comparator);
/* dataMask, rowFilter policyItems must be evaulated in the order given in the policy; hence no sort
Collections.sort(dataMaskEvaluators);
Collections.sort(rowFilterEvaluators);
*/
RangerPerfTracer.log(perf);
if (useAclSummaryForEvaluation && (policy.getPolicyType() == null || policy.getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
LOG.info("PolicyEvaluator for policy:[" + policy.getId() + "] is set up to use ACL Summary to evaluate access");
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.init()");
}
}
Example 15
| Source File: RangerDefaultPolicyEvaluator.java From ranger with Apache License 2.0 | 4 votes |
|
protected boolean isAccessAllowed(String user, Set<String> userGroups, Set<String> roles, String owner, String accessType) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + roles + ", " + owner + ", " + accessType + ")");
}
boolean ret = false;
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.isAccessAllowed(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + "," + perfTag + ")");
}
if (useAclSummaryForEvaluation && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Using ACL Summary for checking if access is allowed. PolicyId=[" + getId() +"]");
}
Integer accessResult = lookupPolicyACLSummary(user, userGroups, roles, accessType);
if (accessResult != null && accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED)) {
ret = true;
}
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("Using policyItemEvaluators for checking if access is allowed. PolicyId=[" + getId() +"]");
}
RangerPolicyItemEvaluator item = this.getDeterminingPolicyItem(user, userGroups, roles, owner, accessType);
if (item != null && item.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW) {
ret = true;
}
}
RangerPerfTracer.log(perf);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + roles + ", " + owner + ", " + accessType + "): " + ret);
}
return ret;
}
Example 16
| Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 4 votes |
|
List<PolicyEvaluatorForTag> getLikelyMatchPolicyEvaluators(Set<RangerTagForEval> tags, int policyType, Date accessTime) {
List<PolicyEvaluatorForTag> ret = Collections.EMPTY_LIST;
if (CollectionUtils.isNotEmpty(tags) && getServiceDef() != null) {
ret = new ArrayList<PolicyEvaluatorForTag>();
for (RangerTagForEval tag : tags) {
if (tag.isApplicable(accessTime)) {
RangerAccessResource resource = new RangerTagResource(tag.getType(), getServiceDef());
List<RangerPolicyEvaluator> evaluators = getLikelyMatchPolicyEvaluators(resource, policyType);
if (CollectionUtils.isNotEmpty(evaluators)) {
for (RangerPolicyEvaluator evaluator : evaluators) {
if (evaluator.isApplicable(accessTime)) {
ret.add(new PolicyEvaluatorForTag(evaluator, tag));
}
}
}
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("Tag:[" + tag.getType() + "] is not applicable at accessTime:[" + accessTime +"]");
}
}
}
if (CollectionUtils.isNotEmpty(ret)) {
switch (policyType) {
case RangerPolicy.POLICY_TYPE_ACCESS:
Collections.sort(ret, PolicyEvaluatorForTag.EVAL_ORDER_COMPARATOR);
break;
case RangerPolicy.POLICY_TYPE_DATAMASK:
Collections.sort(ret, PolicyEvaluatorForTag.NAME_COMPARATOR);
break;
case RangerPolicy.POLICY_TYPE_ROWFILTER:
Collections.sort(ret, PolicyEvaluatorForTag.NAME_COMPARATOR);
break;
default:
LOG.warn("Unknown policy-type:[" + policyType + "]. Ignoring..");
break;
}
}
}
return ret;
}
Example 17
| Source File: RangerPolicyDeltaUtil.java From ranger with Apache License 2.0 | 4 votes |
|
public static boolean isValidDeltas(List<RangerPolicyDelta> deltas, String componentServiceType) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> isValidDeltas(deltas=" + Arrays.toString(deltas.toArray()) + ", componentServiceType=" + componentServiceType +")");
}
boolean isValid = true;
for (RangerPolicyDelta delta : deltas) {
final Integer changeType = delta.getChangeType();
final Long policyId = delta.getPolicyId();
if (changeType == null) {
isValid = false;
break;
}
if (changeType != RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE
&& changeType != RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE
&& changeType != RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE) {
isValid = false;
} else if (policyId == null) {
isValid = false;
} else {
final String serviceType = delta.getServiceType();
final Integer policyType = delta.getPolicyType();
if (serviceType == null || (!serviceType.equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME) &&
!serviceType.equals(componentServiceType))) {
isValid = false;
} else if (policyType == null || (policyType != RangerPolicy.POLICY_TYPE_ACCESS
&& policyType != RangerPolicy.POLICY_TYPE_DATAMASK
&& policyType != RangerPolicy.POLICY_TYPE_ROWFILTER)) {
isValid = false;
}
}
if (!isValid) {
break;
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== isValidDeltas(deltas=" + Arrays.toString(deltas.toArray()) + ", componentServiceType=" + componentServiceType +"): " + isValid);
}
return isValid;
}
