RANGER-2652: refactor policy-engine - #2 (renames and whitespace updates)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index b24d37c..f7ca5e8 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -50,39 +50,46 @@
import org.apache.ranger.plugin.util.ServicePolicies;
public class PolicyEngine {
-
private static final Log LOG = LogFactory.getLog(PolicyEngine.class);
private static final Log PERF_POLICYENGINE_INIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.init");
private static final Log PERF_POLICYENGINE_REBALANCE_LOG = RangerPerfTracer.getPerfLogger("policyengine.rebalance");
- private boolean useForwardedIPAddress;
- private String[] trustedProxyAddresses;
-
- private final RangerPolicyRepository policyRepository;
- private final RangerPolicyRepository tagPolicyRepository;
-
+ private final RangerPolicyRepository policyRepository;
+ private final RangerPolicyRepository tagPolicyRepository;
+ private final List<RangerContextEnricher> allContextEnrichers;
+ private final RangerPluginContext pluginContext;
private final Map<String, RangerPolicyRepository> zonePolicyRepositories = new HashMap<>();
+ private final Map<String, RangerResourceTrie> resourceZoneTrie = new HashMap<>();
+ private final Map<String, String> zoneTagServiceMap = new HashMap<>();
+ private boolean useForwardedIPAddress;
+ private String[] trustedProxyAddresses;
+ private boolean isPreCleaned = false;
- private final List<RangerContextEnricher> allContextEnrichers;
-
- private final Map<String, RangerResourceTrie> resourceZoneTrie = new HashMap<>();
- private final Map<String, String> zoneTagServiceMap = new HashMap<>();
- private final RangerPluginContext pluginContext;
-
- private boolean isPreCleaned = false;
public boolean getUseForwardedIPAddress() {
return useForwardedIPAddress;
}
+ public void setUseForwardedIPAddress(boolean useForwardedIPAddress) {
+ this.useForwardedIPAddress = useForwardedIPAddress;
+ }
+
public String[] getTrustedProxyAddresses() {
return trustedProxyAddresses;
}
- public long getRoleVersion() { return this.pluginContext.getAuthContext().getRoleVersion(); }
+ public void setTrustedProxyAddresses(String[] trustedProxyAddresses) {
+ this.trustedProxyAddresses = trustedProxyAddresses;
+ }
- public void setRangerRoles(RangerRoles rangerRoles) { this.pluginContext.getAuthContext().setRangerRoles(rangerRoles); }
+ public long getRoleVersion() { return this.pluginContext.getAuthContext().getRoleVersion(); }
+
+ public void setRangerRoles(RangerRoles rangerRoles) { this.pluginContext.getAuthContext().setRangerRoles(rangerRoles); }
+
+ public String getServiceName() {
+ return policyRepository.getServiceName();
+ }
public RangerServiceDef getServiceDef() {
return policyRepository.getServiceDef();
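Review bot: setTrustedProxyAddresses() stores the caller's array by reference and getTrustedProxyAddresses() hands that same array back, so anyone holding either reference can alter the trusted-proxy list after the engine is built; these addresses presumably decide whose forwarded client IP is believed (they sit next to useForwardedIPAddress), so the list is worth protecting. A defensive copy on both sides keeps the interface unchanged: `this.trustedProxyAddresses = trustedProxyAddresses == null ? null : trustedProxyAddresses.clone();` and `return trustedProxyAddresses == null ? null : trustedProxyAddresses.clone();`. The same exposure applies to getZonePolicyRepositories() in the next hunk, which returns the live zonePolicyRepositories map; wrapping it with `Collections.unmodifiableMap(zonePolicyRepositories)` (adding a java.util.Collections import if the file lacks one) would close that if no caller mutates the map.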
@@ -100,34 +107,52 @@
return tagPolicyRepository;
}
+ public Map<String, RangerPolicyRepository> getZonePolicyRepositories() { return zonePolicyRepositories; }
+
public List<RangerContextEnricher> getAllContextEnrichers() { return allContextEnrichers; }
public RangerPluginContext getPluginContext() { return pluginContext; }
@Override
- public String toString( ) {
- StringBuilder sb = new StringBuilder();
-
- sb.append("PolicyEngine={");
-
- sb.append("serviceName={").append(this.getServiceName()).append("} ");
- sb.append(policyRepository);
-
- sb.append("}");
-
- return sb.toString();
+ public String toString() {
+ return toString(new StringBuilder()).toString();
}
@Override
protected void finalize() throws Throwable {
try {
cleanup();
- }
- finally {
+ } finally {
super.finalize();
}
}
+ public StringBuilder toString(StringBuilder sb) {
+ if (sb == null) {
+ sb = new StringBuilder();
+ }
+
+ sb.append("PolicyEngine={");
+
+ sb.append("serviceName={").append(this.getServiceName()).append("} ");
+
+ sb.append("policyRepository={");
+ if (policyRepository != null) {
+ policyRepository.toString(sb);
+ }
+ sb.append("} ");
+
+ sb.append("tagPolicyRepository={");
+ if (tagPolicyRepository != null) {
+ tagPolicyRepository.toString(sb);
+ }
+ sb.append("} ");
+
+ sb.append("}");
+
+ return sb;
+ }
+
public boolean compare(PolicyEngine other) {
boolean ret;
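Review bot: The new toString(StringBuilder) guards policyRepository and tagPolicyRepository against null before appending them, but the line just above, `sb.append("serviceName={").append(this.getServiceName()).append("} ");`, reaches policyRepository.getServiceName() unconditionally, so a null policyRepository would throw before the guard is ever reached. If policyRepository can be null here, use `.append(policyRepository != null ? policyRepository.getServiceName() : null)`; if it is always non-null (it is final and assigned in the constructors, which lie outside this hunk), the null check on policyRepository is dead and can go. The method's contract also deserves a one-line Javadoc, e.g. `/** Appends this engine's description to {@code sb} (a fresh builder when null) and returns it, so repositories can nest into a caller's builder. */`.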
@@ -147,9 +172,11 @@
if (ret) {
ret = Objects.equals(resourceZoneTrie.keySet(), other.resourceZoneTrie.keySet());
+
if (ret) {
for (Map.Entry<String, RangerResourceTrie> entry : resourceZoneTrie.entrySet()) {
ret = entry.getValue().compareSubtree(other.resourceZoneTrie.get(entry.getKey()));
+
if (!ret) {
break;
}
@@ -163,6 +190,7 @@
if (ret) {
for (Map.Entry<String, RangerPolicyRepository> entry : zonePolicyRepositories.entrySet()) {
ret = entry.getValue().compare(other.zonePolicyRepositories.get(entry.getKey()));
+
if (!ret) {
break;
}
@@ -173,49 +201,47 @@
return ret;
}
- public void setUseForwardedIPAddress(boolean useForwardedIPAddress) {
- this.useForwardedIPAddress = useForwardedIPAddress;
- }
-
- public void setTrustedProxyAddresses(String[] trustedProxyAddresses) {
- this.trustedProxyAddresses = trustedProxyAddresses;
- }
-
public List<RangerPolicy> getResourcePolicies(String zoneName) {
RangerPolicyRepository zoneResourceRepository = zonePolicyRepositories.get(zoneName);
+
return zoneResourceRepository == null ? ListUtils.EMPTY_LIST : zoneResourceRepository.getPolicies();
}
public RangerAccessResult createAccessResult(RangerAccessRequest request, int policyType) {
RangerAccessResult ret = new RangerAccessResult(policyType, getServiceName(), getPolicyRepository().getServiceDef(), request);
+
switch (getPolicyRepository().getAuditModeEnum()) {
case AUDIT_ALL:
ret.setIsAudited(true);
break;
+
case AUDIT_NONE:
ret.setIsAudited(false);
break;
+
default:
if (CollectionUtils.isEmpty(getPolicyRepository().getPolicies()) && getTagPolicyRepository() == null) {
ret.setIsAudited(true);
}
+
break;
}
return ret;
}
- public PolicyEngine(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext rangerPluginContext, RangerRoles rangerRoles) {
-
+ public PolicyEngine(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext pluginContext, RangerRoles roles) {
if (LOG.isDebugEnabled()) {
- LOG.debug("==> PolicyEngine(" + appId + ", " + servicePolicies + ", " + options + ", " + rangerPluginContext + ")");
+ LOG.debug("==> PolicyEngine(" + appId + ", " + servicePolicies + ", " + options + ", " + pluginContext + ")");
}
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.init(appId=" + appId + ",hashCode=" + Integer.toHexString(System.identityHashCode(this)) + ")");
- long freeMemory = Runtime.getRuntime().freeMemory();
+
+ long freeMemory = Runtime.getRuntime().freeMemory();
long totalMemory = Runtime.getRuntime().totalMemory();
+
PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (totalMemory - freeMemory) + ", Free memory:" + freeMemory);
}
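Review bot: getResourcePolicies(String) returns the raw `ListUtils.EMPTY_LIST` as a `List<RangerPolicy>`, an unchecked conversion the compiler warns on; `Collections.emptyList()` gives the same empty, unmodifiable list with the right element type and needs no commons-collections type (add a java.util.Collections import if the file has none). In createAccessResult, the default branch of the audit switch sets isAudited only when the repository has no policies and there is no tag repository; in every other case the result's audit flag is left at whatever RangerAccessResult initialises it to, which is not visible here. A short comment stating the intent would save the next reader a trip into RangerAccessResult, e.g. `// AUDIT_DEFAULT: leave isAudited for the matching policy evaluator to decide; audit unconditionally only when nothing can match` — if that is indeed the intent.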
@@ -223,11 +249,9 @@
options = new RangerPolicyEngineOptions();
}
- this.pluginContext = rangerPluginContext;
+ this.pluginContext = pluginContext;
- RangerAuthContext authContext = new RangerAuthContext(null);
- authContext.setRangerRoles(rangerRoles);
- this.pluginContext.setAuthContext(authContext);
+ this.pluginContext.setAuthContext(new RangerAuthContext(null, roles));
if(StringUtils.isBlank(options.evaluatorType) || StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO)) {
options.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
@@ -242,21 +266,21 @@
&& !StringUtils.isEmpty(tagPolicies.getServiceName())
&& tagPolicies.getServiceDef() != null
&& !CollectionUtils.isEmpty(tagPolicies.getPolicies())) {
-
if (LOG.isDebugEnabled()) {
LOG.debug("PolicyEngine : Building tag-policy-repository for tag-service " + tagPolicies.getServiceName());
}
+
tagPolicyRepository = new RangerPolicyRepository(appId, tagPolicies, options, this.pluginContext, servicePolicies.getServiceDef(), servicePolicies.getServiceName());
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("PolicyEngine : No tag-policy-repository for service " + servicePolicies.getServiceName());
}
+
tagPolicyRepository = null;
}
List<RangerContextEnricher> tmpList;
-
- List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers();
+ List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers();
List<RangerContextEnricher> resourceContextEnrichers = policyRepository.getContextEnrichers();
if (CollectionUtils.isEmpty(tagContextEnrichers)) {
@@ -265,6 +289,7 @@
tmpList = tagContextEnrichers;
} else {
tmpList = new ArrayList<>(tagContextEnrichers);
+
tmpList.addAll(resourceContextEnrichers);
}
@@ -272,8 +297,10 @@
if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
buildZoneTrie(servicePolicies);
+
for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> zone : servicePolicies.getSecurityZones().entrySet()) {
RangerPolicyRepository policyRepository = new RangerPolicyRepository(appId, servicePolicies, options, this.pluginContext, zone.getKey());
+
zonePolicyRepositories.put(zone.getKey(), policyRepository);
}
}
@@ -281,8 +308,9 @@
RangerPerfTracer.log(perf);
if (PERF_POLICYENGINE_INIT_LOG.isDebugEnabled()) {
- long freeMemory = Runtime.getRuntime().freeMemory();
+ long freeMemory = Runtime.getRuntime().freeMemory();
long totalMemory = Runtime.getRuntime().totalMemory();
+
PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (totalMemory - freeMemory) + ", Free memory:" + freeMemory);
}
@@ -295,18 +323,17 @@
if (LOG.isDebugEnabled()) {
LOG.debug("==> cloneWithDelta(" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + ", " + servicePolicies.getPolicyVersion() + ")");
}
- final PolicyEngine ret;
- RangerPerfTracer perf = null;
+ final PolicyEngine ret;
+ RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.cloneWithDelta()");
}
- RangerServiceDef serviceDef = this.getServiceDef();
- String serviceType = (serviceDef != null) ? serviceDef.getName() : "";
-
- boolean isValidDeltas = false;
+ RangerServiceDef serviceDef = this.getServiceDef();
+ String serviceType = (serviceDef != null) ? serviceDef.getName() : "";
+ boolean isValidDeltas = false;
if (CollectionUtils.isNotEmpty(servicePolicies.getPolicyDeltas()) || MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
isValidDeltas = CollectionUtils.isEmpty(servicePolicies.getPolicyDeltas()) || RangerPolicyDeltaUtil.isValidDeltas(servicePolicies.getPolicyDeltas(), serviceType);
@@ -318,6 +345,7 @@
if (LOG.isDebugEnabled()) {
LOG.debug("Invalid policy-deltas for security zone:[" + entry.getKey() + "]");
}
+
isValidDeltas = false;
break;
}
@@ -340,20 +368,13 @@
return ret;
}
- public String getServiceName() {
- return policyRepository.getServiceName();
- }
-
- public Map<String, RangerPolicyRepository> getZonePolicyRepositories() { return zonePolicyRepositories; }
-
public RangerPolicyRepository getRepositoryForMatchedZone(RangerAccessResource resource) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyEngine.getRepositoryForMatchedZone(" + resource + ")");
}
- String zoneName = getMatchedZoneName(resource);
-
- final RangerPolicyRepository ret = getRepositoryForZone(zoneName);
+ String zoneName = getMatchedZoneName(resource);
+ final RangerPolicyRepository ret = getRepositoryForZone(zoneName);
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyEngine.getRepositoryForMatchedZone(" + resource + ")");
@@ -367,9 +388,8 @@
LOG.debug("==> PolicyEngine.getRepositoryForMatchedZone(" + policy + ")");
}
- String zoneName = policy.getZoneName();
-
- final RangerPolicyRepository ret = getRepositoryForZone(zoneName);
+ String zoneName = policy.getZoneName();
+ final RangerPolicyRepository ret = getRepositoryForZone(zoneName);
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyEngine.getRepositoryForMatchedZone(" + policy + ")");
@@ -410,28 +430,30 @@
public boolean isResourceZoneAssociatedWithTagService(String resourceZoneName) {
final boolean ret;
+
if (StringUtils.isNotEmpty(resourceZoneName) && tagPolicyRepository != null && zoneTagServiceMap.get(resourceZoneName) != null) {
if (LOG.isDebugEnabled()) {
LOG.debug("Accessed resource is in a zone:[" + resourceZoneName + "] which is associated with the tag-service:[" + tagPolicyRepository.getServiceName() + "]");
}
+
ret = true;
} else {
ret = false;
}
+
return ret;
}
public void preCleanup() {
-
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyEngine.preCleanup()");
}
if (!isPreCleaned) {
-
if (policyRepository != null) {
policyRepository.preCleanup();
}
+
if (tagPolicyRepository != null) {
tagPolicyRepository.preCleanup();
}
@@ -441,6 +463,7 @@
entry.getValue().preCleanup();
}
}
+
isPreCleaned = true;
} else {
if (LOG.isDebugEnabled()) {
@@ -453,10 +476,6 @@
}
}
- List<RangerPolicy> getResourcePolicies() { return policyRepository == null ? ListUtils.EMPTY_LIST : policyRepository.getPolicies(); }
-
- List<RangerPolicy> getTagPolicies() { return tagPolicyRepository == null ? ListUtils.EMPTY_LIST : tagPolicyRepository.getPolicies(); }
-
private String getMatchedZoneName(Map<String, ?> resource, RangerAccessResource accessResource) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyEngine.getMatchedZoneName(" + resource + ", " + accessResource + ")");
@@ -465,28 +484,28 @@
String ret = null;
if (MapUtils.isNotEmpty(this.resourceZoneTrie)) {
-
List<List<RangerZoneResourceMatcher>> zoneMatchersList = null;
List<RangerZoneResourceMatcher> smallestList = null;
for (Map.Entry<String, ?> entry : resource.entrySet()) {
- String resourceDefName = entry.getKey();
- Object resourceValues = entry.getValue();
-
- RangerResourceTrie<RangerZoneResourceMatcher> trie = resourceZoneTrie.get(resourceDefName);
+ String resourceDefName = entry.getKey();
+ Object resourceValues = entry.getValue();
+ RangerResourceTrie<RangerZoneResourceMatcher> trie = resourceZoneTrie.get(resourceDefName);
if (trie == null) {
continue;
}
- List<RangerZoneResourceMatcher> matchedZones = trie.getEvaluatorsForResource(resourceValues);
+ List<RangerZoneResourceMatcher> matchedZones = trie.getEvaluatorsForResource(resourceValues);
if (LOG.isDebugEnabled()) {
LOG.debug("ResourceDefName:[" + resourceDefName + "], values:[" + resourceValues + "], matched-zones:[" + matchedZones + "]");
}
+
if (CollectionUtils.isEmpty(matchedZones)) { // no policies for this resource, bail out
zoneMatchersList = null;
smallestList = null;
+
break;
}
@@ -495,8 +514,10 @@
} else {
if (zoneMatchersList == null) {
zoneMatchersList = new ArrayList<>();
+
zoneMatchersList.add(smallestList);
}
+
zoneMatchersList.add(matchedZones);
if (smallestList.size() > matchedZones.size()) {
@@ -505,15 +526,16 @@
}
}
if (smallestList != null) {
-
final List<RangerZoneResourceMatcher> intersection;
if (zoneMatchersList != null) {
intersection = new ArrayList<>(smallestList);
+
for (List<RangerZoneResourceMatcher> zoneMatchers : zoneMatchersList) {
if (zoneMatchers != smallestList) {
// remove zones from intersection that are not in zoneMatchers
intersection.retainAll(zoneMatchers);
+
if (CollectionUtils.isEmpty(intersection)) { // if no zoneMatcher exists, bail out and return empty list
break;
}
@@ -534,11 +556,13 @@
if (LOG.isDebugEnabled()) {
LOG.debug("Trying to match resource:[" + accessResource + "] using zoneMatcher:[" + zoneMatcher + "]");
}
+
// These are potential matches. Try to really match them
if (zoneMatcher.getPolicyResourceMatcher().isMatch(accessResource, RangerPolicyResourceMatcher.MatchScope.ANY, null)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Matched resource:[" + accessResource + "] using zoneMatcher:[" + zoneMatcher + "]");
}
+
// Actual match happened
matchedZoneNames.add(zoneMatcher.getSecurityZoneName());
} else {
@@ -547,11 +571,16 @@
}
}
}
- LOG.info("The following zone-names matched resource:[" + accessResource + "]: " + matchedZoneNames);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("The following zone-names matched resource:[" + accessResource + "]: " + matchedZoneNames);
+ }
if (matchedZoneNames.size() == 1) {
String[] zones = new String[1];
+
matchedZoneNames.toArray(zones);
+
ret = zones[0];
} else {
LOG.error("Internal error, multiple zone-names are matched. The following zone-names matched resource:[" + resource + "]: " + matchedZoneNames);
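Review bot: The multiple-match error logs `resource` while the debug line added just above logs `accessResource`, so the two messages for the same lookup describe the resource in different forms; `LOG.error("Internal error, multiple zone-names are matched. The following zone-names matched resource:[" + accessResource + "]: " + matchedZoneNames);` keeps them consistent. Downgrading the matched-zone message from info to debug is reasonable for per-request volume, but it means the zone a request was routed to is no longer recorded at default log levels, and that zone decides which policy repository evaluates the request — worth confirming elsewhere that the audit record still carries it. In the multiple-match case `ret` appears to stay null (it is initialised by `String ret = null;` in an earlier hunk and the else branch continues past this one), so a comment on what a null zone means to the caller would help. getMatchedZoneName starts and ends outside this hunk.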
@@ -559,14 +588,15 @@
}
}
}
+
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyEngine.getMatchedZoneName(" + resource + ", " + accessResource + ") : " + ret);
}
+
return ret;
}
private RangerAccessResource convertToAccessResource(Map<String, ?> resource) {
-
RangerAccessResourceImpl ret = new RangerAccessResourceImpl();
ret.setServiceDef(getServiceDef());
@@ -579,7 +609,6 @@
}
private RangerPolicyRepository getRepositoryForZone(String zoneName) {
-
final RangerPolicyRepository ret;
if (LOG.isDebugEnabled()) {
@@ -595,29 +624,25 @@
if (ret == null) {
LOG.error("policyRepository for zoneName:[" + zoneName + "], serviceName:[" + getServiceName() + "], policyVersion:[" + getPolicyVersion() + "] is null!! ERROR!");
}
+
return ret;
}
private PolicyEngine(final PolicyEngine other, ServicePolicies servicePolicies) {
-
- long policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion() : -1L;
-
this.useForwardedIPAddress = other.useForwardedIPAddress;
this.trustedProxyAddresses = other.trustedProxyAddresses;
+ this.pluginContext = other.pluginContext;
- this.pluginContext = other.pluginContext;
-
- List<RangerPolicyDelta> defaultZoneDeltas = new ArrayList<>();
+ long policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion() : -1L;
+ List<RangerPolicyDelta> defaultZoneDeltas = new ArrayList<>();
List<RangerPolicyDelta> defaultZoneDeltasForTagPolicies = new ArrayList<>();
if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
-
buildZoneTrie(servicePolicies);
Map<String, List<RangerPolicyDelta>> zoneDeltasMap = new HashMap<>();
for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> zone : servicePolicies.getSecurityZones().entrySet()) {
-
List<RangerPolicyDelta> deltas = zone.getValue().getPolicyDeltas();
for (RangerPolicyDelta delta : deltas) {
@@ -625,10 +650,12 @@
if (StringUtils.isNotEmpty(zoneName)) {
List<RangerPolicyDelta> zoneDeltas = zoneDeltasMap.get(zoneName);
+
if (zoneDeltas == null) {
zoneDeltas = new ArrayList<>();
zoneDeltasMap.put(zoneName, zoneDeltas);
}
+
zoneDeltas.add(delta);
} else {
LOG.warn("policyDelta : [" + delta + "] does not belong to any zone. Should not have come here.");
@@ -637,15 +664,15 @@
}
for (Map.Entry<String, List<RangerPolicyDelta>> entry : zoneDeltasMap.entrySet()) {
- final String zoneName = entry.getKey();
- List<RangerPolicyDelta> zoneDeltas = entry.getValue();
-
- RangerPolicyRepository otherRepository = other.zonePolicyRepositories.get(zoneName);
- final RangerPolicyRepository policyRepository;
+ final String zoneName = entry.getKey();
+ final List<RangerPolicyDelta> zoneDeltas = entry.getValue();
+ final RangerPolicyRepository otherRepository = other.zonePolicyRepositories.get(zoneName);
+ final RangerPolicyRepository policyRepository;
if (CollectionUtils.isNotEmpty(zoneDeltas)) {
if (otherRepository == null) {
List<RangerPolicy> policies = new ArrayList<>();
+
for (RangerPolicyDelta delta : zoneDeltas) {
if (delta.getChangeType() == RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE) {
policies.add(delta.getPolicy());
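Review bot: The local `final RangerPolicyRepository policyRepository;` shadows the field of the same name inside the copy constructor, so a bare `policyRepository` means one thing in this loop and another (the field, as in `policyRepository.getContextEnrichers()` later in the constructor) once the loop ends; the public constructor has the same shadowing at `RangerPolicyRepository policyRepository = new RangerPolicyRepository(appId, servicePolicies, options, this.pluginContext, zone.getKey());` in an earlier hunk. Renaming both locals to `zoneRepository` removes the ambiguity without changing behaviour. The enclosing constructor starts and ends outside this hunk.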
@@ -653,6 +680,7 @@
LOG.warn("Expected changeType:[" + RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE + "], found policy-change-delta:[" + delta +"]");
}
}
+
servicePolicies.getSecurityZones().get(zoneName).setPolicies(policies);
policyRepository = new RangerPolicyRepository(other.policyRepository.getAppId(), servicePolicies, other.policyRepository.getOptions(), this.pluginContext, zoneName);
@@ -687,6 +715,7 @@
if (other.tagPolicyRepository == null) {
// Only creates are expected
List<RangerPolicy> tagPolicies = new ArrayList<>();
+
for (RangerPolicyDelta delta : defaultZoneDeltasForTagPolicies) {
if (delta.getChangeType() == RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE) {
tagPolicies.add(delta.getPolicy());
@@ -694,7 +723,9 @@
LOG.warn("Expected changeType:[" + RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE + "], found policy-change-delta:[" + delta + "]");
}
}
+
servicePolicies.getTagPolicies().setPolicies(tagPolicies);
+
this.tagPolicyRepository = new RangerPolicyRepository(other.policyRepository.getAppId(), servicePolicies.getTagPolicies(), other.policyRepository.getOptions(), this.pluginContext, servicePolicies.getServiceDef(), servicePolicies.getServiceName());
} else {
this.tagPolicyRepository = new RangerPolicyRepository(other.tagPolicyRepository, defaultZoneDeltasForTagPolicies, policyVersion);
@@ -704,8 +735,7 @@
}
List<RangerContextEnricher> tmpList;
-
- List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers();
+ List<RangerContextEnricher> tagContextEnrichers = tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers();
List<RangerContextEnricher> resourceContextEnrichers = policyRepository.getContextEnrichers();
if (CollectionUtils.isEmpty(tagContextEnrichers)) {
@@ -714,12 +744,13 @@
tmpList = tagContextEnrichers;
} else {
tmpList = new ArrayList<>(tagContextEnrichers);
+
tmpList.addAll(resourceContextEnrichers);
}
+
this.allContextEnrichers = tmpList;
reorderPolicyEvaluators();
-
}
private void buildZoneTrie(ServicePolicies servicePolicies) {
@@ -742,7 +773,6 @@
}
for (Map<String, List<String>> resource : zoneDetails.getResources()) {
-
if (LOG.isDebugEnabled()) {
LOG.debug("Building matcher for resource:[" + resource + "] in zone:[" + zoneName +"]");
}
@@ -750,10 +780,9 @@
Map<String, RangerPolicy.RangerPolicyResource> policyResources = new HashMap<>();
for (Map.Entry<String, List<String>> entry : resource.entrySet()) {
- String resourceDefName = entry.getKey();
- List<String> resourceValues = entry.getValue();
-
- RangerPolicy.RangerPolicyResource policyResource = new RangerPolicy.RangerPolicyResource();
+ String resourceDefName = entry.getKey();
+ List<String> resourceValues = entry.getValue();
+ RangerPolicy.RangerPolicyResource policyResource = new RangerPolicy.RangerPolicyResource();
policyResource.setIsExcludes(false);
policyResource.setIsRecursive(StringUtils.equals(serviceDef.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HDFS_NAME));
@@ -784,7 +813,6 @@
for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) {
resourceZoneTrie.put(resourceDef.getName(), new RangerResourceTrie<>(resourceDef, matchers));
}
-
}
if (LOG.isDebugEnabled()) {
@@ -796,12 +824,14 @@
if (other != null) {
other.setShared();
}
+
return other;
}
private void reorderPolicyEvaluators() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> reorderEvaluators()");
}
+
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REBALANCE_LOG)) {
@@ -823,7 +853,6 @@
}
private void cleanup() {
-
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyEngine.cleanup()");
}
@@ -833,11 +862,13 @@
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.cleanUp(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + ")");
}
+
preCleanup();
if (policyRepository != null) {
policyRepository.cleanup();
}
+
if (tagPolicyRepository != null) {
tagPolicyRepository.cleanup();
}
@@ -854,6 +885,5 @@
LOG.debug("<== PolicyEngine.cleanup()");
}
}
-
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestProcessor.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestProcessor.java
index a683699..a213b36 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestProcessor.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestProcessor.java
@@ -20,9 +20,7 @@
package org.apache.ranger.plugin.policyengine;
public interface RangerAccessRequestProcessor {
-
void preProcess(RangerAccessRequest request);
default void enrich(RangerAccessRequest request) {}
-
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index afe6683..5709fd8 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -20,6 +20,7 @@
package org.apache.ranger.plugin.policyengine;
import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.ListUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -57,22 +58,27 @@
private final PolicyEngine policyEngine;
private final RangerAccessRequestProcessor requestProcessor;
+
static public RangerPolicyEngine getPolicyEngine(final RangerPolicyEngineImpl other, final ServicePolicies servicePolicies) {
RangerPolicyEngine ret = null;
if (other != null && servicePolicies != null) {
PolicyEngine policyEngine = other.policyEngine.cloneWithDelta(servicePolicies);
+
if (policyEngine != null) {
ret = new RangerPolicyEngineImpl(policyEngine);
}
}
+
return ret;
}
- public RangerPolicyEngineImpl(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext rangerPluginContext, RangerRoles rangerRoles) {
- policyEngine = new PolicyEngine(appId, servicePolicies, options, rangerPluginContext, rangerRoles);
- policyEngine.getPluginContext().getAuthContext().setRangerRoles(rangerRoles);
- this.requestProcessor = new RangerDefaultRequestProcessor(policyEngine);
+ public RangerPolicyEngineImpl(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext pluginContext, RangerRoles roles) {
+ policyEngine = new PolicyEngine(appId, servicePolicies, options, pluginContext, roles);
+
+ policyEngine.getPluginContext().getAuthContext().setRangerRoles(roles);
+
+ requestProcessor = new RangerDefaultRequestProcessor(policyEngine);
}
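Review bot: `policyEngine.getPluginContext().getAuthContext().setRangerRoles(roles);` is now redundant: the PolicyEngine constructor in this same commit installs `new RangerAuthContext(null, roles)` on the plugin context, so the roles are set twice from the same argument. Dropping the line, or adding a comment explaining why a second assignment is needed if the auth context can be replaced in between, keeps a single source of truth for which roles the engine evaluates against. The clone path in getPolicyEngine needs nothing extra, since cloneWithDelta's private constructor copies pluginContext from the other engine.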
@Override
@@ -85,22 +91,27 @@
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.evaluatePolicies(" + request + ", policyType=" + policyType + ")");
}
+
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
String requestHashCode = Integer.toHexString(System.identityHashCode(request)) + "_" + policyType;
+
perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.evaluatePolicies(requestHashCode=" + requestHashCode + ")");
+
LOG.info("RangerPolicyEngineImpl.evaluatePolicies(" + requestHashCode + ", " + request + ")");
}
+
requestProcessor.preProcess(request);
RangerAccessResult ret = zoneAwareAccessEvaluationWithNoAudit(request, policyType);
if (resultProcessor != null) {
-
RangerPerfTracer perfAuditTracer = null;
+
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_AUDIT_LOG)) {
String requestHashCode = Integer.toHexString(System.identityHashCode(request)) + "_" + policyType;
+
perfAuditTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_AUDIT_LOG, "RangerPolicyEngine.processAudit(requestHashCode=" + requestHashCode + ")");
}
@@ -154,7 +165,6 @@
}
RangerResourceACLs ret = new RangerResourceACLs();
-
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_GET_ACLS_LOG)) {
@@ -180,13 +190,11 @@
if (matchedRepository == null) {
LOG.error("policyRepository for zoneName:[" + zoneName + "], serviceName:[" + policyEngine.getPolicyRepository().getServiceName() + "], policyVersion:[" + getPolicyVersion() + "] is null!! ERROR!");
} else {
-
- List<RangerPolicyEvaluator> allEvaluators = new ArrayList<>();
- Map<Long, RangerPolicyResourceMatcher.MatchType> tagMatchTypeMap = null;
- Set<Long> policyIdForTemporalTags = null;
-
- Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
- List<PolicyEvaluatorForTag> tagPolicyEvaluators = policyEngine.getTagPolicyRepository() == null ? null : policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(tags, RangerPolicy.POLICY_TYPE_ACCESS, null);
+ List<RangerPolicyEvaluator> allEvaluators = new ArrayList<>();
+ Map<Long, RangerPolicyResourceMatcher.MatchType> tagMatchTypeMap = null;
+ Set<Long> policyIdForTemporalTags = null;
+ Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
+ List<PolicyEvaluatorForTag> tagPolicyEvaluators = policyEngine.getTagPolicyRepository() == null ? null : policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(tags, RangerPolicy.POLICY_TYPE_ACCESS, null);
if (CollectionUtils.isNotEmpty(tagPolicyEvaluators)) {
tagMatchTypeMap = new HashMap<>();
@@ -194,13 +202,15 @@
final boolean useTagPoliciesFromDefaultZone = !policyEngine.isResourceZoneAssociatedWithTagService(zoneName);
for (PolicyEvaluatorForTag tagEvaluator : tagPolicyEvaluators) {
- RangerPolicyEvaluator evaluator = tagEvaluator.getEvaluator();
- String policyZoneName = evaluator.getPolicy().getZoneName();
+ RangerPolicyEvaluator evaluator = tagEvaluator.getEvaluator();
+ String policyZoneName = evaluator.getPolicy().getZoneName();
+
if (useTagPoliciesFromDefaultZone) {
if (StringUtils.isNotEmpty(policyZoneName)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to default zone. Not evaluating this policy:[" + evaluator.getPolicy() + "]");
}
+
continue;
}
} else {
@@ -208,9 +218,11 @@
if (LOG.isDebugEnabled()) {
LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to the zone:[" + zoneName + "] of the accessed resource. Not evaluating this policy:[" + evaluator.getPolicy() + "]");
}
+
continue;
}
}
+
RangerTagForEval tag = tagEvaluator.getTag();
allEvaluators.add(evaluator);
@@ -267,10 +279,9 @@
PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary();
if (aclSummary != null) {
-
boolean isConditional = (policyIdForTemporalTags != null && policyIdForTemporalTags.contains(evaluator.getId())) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
-
Integer accessResult;
+
for (Map.Entry<String, Map<String, PolicyACLSummary.AccessResult>> userAccessInfo : aclSummary.getUsersAccessInfo().entrySet()) {
final String userName = userAccessInfo.getKey();
@@ -279,11 +290,14 @@
accessResult = ACCESS_CONDITIONAL;
} else {
accessResult = accessInfo.getValue().getResult();
+
if (accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
accessResult = RangerPolicyEvaluator.ACCESS_DENIED;
}
}
+
RangerPolicy policy = evaluator.getPolicy();
+
ret.setUserAccessInfo(userName, accessInfo.getKey(), accessResult, policy);
}
}
@@ -296,11 +310,14 @@
accessResult = ACCESS_CONDITIONAL;
} else {
accessResult = accessInfo.getValue().getResult();
+
if (accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
accessResult = RangerPolicyEvaluator.ACCESS_DENIED;
}
}
+
RangerPolicy policy = evaluator.getPolicy();
+
ret.setGroupAccessInfo(groupName, accessInfo.getKey(), accessResult, policy);
}
}
@@ -313,11 +330,14 @@
accessResult = ACCESS_CONDITIONAL;
} else {
accessResult = accessInfo.getValue().getResult();
+
if (accessResult.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
accessResult = RangerPolicyEvaluator.ACCESS_DENIED;
}
}
+
RangerPolicy policy = evaluator.getPolicy();
+
ret.setRoleAccessInfo(roleName, accessInfo.getKey(), accessResult, policy);
}
}
@@ -346,9 +366,8 @@
requestProcessor.preProcess(request);
- RangerResourceAccessInfo ret = new RangerResourceAccessInfo(request);
-
- String zoneName = policyEngine.getMatchedZoneName(request.getResource());
+ RangerResourceAccessInfo ret = new RangerResourceAccessInfo(request);
+ String zoneName = policyEngine.getMatchedZoneName(request.getResource());
if (LOG.isDebugEnabled()) {
LOG.debug("zoneName:[" + zoneName + "]");
@@ -365,29 +384,27 @@
if (matchedRepository == null) {
LOG.error("policyRepository for zoneName:[" + zoneName + "], serviceName:[" + policyEngine.getPolicyRepository().getServiceName() + "], policyVersion:[" + getPolicyVersion() + "] is null!! ERROR!");
} else {
-
List<RangerPolicyEvaluator> tagPolicyEvaluators = policyEngine.getTagPolicyRepository() == null ? null : policyEngine.getTagPolicyRepository().getPolicyEvaluators();
if (CollectionUtils.isNotEmpty(tagPolicyEvaluators)) {
-
Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
if (CollectionUtils.isNotEmpty(tags)) {
-
final boolean useTagPoliciesFromDefaultZone = !policyEngine.isResourceZoneAssociatedWithTagService(zoneName);
for (RangerTagForEval tag : tags) {
- RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, policyEngine.getTagPolicyRepository().getServiceDef(), request);
-
- List<RangerPolicyEvaluator> evaluators = policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(tagEvalRequest.getResource(), RangerPolicy.POLICY_TYPE_ACCESS);
+ RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, policyEngine.getTagPolicyRepository().getServiceDef(), request);
+ List<RangerPolicyEvaluator> evaluators = policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(tagEvalRequest.getResource(), RangerPolicy.POLICY_TYPE_ACCESS);
for (RangerPolicyEvaluator evaluator : evaluators) {
String policyZoneName = evaluator.getPolicy().getZoneName();
+
if (useTagPoliciesFromDefaultZone) {
if (StringUtils.isNotEmpty(policyZoneName)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to default zone. Not evaluating this policy:[" + evaluator.getPolicy() + "]");
}
+
continue;
}
} else {
@@ -395,9 +412,11 @@
if (LOG.isDebugEnabled()) {
LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to the zone:[" + zoneName + "] of the accessed resource. Not evaluating this policy:[" + evaluator.getPolicy() + "]");
}
+
continue;
}
}
+
evaluator.getResourceAccessInfo(tagEvalRequest, ret);
}
}
@@ -478,19 +497,25 @@
@Override
public List<RangerPolicy> getResourcePolicies() {
- return policyEngine.getResourcePolicies();
+ RangerPolicyRepository policyRepository = policyEngine.getPolicyRepository();
+
+ return policyRepository == null ? ListUtils.EMPTY_LIST : policyRepository.getPolicies();
}
@Override
public List<RangerPolicy> getTagPolicies() {
- return policyEngine.getTagPolicies();
+ RangerPolicyRepository tagPolicyRepository = policyEngine.getTagPolicyRepository();
+
+ return tagPolicyRepository == null ? ListUtils.EMPTY_LIST : tagPolicyRepository.getPolicies();
}
public void releaseResources() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl.releaseResources()");
}
+
PolicyEngine policyEngine = this.policyEngine;
+
if (policyEngine != null) {
policyEngine.preCleanup();
} else {
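Review bot: `ListUtils.EMPTY_LIST` on the new return lines of `getResourcePolicies()` and `getTagPolicies()` is a raw `List`, so returning it from a `List<RangerPolicy>` method relies on an unchecked conversion; `Collections.emptyList()` is the type-safe equivalent and removes the commons-collections dependency from these two methods: `return policyRepository == null ? Collections.emptyList() : policyRepository.getPolicies();` (with `java.util.Collections` added to the import block if it is not already there). Both methods also hand out whatever `getPolicies()` returns without a copy or unmodifiable wrapper, so a caller that mutates the result would presumably alter the repository's own policy list — confirm what `getPolicies()` returns before relying on that.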
@@ -498,6 +523,7 @@
LOG.debug("Cannot preCleanup policy-engine as it is null!");
}
}
+
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.releaseResources()");
}
@@ -508,7 +534,7 @@
}
private RangerPolicyEngineImpl(final PolicyEngine policyEngine) {
- this.policyEngine = policyEngine;
+ this.policyEngine = policyEngine;
this.requestProcessor = new RangerDefaultRequestProcessor(policyEngine);
}
@@ -517,13 +543,10 @@
LOG.debug("==> RangerPolicyEngineImpl.zoneAwareAccessEvaluationWithNoAudit(" + request + ", policyType =" + policyType + ")");
}
- RangerAccessResult ret = null;
-
- RangerPolicyRepository policyRepository = policyEngine.getPolicyRepository();
+ RangerAccessResult ret = null;
+ RangerPolicyRepository policyRepository = policyEngine.getPolicyRepository();
RangerPolicyRepository tagPolicyRepository = policyEngine.getTagPolicyRepository();
-
- // Evaluate zone-name from request
- String zoneName = policyEngine.getMatchedZoneName(request.getResource());
+ String zoneName = policyEngine.getMatchedZoneName(request.getResource()); // Evaluate zone-name from request
if (LOG.isDebugEnabled()) {
LOG.debug("zoneName:[" + zoneName + "]");
@@ -536,15 +559,17 @@
LOG.error("policyRepository for zoneName:[" + zoneName + "], serviceName:[" + policyEngine.getPolicyRepository().getServiceName() + "], policyVersion:[" + getPolicyVersion() + "] is null!! ERROR!");
}
}
+
if (policyRepository != null) {
ret = evaluatePoliciesNoAudit(request, policyType, zoneName, policyRepository, tagPolicyRepository);
+
ret.setZoneName(zoneName);
}
-
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.zoneAwareAccessEvaluationWithNoAudit(" + request + ", policyType =" + policyType + "): " + ret);
}
+
return ret;
}
@@ -553,9 +578,8 @@
LOG.debug("==> RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ")");
}
- Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date();
- RangerAccessResult ret = policyEngine.createAccessResult(request, policyType);
-
+ Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date();
+ RangerAccessResult ret = policyEngine.createAccessResult(request, policyType);
evaluateTagPolicies(request, policyType, zoneName, tagPolicyRepository, ret);
@@ -575,7 +599,7 @@
if (evaluateResourcePolicies) {
boolean findAuditByResource = !ret.getIsAuditedDetermined();
- boolean foundInCache = findAuditByResource && policyRepository.setAuditEnabledFromCache(request, ret);
+ boolean foundInCache = findAuditByResource && policyRepository.setAuditEnabledFromCache(request, ret);
ret.setIsAccessDetermined(false); // discard result by tag-policies, to evaluate resource policies for possible override
@@ -640,24 +664,23 @@
LOG.debug("==> RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ", " + result + ")");
}
- Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date();
-
- Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
-
+ Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date();
+ Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
List<PolicyEvaluatorForTag> policyEvaluators = tagPolicyRepository == null ? null : tagPolicyRepository.getLikelyMatchPolicyEvaluators(tags, policyType, accessTime);
if (CollectionUtils.isNotEmpty(policyEvaluators)) {
final boolean useTagPoliciesFromDefaultZone = !policyEngine.isResourceZoneAssociatedWithTagService(zoneName);
for (PolicyEvaluatorForTag policyEvaluator : policyEvaluators) {
- RangerPolicyEvaluator evaluator = policyEvaluator.getEvaluator();
+ RangerPolicyEvaluator evaluator = policyEvaluator.getEvaluator();
+ String policyZoneName = evaluator.getPolicy().getZoneName();
- String policyZoneName = evaluator.getPolicy().getZoneName();
if (useTagPoliciesFromDefaultZone) {
if (StringUtils.isNotEmpty(policyZoneName)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to default zone. Not evaluating this policy:[" + evaluator.getPolicy() + "]");
}
+
continue;
}
} else {
@@ -665,14 +688,14 @@
if (LOG.isDebugEnabled()) {
LOG.debug("Tag policy [zone:" + policyZoneName + "] does not belong to the zone:[" + zoneName + "] of the accessed resource. Not evaluating this policy:[" + evaluator.getPolicy() + "]");
}
+
continue;
}
}
- RangerTagForEval tag = policyEvaluator.getTag();
-
+ RangerTagForEval tag = policyEvaluator.getTag();
RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
- RangerAccessResult tagEvalResult = policyEngine.createAccessResult(tagEvalRequest, policyType);
+ RangerAccessResult tagEvalResult = policyEngine.createAccessResult(tagEvalRequest, policyType);
if (LOG.isDebugEnabled()) {
LOG.debug("RangerPolicyEngineImpl.evaluateTagPolicies: Evaluating policies for tag (" + tag.getType() + ")");
@@ -710,6 +733,7 @@
}
}
}
+
if (result.getIsAllowed()) {
result.setIsAccessDetermined(true);
}
@@ -718,5 +742,4 @@
LOG.debug("<== RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ", " + result + ")");
}
}
-
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 28b441a..e583fa1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -56,7 +56,7 @@
private static final Log LOG = LogFactory.getLog(RangerPolicyRepository.class);
private static final Log PERF_CONTEXTENRICHER_INIT_LOG = RangerPerfTracer.getPerfLogger("contextenricher.init");
- private static final Log PERF_TRIE_OP_LOG = RangerPerfTracer.getPerfLogger("resourcetrie.retrieval");
+ private static final Log PERF_TRIE_OP_LOG = RangerPerfTracer.getPerfLogger("resourcetrie.retrieval");
enum AuditModeEnum {
AUDIT_ALL, AUDIT_NONE, AUDIT_DEFAULT
@@ -78,50 +78,48 @@
}
}
- private final String serviceName;
- private final String zoneName;
- private final String appId;
- private final RangerPolicyEngineOptions options;
- private final RangerPluginContext pluginContext;
- private final RangerServiceDef serviceDef;
- private final List<RangerPolicy> policies;
- private final long policyVersion;
- private final List<RangerContextEnricher> contextEnrichers;
- private List<RangerPolicyEvaluator> policyEvaluators;
- private List<RangerPolicyEvaluator> dataMaskPolicyEvaluators;
- private List<RangerPolicyEvaluator> rowFilterPolicyEvaluators;
- private Map<Long, RangerPolicyEvaluator> policyEvaluatorsMap;
- private final AuditModeEnum auditModeEnum;
- private final Map<String, AuditInfo> accessAuditCache;
-
- private final String componentServiceName;
- private final RangerServiceDef componentServiceDef;
+ private final String serviceName;
+ private final String zoneName;
+ private final String appId;
+ private final RangerPolicyEngineOptions options;
+ private final RangerPluginContext pluginContext;
+ private final RangerServiceDef serviceDef;
+ private final List<RangerPolicy> policies;
+ private final long policyVersion;
+ private final List<RangerContextEnricher> contextEnrichers;
+ private final AuditModeEnum auditModeEnum;
+ private final Map<String, AuditInfo> accessAuditCache;
+ private final String componentServiceName;
+ private final RangerServiceDef componentServiceDef;
private final Map<String, RangerResourceTrie> policyResourceTrie;
private final Map<String, RangerResourceTrie> dataMaskResourceTrie;
private final Map<String, RangerResourceTrie> rowFilterResourceTrie;
-
- private boolean isContextEnrichersShared = false;
- private boolean isPreCleaned = false;
+ private List<RangerPolicyEvaluator> policyEvaluators;
+ private List<RangerPolicyEvaluator> dataMaskPolicyEvaluators;
+ private List<RangerPolicyEvaluator> rowFilterPolicyEvaluators;
+ private Map<Long, RangerPolicyEvaluator> policyEvaluatorsMap;
+ private boolean isContextEnrichersShared = false;
+ private boolean isPreCleaned = false;
RangerPolicyRepository(final RangerPolicyRepository other, final List<RangerPolicyDelta> deltas, long policyVersion) {
-
- this.serviceName = other.serviceName;
- this.zoneName = other.zoneName;
- this.appId = other.appId;
- this.options = other.options;
- this.pluginContext = other.pluginContext;
- this.serviceDef = other.serviceDef;
- this.policies = new ArrayList<>(other.policies);
- this.policyEvaluators = new ArrayList<>(other.policyEvaluators);
- this.dataMaskPolicyEvaluators = new ArrayList<>(other.dataMaskPolicyEvaluators);
+ this.serviceName = other.serviceName;
+ this.zoneName = other.zoneName;
+ this.appId = other.appId;
+ this.options = other.options;
+ this.pluginContext = other.pluginContext;
+ this.serviceDef = other.serviceDef;
+ this.policies = new ArrayList<>(other.policies);
+ this.policyEvaluators = new ArrayList<>(other.policyEvaluators);
+ this.dataMaskPolicyEvaluators = new ArrayList<>(other.dataMaskPolicyEvaluators);
this.rowFilterPolicyEvaluators = new ArrayList<>(other.rowFilterPolicyEvaluators);
- this.auditModeEnum = other.auditModeEnum;
- this.componentServiceName = other.componentServiceName;
- this.componentServiceDef = other.componentServiceDef;
- this.policyEvaluatorsMap = new HashMap<>(other.policyEvaluatorsMap);
+ this.auditModeEnum = other.auditModeEnum;
+ this.componentServiceName = other.componentServiceName;
+ this.componentServiceDef = other.componentServiceDef;
+ this.policyEvaluatorsMap = new HashMap<>(other.policyEvaluatorsMap);
if (other.policyResourceTrie != null) {
this.policyResourceTrie = new HashMap<>();
+
for (Map.Entry<String, RangerResourceTrie> entry : other.policyResourceTrie.entrySet()) {
policyResourceTrie.put(entry.getKey(), new RangerResourceTrie(entry.getValue()));
}
@@ -131,6 +129,7 @@
if (other.dataMaskResourceTrie != null) {
this.dataMaskResourceTrie = new HashMap<>();
+
for (Map.Entry<String, RangerResourceTrie> entry : other.dataMaskResourceTrie.entrySet()) {
dataMaskResourceTrie.put(entry.getKey(), new RangerResourceTrie(entry.getValue()));
}
@@ -140,6 +139,7 @@
if (other.rowFilterResourceTrie != null) {
this.rowFilterResourceTrie = new HashMap<>();
+
for (Map.Entry<String, RangerResourceTrie> entry : other.rowFilterResourceTrie.entrySet()) {
rowFilterResourceTrie.put(entry.getKey(), new RangerResourceTrie(entry.getValue()));
}
@@ -149,6 +149,7 @@
if (other.accessAuditCache != null) {
int auditResultCacheSize = other.accessAuditCache.size();
+
this.accessAuditCache = Collections.synchronizedMap(new CacheMap<String, AuditInfo>(auditResultCacheSize));
} else {
this.accessAuditCache = null;
@@ -157,7 +158,6 @@
boolean[] flags = new boolean[RangerPolicy.POLICY_TYPES.length];
for (RangerPolicyDelta delta : deltas) {
-
final Integer changeType = delta.getChangeType();
final String serviceType = delta.getServiceType();
final Long policyId = delta.getPolicyId();
@@ -175,17 +175,21 @@
if (LOG.isDebugEnabled()) {
LOG.debug("Could not find policy for policy-id:[" + policyId + "]");
}
+
continue;
}
break;
+
case RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE:
evaluator = getPolicyEvaluator(policyId);
+
if (evaluator == null) {
if (LOG.isDebugEnabled()) {
LOG.debug("Could not find evaluator for policy-id:[" + policyId + "]");
}
}
break;
+
case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE:
evaluator = getPolicyEvaluator(policyId);
if (evaluator == null) {
@@ -194,6 +198,7 @@
}
}
break;
+
default:
LOG.error("Unknown changeType:[" + changeType + "], Ignoring");
break;
@@ -206,12 +211,15 @@
case RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE:
policyEvaluatorsMap.put(policyId, evaluator);
break;
+
case RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE:
policyEvaluatorsMap.put(policyId, evaluator);
break;
+
case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE:
policyEvaluatorsMap.remove(policyId);
break;
+
default:
break;
}
@@ -221,7 +229,6 @@
}
for (int policyType = 0; policyType < flags.length; policyType++) {
-
if (flags[policyType]) {
Map<String, RangerResourceTrie> trie = getTrie(policyType);
@@ -392,6 +399,63 @@
return sb.toString();
}
+ public StringBuilder toString(StringBuilder sb) {
+ if (sb == null) {
+ sb = new StringBuilder();
+ }
+
+ sb.append("RangerPolicyRepository={");
+
+ sb.append("serviceName={").append(serviceName).append("} ");
+ sb.append("zoneName={").append(zoneName).append("} ");
+ sb.append("serviceDef={").append(serviceDef).append("} ");
+ sb.append("appId={").append(appId).append("} ");
+
+ sb.append("policyEvaluators={");
+ if (policyEvaluators != null) {
+ for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
+ if (policyEvaluator != null) {
+ sb.append(policyEvaluator).append(" ");
+ }
+ }
+ }
+ sb.append("} ");
+
+ sb.append("dataMaskPolicyEvaluators={");
+ if (this.dataMaskPolicyEvaluators != null) {
+ for (RangerPolicyEvaluator policyEvaluator : dataMaskPolicyEvaluators) {
+ if (policyEvaluator != null) {
+ sb.append(policyEvaluator).append(" ");
+ }
+ }
+ }
+ sb.append("} ");
+
+ sb.append("rowFilterPolicyEvaluators={");
+ if (this.rowFilterPolicyEvaluators != null) {
+ for (RangerPolicyEvaluator policyEvaluator : rowFilterPolicyEvaluators) {
+ if (policyEvaluator != null) {
+ sb.append(policyEvaluator).append(" ");
+ }
+ }
+ }
+ sb.append("} ");
+
+ sb.append("contextEnrichers={");
+ if (contextEnrichers != null) {
+ for (RangerContextEnricher contextEnricher : contextEnrichers) {
+ if (contextEnricher != null) {
+ sb.append(contextEnricher).append(" ");
+ }
+ }
+ }
+ sb.append("} ");
+
+ sb.append("} ");
+
+ return sb;
+ }
+
List<RangerContextEnricher> shareWith(RangerPolicyRepository other) {
if (other != null && other.contextEnrichers != null) {
other.setShared();
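Review bot: `toString(StringBuilder)` is widened from `private` to `public` (the old private version is deleted further down in this file) without Javadoc saying what the dump is for or that it renders every policy evaluator and context enricher, which can be sizeable; a one-liner such as `/** Appends a debug description of this repository, including all policy evaluators and context enrichers, to {@code sb}. */` would make the new contract explicit. The four loops that follow differ only in label and list, so a small helper keeps the method readable and removes the repeated null handling, as below. The `sb == null` fallback is new relative to the deleted version and is fine as written.
```java
public StringBuilder toString(StringBuilder sb) {
    // … unchanged: null fallback for sb, header and serviceName/zoneName/serviceDef/appId entries …
    appendAll(sb, "policyEvaluators", policyEvaluators);
    appendAll(sb, "dataMaskPolicyEvaluators", dataMaskPolicyEvaluators);
    appendAll(sb, "rowFilterPolicyEvaluators", rowFilterPolicyEvaluators);
    appendAll(sb, "contextEnrichers", contextEnrichers);
    sb.append("} ");

    return sb;
}

/** Appends {@code label={item item ...} } to {@code sb}, skipping null items; a null list yields {@code label={} }. */
private static void appendAll(StringBuilder sb, String label, Iterable<?> items) {
    sb.append(label).append("={");

    if (items != null) {
        for (Object item : items) {
            if (item != null) {
                sb.append(item).append(" ");
            }
        }
    }

    sb.append("} ");
}
```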
@@ -1383,62 +1447,4 @@
return ret;
}
-
- private StringBuilder toString(StringBuilder sb) {
-
- sb.append("RangerPolicyRepository={");
-
- sb.append("serviceName={").append(serviceName).append("} ");
- sb.append("zoneName={").append(zoneName).append("} ");
- sb.append("serviceDef={").append(serviceDef).append("} ");
- sb.append("appId={").append(appId).append("} ");
-
- sb.append("policyEvaluators={");
- if (policyEvaluators != null) {
- for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
- if (policyEvaluator != null) {
- sb.append(policyEvaluator).append(" ");
- }
- }
- }
- sb.append("} ");
-
- sb.append("dataMaskPolicyEvaluators={");
-
- if (this.dataMaskPolicyEvaluators != null) {
- for (RangerPolicyEvaluator policyEvaluator : dataMaskPolicyEvaluators) {
- if (policyEvaluator != null) {
- sb.append(policyEvaluator).append(" ");
- }
- }
- }
- sb.append("} ");
-
- sb.append("rowFilterPolicyEvaluators={");
-
- if (this.rowFilterPolicyEvaluators != null) {
- for (RangerPolicyEvaluator policyEvaluator : rowFilterPolicyEvaluators) {
- if (policyEvaluator != null) {
- sb.append(policyEvaluator).append(" ");
- }
- }
- }
- sb.append("} ");
-
- sb.append("contextEnrichers={");
-
- if (contextEnrichers != null) {
- for (RangerContextEnricher contextEnricher : contextEnrichers) {
- if (contextEnricher != null) {
- sb.append(contextEnricher).append(" ");
- }
- }
- }
- sb.append("} ");
-
- sb.append("} ");
-
- return sb;
- }
-
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 11c1eeb..99ae598 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -26,6 +26,7 @@
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
@@ -36,10 +37,10 @@
public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator {
private static final Log LOG = LogFactory.getLog(RangerAbstractPolicyEvaluator.class);
- private RangerPolicy policy;
- private RangerServiceDef serviceDef;
- private RangerServiceDef.RangerResourceDef leafResourceDef;
- private int evalOrder;
+ private RangerPolicy policy;
+ private RangerServiceDef serviceDef;
+ private RangerResourceDef leafResourceDef;
+ private int evalOrder;
protected RangerPluginContext pluginContext = null;
@@ -53,9 +54,9 @@
LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")");
}
- this.policy = policy;
- this.serviceDef = serviceDef;
- this.leafResourceDef = ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource());
+ this.policy = policy;
+ this.serviceDef = serviceDef;
+ this.leafResourceDef = ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource());
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")");
@@ -88,7 +89,7 @@
}
@Override
- public boolean isAncestorOf(RangerServiceDef.RangerResourceDef resourceDef) {
+ public boolean isAncestorOf(RangerResourceDef resourceDef) {
return ServiceDefUtil.isAncestorOf(serviceDef, leafResourceDef, resourceDef);
}
@@ -132,8 +133,11 @@
public StringBuilder toString(StringBuilder sb) {
sb.append("RangerAbstractPolicyEvaluator={");
- sb.append("policy={").append(policy).append("} ");
- sb.append("serviceDef={").append(serviceDef).append("} ");
+ sb.append("policy={");
+ if (policy != null) {
+ policy.toString(sb);
+ }
+ sb.append("} ");
sb.append("}");
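Review bot: The `serviceDef={...}` entry is dropped from the evaluator's string form by the removed line, which goes beyond the renames and whitespace the commit title describes; if the omission is deliberate — presumably because the service definition is large — a comment on the new `policy={` line such as `// serviceDef omitted on purpose to keep the dump short` would keep the next reader from adding it back. The new `policy.toString(sb)` call presumably relies on `RangerPolicy` providing a `StringBuilder` overload, and the null check around it is right. The enclosing method's closing brace lies outside the hunk.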
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
index b9dff76..eed6432 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
@@ -36,7 +36,6 @@
import java.util.concurrent.ConcurrentHashMap;
public class RangerAuthContext {
-
private final Map<RangerContextEnricher, Object> requestContextEnrichers;
private RangerRolesUtil rangerRolesUtil;
@@ -44,6 +43,12 @@
this.requestContextEnrichers = requestContextEnrichers != null ? requestContextEnrichers : new ConcurrentHashMap<>();
}
+ public RangerAuthContext(Map<RangerContextEnricher, Object> requestContextEnrichers, RangerRoles roles) {
+ this.requestContextEnrichers = requestContextEnrichers != null ? requestContextEnrichers : new ConcurrentHashMap<>();
+
+ setRangerRoles(roles);
+ }
+
public Map<RangerContextEnricher, Object> getRequestContextEnrichers() {
return requestContextEnrichers;
}
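Review bot: The new two-argument constructor repeats the null fallback of the one-argument constructor on the line above instead of chaining to it; `this(requestContextEnrichers);` followed by `setRangerRoles(roles);` keeps a single place for that default. Since `RangerAuthContext` is a non-final public class, calling `setRangerRoles` from a constructor means a subclass override (if that method is overridable — its declaration is outside this hunk) would run before the subclass's own fields are initialised; marking `setRangerRoles` `final` or assigning the field directly avoids that. A short Javadoc on the new constructor noting how `roles` is handled would complete it.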
@@ -63,15 +68,14 @@
}
public Set<String> getRolesForUserAndGroups(String user, Set<String> groups) {
- RangerRolesUtil rangerRolesUtil = this.rangerRolesUtil;
-
+ RangerRolesUtil rangerRolesUtil = this.rangerRolesUtil;
Map<String, Set<String>> userRoleMapping = rangerRolesUtil.getUserRoleMapping();
Map<String, Set<String>> groupRoleMapping = rangerRolesUtil.getGroupRoleMapping();
-
- Set<String> allRoles = new HashSet<>();
+ Set<String> allRoles = new HashSet<>();
if (MapUtils.isNotEmpty(userRoleMapping) && StringUtils.isNotEmpty(user)) {
Set<String> userRoles = userRoleMapping.get(user);
+
if (CollectionUtils.isNotEmpty(userRoles)) {
allRoles.addAll(userRoles);
}
@@ -81,12 +85,15 @@
if (CollectionUtils.isNotEmpty(groups)) {
for (String group : groups) {
Set<String> groupRoles = groupRoleMapping.get(group);
+
if (CollectionUtils.isNotEmpty(groupRoles)) {
allRoles.addAll(groupRoles);
}
}
}
+
Set<String> publicGroupRoles = groupRoleMapping.get(RangerPolicyEngine.GROUP_PUBLIC);
+
if (CollectionUtils.isNotEmpty(publicGroupRoles)) {
allRoles.addAll(publicGroupRoles);
}
@@ -101,8 +108,10 @@
public RangerResourceACLs getResourceACLs(RangerAccessRequest request) {
// Invoke getResourceACLs on the first service in this plugin
Collection<RangerBasePlugin> plugins = RangerBasePlugin.getServicePluginMap().values();
+
if (plugins.size() > 0) {
RangerBasePlugin[] array = plugins.toArray(new RangerBasePlugin[0]);
+
return array[0].getResourceACLs(request);
} else {
return null;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index a0808f9..186cf19 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -65,30 +65,28 @@
private static Map<String, RangerBasePlugin> servicePluginMap = new ConcurrentHashMap<>();
- private final String serviceType;
- private final String appId;
- private final RangerPluginConfig config;
- private String serviceName;
- private String clusterName;
- private PolicyRefresher refresher;
- private RangerPolicyEngine policyEngine;
- private RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
- private RangerPluginContext rangerPluginContext;
- private RangerAuthContext currentAuthContext;
- private RangerAccessResultProcessor resultProcessor;
- private boolean useForwardedIPAddress;
- private String[] trustedProxyAddresses;
- private Timer policyDownloadTimer;
- private Timer policyEngineRefreshTimer;
- private RangerAuthContextListener authContextListener;
- private AuditProviderFactory auditProviderFactory;
- private RangerRoles rangerRoles;
-
+ private final String serviceType;
+ private final String appId;
+ private final RangerPluginConfig config;
+ private final RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
private final BlockingQueue<DownloadTrigger> policyDownloadQueue = new LinkedBlockingQueue<>();
private final DownloadTrigger accessTrigger = new DownloadTrigger();
-
- Map<String, LogHistory> logHistoryList = new Hashtable<String, RangerBasePlugin.LogHistory>();
- int logInterval = 30000; // 30 seconds
+ private final Map<String, LogHistory> logHistoryList = new Hashtable<String, RangerBasePlugin.LogHistory>();
+ private final int logInterval = 30000; // 30 seconds
+ private String serviceName;
+ private String clusterName;
+ private PolicyRefresher refresher;
+ private RangerPolicyEngine policyEngine;
+ private RangerPluginContext rangerPluginContext;
+ private RangerAuthContext currentAuthContext;
+ private RangerAccessResultProcessor resultProcessor;
+ private boolean useForwardedIPAddress;
+ private String[] trustedProxyAddresses;
+ private Timer policyDownloadTimer;
+ private Timer policyEngineRefreshTimer;
+ private RangerAuthContextListener authContextListener;
+ private AuditProviderFactory auditProviderFactory;
+ private RangerRoles rangerRoles;
public static Map<String, RangerBasePlugin> getServicePluginMap() {
return servicePluginMap;
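Review bot: On the new `logHistoryList` line the explicit type arguments in `new Hashtable<String, RangerBasePlugin.LogHistory>()` are out of step with the diamond form used for `policyDownloadQueue` and `servicePluginMap` in the same block; `new ConcurrentHashMap<>()` would match the concurrent map already chosen for `servicePluginMap`, provided no caller relies on `Hashtable`'s synchronized iteration, otherwise `new Hashtable<>()`. `private final int logInterval = 30000` is an instance-level constant; `private static final int LOG_INTERVAL = 30000` is the conventional form. In the same spirit as the `final` additions, the static `servicePluginMap` on the first context line could also be `final`, since this hunk shows it only being read through `getServicePluginMap()`.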
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
index 81c278a..aa2cda6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
@@ -30,26 +30,18 @@
import java.util.Set;
public class RangerRolesUtil {
-
- private final long roleVersion;
- private Map<String, Set<String>> userRoleMapping = new HashMap<>();
- private Map<String, Set<String>> groupRoleMapping = new HashMap<>();
-
- public long getRoleVersion() { return roleVersion; }
- public Map<String, Set<String>> getUserRoleMapping() {
- return this.userRoleMapping;
- }
-
- public Map<String, Set<String>> getGroupRoleMapping() {
- return this.groupRoleMapping;
- }
+ private final long roleVersion;
+ private final Map<String, Set<String>> userRoleMapping = new HashMap<>();
+ private final Map<String, Set<String>> groupRoleMapping = new HashMap<>();
public RangerRolesUtil(RangerRoles rangerRoles) {
if (rangerRoles != null) {
roleVersion = rangerRoles.getRoleVersion();
+
if (CollectionUtils.isNotEmpty(rangerRoles.getRangerRoles())) {
for (RangerRole role : rangerRoles.getRangerRoles()) {
Set<RangerRole> containedRoles = getAllContainedRoles(rangerRoles.getRangerRoles(), role);
+
buildMap(userRoleMapping, role, containedRoles, true);
buildMap(groupRoleMapping, role, containedRoles, false);
}
@@ -59,17 +51,31 @@
}
}
+ public long getRoleVersion() { return roleVersion; }
+
+ public Map<String, Set<String>> getUserRoleMapping() {
+ return this.userRoleMapping;
+ }
+
+ public Map<String, Set<String>> getGroupRoleMapping() {
+ return this.groupRoleMapping;
+ }
+
private Set<RangerRole> getAllContainedRoles(Set<RangerRole> rangerRoles, RangerRole role) {
Set<RangerRole> allRoles = new HashSet<>();
+
allRoles.add(role);
addContainedRoles(allRoles, rangerRoles, role);
+
return allRoles;
}
private void addContainedRoles(Set<RangerRole> allRoles, Set<RangerRole> rangerRoles, RangerRole role) {
List<RangerRole.RoleMember> roleMembers = role.getRoles();
+
for (RangerRole.RoleMember roleMember : roleMembers) {
RangerRole containedRole = getContainedRole(rangerRoles, roleMember.getName());
+
if (containedRole!= null && !allRoles.contains(containedRole)) {
allRoles.add(containedRole);
addContainedRoles(allRoles, rangerRoles, containedRole);
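Review bot: `getUserRoleMapping()` and `getGroupRoleMapping()` return the internal maps that hold role membership, so any caller holding the reference can add or remove roles for a user or group behind the util's back; the `final` added to the fields in the previous hunk does not prevent that. Returning `Collections.unmodifiableMap(this.userRoleMapping)` (and likewise for groups, with `java.util.Collections` imported if it is not already) closes that, and the visible consumer, `RangerAuthContext.getRolesForUserAndGroups`, only reads from these maps. Since both maps are fully built in the constructor, the unmodifiable views could also be created once there rather than per call.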
@@ -79,6 +85,7 @@
private void buildMap(Map<String, Set<String>> map, RangerRole role, Set<RangerRole> containedRoles, boolean isUser) {
buildMap(map, role, role.getName(), isUser);
+
for (RangerRole containedRole : containedRoles) {
buildMap(map, containedRole, role.getName(), isUser);
}
@@ -88,10 +95,13 @@
for (RangerRole.RoleMember userOrGroup : isUser ? role.getUsers() : role.getGroups()) {
if (StringUtils.isNotEmpty(userOrGroup.getName())) {
Set<String> roleNames = map.get(userOrGroup.getName());
+
if (roleNames == null) {
roleNames = new HashSet<>();
+
map.put(userOrGroup.getName(), roleNames);
}
+
roleNames.add(roleName);
}
}
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
index bfe767e..1109bdd 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
@@ -91,8 +91,8 @@
for(PolicyACLsTests.TestCase testCase : testCases.testCases) {
RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
- RangerPluginContext pluginContext = new RangerPluginContext("hive", "cl1", "on-prem");
- RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies, policyEngineOptions, pluginContext, null);
+ RangerPluginContext pluginContext = new RangerPluginContext("hive", "cl1", "on-prem");
+ RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies, policyEngineOptions, pluginContext, null);
for(PolicyACLsTests.TestCase.OneTest oneTest : testCase.tests) {
if(oneTest == null) {
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCache.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
similarity index 74%
rename from security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCache.java
rename to security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
index a86f003..5cbb1b2 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCache.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
@@ -42,31 +42,32 @@
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.ServicePolicies;
-public class RangerPolicyEngineCache {
- private static final Log LOG = LogFactory.getLog(RangerPolicyEngineCache.class);
+public class RangerPolicyAdminCache {
+ private static final Log LOG = LogFactory.getLog(RangerPolicyAdminCache.class);
- private final Map<String, RangerPolicyAdmin> policyEngineCache = Collections.synchronizedMap(new HashMap<>());
+ private final Map<String, RangerPolicyAdmin> policyAdminCache = Collections.synchronizedMap(new HashMap<>());
final RangerPolicyAdmin getServicePoliciesAdmin(String serviceName, ServiceStore svcStore, RoleStore roleStore, SecurityZoneStore zoneStore, RangerPolicyEngineOptions options) {
RangerPolicyAdmin ret = null;
if (serviceName == null || svcStore == null || roleStore == null || zoneStore == null) {
- LOG.warn("Cannot get policy-engine for null serviceName or serviceStore or roleStore or zoneStore");
+ LOG.warn("Cannot get policy-admin for null serviceName or serviceStore or roleStore or zoneStore");
+
return ret;
}
- ret = policyEngineCache.get(serviceName);
+ ret = policyAdminCache.get(serviceName);
- long policyVersion;
- long roleVersion;
+ long policyVersion;
+ long roleVersion;
RangerRoles rangerRoles;
- boolean isRolesUpdated = true;
+ boolean isRolesUpdated = true;
try {
if (ret == null) {
policyVersion = -1L;
- roleVersion = -1L;
- rangerRoles = roleStore.getRangerRoles(serviceName, roleVersion);
+ roleVersion = -1L;
+ rangerRoles = roleStore.getRangerRoles(serviceName, roleVersion);
if (rangerRoles == null) {
if (LOG.isDebugEnabled()) {
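Review bot: The `ret = policyAdminCache.get(serviceName);` lookup runs outside any lock, while the rebuild it feeds (`addOrUpdatePolicyAdmin`, later in this file) is `synchronized(this)` and calls `releaseResources()` on the admin it replaces, so two callers that observe the same stale `ret` will both enter the rebuild with it and the second will apply deltas to, and then release, an admin the first has already released. Whether that is harmful depends on what `releaseResources()` does, which is not visible here, but this cache backs delegated-admin authorization decisions, so it is worth either re-reading the cache inside `addOrUpdatePolicyAdmin` before deciding to rebuild or moving the lookup-and-refresh under the same lock. Not introduced by the rename; `getServicePoliciesAdmin` continues past the end of this hunk.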
@@ -75,102 +76,105 @@
}
} else {
policyVersion = ret.getPolicyVersion();
- roleVersion = ret.getRoleVersion();
- rangerRoles = roleStore.getRangerRoles(serviceName, roleVersion);
+ roleVersion = ret.getRoleVersion();
+ rangerRoles = roleStore.getRangerRoles(serviceName, roleVersion);
if (rangerRoles == null) { // No changes to roles
- rangerRoles = roleStore.getRangerRoles(serviceName, -1L);
+ rangerRoles = roleStore.getRangerRoles(serviceName, -1L);
isRolesUpdated = false;
}
}
+
ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, policyVersion, false);
if (policies != null) {
if (policies.getPolicyVersion() != null && !policies.getPolicyVersion().equals(policyVersion)) {
ServicePolicies updatedServicePolicies = getUpdatedServicePolicies(serviceName, policies, svcStore, zoneStore);
- ret = addOrUpdatePolicyEngine(ret, updatedServicePolicies, rangerRoles, options);
+ ret = addOrUpdatePolicyAdmin(ret, updatedServicePolicies, rangerRoles, options);
} else {
- LOG.error("policies object is null or its version is null for getPolicyEngine(" + serviceName + ") !!");
- LOG.error("Returning old policy engine");
+ LOG.error("policies object is null or its version is null for getPolicyAdmin(" + serviceName + ") !!");
+ LOG.error("Returning old policy admin");
}
} else {
if (ret == null) {
- LOG.error("getPolicyEngine(" + serviceName + "): failed to get any policies from service-store");
+ LOG.error("getPolicyAdmin(" + serviceName + "): failed to get any policies from service-store");
} else {
if (isRolesUpdated) {
ret.setRangerRoles(rangerRoles);
}
}
}
-
} catch (Exception excp) {
- LOG.error("getPolicyEngine(" + serviceName + "): failed to get latest policies from service-store", excp);
+ LOG.error("getPolicyAdmin(" + serviceName + "): failed to get latest policies from service-store", excp);
}
return ret;
}
- private RangerPolicyAdmin addOrUpdatePolicyEngine(RangerPolicyAdmin policyEngine, ServicePolicies policies, RangerRoles rangerRoles, RangerPolicyEngineOptions options) {
+ private RangerPolicyAdmin addOrUpdatePolicyAdmin(RangerPolicyAdmin policyAdmin, ServicePolicies policies, RangerRoles rangerRoles, RangerPolicyEngineOptions options) {
final RangerPolicyAdmin ret;
-
- RangerPolicyAdminImpl oldPolicyEngine = (RangerPolicyAdminImpl) policyEngine;
+ RangerPolicyAdminImpl oldPolicyAdmin = (RangerPolicyAdminImpl) policyAdmin;
synchronized(this) {
- if (oldPolicyEngine == null || CollectionUtils.isEmpty(policies.getPolicyDeltas())) {
- ret = addPolicyEngine(policies, rangerRoles, options);
+ if (oldPolicyAdmin == null || CollectionUtils.isEmpty(policies.getPolicyDeltas())) {
+ ret = addPolicyAdmin(policies, rangerRoles, options);
} else {
- RangerPolicyAdmin updatedEngine = RangerPolicyAdminImpl.getPolicyEngine(oldPolicyEngine, policies);
+ RangerPolicyAdmin updatedPolicyAdmin = RangerPolicyAdminImpl.getPolicyAdmin(oldPolicyAdmin, policies);
- if (updatedEngine != null) {
- updatedEngine.setRangerRoles(rangerRoles);
- policyEngineCache.put(policies.getServiceName(), updatedEngine);
+ if (updatedPolicyAdmin != null) {
+ updatedPolicyAdmin.setRangerRoles(rangerRoles);
+ policyAdminCache.put(policies.getServiceName(), updatedPolicyAdmin);
- ret = updatedEngine;
+ ret = updatedPolicyAdmin;
} else {
- ret = addPolicyEngine(policies, rangerRoles, options);
+ ret = addPolicyAdmin(policies, rangerRoles, options);
}
}
- if (oldPolicyEngine != null) {
- oldPolicyEngine.releaseResources();
+
+ if (oldPolicyAdmin != null) {
+ oldPolicyAdmin.releaseResources();
}
}
return ret;
}
- private RangerPolicyAdmin addPolicyEngine(ServicePolicies policies, RangerRoles rangerRoles, RangerPolicyEngineOptions options) {
- RangerServiceDef serviceDef = policies.getServiceDef();
- String serviceType = (serviceDef != null) ? serviceDef.getName() : "";
-
+ private RangerPolicyAdmin addPolicyAdmin(ServicePolicies policies, RangerRoles rangerRoles, RangerPolicyEngineOptions options) {
+ RangerServiceDef serviceDef = policies.getServiceDef();
+ String serviceType = (serviceDef != null) ? serviceDef.getName() : "";
RangerPluginContext rangerPluginContext = new RangerPluginContext(serviceType);
- RangerPolicyAdmin ret = new RangerPolicyAdminImpl("ranger-admin", policies, options, rangerPluginContext, rangerRoles);
+ RangerPolicyAdmin ret = new RangerPolicyAdminImpl("ranger-admin", policies, options, rangerPluginContext, rangerRoles);
- policyEngineCache.put(policies.getServiceName(), ret);
+ policyAdminCache.put(policies.getServiceName(), ret);
return ret;
}
private ServicePolicies getUpdatedServicePolicies(String serviceName, ServicePolicies policies, ServiceStore svcStore, SecurityZoneStore zoneStore) throws Exception{
ServicePolicies ret = policies;
+
if (ret == null) {
ret = svcStore.getServicePoliciesIfUpdated(serviceName, -1L, false);
}
+
if (zoneStore != null) {
Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = zoneStore.getSecurityZonesForService(serviceName);
+
if (MapUtils.isNotEmpty(securityZones)) {
ret = getUpdatedServicePoliciesForZones(ret, securityZones);
}
}
+
return ret;
}
public static ServicePolicies getUpdatedServicePoliciesForZones(ServicePolicies servicePolicies, Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones) {
-
final ServicePolicies ret;
if (MapUtils.isNotEmpty(securityZones)) {
ret = new ServicePolicies();
+
ret.setServiceDef(servicePolicies.getServiceDef());
ret.setServiceId(servicePolicies.getServiceId());
ret.setServiceName(servicePolicies.getServiceName());
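Review bot: The message in `LOG.error("policies object is null or its version is null for getPolicyAdmin(" ...` is misleading: that `else` is only reached when `policies != null` (the enclosing `if`), so only the null-or-unchanged-version case can get there, and in that same branch roles fetched with `isRolesUpdated == true` are dropped, since `ret.setRangerRoles(rangerRoles)` is applied only in the `policies == null` path. Rephrase to `LOG.error("getPolicyAdmin(" + serviceName + "): policies version is null or unchanged (" + policies.getPolicyVersion() + "); keeping existing policy-admin");` and apply `if (ret != null && isRolesUpdated) { ret.setRangerRoles(rangerRoles); }` there as well. Separately, `addPolicyAdmin` silently builds a `RangerPluginContext` with an empty service type when `serviceDef` is null; a `LOG.warn` at that point would make a malformed `ServicePolicies` visible rather than producing an admin that evaluates nothing. Pre-existing, not introduced by the rename.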
@@ -181,11 +185,9 @@
Map<String, ServicePolicies.SecurityZoneInfo> securityZonesInfo = new HashMap<>();
if (CollectionUtils.isEmpty(servicePolicies.getPolicyDeltas())) {
-
List<RangerPolicy> allPolicies = new ArrayList<>(servicePolicies.getPolicies());
for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet()) {
-
List<RangerPolicy> zonePolicies = extractZonePolicies(allPolicies, entry.getKey());
if (CollectionUtils.isNotEmpty(zonePolicies)) {
@@ -193,12 +195,11 @@
}
ServicePolicies.SecurityZoneInfo securityZoneInfo = new ServicePolicies.SecurityZoneInfo();
+
securityZoneInfo.setZoneName(entry.getKey());
securityZoneInfo.setPolicies(zonePolicies);
securityZoneInfo.setResources(entry.getValue().getResources());
-
securityZoneInfo.setContainsAssociatedTagService(false);
-
securityZonesInfo.put(entry.getKey(), securityZoneInfo);
}
@@ -208,7 +209,6 @@
List<RangerPolicyDelta> allPolicyDeltas = new ArrayList<>(servicePolicies.getPolicyDeltas());
for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet()) {
-
List<RangerPolicyDelta> zonePolicyDeltas = extractZonePolicyDeltas(allPolicyDeltas, entry.getKey());
if (CollectionUtils.isNotEmpty(zonePolicyDeltas)) {
@@ -216,17 +216,17 @@
}
ServicePolicies.SecurityZoneInfo securityZoneInfo = new ServicePolicies.SecurityZoneInfo();
+
securityZoneInfo.setZoneName(entry.getKey());
securityZoneInfo.setPolicyDeltas(zonePolicyDeltas);
securityZoneInfo.setResources(entry.getValue().getResources());
-
securityZoneInfo.setContainsAssociatedTagService(false);
-
securityZonesInfo.put(entry.getKey(), securityZoneInfo);
}
ret.setPolicyDeltas(allPolicyDeltas);
}
+
ret.setSecurityZones(securityZonesInfo);
} else {
ret = servicePolicies;
@@ -236,7 +236,6 @@
}
private static List<RangerPolicy> extractZonePolicies(final List<RangerPolicy> allPolicies, final String zoneName) {
-
final List<RangerPolicy> ret = new ArrayList<>();
for (RangerPolicy policy : allPolicies) {
@@ -249,7 +248,6 @@
}
private static List<RangerPolicyDelta> extractZonePolicyDeltas(final List<RangerPolicyDelta> allPolicyDeltas, final String zoneName) {
-
final List<RangerPolicyDelta> ret = new ArrayList<>();
for (RangerPolicyDelta delta : allPolicyDeltas) {
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCacheForEngineOptions.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCacheForEngineOptions.java
similarity index 63%
rename from security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCacheForEngineOptions.java
rename to security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCacheForEngineOptions.java
index 151143a..b6a1862 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyEngineCacheForEngineOptions.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCacheForEngineOptions.java
@@ -28,23 +28,25 @@
import java.util.HashMap;
import java.util.Map;
-public class RangerPolicyEngineCacheForEngineOptions {
+public class RangerPolicyAdminCacheForEngineOptions {
+ private static volatile RangerPolicyAdminCacheForEngineOptions sInstance = null;
- private static volatile RangerPolicyEngineCacheForEngineOptions sInstance = null;
+ private final Map<RangerPolicyEngineOptions, RangerPolicyAdminCache> policyAdminCacheForEngineOptions = Collections.synchronizedMap(new HashMap<>());
- private final Map<RangerPolicyEngineOptions, RangerPolicyEngineCache> policyEngineCacheForEngineOptions = Collections.synchronizedMap(new HashMap<>());
+ public static RangerPolicyAdminCacheForEngineOptions getInstance() {
+ RangerPolicyAdminCacheForEngineOptions ret = sInstance;
- public static RangerPolicyEngineCacheForEngineOptions getInstance() {
- RangerPolicyEngineCacheForEngineOptions ret = sInstance;
if (ret == null) {
- synchronized (RangerPolicyEngineCacheForEngineOptions.class) {
+ synchronized (RangerPolicyAdminCacheForEngineOptions.class) {
ret = sInstance;
+
if (ret == null) {
- sInstance = new RangerPolicyEngineCacheForEngineOptions();
- ret = sInstance;
+ sInstance = new RangerPolicyAdminCacheForEngineOptions();
+ ret = sInstance;
}
}
}
+
return ret;
}
@@ -53,16 +55,19 @@
}
public final RangerPolicyAdmin getServicePoliciesAdmin(String serviceName, ServiceStore svcStore, RoleStore roleStore, SecurityZoneStore zoneStore, RangerPolicyEngineOptions options) {
- RangerPolicyEngineCache policyEngineCache;
+ RangerPolicyAdminCache policyAdminCache;
synchronized (this) {
- policyEngineCache = policyEngineCacheForEngineOptions.get(options);
- if (policyEngineCache == null) {
- policyEngineCache = new RangerPolicyEngineCache();
- policyEngineCacheForEngineOptions.put(options, policyEngineCache);
+ policyAdminCache = policyAdminCacheForEngineOptions.get(options);
+
+ if (policyAdminCache == null) {
+ policyAdminCache = new RangerPolicyAdminCache();
+
+ policyAdminCacheForEngineOptions.put(options, policyAdminCache);
}
}
- return policyEngineCache.getServicePoliciesAdmin(serviceName, svcStore, roleStore, zoneStore, options);
+
+ return policyAdminCache.getServicePoliciesAdmin(serviceName, svcStore, roleStore, zoneStore, options);
}
}
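Review bot: The `synchronized (this)` block around `get`/`put` on `policyAdminCacheForEngineOptions` duplicates the locking the `Collections.synchronizedMap` wrapper already provides, and the get-then-put can be written as one atomic call: `RangerPolicyAdminCache policyAdminCache = policyAdminCacheForEngineOptions.computeIfAbsent(options, k -> new RangerPolicyAdminCache());` (the synchronized-map wrapper runs `computeIfAbsent` under its mutex). The map also relies on `RangerPolicyEngineOptions` implementing `equals`/`hashCode` so that the three option objects in ServiceREST partition the cache as intended; that is not visible here and deserves a comment on the field, e.g. `// keyed by options: each distinct RangerPolicyEngineOptions instance gets its own per-service cache`.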
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index ac1d961..390187b 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -56,7 +56,7 @@
private final PolicyEngine policyEngine;
private final RangerAccessRequestProcessor requestProcessor;
- static public RangerPolicyAdmin getPolicyEngine(final RangerPolicyAdminImpl other, final ServicePolicies servicePolicies) {
+ static public RangerPolicyAdmin getPolicyAdmin(final RangerPolicyAdminImpl other, final ServicePolicies servicePolicies) {
RangerPolicyAdmin ret = null;
if (other != null && servicePolicies != null) {
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 43c109d..2a2aa22 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -108,8 +108,8 @@
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
-import org.apache.ranger.biz.RangerPolicyEngineCache;
-import org.apache.ranger.biz.RangerPolicyEngineCacheForEngineOptions;
+import org.apache.ranger.biz.RangerPolicyAdminCache;
+import org.apache.ranger.biz.RangerPolicyAdminCacheForEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
@@ -593,18 +593,18 @@
LOG.debug("getServicePolicies with service-name=" + service.getName());
}
- RangerPolicyAdmin engine = null;
+ RangerPolicyAdmin policyAdmin = null;
try {
- engine = getPolicySearchPolicyEngine(service.getName());
+ policyAdmin = getPolicyAdminForSearch(service.getName());
} catch (Exception e) {
LOG.error("Cannot initialize Policy-Engine", e);
throw restErrorUtil.createRESTException("Cannot initialize Policy Engine",
MessageEnums.ERROR_SYSTEM);
}
- if (engine != null) {
- ret = engine.getMatchingPolicies(new RangerAccessResourceImpl(resource));
+ if (policyAdmin != null) {
+ ret = policyAdmin.getMatchingPolicies(new RangerAccessResourceImpl(resource));
}
}
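Review bot: With `getPolicyAdminForSearch` no longer declaring `throws Exception` (see the helper hunk later in this file) and `RangerPolicyAdminCache.getServicePoliciesAdmin` catching `Exception` internally and returning null, the `catch (Exception e)` here now fires only for unchecked exceptions; a failure to load the service's policies presumably surfaces as `policyAdmin == null`, and the `if (policyAdmin != null)` guard then skips the lookup silently, leaving `ret` at whatever it held before instead of the REST error this block is written to raise. If a 500 on load failure is the intent, move the error into the null path: `if (policyAdmin == null) { throw restErrorUtil.createRESTException("Cannot initialize Policy Engine", MessageEnums.ERROR_SYSTEM); }`. The enclosing method starts and ends outside this hunk, so the prior value of `ret` cannot be confirmed here.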
@@ -3086,7 +3086,7 @@
Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = zoneStore.getSecurityZonesForService(serviceName);
ServicePolicies updatedServicePolicies = servicePolicies;
if (MapUtils.isNotEmpty(securityZones)) {
- updatedServicePolicies = RangerPolicyEngineCache.getUpdatedServicePoliciesForZones(servicePolicies, securityZones);
+ updatedServicePolicies = RangerPolicyAdminCache.getUpdatedServicePoliciesForZones(servicePolicies, securityZones);
patchAssociatedTagServiceInSecurityZoneInfos(updatedServicePolicies);
}
downloadedVersion = updatedServicePolicies.getPolicyVersion();
@@ -3208,7 +3208,7 @@
Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = zoneStore.getSecurityZonesForService(serviceName);
ServicePolicies updatedServicePolicies = servicePolicies;
if (MapUtils.isNotEmpty(securityZones)) {
- updatedServicePolicies = RangerPolicyEngineCache.getUpdatedServicePoliciesForZones(servicePolicies, securityZones);
+ updatedServicePolicies = RangerPolicyAdminCache.getUpdatedServicePoliciesForZones(servicePolicies, securityZones);
patchAssociatedTagServiceInSecurityZoneInfos(updatedServicePolicies);
}
downloadedVersion = updatedServicePolicies.getPolicyVersion();
@@ -3290,10 +3290,9 @@
LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resource + ", " + user + ")");
}
- RangerPolicy ret = null;
- RangerPolicyAdmin policyEngine = getPolicyEngine(serviceName);
-
- List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(resource, null) : null;
+ RangerPolicy ret = null;
+ RangerPolicyAdmin policyAdmin = getPolicyAdmin(serviceName);
+ List<RangerPolicy> policies = policyAdmin != null ? policyAdmin.getExactMatchPolicies(resource, null) : null;
if(CollectionUtils.isNotEmpty(policies)) {
// at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store
@@ -3312,10 +3311,9 @@
LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + policy + ", " + user + ")");
}
- RangerPolicy ret = null;
- RangerPolicyAdmin policyEngine = getPolicyEngine(policy.getService());
-
- List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(policy, null) : null;
+ RangerPolicy ret = null;
+ RangerPolicyAdmin policyAdmin = getPolicyAdmin(policy.getService());
+ List<RangerPolicy> policies = policyAdmin != null ? policyAdmin.getExactMatchPolicies(policy, null) : null;
if(CollectionUtils.isNotEmpty(policies)) {
// at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store
@@ -3599,16 +3597,16 @@
continue;
}
- RangerPolicyAdmin policyEngine = getDelegatedAdminPolicyEngine(serviceName);
+ RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(serviceName);
- if (policyEngine != null) {
+ if (policyAdmin != null) {
if(userGroups == null) {
userGroups = daoManager.getXXGroupUser().findGroupNamesByUserName(userName);
}
- Set<String> roles = policyEngine.getRolesFromUserAndGroups(userName, userGroups);
+ Set<String> roles = policyAdmin.getRolesFromUserAndGroups(userName, userGroups);
for (RangerPolicy policy : listToFilter) {
- if (policyEngine.isAccessAllowed(policy, userName, userGroups, roles, RangerPolicyEngine.ADMIN_ACCESS)
+ if (policyAdmin.isAccessAllowed(policy, userName, userGroups, roles, RangerPolicyEngine.ADMIN_ACCESS)
|| (!StringUtils.isEmpty(policy.getZoneName()) && (serviceMgr.isZoneAdmin(policy.getZoneName()) || serviceMgr.isZoneAuditor(policy.getZoneName())))
|| isServiceAdminUser) {
ret.add(policy);
@@ -3699,13 +3697,13 @@
}
private boolean hasAdminAccess(RangerPolicy policy, String userName, Set<String> userGroups) {
- boolean isAllowed = false;
+ boolean isAllowed = false;
+ RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(policy.getService());
- RangerPolicyAdmin policyEngine = getDelegatedAdminPolicyEngine(policy.getService());
+ if(policyAdmin != null) {
+ Set<String> roles = policyAdmin.getRolesFromUserAndGroups(userName, userGroups);
- if(policyEngine != null) {
- Set<String> roles = policyEngine.getRolesFromUserAndGroups(userName, userGroups);
- isAllowed = policyEngine.isAccessAllowed(policy, userName, userGroups, roles, RangerPolicyEngine.ADMIN_ACCESS);
+ isAllowed = policyAdmin.isAccessAllowed(policy, userName, userGroups, roles, RangerPolicyEngine.ADMIN_ACCESS);
}
return isAllowed;
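Review bot: The `if(policyAdmin != null)` guard makes `hasAdminAccess` fail closed when the service's policies could not be loaded, which is the right default for an admin check but is nowhere stated; a reader could "fix" it by defaulting `isAllowed` to true. Add `// policyAdmin is null when the service's policies could not be loaded: fail closed (deny)` above the `if`. The same applies to the resource-based `hasAdminAccess` overload in the next hunk.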
@@ -3713,25 +3711,25 @@
private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups, RangerAccessResource resource) {
boolean isAllowed = false;
- RangerPolicyAdmin policyEngine = getDelegatedAdminPolicyEngine(serviceName);
+ RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(serviceName);
- if(policyEngine != null) {
- isAllowed = policyEngine.isAccessAllowed(resource, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
+ if(policyAdmin != null) {
+ isAllowed = policyAdmin.isAccessAllowed(resource, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
}
return isAllowed;
}
- public RangerPolicyAdmin getDelegatedAdminPolicyEngine(String serviceName) {
- return RangerPolicyEngineCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, delegateAdminOptions);
+ public RangerPolicyAdmin getPolicyAdminForDelegatedAdmin(String serviceName) {
+ return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, delegateAdminOptions);
}
- private RangerPolicyAdmin getPolicySearchPolicyEngine(String serviceName) throws Exception {
- return RangerPolicyEngineCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, policySearchAdminOptions);
+ private RangerPolicyAdmin getPolicyAdminForSearch(String serviceName) {
+ return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, policySearchAdminOptions);
}
- private RangerPolicyAdmin getPolicyEngine(String serviceName) throws Exception {
- return RangerPolicyEngineCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, defaultAdminOptions);
+ private RangerPolicyAdmin getPolicyAdmin(String serviceName) {
+ return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, defaultAdminOptions);
}
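Review bot: `getPolicyAdminForDelegatedAdmin`, `getPolicyAdminForSearch` and `getPolicyAdmin` are identical apart from the options object, and none documents that a null return means the policies could not be loaded (which the `hasAdminAccess` callers above treat as deny). Consider one private helper, `private RangerPolicyAdmin getPolicyAdmin(String serviceName, RangerPolicyEngineOptions options) { return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, roleDBStore, options); }`, with the three existing methods delegating to it, and a Javadoc on the public one: `/** @return the cached policy admin for {@code serviceName}, or {@code null} if its policies could not be loaded; callers must treat null as deny. */`. `getPolicyAdminForDelegatedAdmin` should stay public, since TestServiceREST mocks it by name.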
@GET
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java b/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
index 5118322..9ac7f24 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
@@ -117,14 +117,15 @@
policyEngineOptions.cacheAuditResults = false;
policyEngineOptions.disableContextEnrichers = true;
policyEngineOptions.disableCustomConditions = true;
+
RangerPluginContext pluginContext = new RangerPluginContext("hive", "cl1", "on-prem");
- RangerPolicyAdmin policyEngine = new RangerPolicyAdminImpl("test-policydb", testCase.servicePolicies, policyEngineOptions, pluginContext, null);
+ RangerPolicyAdmin policyAdmin = new RangerPolicyAdminImpl("test-policydb", testCase.servicePolicies, policyEngineOptions, pluginContext, null);
for(TestData test : testCase.tests) {
boolean expected = test.result;
if(test.allowedPolicies != null) {
- List<RangerPolicy> allowedPolicies = policyEngine.getAllowedUnzonedPolicies(test.user, test.userGroups, test.accessType);
+ List<RangerPolicy> allowedPolicies = policyAdmin.getAllowedUnzonedPolicies(test.user, test.userGroups, test.accessType);
assertEquals("allowed-policy count mismatch!", test.allowedPolicies.size(), allowedPolicies.size());
@@ -134,7 +135,7 @@
}
assertEquals("allowed-policy list mismatch!", test.allowedPolicies, allowedPolicyIds);
} else {
- boolean result = policyEngine.isAccessAllowedByUnzonedPolicies(test.resources, test.user, test.userGroups, test.accessType);
+ boolean result = policyAdmin.isAccessAllowedByUnzonedPolicies(test.resources, test.user, test.userGroups, test.accessType);
assertEquals("isAccessAllowed mismatched! - " + test.name, expected, result);
}
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index 75e93d9..b67656e 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -230,7 +230,7 @@
RangerPolicyEngineImpl rpImpl;
@Mock
- RangerPolicyAdmin policyEngine;
+ RangerPolicyAdmin policyAdmin;
@Mock
RangerTransactionService rangerTransactionService;
@@ -1093,7 +1093,7 @@
/*here we are setting serviceAdminRole, so we will get the required policy with serviceAdmi role*/
Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGroupDao);
Mockito.when(svcStore.isServiceAdminUser(rPol.getService(), null)).thenReturn(true);
- Mockito.doReturn(policyEngine).when(spySVCRest).getDelegatedAdminPolicyEngine("HDFS_1-1-20150316062453");
+ Mockito.doReturn(policyAdmin).when(spySVCRest).getPolicyAdminForDelegatedAdmin("HDFS_1-1-20150316062453");
RangerPolicyList dbRangerPolicy = spySVCRest.getPolicies(request);
Assert.assertNotNull(dbRangerPolicy);
Assert.assertEquals(dbRangerPolicy.getListSize(), 1);