RANGER-2712 : Revisit privileges for rangerlookup user in default policies
Signed-off-by: Pradeep <pradeep@apache.org>
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
index 23f5a22..336911a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
@@ -65,11 +65,16 @@
protected Map<String, String> configs;
protected String serviceName;
protected String serviceType;
+ protected String lookUpUser;
- private final RangerAdminConfig config;
+ protected final RangerAdminConfig config;
public RangerBaseService() {
this.config = RangerAdminConfig.getInstance();
+ String authType = config.get(RANGER_AUTH_TYPE,"simple");
+ String lookupPrincipal = config.get(LOOKUP_PRINCIPAL);
+ String lookupKeytab = config.get(LOOKUP_KEYTAB);
+ lookUpUser = getLookupUser(authType, lookupPrincipal, lookupKeytab);
}
public void init(RangerServiceDef serviceDef, RangerService service) {
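Review bot: Every service hunk that follows (HBase, HDFS, Hive, Knox, Atlas, Kafka, KMS, NiFi Registry, NiFi, Ozone, Solr, Yarn) rebuilds the same non-delegating policy item for `lookUpUser` by hand, and since this hunk is what exposes `lookUpUser` to subclasses, a protected helper beside it would collapse each of those blocks to one call such as `addLookupUserPolicyItem(defaultPolicy, ACCESS_TYPE_READ)` (the sketch below assumes `java.util.Collections` is, or gets, imported in this file). The new field is assigned exactly once, in the constructor, so it should read `protected final String lookUpUser;` so that no subclass can reassign it after construction. Widening `config` from `private` to `protected` is not used by any visible change and could stay `private`. If `getLookupUser` is an overridable instance method, calling it from the constructor runs before any subclass state exists — worth confirming it is static or private.
```java
// … unchanged: fields and constructor …

/**
 * Appends a policy item granting the configured lookup user the given access
 * types, with delegate-admin off. Does nothing when no lookup user is configured.
 */
protected void addLookupUserPolicyItem(RangerPolicy policy, String... accessTypes) {
    if (policy == null || StringUtils.isBlank(lookUpUser)) {
        return;
    }
    List<RangerPolicy.RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
    for (String accessType : accessTypes) {
        accesses.add(new RangerPolicy.RangerPolicyItemAccess(accessType));
    }
    RangerPolicy.RangerPolicyItem item = new RangerPolicy.RangerPolicyItem();
    item.setUsers(Collections.singletonList(lookUpUser));
    item.setAccesses(accesses);
    item.setDelegateAdmin(false);
    policy.getPolicyItems().add(item);
}
```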
@@ -433,15 +438,7 @@
}
}
}
- String authType = config.get(RANGER_AUTH_TYPE,"simple");
- String lookupPrincipal = config.get(LOOKUP_PRINCIPAL);
- String lookupKeytab = config.get(LOOKUP_KEYTAB);
- String lookUpUser = getLookupUser(authType, lookupPrincipal, lookupKeytab);
-
- if (StringUtils.isNotBlank(lookUpUser)) {
- uniqueUsers.add(lookUpUser);
- }
ret.addAll(uniqueUsers);
return ret;
}
diff --git a/hbase-agent/src/main/java/org/apache/ranger/services/hbase/RangerServiceHBase.java b/hbase-agent/src/main/java/org/apache/ranger/services/hbase/RangerServiceHBase.java
index 01b97ea..74188d2 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/services/hbase/RangerServiceHBase.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/services/hbase/RangerServiceHBase.java
@@ -19,22 +19,29 @@
package org.apache.ranger.services.hbase;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.ranger.plugin.client.HadoopException;
+import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.services.hbase.client.HBaseResourceMgr;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
public class RangerServiceHBase extends RangerBaseService {
private static final Log LOG = LogFactory.getLog(RangerServiceHBase.class);
+ public static final String ACCESS_TYPE_READ = "read";
+ public static final String ACCESS_TYPE_CREATE = "create";
public RangerServiceHBase() {
super();
@@ -46,6 +53,33 @@
}
@Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceHbase.getDefaultRangerPolicies()");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ List<RangerPolicy.RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_READ));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_CREATE));
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(accessListForLookupUser);
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceHbase.getDefaultRangerPolicies()");
+ }
+ return ret;
+ }
+
+
+ @Override
public Map<String,Object> validateConfig() throws Exception {
Map<String, Object> ret = new HashMap<String, Object>();
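Review bot: The trace messages in the new override name `RangerServiceHbase` while the class is `RangerServiceHBase`, so a log search on the class name misses them; use `LOG.debug("==> RangerServiceHBase.getDefaultRangerPolicies()");` and the matching `<==` line. The access-list declaration spells the nested type as `RangerPolicy.RangerPolicyItemAccess` although this commit's own import makes the short name `RangerPolicyItemAccess` available, and the two spellings are mixed on consecutive lines. `defaultPolicy.getPolicyItems().add(...)` assumes the base class always returns a non-null item list for default policies — that is not visible here, so either confirm it or guard the call. The `contains("all")` name test is a substring match carried over from the existing HDFS and Yarn code, so any future default policy whose name merely contains "all" will also receive the lookup-user grant.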
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
index f89d14b..5354636 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
@@ -19,6 +19,7 @@
package org.apache.ranger.services.hdfs;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -27,6 +28,8 @@
import org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer;
import org.apache.ranger.plugin.client.HadoopException;
import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -43,6 +46,7 @@
private static final Log LOG = LogFactory.getLog(RangerServiceHdfs.class);
private static final String AUDITTOHDFS_KMS_PATH = "/ranger/audit/kms";
private static final String AUDITTOHDFS_POLICY_NAME = "kms-audit-path";
+ public static final String ACCESS_TYPE_READ = "read";
public RangerServiceHdfs() {
super();
@@ -116,6 +120,14 @@
for (RangerPolicy defaultPolicy : ret) {
if(defaultPolicy.getName().contains("all")){
+ if (StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_READ)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+
RangerPolicy.RangerPolicyResource pathPolicyResource = defaultPolicy.getResources().get(pathResourceName);
if (pathPolicyResource != null) {
List<RangerServiceDef.RangerResourceDef> resourceDefs = serviceDef.getResources();
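Review bot: The lookup user is granted only `read` on the all-paths policy; listing a directory in HDFS normally requires `execute` on that directory and on every ancestor as well, so with this grant alone the lookup may end up authorized by the native HDFS permission fallback rather than by this policy item. Confirm against what the HDFS lookup client actually calls, and if execute is needed add `new RangerPolicyItemAccess("execute")` next to the read access instead of `Collections.singletonList`. The enclosing loop and `if` begin before the hunk and the `if` body continues past it.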
diff --git a/hive-agent/src/main/java/org/apache/ranger/services/hive/RangerServiceHive.java b/hive-agent/src/main/java/org/apache/ranger/services/hive/RangerServiceHive.java
index dc6ba63..dbec221 100644
--- a/hive-agent/src/main/java/org/apache/ranger/services/hive/RangerServiceHive.java
+++ b/hive-agent/src/main/java/org/apache/ranger/services/hive/RangerServiceHive.java
@@ -36,6 +36,7 @@
import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.services.hive.client.HiveResourceMgr;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -49,6 +50,7 @@
public static final String RESOURCE_COLUMN = "column";
public static final String ACCESS_TYPE_CREATE = "create";
public static final String ACCESS_TYPE_SELECT = "select";
+ public static final String ACCESS_TYPE_READ = "read";
public static final String ACCESS_TYPE_ALL = "all";
public static final String WILDCARD_ASTERISK = "*";
@@ -124,6 +126,14 @@
for (RangerPolicy defaultPolicy : ret) {
final Map<String, RangerPolicyResource> policyResources = defaultPolicy.getResources();
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_READ)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+
if (policyResources.size() == 1 && hasWildcardAsteriskResource(policyResources, RESOURCE_DATABASE)) { // policy for all databases
RangerPolicyItem policyItemPublic = new RangerPolicyItem();
diff --git a/knox-agent/src/main/java/org/apache/ranger/services/knox/RangerServiceKnox.java b/knox-agent/src/main/java/org/apache/ranger/services/knox/RangerServiceKnox.java
index b72e776..5ca7fcd 100644
--- a/knox-agent/src/main/java/org/apache/ranger/services/knox/RangerServiceKnox.java
+++ b/knox-agent/src/main/java/org/apache/ranger/services/knox/RangerServiceKnox.java
@@ -19,21 +19,27 @@
package org.apache.ranger.services.knox;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.services.knox.client.KnoxResourceMgr;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
public class RangerServiceKnox extends RangerBaseService {
private static final Log LOG = LogFactory.getLog(RangerServiceKnox.class);
+ public static final String ACCESS_TYPE_ALLOW = "allow";
public RangerServiceKnox() {
super();
@@ -66,6 +72,29 @@
}
@Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceKnox.getDefaultRangerPolicies()");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_ALLOW)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceKnox.getDefaultRangerPolicies()");
+ }
+ return ret;
+ }
+
+ @Override
public List<String> lookupResource(ResourceLookupContext context) throws Exception {
List<String> ret = new ArrayList<String>();
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
index 77a626e..e6b8456 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
@@ -155,8 +155,10 @@
List<RangerPolicy> ret = super.getDefaultRangerPolicies();
String adminUser = getStringConfig("atlas.admin.user", ADMIN_USERNAME_DEFAULT);
String tagSyncUser = getStringConfig("atlas.rangertagsync.user", TAGSYNC_USERNAME_DEFAULT);
+
boolean relationshipTypeAllowPublic = getBooleanConfig("atlas.default-policy.relationship-type.allow.public", true);
+
for (RangerPolicy defaultPolicy : ret) {
final Map<String, RangerPolicyResource> policyResources = defaultPolicy.getResources();
@@ -185,6 +187,15 @@
}
}
+ if (defaultPolicy.getName().contains("all")
+ && policyResources.containsKey(RangerServiceAtlas.RESOURCE_ENTITY_TYPE)
+ && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_ENTITY_READ)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
}
//4.add new policy for public group with entity-read, entity-create, entity-update, entity-delete for __AtlasUserProfile, __AtlasUserSavedSearch entity type
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
index cf5da97..4e7163a 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
@@ -19,12 +19,15 @@
package org.apache.ranger.services.kafka;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.service.RangerBaseService;
@@ -38,6 +41,7 @@
public class RangerServiceKafka extends RangerBaseService {
private static final Log LOG = LogFactory.getLog(RangerServiceKafka.class);
+ public static final String ACCESS_TYPE_CONSUME = "consume";
public RangerServiceKafka() {
super();
@@ -120,6 +124,16 @@
}
}
}
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(
+ new RangerPolicyItemAccess(ACCESS_TYPE_CONSUME)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerServiceKafka.getDefaultRangerPolicies() ");
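Review bot: `consume` on every topic lets the lookup account read message data cluster-wide, which is broader than enumerating topics needs; if the Kafka service-def's `describe` access type is what the Kafka lookup client actually requires, grant that instead (`new RangerPolicyItemAccess("describe")`) — confirm against the lookup client before settling on `ACCESS_TYPE_CONSUME`. The new `for` loop walks `ret` a second time immediately after the block that closes just above it; if that block is the existing per-policy loop, folding the lookup-user branch into it avoids the double pass. The enclosing method starts before the hunk.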
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
index 96ab449..d33d608 100644
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
@@ -18,6 +18,7 @@
package org.apache.ranger.services.kms;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -25,6 +26,8 @@
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.services.kms.client.KMSResourceMgr;
@@ -39,6 +42,7 @@
public static final String ACCESS_TYPE_DECRYPT_EEK = "decrypteek";
public static final String ACCESS_TYPE_GENERATE_EEK = "generateeek";
public static final String ACCESS_TYPE_GET_METADATA = "getmetadata";
+ public static final String ACCESS_TYPE_GET = "get";
public RangerServiceKMS() {
super();
@@ -124,6 +128,13 @@
}
for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_GET)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
List<RangerPolicy.RangerPolicyItem> policyItems = defaultPolicy.getPolicyItems();
for (RangerPolicy.RangerPolicyItem item : policyItems) {
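Review bot: `get` on all keys is, if I read the KMS service-def correctly, the access type for fetching key material (current key and key versions), which is more than a lookup account needs to enumerate key names; if the service-def's key-listing access type (`getkeys`) is what the KMS lookup client requires, that is the least-privilege grant here — confirm against the client before shipping `ACCESS_TYPE_GET`. The enclosing method and the loop begin before the hunk.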
diff --git a/plugin-nifi-registry/src/main/java/org/apache/ranger/services/nifi/registry/RangerServiceNiFiRegistry.java b/plugin-nifi-registry/src/main/java/org/apache/ranger/services/nifi/registry/RangerServiceNiFiRegistry.java
index 21587c7..7bcfb7b 100644
--- a/plugin-nifi-registry/src/main/java/org/apache/ranger/services/nifi/registry/RangerServiceNiFiRegistry.java
+++ b/plugin-nifi-registry/src/main/java/org/apache/ranger/services/nifi/registry/RangerServiceNiFiRegistry.java
@@ -18,13 +18,19 @@
*/
package org.apache.ranger.services.nifi.registry;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.services.nifi.registry.client.NiFiRegistryClient;
import org.apache.ranger.services.nifi.registry.client.NiFiRegistryConnectionMgr;
+import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
@@ -34,6 +40,35 @@
public class RangerServiceNiFiRegistry extends RangerBaseService {
private static final Log LOG = LogFactory.getLog(RangerServiceNiFiRegistry.class);
+ public static final String ACCESS_TYPE_READ = "read";
+ public static final String ACCESS_TYPE_WRITE = "write";
+ public static final String ACCESS_TYPE_DELETE = "delete";
+
+ @Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceNiFiRegistry.getDefaultRangerPolicies()");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ List<RangerPolicy.RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_READ));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_WRITE));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_DELETE));
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(accessListForLookupUser);
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceNiFiRegistry.getDefaultRangerPolicies()");
+ }
+ return ret;
+ }
@Override
public HashMap<String, Object> validateConfig() throws Exception {
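Review bot: The lookup user receives `write` and `delete` in addition to `read` on every NiFi Registry resource, and the NiFi hunk grants the same three; the lookup path is not visible here, but nothing in the commit suggests the account must modify resources, so unless the NiFi clients are known to need it these two grants should drop to `ACCESS_TYPE_READ` alone — confirm against the clients. With a single access the item becomes `policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_READ)));`, which also removes the `ArrayList` import and the unused `ACCESS_TYPE_WRITE`/`ACCESS_TYPE_DELETE` constants added in this commit.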
diff --git a/plugin-nifi/src/main/java/org/apache/ranger/services/nifi/RangerServiceNiFi.java b/plugin-nifi/src/main/java/org/apache/ranger/services/nifi/RangerServiceNiFi.java
index 4f38f42..376530d 100644
--- a/plugin-nifi/src/main/java/org/apache/ranger/services/nifi/RangerServiceNiFi.java
+++ b/plugin-nifi/src/main/java/org/apache/ranger/services/nifi/RangerServiceNiFi.java
@@ -18,13 +18,19 @@
*/
package org.apache.ranger.services.nifi;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.services.nifi.client.NiFiClient;
import org.apache.ranger.services.nifi.client.NiFiConnectionMgr;
+import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
@@ -34,6 +40,37 @@
public class RangerServiceNiFi extends RangerBaseService {
private static final Log LOG = LogFactory.getLog(RangerServiceNiFi.class);
+ public static final String ACCESS_TYPE_READ = "read";
+ public static final String ACCESS_TYPE_WRITE = "write";
+ public static final String ACCESS_TYPE_DELETE = "delete";
+
+ @Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceNiFi.getDefaultRangerPolicies()");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ List<RangerPolicy.RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_READ));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_WRITE));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_DELETE));
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(accessListForLookupUser);
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceNiFi.getDefaultRangerPolicies()");
+ }
+
+ return ret;
+ }
@Override
public HashMap<String, Object> validateConfig() throws Exception {
diff --git a/plugin-ozone/src/main/java/org/apache/ranger/services/ozone/RangerServiceOzone.java b/plugin-ozone/src/main/java/org/apache/ranger/services/ozone/RangerServiceOzone.java
index 25bffc4..e16b5db 100644
--- a/plugin-ozone/src/main/java/org/apache/ranger/services/ozone/RangerServiceOzone.java
+++ b/plugin-ozone/src/main/java/org/apache/ranger/services/ozone/RangerServiceOzone.java
@@ -19,17 +19,21 @@
package org.apache.ranger.services.ozone;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.client.HadoopException;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.services.ozone.client.OzoneResourceMgr;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -37,6 +41,13 @@
public class RangerServiceOzone extends RangerBaseService {
private static final Log LOG = LogFactory.getLog(RangerServiceOzone.class);
+ public static final String ACCESS_TYPE_READ = "read";
+ public static final String ACCESS_TYPE_WRITE = "write";
+ public static final String ACCESS_TYPE_CREATE = "create";
+ public static final String ACCESS_TYPE_LIST = "list";
+ public static final String ACCESS_TYPE_DELETE = "delete";
+ public static final String ACCESS_TYPE_ALL = "all";
+
public RangerServiceOzone() {
super();
@@ -102,6 +113,23 @@
List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ List<RangerPolicy.RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_READ));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_WRITE));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_CREATE));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_LIST));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_DELETE));
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_ALL));
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(accessListForLookupUser);
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
+
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerServiceOzone.getDefaultRangerPolicies() : " + ret);
}
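Review bot: The lookup user is granted `all` together with `read`, `write`, `create`, `list` and `delete` on every Ozone volume, bucket and key, which is the full-privilege grant this commit sets out to remove, and the five explicit entries are redundant once `all` is present. Enumerating volumes and buckets should need only the read-type accesses; unless the Ozone lookup client is known to require more, reduce the list to `ACCESS_TYPE_READ` and `ACCESS_TYPE_LIST` and drop the now-unused `ACCESS_TYPE_WRITE`, `ACCESS_TYPE_CREATE`, `ACCESS_TYPE_DELETE` and `ACCESS_TYPE_ALL` constants from the earlier hunk. The enclosing method starts before the hunk.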
diff --git a/plugin-solr/src/main/java/org/apache/ranger/services/solr/RangerServiceSolr.java b/plugin-solr/src/main/java/org/apache/ranger/services/solr/RangerServiceSolr.java
index 6477af7..eb567b1 100644
--- a/plugin-solr/src/main/java/org/apache/ranger/services/solr/RangerServiceSolr.java
+++ b/plugin-solr/src/main/java/org/apache/ranger/services/solr/RangerServiceSolr.java
@@ -19,22 +19,28 @@
package org.apache.ranger.services.solr;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.services.solr.client.ServiceSolrClient;
import org.apache.ranger.services.solr.client.ServiceSolrConnectionMgr;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
public class RangerServiceSolr extends RangerBaseService {
private static final Log LOG = LogFactory.getLog(RangerServiceSolr.class);
+ public static final String ACCESS_TYPE_QUERY = "query";
public RangerServiceSolr() {
super();
@@ -46,6 +52,29 @@
}
@Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceSolr.getDefaultRangerPolicies()");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_QUERY)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceSolr.getDefaultRangerPolicies()");
+ }
+ return ret;
+ }
+
+ @Override
public Map<String, Object> validateConfig() throws Exception {
Map<String, Object> ret = new HashMap<String, Object>();
String serviceName = getServiceName();
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
index 3e9dfbc..c1b60c0 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
@@ -18,6 +18,7 @@
package org.apache.ranger.services.yarn;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -26,16 +27,20 @@
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.services.yarn.client.YarnResourceMgr;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
public class RangerServiceYarn extends RangerBaseService {
private static final Log LOG = LogFactory.getLog(RangerServiceYarn.class);
+ public static final String ACCESS_TYPE_SUBMIT_APP = "submit-app";
public RangerServiceYarn() {
super();
@@ -102,6 +107,15 @@
for (RangerPolicy defaultPolicy : ret) {
if(defaultPolicy.getName().contains("all")){
RangerPolicy.RangerPolicyResource queuePolicyResource = defaultPolicy.getResources().get(queueResourceName);
+
+ if (StringUtils.isNotBlank(lookUpUser)) {
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_SUBMIT_APP)));
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+
if (queuePolicyResource != null) {
List<RangerServiceDef.RangerResourceDef> resourceDefs = serviceDef.getResources();
RangerServiceDef.RangerResourceDef queueResourceDef = null;
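Review bot: `submit-app` lets the lookup account submit applications to every queue, an execution right rather than a read right; queue enumeration through the YARN scheduler REST endpoint is, as far as I know, not gated by queue ACLs, so this grant may be unnecessary — confirm with the YARN lookup client, and if so drop the `if (StringUtils.isNotBlank(lookUpUser))` block here rather than hand a service account submit rights cluster-wide. The enclosing loop and `if` begin before the hunk and continue past it.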