Google Git
Sign in
apache / ranger / b4c32849245b40d100a583b0b214a69f9b678a44 / . / security-admin / src / main / java / org / apache / ranger / biz / PolicyRefUpdater.java
blob: 318f9f5053980d0667e7d8b3ea146aaf49575286 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.ranger.biz;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXAccessTypeDef;
import org.apache.ranger.entity.XXDataMaskTypeDef;
import org.apache.ranger.entity.XXGroup;
import org.apache.ranger.entity.XXPolicy;
import org.apache.ranger.entity.XXPolicyConditionDef;
import org.apache.ranger.entity.XXPolicyRefAccessType;
import org.apache.ranger.entity.XXPolicyRefCondition;
import org.apache.ranger.entity.XXPolicyRefDataMaskType;
import org.apache.ranger.entity.XXPolicyRefGroup;
import org.apache.ranger.entity.XXPolicyRefResource;
import org.apache.ranger.entity.XXPolicyRefRole;
import org.apache.ranger.entity.XXPolicyRefUser;
import org.apache.ranger.entity.XXResourceDef;
import org.apache.ranger.entity.XXRole;
import org.apache.ranger.entity.XXServiceDef;
import org.apache.ranger.entity.XXUser;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.service.XUserService;
import org.apache.ranger.view.VXGroup;
import org.apache.ranger.view.VXUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@Component
public class PolicyRefUpdater {
private static final Log LOG = LogFactory.getLog(PolicyRefUpdater.class);
@Autowired
RangerDaoManager daoMgr;
@Autowired
XUserMgr xUserMgr;
@Autowired
XUserService xUserService;
@Autowired
RoleDBStore roleStore;
public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef) throws Exception {
if(policy == null) {
return;
}
cleanupRefTables(policy);
final Set<String> resourceNames = policy.getResources().keySet();
final Set<String> roleNames = new HashSet<>();
final Set<String> groupNames = new HashSet<>();
final Set<String> userNames = new HashSet<>();
final Set<String> accessTypes = new HashSet<>();
final Set<String> conditionTypes = new HashSet<>();
final Set<String> dataMaskTypes = new HashSet<>();
boolean oldBulkMode = RangerBizUtil.isBulkMode();
List<RangerPolicy.RangerPolicyItemCondition> rangerPolicyConditions = policy.getConditions();
if (CollectionUtils.isNotEmpty(rangerPolicyConditions)) {
for (RangerPolicy.RangerPolicyItemCondition condition : rangerPolicyConditions) {
conditionTypes.add(condition.getType());
}
}
for (List<? extends RangerPolicyItem> policyItems : getAllPolicyItems(policy)) {
if (CollectionUtils.isEmpty(policyItems)) {
continue;
}
for (RangerPolicyItem policyItem : policyItems) {
roleNames.addAll(policyItem.getRoles());
groupNames.addAll(policyItem.getGroups());
userNames.addAll(policyItem.getUsers());
if (CollectionUtils.isNotEmpty(policyItem.getAccesses())) {
for (RangerPolicyItemAccess access : policyItem.getAccesses()) {
accessTypes.add(access.getType());
}
}
if (CollectionUtils.isNotEmpty(policyItem.getConditions())) {
for (RangerPolicyItemCondition condition : policyItem.getConditions()) {
conditionTypes.add(condition.getType());
}
}
if (policyItem instanceof RangerDataMaskPolicyItem) {
RangerPolicyItemDataMaskInfo dataMaskInfo = ((RangerDataMaskPolicyItem) policyItem).getDataMaskInfo();
dataMaskTypes.add(dataMaskInfo.getDataMaskType());
}
}
}
List<XXPolicyRefResource> xPolResources = new ArrayList<>();
for (String resource : resourceNames) {
XXResourceDef xResDef = daoMgr.getXXResourceDef().findByNameAndPolicyId(resource, policy.getId());
if (xResDef == null) {
throw new Exception(resource + ": is not a valid resource-type. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
}
XXPolicyRefResource xPolRes = new XXPolicyRefResource();
xPolRes.setPolicyId(policy.getId());
xPolRes.setResourceDefId(xResDef.getId());
xPolRes.setResourceName(resource);
xPolResources.add(xPolRes);
}
daoMgr.getXXPolicyRefResource().batchCreate(xPolResources);
List<XXPolicyRefRole> xPolRoles = new ArrayList<>();
for (String role : roleNames) {
if (StringUtils.isBlank(role)) {
continue;
}
XXRole xRole = daoMgr.getXXRole().findByRoleName(role);
Long roleId = null;
if (xRole != null) {
roleId = xRole.getId();
}
else {
RangerBizUtil.setBulkMode(false);
roleId = createRoleForPolicy(role);
}
XXPolicyRefRole xPolRole = new XXPolicyRefRole();
xPolRole.setPolicyId(policy.getId());
xPolRole.setRoleId(roleId);
xPolRole.setRoleName(role);
xPolRoles.add(xPolRole);
}
RangerBizUtil.setBulkMode(oldBulkMode);
daoMgr.getXXPolicyRefRole().batchCreate(xPolRoles);
List<XXPolicyRefGroup> xPolGroups = new ArrayList<>();
for (String group : groupNames) {
if (StringUtils.isBlank(group)) {
continue;
}
XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(group);
Long groupId = null;
if (xGroup != null) {
groupId = xGroup.getId();
}
else {
RangerBizUtil.setBulkMode(false);
groupId = createGroupForPolicy(group);
}
XXPolicyRefGroup xPolGroup = new XXPolicyRefGroup();
xPolGroup.setPolicyId(policy.getId());
xPolGroup.setGroupId(groupId);
xPolGroup.setGroupName(group);
xPolGroups.add(xPolGroup);
}
RangerBizUtil.setBulkMode(oldBulkMode);
daoMgr.getXXPolicyRefGroup().batchCreate(xPolGroups);
List<XXPolicyRefUser> xPolUsers = new ArrayList<>();
for (String user : userNames) {
if (StringUtils.isBlank(user)) {
continue;
}
XXUser xUser = daoMgr.getXXUser().findByUserName(user);
Long userId = null;
if(xUser != null){
userId = xUser.getId();
}
else {
RangerBizUtil.setBulkMode(false);
userId = createUserForPolicy(user);
}
XXPolicyRefUser xPolUser = new XXPolicyRefUser();
xPolUser.setPolicyId(policy.getId());
xPolUser.setUserId(userId);
xPolUser.setUserName(user);
xPolUsers.add(xPolUser);
}
RangerBizUtil.setBulkMode(oldBulkMode);
daoMgr.getXXPolicyRefUser().batchCreate(xPolUsers);
List<XXPolicyRefAccessType> xPolAccesses = new ArrayList<>();
for (String accessType : accessTypes) {
XXAccessTypeDef xAccTypeDef = daoMgr.getXXAccessTypeDef().findByNameAndServiceId(accessType, xPolicy.getService());
if (xAccTypeDef == null) {
throw new Exception(accessType + ": is not a valid access-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
}
XXPolicyRefAccessType xPolAccess = new XXPolicyRefAccessType();
xPolAccess.setPolicyId(policy.getId());
xPolAccess.setAccessDefId(xAccTypeDef.getId());
xPolAccess.setAccessTypeName(accessType);
xPolAccesses.add(xPolAccess);
}
daoMgr.getXXPolicyRefAccessType().batchCreate(xPolAccesses);
List<XXPolicyRefCondition> xPolConds = new ArrayList<>();
for (String condition : conditionTypes) {
XXPolicyConditionDef xPolCondDef = daoMgr.getXXPolicyConditionDef().findByServiceDefIdAndName(xServiceDef.getId(), condition);
if (xPolCondDef == null) {
throw new Exception(condition + ": is not a valid condition-type. policy='"+ xPolicy.getName() + "' service='"+ xPolicy.getService() + "'");
}
XXPolicyRefCondition xPolCond = new XXPolicyRefCondition();
xPolCond.setPolicyId(policy.getId());
xPolCond.setConditionDefId(xPolCondDef.getId());
xPolCond.setConditionName(condition);
xPolConds.add(xPolCond);
}
daoMgr.getXXPolicyRefCondition().batchCreate(xPolConds);
List<XXPolicyRefDataMaskType> xxDataMaskInfos = new ArrayList<>();
for (String dataMaskType : dataMaskTypes ) {
XXDataMaskTypeDef dataMaskDef = daoMgr.getXXDataMaskTypeDef().findByNameAndServiceId(dataMaskType, xPolicy.getService());
if (dataMaskDef == null) {
throw new Exception(dataMaskType + ": is not a valid datamask-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
}
XXPolicyRefDataMaskType xxDataMaskInfo = new XXPolicyRefDataMaskType();
xxDataMaskInfo.setPolicyId(policy.getId());
xxDataMaskInfo.setDataMaskDefId(dataMaskDef.getId());
xxDataMaskInfo.setDataMaskTypeName(dataMaskType);
xxDataMaskInfos.add(xxDataMaskInfo);
}
daoMgr.getXXPolicyRefDataMaskType().batchCreate(xxDataMaskInfos);
}
private Long createUserForPolicy(String user) {
LOG.warn("User specified in policy does not exist in ranger admin, creating new user, User = " + user);
VXUser vxUser = new VXUser();
vxUser.setName(user);
vxUser.setDescription(user);
vxUser.setUserSource(1);
vxUser.setPassword(user+"12345");
vxUser.setUserRoleList(Arrays.asList("ROLE_USER"));
VXUser createdXUser= xUserMgr.createXUser(vxUser);
return createdXUser.getId();
}
private Long createGroupForPolicy(String group) {
LOG.warn("Group specified in policy does not exist in ranger admin, creating new group, Group = " + group);
VXGroup vxGroup = new VXGroup();
vxGroup.setName(group);
VXGroup vxGroupCreated= xUserMgr.createXGroup(vxGroup);
return vxGroupCreated.getId();
}
private Long createRoleForPolicy(String role) throws Exception {
LOG.warn("Role specified in policy does not exist in ranger admin, creating new role = " + role);
RangerRole rRole = new RangerRole(role, null, null, null, null);
xUserMgr.checkAdminAccess();
RangerRole createdRole= roleStore.createRole(rRole);
return createdRole.getId();
}
public Boolean cleanupRefTables(RangerPolicy policy) {
final Long policyId = policy == null ? null : policy.getId();
if (policyId == null) {
return false;
}
daoMgr.getXXPolicyRefResource().deleteByPolicyId(policyId);
daoMgr.getXXPolicyRefRole().deleteByPolicyId(policyId);
daoMgr.getXXPolicyRefGroup().deleteByPolicyId(policyId);
daoMgr.getXXPolicyRefUser().deleteByPolicyId(policyId);
daoMgr.getXXPolicyRefAccessType().deleteByPolicyId(policyId);
daoMgr.getXXPolicyRefCondition().deleteByPolicyId(policyId);
daoMgr.getXXPolicyRefDataMaskType().deleteByPolicyId(policyId);
return true;
}
static List<List<? extends RangerPolicyItem>> getAllPolicyItems(RangerPolicy policy) {
List<List<? extends RangerPolicyItem>> ret = new ArrayList<>();
if (CollectionUtils.isNotEmpty(policy.getPolicyItems())) {
ret.add(policy.getPolicyItems());
}
if (CollectionUtils.isNotEmpty(policy.getDenyPolicyItems())) {
ret.add(policy.getDenyPolicyItems());
}
if (CollectionUtils.isNotEmpty(policy.getAllowExceptions())) {
ret.add(policy.getAllowExceptions());
}
if (CollectionUtils.isNotEmpty(policy.getDenyExceptions())) {
ret.add(policy.getDenyExceptions());
}
if (CollectionUtils.isNotEmpty(policy.getDataMaskPolicyItems())) {
ret.add(policy.getDataMaskPolicyItems());
}
if (CollectionUtils.isNotEmpty(policy.getRowFilterPolicyItems())) {
ret.add(policy.getRowFilterPolicyItems());
}
return ret;
}
}