ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mad...@apache.org
Subject [24/27] incubator-ranger git commit: - RangerAccessResult updated to support Allowed/Denied/PartiallyDenied result
Date Wed, 07 Jan 2015 19:32:23 GMT
- RangerAccessResult updated to support Allowed/Denied/PartiallyDenied
result


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/3c52e0ed
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/3c52e0ed
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/3c52e0ed

Branch: refs/heads/stack
Commit: 3c52e0ed8a29fcdbb9d7c8e145a0a42580e20a29
Parents: 59417d3
Author: Madhan Neethiraj <madhan@apache.org>
Authored: Thu Jan 1 23:58:22 2015 -0800
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Wed Jan 7 11:18:37 2015 -0800

----------------------------------------------------------------------
 .../plugin/policyengine/RangerAccessResult.java |  60 +++++--
 .../plugin/policyengine/RangerPolicyEngine.java |   7 +-
 .../policyengine/RangerPolicyEngineImpl.java    | 176 ++++++++++++-------
 .../RangerDefaultPolicyEvaluator.java           |   3 +-
 4 files changed, 159 insertions(+), 87 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3c52e0ed/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index 0735bd2..3c04139 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -21,24 +21,27 @@ package org.apache.ranger.plugin.policyengine;
 
 
 public class RangerAccessResult {
-	private RangerAccessRequest request;
-	private boolean             isAllowed;
-	private boolean             isAudited;
-	private long                policyId;
-	private String              reason;
+	public enum Result { ALLOWED, DENIED, PARTIALLY_DENIED };
+
+	private RangerAccessRequest request        = null;
+	private Result              result         = null;
+	private RangerResource      deniedResource = null;
+	private boolean             isAudited      = false;
+	private long                policyId       = -1;
+	private String              reason         = null;
 
 
 	public RangerAccessResult(RangerAccessRequest request) {
-		this(request, false, false, -1, null);
+		this(request, Result.DENIED, false, -1, null);
 	}
 
-	public RangerAccessResult(RangerAccessRequest request, boolean isAllowed, boolean isAudited)
{
-		this(request, isAllowed, isAudited, -1, null);
+	public RangerAccessResult(RangerAccessRequest request, Result result, boolean isAudited)
{
+		this(request, result, isAudited, -1, null);
 	}
 
-	public RangerAccessResult(RangerAccessRequest request, boolean isAllowed, boolean isAudited,
long policyId, String reason) {
+	public RangerAccessResult(RangerAccessRequest request, Result result, boolean isAudited,
long policyId, String reason) {
 		this.request   = request;
-		this.isAllowed = isAllowed;
+		this.result    = result;
 		this.isAudited = isAudited;
 		this.policyId  = policyId;
 		this.reason    = reason;
@@ -52,17 +55,31 @@ public class RangerAccessResult {
 	}
 
 	/**
-	 * @return the isAllowed
+	 * @return the result
+	 */
+	public Result getResult() {
+		return result;
+	}
+
+	/**
+	 * @param result the result to set
 	 */
-	public boolean isAllowed() {
-		return isAllowed;
+	public void setResult(Result result) {
+		this.result = result;
 	}
 
 	/**
-	 * @param isAllowed the isAllowed to set
+	 * @return the deniedResource
 	 */
-	public void setAllowed(boolean isAllowed) {
-		this.isAllowed = isAllowed;
+	public RangerResource getDeniedResource() {
+		return deniedResource;
+	}
+
+	/**
+	 * @param deniedResource the deniedResource to set
+	 */
+	public void setDeniedResource(RangerResource deniedResource) {
+		this.deniedResource = deniedResource;
 	}
 
 	/**
@@ -107,6 +124,14 @@ public class RangerAccessResult {
 		this.reason = reason;
 	}
 
+	public void addDeniedResource(String resourceType, String resourceValue) {
+		if(deniedResource == null) {
+			deniedResource = new RangerResourceImpl();
+		}
+		
+		((RangerResourceImpl)deniedResource).addElement(resourceType, resourceValue);
+	}
+
 	@Override
 	public String toString( ) {
 		StringBuilder sb = new StringBuilder();
@@ -120,7 +145,8 @@ public class RangerAccessResult {
 		sb.append("RangerAccessResult={");
 
 		sb.append("request={").append(request).append("} ");
-		sb.append("isAllowed={").append(isAllowed).append("} ");
+		sb.append("result={").append(result).append("} ");
+		sb.append("deniedResource={").append(deniedResource).append("} ");
 		sb.append("isAudited={").append(isAudited).append("} ");
 		sb.append("policyId={").append(policyId).append("} ");
 		sb.append("reason={").append(reason).append("} ");

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3c52e0ed/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index cf2a5f3..271e190 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -21,10 +21,15 @@ package org.apache.ranger.plugin.policyengine;
 
 import java.util.List;
 
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+
 public interface RangerPolicyEngine {
+	void setPolicies(RangerServiceDef serviceDef, List<RangerPolicy> policies);
+
 	RangerAccessResult isAccessAllowed(RangerAccessRequest request);
 
-	void isAccessAllowed(List<RangerAccessRequest> requests, List<RangerAccessResult>
results);
+	List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests);
 
 	void auditAccess(RangerAccessResult result);
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3c52e0ed/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index b2324c5..33b2ec7 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -20,130 +20,118 @@
 package org.apache.ranger.plugin.policyengine;
 
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.List;
-import java.util.Map;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.manager.ServiceDefManager;
 import org.apache.ranger.plugin.manager.ServiceManager;
 import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult.Result;
+import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 
 
 public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 	private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class);
 
-	private String                      svcName          = null;
 	private List<RangerPolicyEvaluator> policyEvaluators = null;
 
 
 	public RangerPolicyEngineImpl() {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerPolicyEngine()");
+			LOG.debug("==> RangerPolicyEngineImpl()");
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerPolicyEngine()");
+			LOG.debug("<== RangerPolicyEngineImpl()");
 		}
 	}
 	
-	public void init(String serviceName) throws Exception {
+	@Override
+	public void setPolicies(RangerServiceDef serviceDef, List<RangerPolicy> policies)
{
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerPolicyEngine.init(" + serviceName + ")");
+			LOG.debug("==> RangerPolicyEngineImpl.setPolicies(" + serviceDef + ", " + policies
+ ")");
 		}
 
-		svcName          = serviceName;
-		policyEvaluators = new ArrayList<RangerPolicyEvaluator>();
-
-		ServiceManager svcMgr  = new ServiceManager();
-		RangerService  service = svcMgr.getByName(svcName);
-
-		if(service == null) {
-			LOG.error(svcName + ": service not found");
-		} else {
-			ServiceDefManager sdMgr = new ServiceDefManager();
-
-			RangerServiceDef serviceDef = sdMgr.getByName(service.getType());
-
-			if(serviceDef == null) {
-				String msg = service.getType() + ": service-def not found";
-
-				LOG.error(msg);
-
-				throw new Exception(msg);
-			}
+		if(serviceDef != null && policies != null) {
+			List<RangerPolicyEvaluator> evaluators = new ArrayList<RangerPolicyEvaluator>();
 
-			List<RangerPolicy> policies = svcMgr.getPolicies(service.getId());
-			
-			if(policies != null) {
-				for(RangerPolicy policy : policies) {
-					RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef);
+			for(RangerPolicy policy : policies) {
+				RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef);
 
-					if(evaluator != null) {
-						policyEvaluators.add(evaluator);
-					}
+				if(evaluator != null) {
+					evaluators.add(evaluator);
 				}
 			}
-
-			if(LOG.isDebugEnabled()) {
-				LOG.debug("found " + (policyEvaluators == null ? 0 : policyEvaluators.size()) + " policies
in service '" + svcName + "'");
-			}
+			
+			this.policyEvaluators = evaluators;
+		} else {
+			LOG.error("RangerPolicyEngineImpl.setPolicies(): invalid arguments - null serviceDef/policies");
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerPolicyEngine.init(" + serviceName + ")");
+			LOG.debug("<== RangerPolicyEngineImpl.setPolicies(" + serviceDef + ", " + policies
+ ")");
 		}
 	}
 
-	private RangerPolicyEvaluator getPolicyEvaluator(RangerPolicy policy, RangerServiceDef serviceDef)
{
-		RangerPolicyEvaluator ret = null;
-
-		// TODO: instantiate policy-matcher
-
-		return ret;
-	}
-
 	@Override
 	public RangerAccessResult isAccessAllowed(RangerAccessRequest request) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + request + ")");
+		}
+
 		RangerAccessResult ret = null;
 
-		for(RangerPolicyEvaluator evaluator : policyEvaluators) {
-			ret = evaluator.evaluate(request);
-			
-			if(ret != null) {
-				break;
+		List<RangerPolicyEvaluator> evaluators = policyEvaluators;
+
+		if(request != null && evaluators != null) {
+			for(RangerPolicyEvaluator evaluator : evaluators) {
+				ret = evaluator.evaluate(request);
+
+				if(ret != null) {
+					break;
+				}
 			}
 		}
 
 		if(ret == null) {
 			ret = new RangerAccessResult(request);
 
-			ret.setAllowed(Boolean.FALSE);
+			ret.setResult(Result.DENIED);
 			ret.setAudited(Boolean.FALSE);
 		}
 
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + request + "): " + ret);
+		}
+
 		return ret;
 	}
 
 	@Override
-	public void isAccessAllowed(List<RangerAccessRequest> requests, List<RangerAccessResult>
results) {
-		if(requests != null && results != null) {
-			results.clear();
-
-			for(int i = 0; i < requests.size(); i++) {
-				RangerAccessRequest request = requests.get(i);
-				RangerAccessResult  result  = isAccessAllowed(request);
-				
-				results.add(result);
+	public List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests)
{
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + requests + ")");
+		}
+		
+		List<RangerAccessResult> ret = new ArrayList<RangerAccessResult>();
+
+		if(requests != null) {
+			for(RangerAccessRequest request : requests) {
+				RangerAccessResult result = isAccessAllowed(request);
+
+				ret.add(result);
 			}
 		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + requests + "): " + ret);
+		}
+
+		return ret;
 	}
 
 	@Override
@@ -158,6 +146,60 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 		
 	}
 
+	public void init(String svcName) throws Exception {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerPolicyEngineImpl.init(" + svcName + ")");
+		}
+
+		ServiceManager    svcMgr = new ServiceManager();
+		ServiceDefManager sdMgr  = new ServiceDefManager();
+
+		RangerServiceDef   serviceDef = null;
+		List<RangerPolicy> policies   = null;
+
+		RangerService  service = svcMgr.getByName(svcName);
+
+		if(service == null) {
+			String msg = svcName + ": service not found";
+
+			LOG.error(msg);
+
+			throw new Exception(msg);
+		} else {
+			serviceDef = sdMgr.getByName(service.getType());
+
+			if(serviceDef == null) {
+				String msg = service.getType() + ": service-def not found";
+
+				LOG.error(msg);
+
+				throw new Exception(msg);
+			}
+
+			policies = svcMgr.getPolicies(service.getId());
+
+			if(LOG.isDebugEnabled()) {
+				LOG.debug("RangerPolicyEngineImpl.init(): found " + (policyEvaluators == null ? 0 : policyEvaluators.size())
+ " policies in service '" + svcName + "'");
+			}
+		}
+
+		setPolicies(serviceDef, policies);
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerPolicyEngineImpl.init(" + svcName + ")");
+		}
+	}
+
+	private RangerPolicyEvaluator getPolicyEvaluator(RangerPolicy policy, RangerServiceDef serviceDef)
{
+		RangerPolicyEvaluator ret = null;
+
+		ret = new RangerDefaultPolicyEvaluator(); // TODO: configurable evaluator class?
+
+		ret.init(policy, serviceDef);
+
+		return ret;
+	}
+
 	@Override
 	public String toString( ) {
 		StringBuilder sb = new StringBuilder();
@@ -170,8 +212,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 	public StringBuilder toString(StringBuilder sb) {
 		sb.append("RangerPolicyEngineImpl={");
 
-		sb.append("svcName={").append(svcName).append("} ");
-
 		sb.append("policyEvaluators={");
 		if(policyEvaluators != null) {
 			for(RangerPolicyEvaluator policyEvaluator : policyEvaluators) {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3c52e0ed/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 2e7d691..28cca2e 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -35,6 +35,7 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult.Result;
 import org.apache.ranger.plugin.policyengine.RangerResource;
 import org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher;
 import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
@@ -95,7 +96,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 							ret = new RangerAccessResult(request);
 
 							ret.setPolicyId(policy.getId());
-							ret.setAllowed(access.getIsAllowed());
+							ret.setResult(access.getIsAllowed() ? Result.ALLOWED : Result.DENIED);
 							ret.setAudited(access.getIsAudited());
 
 							break;


Mime
View raw message