From mad...@apache.org
Subject incubator-ranger git commit: RANGER-203: policy-download implementation updated to: 1) generate audit 2) return 302 when no changes were found. policy-search updated to use wildcards specified in policy.
Date Thu, 05 Feb 2015 23:18:37 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/stack 145fe6d6e -> 1f0dccadf


RANGER-203: policy-download implementation updated to: 1) generate audit
2) return 302 when no changes were found. policy-search updated to use
wildcards specified in policy.

Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/1f0dccad
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/1f0dccad
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/1f0dccad

Branch: refs/heads/stack
Commit: 1f0dccadf28fe86ae075abde8dbdf3426ce6e6d6
Parents: 145fe6d
Author: Madhan Neethiraj <madhan@apache.org>
Authored: Thu Feb 5 15:18:18 2015 -0800
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Thu Feb 5 15:18:18 2015 -0800

----------------------------------------------------------------------
 .../RangerDefaultPolicyEvaluator.java           | 22 ++++----
 .../RangerAbstractResourceMatcher.java          |  2 +-
 .../plugin/store/file/ServiceFileStore.java     | 20 +++----
 .../plugin/store/rest/ServiceRESTStore.java     |  2 +
 .../ranger/plugin/util/PolicyRefresher.java     |  8 +--
 .../ranger/plugin/util/ServicePolicies.java     | 26 ++++-----
 .../ranger/plugin/store/TestServiceStore.java   |  3 +-
 .../org/apache/ranger/rest/ServiceREST.java     | 55 +++++++++++++++++---
 8 files changed, 89 insertions(+), 49 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index cc1ee1e..17fcc5e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -312,36 +312,32 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 		return ret;
 	}
 
-	protected RangerResourceMatcher createResourceMatcher(RangerResourceDef resourceDef, RangerPolicyResource
resource) {
+	protected static RangerResourceMatcher createResourceMatcher(RangerResourceDef resourceDef,
RangerPolicyResource resource) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerDefaultPolicyEvaluator.createResourceMatcher(" + resourceDef +
", " + resource + ")");
 		}
 
 		RangerResourceMatcher ret = null;
 
+		String resName = resourceDef != null ? resourceDef.getName() : null;
 		String clsName = resourceDef != null ? resourceDef.getMatcher() : null;
 		String options = resourceDef != null ? resourceDef.getMatcherOptions() : null;
 
-		if(StringUtils.isEmpty(clsName)) {
-			ret = new RangerDefaultResourceMatcher();
-		} else {
+		if(! StringUtils.isEmpty(clsName)) {
 			try {
 				@SuppressWarnings("unchecked")
 				Class<RangerResourceMatcher> matcherClass = (Class<RangerResourceMatcher>)Class.forName(clsName);
 
 				ret = matcherClass.newInstance();
-			} catch(ClassNotFoundException excp) {
-				// TODO: ERROR
-				excp.printStackTrace();
-			} catch (InstantiationException excp) {
-				// TODO: ERROR
-				excp.printStackTrace();
-			} catch (IllegalAccessException excp) {
-				// TODO: ERROR
-				excp.printStackTrace();
+			} catch(Exception excp) {
+				LOG.error("failed to instantiate resource matcher '" + clsName + "' for '" + resName
+ "'. Default resource matcher will be used", excp);
 			}
 		}
 
+		if(ret == null) {
+			ret = new RangerDefaultResourceMatcher();
+		}
+		
 		if(ret != null) {
 			ret.init(resourceDef, resource,  options);
 		}
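Review bot: Falling back to RangerDefaultResourceMatcher when the configured matcher cannot be loaded means the policy is evaluated with matching semantics its service-def did not ask for, and the only signal is one LOG.error line. In an authorization path it is safer to fail closed (propagate the failure so the policy is rejected or skipped) than to substitute a different matcher; how callers would handle that is not visible in this hunk. The widened `catch(Exception excp)` also absorbs the ClassCastException raised when `clsName` names a class that is not a RangerResourceMatcher, after its constructor has already run; `Class.forName(clsName).asSubclass(RangerResourceMatcher.class)` rejects such a class before it is instantiated. With the new `if(ret == null)` block the following `if(ret != null)` test is always true. The method starts and ends outside this hunk.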

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
index 9fb248a..3da7198 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -173,7 +173,7 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
 		return ret;
 	}
 
-	public String getWildCardPattern(String policyValue) {
+	public static String getWildCardPattern(String policyValue) {
 		if (policyValue != null) {
 			policyValue = policyValue.replaceAll("\\?", "\\.") 
 									 .replaceAll("\\*", ".*") ;
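Review bot: getWildCardPattern, as far as the lines visible here show, rewrites only `?` and `*` and passes every other character of the policy value into the regex unescaped, and this commit turns it into a public static helper that the policy-search hunk in ServiceFileStore feeds to `val.matches(...)`. With a constructed value such as `db.table` the `.` matches any character, and a value containing an unclosed `[` or `(` throws PatternSyntaxException out of the search loop. Quote the literal segments (for example with `Pattern.quote`) before substituting the wildcards, and add a comment on the method stating that its result is a regular expression meant for a full match. The method body continues past this hunk, so any escaping done further down is not visible.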

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
index b51c160..8ec38f5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
@@ -43,6 +43,7 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
+import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
 import org.apache.ranger.plugin.store.ServiceStore;
 import org.apache.ranger.plugin.util.SearchFilter;
 import org.apache.ranger.plugin.util.ServicePolicies;
@@ -707,6 +708,8 @@ public class ServiceFileStore extends BaseFileStore implements ServiceStore
{
 			LOG.debug("==> ServiceFileStore.getServicePoliciesIfUpdated(" + serviceName + ", "
+ lastKnownVersion + ")");
 		}
 
+		ServicePolicies ret = null;
+
 		RangerService service = getServiceByName(serviceName);
 
 		if(service == null) {
@@ -719,20 +722,19 @@ public class ServiceFileStore extends BaseFileStore implements ServiceStore
{
 			throw new Exception(service.getType() + ": unknown service-def)");
 		}
 
-		ServicePolicies ret = new ServicePolicies();
-		ret.setServiceId(service.getId());
-		ret.setServiceName(service.getName());
-		ret.setPolicyVersion(service.getPolicyVersion());
-		ret.setPolicyUpdateTime(service.getPolicyUpdateTime());
-		ret.setServiceDef(serviceDef);
-		ret.setPolicies(new ArrayList<RangerPolicy>());
-
 		if(lastKnownVersion == null || service.getPolicyVersion() == null || lastKnownVersion.longValue()
!= service.getPolicyVersion().longValue()) {
 			SearchFilter filter = new SearchFilter(SearchFilter.SERVICE_NAME, serviceName);
 
 			List<RangerPolicy> policies = getPolicies(filter);
 
+			ret = new ServicePolicies();
+
+			ret.setServiceId(service.getId());
+			ret.setServiceName(service.getName());
+			ret.setPolicyVersion(service.getPolicyVersion());
+			ret.setPolicyUpdateTime(service.getPolicyUpdateTime());
 			ret.setPolicies(policies);
+			ret.setServiceDef(serviceDef);
 		}
 
 		if(LOG.isDebugEnabled()) {
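Review bot: getServicePoliciesIfUpdated now returns null instead of an empty ServicePolicies when the version is unchanged, and nothing visible in this method documents that contract. Add a Javadoc line here and on the ServiceStore interface, such as `@return the current policies, or null when lastKnownVersion equals the service's policy version`, so that callers other than the ones updated in this commit do not dereference the result. The method starts before this hunk and ends after it.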
@@ -1555,7 +1557,7 @@ public class ServiceFileStore extends BaseFileStore implements ServiceStore
{
 									isMatch = true;
 								} else {
 									for(String policyResourceValue : policyResource.getValues()) {
-										if(policyResourceValue.contains(val)) { // TODO: consider match for wildcard in
policyResourceValue?
+										if(val.matches(RangerAbstractResourceMatcher.getWildCardPattern(policyResourceValue)))
{
 											isMatch = true;
 											break;
 										}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
b/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
index de2852b..dcdce10 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
@@ -577,6 +577,8 @@ public class ServiceRESTStore implements ServiceStore {
 
 		if(response != null && response.getStatus() == 200) {
 			ret = response.getEntity(ServicePolicies.class);
+		} else if(response != null && response.getStatus() == 304) {
+			// no change
 		} else {
 			RESTResponse resp = RESTResponse.fromClientResponse(response);
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
index 152309d..a814bfb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
@@ -138,11 +138,11 @@ public class PolicyRefresher extends Thread {
 			try {
 				ServicePolicies svcPolicies = serviceStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion);
 
-				long newVersion = (svcPolicies == null || svcPolicies.getPolicyVersion() == null) ? -1
: svcPolicies.getPolicyVersion().longValue();
-
-				boolean isUpdated = newVersion != -1 && lastKnownVersion != newVersion;
+				boolean isUpdated = svcPolicies != null;
 
 				if(isUpdated) {
+					long newVersion = svcPolicies.getPolicyVersion() == null ? -1 : svcPolicies.getPolicyVersion().longValue();
+
 		        	if(!StringUtils.equals(serviceName, svcPolicies.getServiceName())) {
 		        		LOG.warn("PolicyRefresher(serviceName=" + serviceName + "): ignoring unexpected
serviceName '" + svcPolicies.getServiceName() + "' in service-store");
 		        	}
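Review bot: `boolean isUpdated = svcPolicies != null;` drops the old guard against a response without a policy version, so a non-null ServicePolicies whose getPolicyVersion() is null is now applied with `newVersion` set to -1. If the lines outside this hunk store newVersion as lastKnownVersion, the plugin would then re-download on every cycle, and a store that returns an incomplete object could replace a good policy set. Keeping the version check, `boolean isUpdated = svcPolicies != null && svcPolicies.getPolicyVersion() != null;`, preserves the earlier behaviour. The surrounding run() body starts and ends outside the hunk.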
@@ -158,7 +158,7 @@ public class PolicyRefresher extends Thread {
 					policyEngine.setPolicies(serviceName, svcPolicies.getServiceDef(), svcPolicies.getPolicies());
 				} else {
 					if(LOG.isDebugEnabled()) {
-						LOG.debug("PolicyRefresher(serviceName=" + serviceName + ").run(): no update found.
lastKnownVersion=" + lastKnownVersion + "; newVersion=" + newVersion);
+						LOG.debug("PolicyRefresher(serviceName=" + serviceName + ").run(): no update found.
lastKnownVersion=" + lastKnownVersion);
 					}
 				}
 			} catch(Exception excp) {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
index f1c8adf..436a91a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
@@ -44,10 +44,10 @@ public class ServicePolicies implements java.io.Serializable {
 
 	private String             serviceName;
 	private Long               serviceId;
-	private RangerServiceDef   serviceDef;
 	private Long               policyVersion;
 	private Date               policyUpdateTime;
 	private List<RangerPolicy> policies;
+	private RangerServiceDef   serviceDef;
 
 
 	/**
@@ -75,18 +75,6 @@ public class ServicePolicies implements java.io.Serializable {
 		this.serviceId = serviceId;
 	}
 	/**
-	 * @return the serviceDef
-	 */
-	public RangerServiceDef getServiceDef() {
-		return serviceDef;
-	}
-	/**
-	 * @param serviceDef the serviceDef to set
-	 */
-	public void setServiceDef(RangerServiceDef serviceDef) {
-		this.serviceDef = serviceDef;
-	}
-	/**
 	 * @return the policyVersion
 	 */
 	public Long getPolicyVersion() {
@@ -122,4 +110,16 @@ public class ServicePolicies implements java.io.Serializable {
 	public void setPolicies(List<RangerPolicy> policies) {
 		this.policies = policies;
 	}
+	/**
+	 * @return the serviceDef
+	 */
+	public RangerServiceDef getServiceDef() {
+		return serviceDef;
+	}
+	/**
+	 * @param serviceDef the serviceDef to set
+	 */
+	public void setServiceDef(RangerServiceDef serviceDef) {
+		this.serviceDef = serviceDef;
+	}
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java
b/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java
index 4771085..8ce8f5c 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java
@@ -218,8 +218,7 @@ public class TestServiceStore {
 		assertEquals("getServicePolicies(" + updatedSvc.getName() + ") failed", svcPolicies.getPolicies().get(0).getName(),
updatedPolicy.getName());
 
 		ServicePolicies updatedPolicies = svcStore.getServicePoliciesIfUpdated(updatedSvc.getName(),
svcPolicies.getPolicyVersion());
-		assertNotNull(updatedPolicies);
-		assertEquals(0, updatedPolicies.getPolicies().size());
+		assertNull(updatedPolicies);
 
 		filter = new SearchFilter();
 		filter.setParam(SearchFilter.POLICY_NAME, policyName);

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f0dccad/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index e4ee9d0..33391bc 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -36,6 +36,7 @@ import javax.ws.rs.core.Context;
 
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -52,8 +53,10 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Scope;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Component;
+import org.apache.ranger.biz.AssetMgr;
 import org.apache.ranger.biz.ServiceMgr;
 import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.entity.XXPolicyExportAudit;
 
 
 @Path("plugins")
@@ -64,10 +67,13 @@ public class ServiceREST {
 
 	@Autowired
 	RESTErrorUtil restErrorUtil;
-	
+
 	@Autowired
 	ServiceMgr serviceMgr;
 
+	@Autowired
+	AssetMgr assetMgr;
+
 	private ServiceStore svcStore = null;
 
 	public ServiceREST() {
@@ -647,21 +653,34 @@ public class ServiceREST {
 	@GET
 	@Path("/policies/download/{serviceName}/{lastKnownVersion}")
 	@Produces({ "application/json", "application/xml" })
-	public ServicePolicies getServicePoliciesIfUpdated(@PathParam("serviceName") String serviceName,
@PathParam("lastKnownVersion") Long lastKnownVersion) throws Exception {
+	public ServicePolicies getServicePoliciesIfUpdated(@PathParam("serviceName") String serviceName,
@PathParam("lastKnownVersion") Long lastKnownVersion, @Context HttpServletRequest request)
throws Exception {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion
+ ")");
 		}
 
-		ServicePolicies ret = null;
+		ServicePolicies ret      = null;
+		int             httpCode = HttpServletResponse.SC_OK;
+		String          logMsg   = null;
 
 		try {
 			ret = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion);
+
+			if(ret == null) {
+				httpCode = HttpServletResponse.SC_NOT_MODIFIED ;
+				logMsg   = "No change since last update";
+			} else {
+				httpCode = HttpServletResponse.SC_OK;
+				logMsg   = "Returning " + (ret.getPolicies() != null ? ret.getPolicies().size() : 0)
+ " policies. Policy version=" + ret.getPolicyVersion();
+			}
 		} catch(Exception excp) {
-			throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(),
true);
+			httpCode = HttpServletResponse.SC_BAD_REQUEST;
+			logMsg   = excp.getMessage();
+		} finally {
+			createPolicyDownloadAudit(serviceName, lastKnownVersion, ret, httpCode, request);
 		}
 
-		if(ret == null) {
-			throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found",
true);
+		if(httpCode != HttpServletResponse.SC_OK) {
+			throw restErrorUtil.createRESTException(httpCode, logMsg, true);
 		}
 
 		if(LOG.isDebugEnabled()) {
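Review bot: The new catch block discards the exception: only `excp.getMessage()` is kept and handed to createRESTException as the client-facing text, and this method does not log it (whether createRESTException does is not visible here). Add `LOG.error("getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ") failed", excp);` in the catch, and consider a fixed client message, since store exception text can describe internals. Every store failure is also reported and audited as SC_BAD_REQUEST, so server-side faults cannot be told apart from bad requests in the audit trail. The commit message says 302 for the unchanged case while the code uses SC_NOT_MODIFIED. The method ends outside this hunk.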
@@ -671,7 +690,6 @@ public class ServiceREST {
 		return ret;
 	}
 
-
 	private SearchFilter getSearchFilter(HttpServletRequest request) {
 		if(request == null || MapUtils.isEmpty(request.getParameterMap())) {
 			return null;
@@ -702,4 +720,27 @@ public class ServiceREST {
 
 		return ret;
 	}
+
+	private void createPolicyDownloadAudit(String serviceName, Long lastKnownVersion, ServicePolicies
policies, int httpRespCode, HttpServletRequest request) {
+		try {
+			String  agentId   = request.getParameter("agentId");
+			String  ipAddress = request.getHeader("X-FORWARDED-FOR");  
+
+			if (ipAddress == null) {  
+				ipAddress = request.getRemoteAddr();
+			}
+
+			XXPolicyExportAudit policyExportAudit = new XXPolicyExportAudit();
+
+			policyExportAudit.setRepositoryName(serviceName);
+			policyExportAudit.setAgentId(agentId);
+			policyExportAudit.setClientIP(ipAddress);
+			policyExportAudit.setRequestedEpoch(lastKnownVersion);
+			policyExportAudit.setHttpRetCode(httpRespCode);
+
+			assetMgr.createPolicyAudit(policyExportAudit);
+		} catch(Exception excp) {
+			LOG.error("error while creating policy download audit", excp);
+		}
+	}
 }
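Review bot: createPolicyDownloadAudit records the `X-FORWARDED-FOR` header as the client IP whenever it is present, and that header is supplied by the caller, so any client can write an arbitrary address or arbitrary text into the policy-download audit. Record `request.getRemoteAddr()` as the client IP and use the forwarded value only when the direct peer is a configured reverse proxy; if the raw header is worth keeping, store it separately and bound its length. `agentId` is likewise read from a request parameter without validation, so it identifies the plugin only as far as the caller is truthful. A comment on the method stating which audit fields are client-asserted would help whoever reads these rows during an investigation.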

