ranger-commits mailing list archives

From mad...@apache.org
Subject incubator-ranger git commit: RANGER-274: fix excessive log on receiving no-tag-change from Ranger admin; removed @SuppressWarnings; misc log message fixes
Date Wed, 02 Sep 2015 04:27:00 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/tag-policy 92c96502a -> d3ba14925


RANGER-274: fix excessive log on receiving no-tag-change from Ranger admin; removed @SuppressWarnings; misc log message fixes


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d3ba1492
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d3ba1492
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d3ba1492

Branch: refs/heads/tag-policy
Commit: d3ba1492546da44f288bcaa52e7ded7260010fc2
Parents: 92c9650
Author: Madhan Neethiraj <madhan@apache.org>
Authored: Tue Sep 1 19:35:15 2015 -0700
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Tue Sep 1 20:57:28 2015 -0700

----------------------------------------------------------------------
 .../admin/client/RangerAdminRESTClient.java     |   6 +-
 .../plugin/audit/RangerDefaultAuditHandler.java |  26 +--
 .../RangerContextAttributeValueInCondition.java |  76 ++++++++
 ...rHiveResourcesAccessedTogetherCondition.java | 183 +++++++++++++++++++
 ...veResourcesNotAccessedTogetherCondition.java |  11 +-
 .../RangerScriptExecutionContext.java           | 145 +++++++--------
 .../RangerScriptTemplateConditionEvaluator.java |  10 +-
 .../contextenricher/RangerTagProvider.java      |   6 +-
 .../plugin/policyengine/RangerPolicyEngine.java |   5 -
 .../policyengine/RangerPolicyEngineImpl.java    |  51 ++----
 .../RangerDefaultPolicyItemEvaluator.java       |  11 ++
 .../plugin/util/RangerAccessRequestUtil.java    | 104 +++++++++++
 .../plugin/util/RangerRequestedResources.java   |   1 -
 .../plugin/policyengine/TestPolicyEngine.java   |  33 ++--
 .../policyengine/test_policyengine_hdfs.json    |   2 +-
 .../hive/authorizer/RangerHiveAuthorizer.java   |   5 +-
 .../java/org/apache/ranger/rest/TagREST.java    |  20 +-
 17 files changed, 524 insertions(+), 171 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
index 7420830..34b9f98 100644
--- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -24,14 +24,12 @@ import com.sun.jersey.api.client.ClientResponse;
 import com.sun.jersey.api.client.GenericType;
 import com.sun.jersey.api.client.WebResource;
 
-import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.ranger.admin.client.datatype.RESTResponse;
 
 import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
-import org.apache.ranger.plugin.model.RangerTag;
 import org.apache.ranger.plugin.util.*;
 
 import java.lang.reflect.ParameterizedType;
@@ -202,7 +200,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 			LOG.debug("==> RangerAdminRESTClient.getServiceTagsIfUpdated(" + lastKnownVersion + "): ");
 		}
 
-		ServiceTags ret;
+		ServiceTags ret = null;
 
 		WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED + serviceName)
 				.queryParam(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM, Long.toString(lastKnownVersion))
@@ -212,6 +210,8 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 
 		if(response != null && response.getStatus() == 200) {
 			ret = response.getEntity(ServiceTags.class);
+		} else if(response != null && response.getStatus() == 304) {
+			// no change
 		} else {
 			RESTResponse resp = RESTResponse.fromClientResponse(response);
 			LOG.error("Error getting taggedResources. request=" + webResource.toString()
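Review bot: The new 304 branch is an empty block, so a "not modified" reply leaves no trace at any log level and `ret` silently stays null. A guarded debug line such as `if (LOG.isDebugEnabled()) { LOG.debug("No change in tags since version " + lastKnownVersion); }` keeps the log quiet by default while still letting an operator confirm that the plugin is polling. A comment at `ServiceTags ret = null;` should also state that a null return now means "no change", since callers have to tell it apart from a populated result. The method body continues outside this hunk.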

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
index 35d0731..bfb9126 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
@@ -31,6 +31,7 @@ import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.plugin.model.RangerTag;
 import org.apache.ranger.plugin.policyengine.*;
+import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 
 
 public class RangerDefaultAuditHandler implements RangerAccessResultProcessor {
@@ -207,26 +208,17 @@ public class RangerDefaultAuditHandler implements RangerAccessResultProcessor {
 	}
 
 	protected final Set<String> getTags(RangerAccessRequest request) {
-		Object contextObj = request.getContext().get(RangerPolicyEngine.KEY_CONTEXT_TAGS);
-		Set<String> tags = null;
+		Set<String>     ret  = null;
+		List<RangerTag> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
 
-		if (contextObj != null) {
+		if (CollectionUtils.isNotEmpty(tags)) {
+			ret = new HashSet<String>();
 
-			try {
-				@SuppressWarnings("unchecked")
-				List<RangerTag> resourceTags = (List<RangerTag>) contextObj;
-
-				if (CollectionUtils.isNotEmpty(resourceTags)) {
-					tags = new HashSet<String>();
-
-					for (RangerTag resourceTag : resourceTags) {
-						tags.add(resourceTag.getType());
-					}
-				}
-			} catch (Throwable t) {
-				LOG.error("RangerDefaultAuditHandler.getTags(), exception when getting tags from context, exception=" + t);
+			for (RangerTag tag : tags) {
+				ret.add(tag.getType());
 			}
 		}
-		return tags;
+
+		return ret;
 	}
 }
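Review bot: `getTags` no longer catches anything, so the audit path now depends on `RangerAccessRequestUtil.getRequestTagsFromContext` returning either null or a correctly typed list; that helper is not part of this hunk. If it performs an unchecked cast, a wrong-typed context entry would surface as a `ClassCastException` in `for (RangerTag tag : tags)`, where the old code logged the error and returned null. It is worth confirming that the helper checks the type with `instanceof`, and adding a short comment here such as `// helper returns null when the context entry is absent or not a tag list`.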

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerContextAttributeValueInCondition.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerContextAttributeValueInCondition.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerContextAttributeValueInCondition.java
new file mode 100644
index 0000000..316cdb5
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerContextAttributeValueInCondition.java
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.conditionevaluator;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+
+import java.util.Map;
+
+public class RangerContextAttributeValueInCondition extends RangerAbstractConditionEvaluator {
+	private static final Log LOG = LogFactory.getLog(RangerContextAttributeValueInCondition.class);
+
+	protected String attributeName;
+
+	@Override
+	public void init() {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerContextAttributeValueInCondition.init(" + condition + ")");
+		}
+
+		super.init();
+
+		Map<String, String> evalOptions = conditionDef. getEvaluatorOptions();
+
+		if (MapUtils.isNotEmpty(evalOptions)) {
+			attributeName = evalOptions.get("attributeName");
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerContextAttributeValueInCondition.init(" + condition + ")");
+		}
+	}
+
+	@Override
+	public boolean isMatched(RangerAccessRequest request) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerContextAttributeValueInCondition.isMatched(" + condition + ")");
+		}
+
+		boolean ret = true;
+
+		if(attributeName != null && condition != null && CollectionUtils.isNotEmpty(condition.getValues())) {
+			Object val = request.getContext().get(attributeName);
+
+			if(val != null) {
+				ret = condition.getValues().contains(val);
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerContextAttributeValueInCondition.isMatched(" + condition + "): " + ret);
+		}
+
+		return ret;
+	}
+}
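Review bot: `isMatched` starts from `ret = true` and only ever narrows it, so a condition whose `attributeName` option is missing, or a request whose context lacks that attribute, is reported as matched. If that default is intended it deserves a comment on `boolean ret = true;`; if not, `init()` should at least log when `attributeName` is still null after reading the evaluator options, so a misconfigured evaluator is visible. Separately, `condition.getValues()` is a `List<String>` while `val` is an arbitrary `Object`, so a non-String context value can never match; `ret = condition.getValues().contains(val.toString());` would compare like with like.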

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesAccessedTogetherCondition.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesAccessedTogetherCondition.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesAccessedTogetherCondition.java
new file mode 100644
index 0000000..fc9842e
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesAccessedTogetherCondition.java
@@ -0,0 +1,183 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.conditionevaluator;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
+import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
+import org.apache.ranger.plugin.util.RangerRequestedResources;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class RangerHiveResourcesAccessedTogetherCondition extends RangerAbstractConditionEvaluator {
+	private static final Log LOG = LogFactory.getLog(RangerHiveResourcesAccessedTogetherCondition.class);
+
+	private List<RangerPolicyResourceMatcher> matchers = new ArrayList<>();
+	private boolean isInitialized = false;
+
+	@Override
+	public void init() {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerHiveResourcesAccessedTogetherCondition.init(" + condition + ")");
+		}
+
+		super.init();
+
+		if (serviceDef != null) {
+			doInitialize();
+		} else {
+			LOG.error("RangerHiveResourcesAccessedTogetherCondition.init() - ServiceDef not set ... ERROR ..");
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerHiveResourcesAccessedTogetherCondition.init(" + condition + ")");
+		}
+	}
+
+	@Override
+	public boolean isMatched(final RangerAccessRequest request) {
+		boolean ret = true;
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerHiveResourcesAccessedTogetherCondition.isMatched(" + request + ")");
+		}
+
+		if (isInitialized && CollectionUtils.isNotEmpty(matchers)) {
+			RangerRequestedResources resources = RangerAccessRequestUtil.getRequestedResourcesFromContext(request.getContext());
+
+			ret = resources == null ? false : !resources.isMutuallyExcluded(matchers);
+		} else {
+			LOG.error("RangerHiveResourcesAccessedTogetherCondition.isMatched() - condition is not initialized correctly and will NOT be enforced");
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerHiveResourcesAccessedTogetherCondition.isMatched(" + request + ")" + ", result=" + ret);
+		}
+
+		return ret;
+	}
+
+	private void doInitialize() {
+		List<String> mutuallyExclusiveResources = condition.getValues();
+
+		if (CollectionUtils.isNotEmpty(mutuallyExclusiveResources)) {
+			initializeMatchers(mutuallyExclusiveResources);
+
+			if (CollectionUtils.isEmpty(matchers)) {
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("RangerHiveResourcesAccessedTogetherCondition.doInitialize() - Cannot create matchers from values in MutualExclustionEnforcer");
+				}
+			} else {
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("RangerHiveResourcesAccessedTogetherCondition.doInitialize() - Created " + matchers.size() + " matchers from values in MutualExclustionEnforcer");
+				}
+			}
+		} else {
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("RangerHiveResourcesAccessedTogetherCondition.doInitialize() - No values in MutualExclustionEnforcer");
+			}
+		}
+
+		isInitialized = true;
+	}
+
+	private void initializeMatchers(List<String> mutuallyExclusiveResources) {
+
+		for (String s : mutuallyExclusiveResources) {
+
+			String policyResourceSpec = s.trim();
+
+			RangerPolicyResourceMatcher matcher = buildMatcher(policyResourceSpec);
+
+			if (matcher != null) {
+				matchers.add(matcher);
+			}
+		}
+	}
+
+	private RangerPolicyResourceMatcher buildMatcher(String policyResourceSpec) {
+
+		RangerPolicyResourceMatcher matcher = null;
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerHiveResourcesAccessedTogetherCondition.buildMatcher(" + policyResourceSpec + ")");
+		}
+
+		// Works only for Hive serviceDef for now
+		if (serviceDef != null && serviceDef.getName().equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HIVE_NAME)) {
+
+			//Parse policyResourceSpec
+			char separator = '.';
+			String any = "*";
+
+			Map<String, RangerPolicy.RangerPolicyResource> policyResources = new HashMap<>();
+
+			String[] elements = StringUtils.split(policyResourceSpec, separator);
+
+			RangerPolicy.RangerPolicyResource policyResource;
+
+			if (elements.length > 0 && elements.length < 4) {
+				if (elements.length == 3) {
+					policyResource = new RangerPolicy.RangerPolicyResource(elements[2]);
+				} else {
+					policyResource = new RangerPolicy.RangerPolicyResource(any);
+				}
+				policyResources.put("column", policyResource);
+
+				if (elements.length >= 2) {
+					policyResource = new RangerPolicy.RangerPolicyResource(elements[1]);
+				} else {
+					policyResource = new RangerPolicy.RangerPolicyResource(any);
+				}
+				policyResources.put("table", policyResource);
+
+				policyResource = new RangerPolicy.RangerPolicyResource(elements[0]);
+				policyResources.put("database", policyResource);
+
+				matcher = new RangerDefaultPolicyResourceMatcher();
+				matcher.setPolicyResources(policyResources);
+				matcher.setServiceDef(serviceDef);
+				matcher.init();
+
+			} else {
+				LOG.error("RangerHiveResourcesAccessedTogetherCondition.buildMatcher() - Incorrect elements in the hierarchy specified ("
+						+ elements.length + ")");
+			}
+		} else {
+			LOG.error("RangerHiveResourcesAccessedTogetherCondition.buildMatcher() - ServiceDef not set or ServiceDef is not for Hive");
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerHiveResourcesAccessedTogetherCondition.buildMatcher(" + policyResourceSpec + ")" + ", matcher=" + matcher);
+		}
+
+		return matcher;
+	}
+}
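Review bot: In `isMatched` the else branch leaves `ret` at its initial `true`, so a condition that failed to initialise or ended up with no matchers is reported as matched, as the error text itself admits ("will NOT be enforced"). `doInitialize()` sets `isInitialized = true` even when `buildMatcher` rejected every value, and a single value that fails to parse is dropped while the rest are still enforced, so a typo in one resource spec quietly weakens the condition. Consider setting `isInitialized` only when every value produced a matcher, using `ret = false;` in the else branch if the failure should not count as a match, and reporting the failure once from `init()` rather than with `LOG.error` on every request. The same per-request error applies to the `isInitialized && CollectionUtils.isNotEmpty(matchers)` change in RangerHiveResourcesNotAccessedTogetherCondition, whose `ret` default lies outside its hunk.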

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesNotAccessedTogetherCondition.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesNotAccessedTogetherCondition.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesNotAccessedTogetherCondition.java
index 0f44bba..3b8e009 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesNotAccessedTogetherCondition.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesNotAccessedTogetherCondition.java
@@ -24,12 +24,11 @@ import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
-import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 import org.apache.ranger.plugin.util.RangerRequestedResources;
 
 import java.util.ArrayList;
@@ -70,10 +69,10 @@ public class RangerHiveResourcesNotAccessedTogetherCondition extends RangerAbstr
 			LOG.debug("==> RangerHiveResourcesNotAccessedTogetherCondition.isMatched(" + request + ")");
 		}
 
-		if (isInitialized) {
-			@SuppressWarnings("unchecked")
-			RangerRequestedResources requestedResources = (RangerRequestedResources) request.getContext().get(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES);
-			ret = requestedResources == null ? true : requestedResources.isMutuallyExcluded(matchers);
+		if (isInitialized && CollectionUtils.isNotEmpty(matchers)) {
+			RangerRequestedResources resources = RangerAccessRequestUtil.getRequestedResourcesFromContext(request.getContext());
+
+			ret = resources == null ? true : resources.isMutuallyExcluded(matchers);
 		} else {
 			LOG.error("RangerHiveResourcesNotAccessedTogetherCondition.isMatched() - Enforcer is not initialized correctly, Mutual Exclusion will NOT be enforced");
 		}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
index 418021c..449cf55 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
@@ -27,9 +27,8 @@ import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.model.RangerTag;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 
-import java.text.ParsePosition;
 import java.text.SimpleDateFormat;
 import java.util.*;
 
@@ -45,17 +44,38 @@ public final class RangerScriptExecutionContext {
 	}
 
 	public final String getResource() {
+		String ret = null;
+		Object val = getRequestContext().get(RangerAccessRequestUtil.KEY_CONTEXT_RESOURCE);
 
-		@SuppressWarnings("unchecked")
-		RangerAccessResource resource  = (RangerAccessResource)getEvaluationContext().get(RangerPolicyEngine.KEY_CONTEXT_RESOURCE);
+		if(val != null) {
+			if(val instanceof RangerAccessResource) {
+				ret = ((RangerAccessResource)val).getAsString();
+			} else {
+				ret = val.toString();
+			}
+		}
 
-		return resource != null ? resource.getAsString() : null;
+		return ret;
 	}
 
-	public final Map<String, Object> getEvaluationContext() {
+	public final Map<String, Object> getRequestContext() {
 		return accessRequest.getContext();
 	}
 
+	public final String getRequestContextAttribute(String attributeName) {
+		String ret = null;
+
+		if (StringUtils.isNotBlank(attributeName)) {
+			Object val = getRequestContext().get(attributeName);
+
+			if(val != null) {
+				ret = val.toString();
+			}
+		}
+
+		return ret;
+	}
+
 	public final boolean isAccessTypeAny() { return accessRequest.isAccessTypeAny(); }
 
 	public final boolean isAccessTypeDelegatedAdmin() { return accessRequest.isAccessTypeDelegatedAdmin(); }
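Review bot: `getRequestContext()` hands the live `accessRequest.getContext()` map to whatever script holds this object, so a condition script can add or replace entries, including the resource and tag keys that `getResource()` and `getCurrentTag()` read back. Unless scripts are meant to write to the context, return a read-only view, `return Collections.unmodifiableMap(accessRequest.getContext());` (`java.util.*` is already imported). The rename from `getEvaluationContext()` also changes a public method name; any deployed script that still calls the old name will fail at evaluation time, so a deprecated delegating method may be worth keeping for a release.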
@@ -77,15 +97,17 @@ public final class RangerScriptExecutionContext {
 	public final String getSessionId() { return accessRequest.getSessionId(); }
 
 	public final RangerTag getCurrentTag() {
-		@SuppressWarnings("unchecked")
-		RangerTag tagObject = (RangerTag)getEvaluationContext()
-				.get(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT);
-		if (tagObject == null) {
+		RangerTag ret = null;
+		Object    val = getRequestContext().get(RangerAccessRequestUtil.KEY_CONTEXT_TAG_OBJECT);
+
+		if(val != null && val instanceof RangerTag) {
+			ret = (RangerTag)val;
+		} else {
 			if (LOG.isDebugEnabled()) {
 				LOG.debug("getCurrentTag() - No current TAG object. Script execution must be for resource-based policy.");
 			}
 		}
-		return tagObject;
+		return ret;
 	}
 
 	public final String getCurrentTagType() {
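Review bot: The else branch in `getCurrentTag()` now also runs when the context holds a non-null value of the wrong type, yet the debug message still says there is no current tag object. A wrong-typed entry under `KEY_CONTEXT_TAG_OBJECT` is a different condition and deserves its own message naming `val.getClass()`, at warn level rather than debug. The `val != null &&` test is redundant because `instanceof` is already false for null, so the guard can read `if (val instanceof RangerTag) {`.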
@@ -94,13 +116,10 @@ public final class RangerScriptExecutionContext {
 	}
 
 	public final Set<String> getAllTagTypes() {
-
-		Set<String> allTagTypes = null;
-
+		Set<String>     allTagTypes   = null;
 		List<RangerTag> tagObjectList = getAllTags();
 
 		if (CollectionUtils.isNotEmpty(tagObjectList)) {
-
 			for (RangerTag tag : tagObjectList) {
 				String tagType = tag.getType();
 				if (allTagTypes == null) {
@@ -114,16 +133,13 @@ public final class RangerScriptExecutionContext {
 	}
 
 	public final Map<String, String> getTagAttributes(final String tagType) {
-
 		Map<String, String> ret = null;
 
 		if (StringUtils.isNotBlank(tagType)) {
-
 			List<RangerTag> tagObjectList = getAllTags();
 
 			// Assumption: There is exactly one tag with given tagType in the list of tags - may not be true ***TODO***
 			// This will get attributes of the first tagType that matches
-
 			if (CollectionUtils.isNotEmpty(tagObjectList)) {
 				for (RangerTag tag : tagObjectList) {
 					if (tag.getType().equals(tagType)) {
@@ -138,9 +154,7 @@ public final class RangerScriptExecutionContext {
 	}
 
 	public final Set<String> getAttributeNames(final String tagType) {
-
-		Set<String> ret = null;
-
+		Set<String>         ret        = null;
 		Map<String, String> attributes = getTagAttributes(tagType);
 
 		if (attributes != null) {
@@ -151,12 +165,10 @@ public final class RangerScriptExecutionContext {
 	}
 
 	public final String getAttributeValue(final String tagType, final String attributeName) {
-
 		String ret = null;
-		Map<String, String> attributes;
 
 		if (StringUtils.isNotBlank(tagType) || StringUtils.isNotBlank(attributeName)) {
-			attributes = getTagAttributes(tagType);
+			Map<String, String> attributes = getTagAttributes(tagType);
 
 			if (attributes != null) {
 				ret = attributes.get(attributeName);
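Review bot: The guard `StringUtils.isNotBlank(tagType) || StringUtils.isNotBlank(attributeName)` passes when only one of the two is supplied, which looks unintended for a lookup that needs both. With a blank `tagType`, `getTagAttributes` returns null through its own guard, so the result is still null, but a blank `attributeName` reaches `attributes.get(attributeName)`. Using `&&` would state the precondition directly: `if (StringUtils.isNotBlank(tagType) && StringUtils.isNotBlank(attributeName)) {`. The method's closing lines are outside this hunk.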
@@ -166,7 +178,6 @@ public final class RangerScriptExecutionContext {
 	}
 
 	public final String getAttributeValue(final String attributeName) {
-
 		String ret = null;
 
 		if (StringUtils.isNotBlank(attributeName)) {
@@ -179,6 +190,7 @@ public final class RangerScriptExecutionContext {
 				ret = attributes.get(attributeName);
 			}
 		}
+
 		return ret;
 	}
 
@@ -194,7 +206,6 @@ public final class RangerScriptExecutionContext {
 	// Utilities - TODO
 
 	public final Date getAsDate(String value) {
-
 		Date ret = null;
 
 		if (StringUtils.isNotBlank(value)) {
@@ -215,30 +226,15 @@ public final class RangerScriptExecutionContext {
 	}
 
 	public final Date getTagAttributeAsDate(String tagType, String attributeName) {
-		// sample JavaScript to demonstrate use of this helper method
-
-		/*
-
-		importPackage(java.util);
-		var expiryDate = ctx.getTagAttributeAsDate('PII', 'expiryDate')
-		var now = new Date();
-		now.getTime() < expiryDate.getTime());"
-
-		*/
-
 		String attrValue = getAttributeValue(tagType, attributeName);
 
 		return getAsDate(attrValue);
-
 	}
 
 	public final boolean isAccessedAfter(String tagType, String attributeName) {
-
-		boolean ret = false;
-
-		Date accessDate = getAccessTime();
-
-		Date expiryDate = getTagAttributeAsDate(tagType, attributeName);
+		boolean ret        = false;
+		Date    accessDate = getAccessTime();
+		Date    expiryDate = getTagAttributeAsDate(tagType, attributeName);
 
 		if (expiryDate == null || accessDate.after(expiryDate) || accessDate.equals(expiryDate)) {
 			ret = true;
@@ -248,12 +244,9 @@ public final class RangerScriptExecutionContext {
 	}
 
 	public final boolean isAccessedAfter(String attributeName) {
-
-		boolean ret = false;
-
-		Date accessDate = getAccessTime();
-
-		Date expiryDate = getAsDate(getAttributeValue(attributeName));
+		boolean ret        = false;
+		Date    accessDate = getAccessTime();
+		Date    expiryDate = getAsDate(getAttributeValue(attributeName));
 
 		if (expiryDate == null || accessDate.after(expiryDate) || accessDate.equals(expiryDate)) {
 			ret = true;
@@ -263,12 +256,9 @@ public final class RangerScriptExecutionContext {
 	}
 
 	public final boolean isAccessedBefore(String tagType, String attributeName) {
-
-		boolean ret = true;
-
-		Date accessDate = getAccessTime();
-
-		Date expiryDate = getTagAttributeAsDate(tagType, attributeName);
+		boolean ret        = true;
+		Date    accessDate = getAccessTime();
+		Date    expiryDate = getTagAttributeAsDate(tagType, attributeName);
 
 		if (expiryDate == null || accessDate.after(expiryDate)) {
 			ret = false;
@@ -278,12 +268,9 @@ public final class RangerScriptExecutionContext {
 	}
 
 	public final boolean isAccessedBefore(String attributeName) {
-
-		boolean ret = true;
-
-		Date accessDate = getAccessTime();
-
-		Date expiryDate = getAsDate(getAttributeValue(attributeName));
+		boolean ret        = true;
+		Date    accessDate = getAccessTime();
+		Date    expiryDate = getAsDate(getAttributeValue(attributeName));
 
 		if (expiryDate == null || accessDate.after(expiryDate)) {
 			ret = false;
@@ -293,26 +280,36 @@ public final class RangerScriptExecutionContext {
 	}
 
 	private List<RangerTag> getAllTags() {
-
-		@SuppressWarnings("unchecked")
-		List<RangerTag> ret = (List<RangerTag>)getEvaluationContext().get(RangerPolicyEngine.KEY_CONTEXT_TAGS);
-
-		if (ret == null) {
+		List<RangerTag> ret = RangerAccessRequestUtil.getRequestTagsFromContext(accessRequest.getContext());
+		
+		if(ret == null) {
 			if (LOG.isDebugEnabled()) {
 				String resource = accessRequest.getResource().getAsString();
 
-				LOG.debug("getAllTags() - No current TAGS. No TAGS for the RangerAccessResource=" + resource);
+				LOG.debug("getAllTags() - No TAGS. No TAGS for the RangerAccessResource=" + resource);
 			}
 		}
+
 		return ret;
 	}
 
-	public final String getGeolocation(String attributeName) {
-		String ret = null;
+	public void logDebug(String msg) {
+		LOG.debug(msg);
+	}
 
-		if (StringUtils.isNotBlank(attributeName)) {
-			ret = (String) getEvaluationContext().get(attributeName);
-		}
-		return ret;
+	public void logInfo(String msg) {
+		LOG.info(msg);
+	}
+
+	public void logWarn(String msg) {
+		LOG.warn(msg);
+	}
+
+	public void logError(String msg) {
+		LOG.error(msg);
+	}
+
+	public void logFatal(String msg) {
+		LOG.fatal(msg);
 	}
 }
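Review bot: The new `logDebug`, `logInfo`, `logWarn`, `logError` and `logFatal` methods write a script-supplied string straight to the class logger, so lines produced by a policy script cannot be told apart from the engine's own and may carry embedded line breaks. Prefixing and neutralising the message keeps the log trustworthy for whoever reads it later, e.g. `LOG.warn("[script] " + String.valueOf(msg).replaceAll("[\\r\\n]", "_"));`. It is also worth deciding whether scripts need `logError` and `logFatal` at all, since those levels commonly drive alerting. The removal of `getGeolocation` in the same hunk drops a public method, so scripts that call it need to move to `getRequestContextAttribute`.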

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptTemplateConditionEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptTemplateConditionEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptTemplateConditionEvaluator.java
index a4fd129..03f96b8 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptTemplateConditionEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptTemplateConditionEvaluator.java
@@ -24,8 +24,6 @@ import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 
 import java.util.List;
 import java.util.Map;
@@ -40,7 +38,7 @@ public class RangerScriptTemplateConditionEvaluator extends RangerScriptConditio
 	public void init() {
 
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerExpiryEnforcer.init(" + condition + ")");
+			LOG.debug("==> RangerScriptTemplateConditionEvaluator.init(" + condition + ")");
 		}
 
 		super.init();
@@ -54,7 +52,7 @@ public class RangerScriptTemplateConditionEvaluator extends RangerScriptConditio
 		script = formatScript();
 
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerExpiryEnforcer.init(" + condition + ")");
+			LOG.debug("<== RangerScriptTemplateConditionEvaluator.init(" + condition + ")");
 		}
 	}
 
@@ -68,7 +66,7 @@ public class RangerScriptTemplateConditionEvaluator extends RangerScriptConditio
 		String ret = null;
 
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerExpiryEnforcer.formatScript()");
+			LOG.debug("==> RangerScriptTemplateConditionEvaluator.formatScript()");
 		}
 		List<String> values = condition.getValues();
 
@@ -89,7 +87,7 @@ public class RangerScriptTemplateConditionEvaluator extends RangerScriptConditio
 		}
 
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerExpiryEnforcer.formatScript(), ret=" + ret);
+			LOG.debug("<== RangerScriptTemplateConditionEvaluator.formatScript(), ret=" + ret);
 		}
 
 		return ret;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java
index ccb78f6..86630d3 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagProvider.java
@@ -27,9 +27,8 @@ import org.apache.ranger.plugin.model.RangerServiceResource;
 import org.apache.ranger.plugin.model.RangerTag;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
-import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 import org.apache.ranger.plugin.util.ServiceTags;
 
 import java.util.ArrayList;
@@ -99,7 +98,8 @@ public class RangerTagProvider extends RangerAbstractContextEnricher implements
 		List<RangerTag> matchedTags = findMatchingTags(request.getResource(), serviceResourceMatchersCopy);
 
 		if (CollectionUtils.isNotEmpty(matchedTags)) {
-			request.getContext().put(RangerPolicyEngine.KEY_CONTEXT_TAGS, matchedTags);
+			RangerAccessRequestUtil.setRequestTagsInContext(request.getContext(), matchedTags);
+
 			if (LOG.isDebugEnabled()) {
 				LOG.debug("RangerTagProvider.enrich(" + request + ") - " + matchedTags.size() + " tags found by enricher.");
 			}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index dfc07db..055a2db 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -33,11 +33,6 @@ public interface RangerPolicyEngine {
 	String ANY_ACCESS     = "_any";
 	String ADMIN_ACCESS   = "_admin";
 
-	String KEY_CONTEXT_TAGS    = "TAGS";
-	String KEY_CONTEXT_TAG_OBJECT    = "TAG_OBJECT";
-
-	String KEY_CONTEXT_RESOURCE = "RESOURCE";
-
 	String getServiceName();
 
 	RangerServiceDef getServiceDef();

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 63ae385..8251878 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -29,6 +29,7 @@ import org.apache.ranger.plugin.model.RangerTag;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 import org.apache.ranger.plugin.util.ServicePolicies;
 
 import java.util.*;
@@ -355,48 +356,35 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 	}
 
 	protected RangerAccessResult isAccessAllowedForTagPolicies(final RangerAccessRequest request) {
-
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ")");
 		}
 
-		RangerAccessResult result = createAccessResult(request);
-
-		Map<String, Object> context = request.getContext();
-		Object contextObj;
-
-		if (context != null && (contextObj = context.get(KEY_CONTEXT_TAGS)) != null) {
-
-			@SuppressWarnings("unchecked")
-			List<RangerTag> resourceTags = (List<RangerTag>) contextObj;
-
-			List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators();
-
-			if (CollectionUtils.isNotEmpty(evaluators)) {
-
-				boolean someTagAllowedAudit = false;
+		RangerAccessResult          result     = createAccessResult(request);
+		List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators();
 
-				RangerAccessResult savedAccessResult = createAccessResult(request);
+		if (CollectionUtils.isNotEmpty(evaluators)) {
+			List<RangerTag> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
 
-				List<RangerTagAuditEvent> tagAuditEvents = new ArrayList<RangerTagAuditEvent>();
-
-				for (RangerTag resourceTag : resourceTags) {
+			if(CollectionUtils.isNotEmpty(tags)) {
+				boolean                   someTagAllowedAudit = false;
+				RangerAccessResult        savedAccessResult   = createAccessResult(request);
+				List<RangerTagAuditEvent> tagAuditEvents      = new ArrayList<RangerTagAuditEvent>();
 
+				for (RangerTag tag : tags) {
 					if (LOG.isDebugEnabled()) {
-						LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: Evaluating policies for tag (" + resourceTag.getType() + ")");
+						LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: Evaluating policies for tag (" + tag.getType() + ")");
 					}
 
-					RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(resourceTag, tagPolicyRepository.getServiceDef(), request);
-
-					RangerAccessResult tagEvalResult = createAccessResult(tagEvalRequest);
+					RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
+					RangerAccessResult  tagEvalResult  = createAccessResult(tagEvalRequest);
 
 					for (RangerPolicyEvaluator evaluator : evaluators) {
-
 						evaluator.evaluate(tagEvalRequest, tagEvalResult);
 
 						if (tagEvalResult.getIsAccessDetermined() && tagEvalResult.getIsAuditedDetermined()) {
 							if (LOG.isDebugEnabled()) {
-								LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag (" + resourceTag.getType() + ") with authorization=" + tagEvalResult.getIsAllowed());
+								LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag (" + tag.getType() + ") with authorization=" + tagEvalResult.getIsAllowed());
 							}
 							break;			// Break out of policy-evaluation loop for this tag
 						}
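Review bot: The rewritten lookup drops the `context != null` guard that the removed code had: `RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext())` calls `context.get(...)` directly in the new helper added by this commit, so a request whose `getContext()` returns null now throws a NullPointerException in the middle of an authorization decision. Whether a caller can produce a null context is not visible here, and neither is how such an exception maps to allow or deny, so it is safer to keep the guard, e.g. `Map<String, Object> context = request.getContext();` followed by `List<RangerTag> tags = context != null ? RangerAccessRequestUtil.getRequestTagsFromContext(context) : null;`. The helper also checks only `instanceof List<?>`, so a list holding non-RangerTag elements would fail with a ClassCastException at `for (RangerTag tag : tags)` rather than inside the helper. The method body continues past the end of this hunk.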
@@ -406,18 +394,17 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 						someTagAllowedAudit = true;
 						// And generate an audit event
 						if (tagEvalResult.getIsAccessDetermined()) {
-							RangerTagAuditEvent event = new RangerTagAuditEvent(resourceTag.getType(), tagEvalResult);
+							RangerTagAuditEvent event = new RangerTagAuditEvent(tag.getType(), tagEvalResult);
 							tagAuditEvents.add(event);
 						}
 					}
 
 					if (tagEvalResult.getIsAccessDetermined()) {
-
 						savedAccessResult.setAccessResultFrom(tagEvalResult);
 
 						if (!tagEvalResult.getIsAllowed()) {
 							if (LOG.isDebugEnabled()) {
-								LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag-policies as tag (" + resourceTag.getType() + "), tag-policy-id=" + tagEvalResult.getPolicyId() + " denied access.");
+								LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag-policies as tag (" + tag.getType() + "), tag-policy-id=" + tagEvalResult.getPolicyId() + " denied access.");
 							}
 							break;		// Break out of tags evaluation loop altogether
 						}
@@ -438,12 +425,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 					// Set processed list into result
 					// result.setAuxilaryAuditInfo(tagAuditEvents);
 				}
+
 				if (LOG.isDebugEnabled()) {
 					LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies() : result=" + result);
 					LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies() : auditEventList=" + tagAuditEvents);
 				}
 			}
 		}
+
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + result + ")" );
 		}
@@ -506,8 +495,8 @@ class RangerTagAccessRequest extends RangerAccessRequestImpl {
 
 		Map<String, Object> requestContext = request.getContext();
 
-		requestContext.put(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT, resourceTag);
-		requestContext.put(RangerPolicyEngine.KEY_CONTEXT_RESOURCE, request.getResource());
+		RangerAccessRequestUtil.setCurrentTagInContext(request.getContext(), resourceTag);
+		RangerAccessRequestUtil.setCurrentResourceInContext(request.getContext(), request.getResource());
 
 		super.setContext(requestContext);
 
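Review bot: The two new calls re-fetch `request.getContext()` although the local `requestContext` already holds that map; `RangerAccessRequestUtil.setCurrentTagInContext(requestContext, resourceTag);` and `RangerAccessRequestUtil.setCurrentResourceInContext(requestContext, request.getResource());` say the same thing more directly. Because this is the original request's map, the per-tag `TAG_OBJECT` and `RESOURCE` entries are written into the parent request and stay there after tag evaluation, unless `setContext` copies the map, which is not shown here. A short comment stating that the sharing is intended, or a copy such as `new HashMap<String, Object>(request.getContext())`, would make the behaviour explicit. The constructor starts and ends outside this hunk.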

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
index a617e70..6f8faff 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
@@ -210,8 +210,19 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
 		boolean ret = true;
 
 		if (CollectionUtils.isNotEmpty(conditionEvaluators)) {
+			if(LOG.isDebugEnabled()) {
+				LOG.debug("RangerDefaultPolicyItemEvaluator.matchCustomConditions(): conditionCount=" + conditionEvaluators.size());
+			}
 			for(RangerConditionEvaluator conditionEvaluator : conditionEvaluators) {
+				if(LOG.isDebugEnabled()) {
+					LOG.debug("evaluating condition: " + conditionEvaluator);
+				}
+
 				if(!conditionEvaluator.isMatched(request)) {
+					if(LOG.isDebugEnabled()) {
+						LOG.debug(conditionEvaluator + " returned false");
+					}
+
 					ret = false;
 
 					break;
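Review bot: The two per-condition messages, `"evaluating condition: " + conditionEvaluator` and `conditionEvaluator + " returned false"`, lack the `RangerDefaultPolicyItemEvaluator.matchCustomConditions():` prefix used by the first added message and do not name the request. With several requests evaluated concurrently, a "returned false" line therefore cannot be tied to a specific access decision. Something like `LOG.debug("RangerDefaultPolicyItemEvaluator.matchCustomConditions(): " + conditionEvaluator + " returned false for " + request);` keeps the trace attributable. Both messages also depend on the evaluator's `toString()`, which is not shown; if it prints the condition values or script, the debug log will carry policy content. The method starts and ends outside this hunk.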

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
new file mode 100644
index 0000000..92a87d0
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -0,0 +1,104 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.util;
+
+import java.util.List;
+import java.util.Map;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerTag;
+import org.apache.ranger.plugin.policyengine.RangerAccessResource;
+
+public class RangerAccessRequestUtil {
+	private static final Log LOG = LogFactory.getLog(RangerAccessRequestUtil.class);
+
+	public static final String KEY_CONTEXT_TAGS                = "TAGS";
+	public static final String KEY_CONTEXT_TAG_OBJECT          = "TAG_OBJECT";
+	public static final String KEY_CONTEXT_RESOURCE            = "RESOURCE";
+	public static final String KEY_CONTEXT_REQUESTED_RESOURCES = "REQUESTED_RESOURCES";
+
+	public static void setRequestTagsInContext(Map<String, Object> context, List<RangerTag> tags) {
+		context.put(KEY_CONTEXT_TAGS, tags);
+	}
+
+	public static List<RangerTag> getRequestTagsFromContext(Map<String, Object> context) {
+		List<RangerTag> ret = null;
+		Object          val = context.get(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
+
+		if (val != null && val instanceof List<?>) {
+			try {
+				@SuppressWarnings("unchecked")
+				List<RangerTag> tags = (List<RangerTag>) val;
+
+				ret = tags;
+			} catch (Throwable t) {
+				LOG.error("getRequestTags(): failed to get tags from context", t);
+			}
+		}
+
+		return ret;
+	}
+
+	public static void setCurrentTagInContext(Map<String, Object> context, RangerTag tag) {
+		context.put(KEY_CONTEXT_TAG_OBJECT, tag);
+	}
+
+	public static RangerTag getCurrentTagFromContext(Map<String, Object> context) {
+		RangerTag ret = null;
+		Object    val = context.get(KEY_CONTEXT_TAGS);
+
+		if(val != null && val instanceof RangerTag) {
+			ret = (RangerTag)val;
+		}
+
+		return ret;
+	}
+
+	public static void setRequestedResourcesInContext(Map<String, Object> context, RangerRequestedResources resources) {
+		context.put(KEY_CONTEXT_REQUESTED_RESOURCES, resources);
+	}
+
+	public static RangerRequestedResources getRequestedResourcesFromContext(Map<String, Object> context) {
+		RangerRequestedResources ret = null;
+		Object                   val = context.get(KEY_CONTEXT_REQUESTED_RESOURCES);
+
+		if(val != null && val instanceof RangerRequestedResources) {
+			ret = (RangerRequestedResources)val;
+		}
+
+		return ret;
+	}
+
+	public static void setCurrentResourceInContext(Map<String, Object> context, RangerAccessResource resource) {
+		context.put(KEY_CONTEXT_RESOURCE, resource);
+	}
+
+	public static RangerAccessResource getCurrentResourceFromContext(Map<String, Object> context) {
+		RangerAccessResource ret = null;
+		Object               val = context.get(KEY_CONTEXT_RESOURCE);
+
+		if(val != null && val instanceof RangerAccessResource) {
+			ret = (RangerAccessResource)val;
+		}
+
+		return ret;
+	}
+}
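Review bot: `getCurrentTagFromContext` reads `KEY_CONTEXT_TAGS`, but `setCurrentTagInContext` stores the tag under `KEY_CONTEXT_TAG_OBJECT`; the value under `TAGS` is the `List<RangerTag>` written by `setRequestTagsInContext`, so the `instanceof RangerTag` test fails and the getter returns null whenever the context was populated through these setters. Any condition evaluator that relies on the current tag would then evaluate without it; the lookup should be `Object val = context.get(KEY_CONTEXT_TAG_OBJECT);`. Separately, in `getRequestTagsFromContext` the `catch (Throwable t)` cannot fire for a wrong element type, because the cast to `List<RangerTag>` is unchecked and erased at runtime; elements are only checked when the caller iterates. None of the accessors checks `context` for null, so a one-line guard or a Javadoc line stating that `context` must be non-null would help callers.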

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestedResources.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestedResources.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestedResources.java
index 19456c5..0f10deb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestedResources.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestedResources.java
@@ -40,7 +40,6 @@ import java.util.List;
 
 public class RangerRequestedResources {
 	private List<RangerAccessResource> requestedResources = new ArrayList<RangerAccessResource>();
-	public static final String KEY_CONTEXT_REQUESTED_RESOURCES = "REQUESTED_RESOURCES";
 
 	public RangerRequestedResources() {
 	}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 969e7d7..a6d0812 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -21,19 +21,16 @@ package org.apache.ranger.plugin.policyengine;
 
 import com.google.gson.*;
 import com.google.gson.reflect.TypeToken;
+
 import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.FSDataOutputStream;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
 import org.apache.ranger.audit.provider.AuditHandler;
 import org.apache.ranger.audit.provider.AuditProviderFactory;
-import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerTag;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData;
+import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 import org.apache.ranger.plugin.util.RangerRequestedResources;
 import org.apache.ranger.plugin.util.ServicePolicies;
 import org.junit.AfterClass;
@@ -42,9 +39,6 @@ import org.junit.Test;
 
 import java.io.*;
 import java.lang.reflect.Type;
-import java.nio.file.Files;
-import java.nio.file.LinkOption;
-import java.nio.file.StandardCopyOption;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
@@ -213,11 +207,8 @@ public class TestPolicyEngine {
 			servicePolicies.setTagPolicies(tagPolicies);
 		}
 
-		String componentName = testCase.serviceDef.getName();
-
 		RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
 
-		// Uncomment next line for testing tag-policy evaluation
 		policyEngineOptions.disableTagPolicyEvaluation = false;
 
 		policyEngine = new RangerPolicyEngineImpl(servicePolicies, policyEngineOptions);
@@ -226,8 +217,8 @@ public class TestPolicyEngine {
 
 		for(TestData test : testCase.tests) {
 
-			if (test.request.getContext().containsKey(RangerPolicyEngine.KEY_CONTEXT_TAGS) ||
-					test.request.getContext().containsKey(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES)) {
+			if (test.request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_TAGS) ||
+					test.request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
 				// Create a new AccessRequest
 				RangerAccessRequestImpl newRequest =
 						new RangerAccessRequestImpl(test.request.getResource(), test.request.getAccessType(),
@@ -241,8 +232,8 @@ public class TestPolicyEngine {
 				newRequest.setSessionId(test.request.getSessionId());
 
 				Map<String, Object> context = test.request.getContext();
-				String tagsJsonString = (String) context.get(RangerPolicyEngine.KEY_CONTEXT_TAGS);
-				context.remove(RangerPolicyEngine.KEY_CONTEXT_TAGS);
+				String tagsJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
+				context.remove(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
 
 				if(!StringUtils.isEmpty(tagsJsonString)) {
 					try {
@@ -250,14 +241,14 @@ public class TestPolicyEngine {
 						}.getType();
 						List<RangerTag> tagList = gsonBuilder.fromJson(tagsJsonString, listType);
 
-						context.put(RangerPolicyEngine.KEY_CONTEXT_TAGS, tagList);
+						context.put(RangerAccessRequestUtil.KEY_CONTEXT_TAGS, tagList);
 					} catch (Exception e) {
 						System.err.println("TestPolicyEngine.runTests(): error parsing TAGS JSON string in file " + testName + ", tagsJsonString=" +
 								tagsJsonString + ", exception=" + e);
 					}
-				} else if (test.request.getContext().containsKey(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES)) {
-					String resourcesJsonString = (String) context.get(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES);
-					context.remove(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES);
+				} else if (test.request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
+					String resourcesJsonString = (String) context.get(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
+					context.remove(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
 					if (!StringUtils.isEmpty(resourcesJsonString)) {
 						try {
 							/*
@@ -269,7 +260,7 @@ public class TestPolicyEngine {
 							}.getType();
 							RangerRequestedResources resources = gsonBuilder.fromJson(resourcesJsonString, myType);
 
-							context.put(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES, resources);
+							context.put(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES, resources);
 						} catch (Exception e) {
 							System.err.println("TestPolicyEngine.runTests(): error parsing REQUESTED_RESOURCES string in file " + testName + ", resourcesJsonString=" +
 									resourcesJsonString + ", exception=" + e);
@@ -290,7 +281,7 @@ public class TestPolicyEngine {
 				request = newRequest;
 
 			} else
-			if (test.request.getContext().containsKey(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES)) {
+			if (test.request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES)) {
 			}
 			else {
 				request = test.request;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index d5df5e2..db92668 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -57,7 +57,7 @@
        {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false,
          "conditions":[{
            "type":"ScriptConditionEvaluator",
-           "values":["var country_code = ctx.getGeolocation('LOCATION_TEST_COUNTRY_CODE'); ctx.result = !!country_code;"]
+           "values":["var country_code = ctx.getRequestContextAttribute('LOCATION_TEST_COUNTRY_CODE'); ctx.result = !!country_code;"]
          }]}
      ]
     }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 47bf2a0..5bbbb16 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -57,7 +57,10 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
+import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
+
 import com.google.common.collect.Sets;
+
 import org.apache.ranger.plugin.util.RangerRequestedResources;
 
 public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
@@ -909,7 +912,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 
 		for (RangerHiveAccessRequest request : requests) {
 			// Build list of all things requested and put it in the context of each request
-			request.getContext().put(RangerRequestedResources.KEY_CONTEXT_REQUESTED_RESOURCES, requestedResources);
+			RangerAccessRequestUtil.setRequestedResourcesInContext(request.getContext(), requestedResources);
 
 			RangerHiveResource resource = (RangerHiveResource) request.getResource();
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3ba1492/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
index c0241b2..520c1be 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
@@ -982,16 +982,32 @@ public class TagREST {
             LOG.debug("==> TagREST.getServiceTagsIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + pluginId + ")");
         }
 
-        ServiceTags ret = null;
+		ServiceTags ret      = null;
+		int         httpCode = HttpServletResponse.SC_OK;
+		String      logMsg   = null;
 
         try {
             ret = tagStore.getServiceTagsIfUpdated(serviceName, lastKnownVersion);
+
+			if(ret == null) {
+				httpCode = HttpServletResponse.SC_NOT_MODIFIED;
+				logMsg   = "No change since last update";
+			} else {
+				httpCode = HttpServletResponse.SC_OK;
+				logMsg   = "Returning " + (ret.getTags() != null ? ret.getTags().size() : 0) + " tags. Tag version=" + ret.getTagVersion();
+			}
         } catch(Exception excp) {
             LOG.error("getServiceTagsIfUpdated(" + serviceName + ") failed", excp);
 
-            throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true);
+			httpCode = HttpServletResponse.SC_BAD_REQUEST;
+			logMsg   = excp.getMessage();
         }
 
+		if(httpCode != HttpServletResponse.SC_OK) {
+			boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED;
+			throw restErrorUtil.createRESTException(httpCode, logMsg, logError);
+		}
+
         if(LOG.isDebugEnabled()) {
             LOG.debug("<==> TagREST.getServiceTagsIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + pluginId + ")");
         }
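Review bot: In the catch block, `logMsg = excp.getMessage()` is still handed to `restErrorUtil.createRESTException(...)`, so the text of whatever exception `tagStore.getServiceTagsIfUpdated` throws is returned to the caller, and every failure is reported as `SC_BAD_REQUEST` even when the cause is server-side. The full exception is already recorded by `LOG.error`, so the response could carry a fixed message instead, e.g. `logMsg = "getServiceTagsIfUpdated(" + serviceName + ") failed";`, with `HttpServletResponse.SC_INTERNAL_SERVER_ERROR` for failures not caused by the request. The closing debug line is also skipped on the not-modified path, because the exception is thrown before it is reached. The method starts and ends outside this hunk, and the added lines are tab-indented while the surrounding lines use spaces.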

