ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mad...@apache.org
Subject [2/2] incubator-ranger git commit: RANGER-699: updates per review comments and fixes
Date Tue, 08 Mar 2016 01:31:40 GMT
RANGER-699: updates per review comments and fixes


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/dddc4d42
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/dddc4d42
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/dddc4d42

Branch: refs/heads/master
Commit: dddc4d42011adf28062853317908259e894964da
Parents: 5423ee4
Author: Madhan Neethiraj <madhan@apache.org>
Authored: Fri Mar 4 02:22:48 2016 -0800
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Mon Mar 7 17:26:30 2016 -0800

----------------------------------------------------------------------
 .../plugin/policyengine/RangerPolicyEngine.java |   4 +-
 .../policyengine/RangerPolicyEngineImpl.java    |  41 +++++-
 .../RangerDefaultPolicyEvaluator.java           |  27 +++-
 .../policyevaluator/RangerPolicyEvaluator.java  |   4 +-
 .../RangerDefaultPolicyResourceMatcher.java     |  20 +--
 .../RangerPolicyResourceMatcher.java            |   4 +-
 .../RangerAbstractResourceMatcher.java          |   6 +-
 .../resourcematcher/RangerResourceMatcher.java  |   2 +-
 .../org/apache/ranger/rest/ServiceREST.java     | 132 +++++++++++--------
 .../org/apache/ranger/rest/ServiceRESTUtil.java | 106 +++++----------
 10 files changed, 189 insertions(+), 157 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 29080b7..02ad9e9 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -54,7 +54,9 @@ public interface RangerPolicyEngine {
 
 	boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user,
Set<String> userGroups, String accessType);
 
-	RangerPolicy getExactMatchPolicy(RangerAccessResource resource);
+	List<RangerPolicy> getExactMatchPolicies(RangerAccessResource resource);
+
+	List<RangerPolicy> getExactMatchPolicies(Map<String, RangerPolicyResource> resources);
 
 	List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String
accessType);
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 1dd1e7b..92481f6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -338,23 +338,50 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 	}
 
 	@Override
-	public RangerPolicy getExactMatchPolicy(RangerAccessResource resource) {
+	public List<RangerPolicy> getExactMatchPolicies(RangerAccessResource resource) {
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + ")");
+			LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicies(" + resource + ")");
 		}
 
-		RangerPolicy ret = null;
+		List<RangerPolicy> ret = null;
 
 		for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
-			if (evaluator.isSingleAndExactMatch(resource)) {
-				ret = evaluator.getPolicy();
+			if (evaluator.isCompleteMatch(resource)) {
+				if(ret == null) {
+					ret = new ArrayList<RangerPolicy>();
+				}
 
-				break;
+				ret.add(evaluator.getPolicy());
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicies(" + resource + "): " +
ret);
+		}
+
+		return ret;
+	}
+
+	@Override
+	public List<RangerPolicy> getExactMatchPolicies(Map<String, RangerPolicyResource>
resources) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicies(" + resources + ")");
+		}
+
+		List<RangerPolicy> ret = null;
+
+		for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
+			if (evaluator.isCompleteMatch(resources)) {
+				if(ret == null) {
+					ret = new ArrayList<RangerPolicy>();
+				}
+
+				ret.add(evaluator.getPolicy());
 			}
 		}
 
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicy(" + resource + "): " + ret);
+			LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicies(" + resources + "): " +
ret);
 		}
 
 		return ret;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 6171015..9394341 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -283,19 +283,38 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 	}
 
 	@Override
-	public boolean isSingleAndExactMatch(RangerAccessResource resource) {
+	public boolean isCompleteMatch(RangerAccessResource resource) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerDefaultPolicyEvaluator.isSingleAndExactMatch(" + resource + ")");
+			LOG.debug("==> RangerDefaultPolicyEvaluator.isCompleteMatch(" + resource + ")");
 		}
 
 		boolean ret = false;
 
 		if(resourceMatcher != null) {
-			ret = resourceMatcher.isSingleAndExactMatch(resource);
+			ret = resourceMatcher.isCompleteMatch(resource);
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerDefaultPolicyEvaluator.isSingleAndExactMatch(" + resource + "):
" + ret);
+			LOG.debug("<== RangerDefaultPolicyEvaluator.isCompleteMatch(" + resource + "): " +
ret);
+		}
+
+		return ret;
+	}
+
+	@Override
+	public boolean isCompleteMatch(Map<String, RangerPolicyResource> resources) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerDefaultPolicyEvaluator.isCompleteMatch(" + resources + ")");
+		}
+
+		boolean ret = false;
+
+		if(resourceMatcher != null) {
+			ret = resourceMatcher.isCompleteMatch(resources);
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerDefaultPolicyEvaluator.isCompleteMatch(" + resources + "): " +
ret);
 		}
 
 		return ret;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 9cb90f4..3f76755 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -56,7 +56,9 @@ public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator>
 
 	boolean isMatch(RangerAccessResource resource);
 
-	boolean isSingleAndExactMatch(RangerAccessResource resource);
+	boolean isCompleteMatch(RangerAccessResource resource);
+
+	boolean isCompleteMatch(Map<String, RangerPolicyResource> resources);
 
 	boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups,
String accessType);
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
index 7c547f6..4742850 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
@@ -267,9 +267,9 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 	}
 
 	@Override
-	public boolean isSingleAndExactMatch(RangerAccessResource resource) {
+	public boolean isCompleteMatch(RangerAccessResource resource) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerDefaultPolicyResourceMatcher.isSingleAndExactMatch(" + resource
+ ")");
+			LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + ")");
 		}
 
 		boolean ret = false;
@@ -291,9 +291,9 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 					RangerResourceMatcher matcher       = matchers == null ? null : matchers.get(resourceName);
 
 					if(StringUtils.isEmpty(resourceValue)) {
-						ret = matcher == null || matcher.isSingleAndExactMatch(resourceValue);
+						ret = matcher == null || matcher.isCompleteMatch(resourceValue);
 					} else {
-						ret = matcher != null && matcher.isSingleAndExactMatch(resourceValue);
+						ret = matcher != null && matcher.isCompleteMatch(resourceValue);
 					}
 
 					if(! ret) {
@@ -302,13 +302,13 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 				}
 			} else {
 				if(LOG.isDebugEnabled()) {
-					LOG.debug("isSingleAndExactMatch(): keysMatch=false. resourceKeys=" + resourceKeys +
"; policyKeys=" + policyKeys);
+					LOG.debug("isCompleteMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys="
+ policyKeys);
 				}
 			}
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerDefaultPolicyResourceMatcher.isSingleAndExactMatch(" + resource
+ "): " + ret);
+			LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + "):
" + ret);
 		}
 
 		return ret;
@@ -500,9 +500,9 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 	}
 
 	@Override
-	public boolean isExactMatch(Map<String, RangerPolicyResource> resources) {
+	public boolean isCompleteMatch(Map<String, RangerPolicyResource> resources) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerDefaultPolicyResourceMatcher.isExactMatch(" + resources + ")");
+			LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ")");
 		}
 
 		boolean ret = false;
@@ -535,13 +535,13 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
 				}
 			} else {
 				if(LOG.isDebugEnabled()) {
-					LOG.debug("isExactMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys="
+ policyKeys);
+					LOG.debug("isCompleteMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys="
+ policyKeys);
 				}
 			}
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerDefaultPolicyResourceMatcher.isExactMatch(" + resources + "):
" + ret);
+			LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + "):
" + ret);
 		}
 
 		return ret;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
index bf46748..f743d55 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
@@ -36,13 +36,13 @@ public interface RangerPolicyResourceMatcher {
 
 	boolean isMatch(Map<String, RangerPolicyResource> resources);
 
-	boolean isSingleAndExactMatch(RangerAccessResource resource);
+	boolean isCompleteMatch(RangerAccessResource resource);
 
 	boolean isHeadMatch(RangerAccessResource resource);
 
 	boolean isExactHeadMatch(RangerAccessResource resource);
 
-	boolean isExactMatch(Map<String, RangerPolicyResource> resources);
+	boolean isCompleteMatch(Map<String, RangerPolicyResource> resources);
 
 	StringBuilder toString(StringBuilder sb);
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
index b97659f..5063eea 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -101,9 +101,9 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
 	}
 
 	@Override
-	public boolean isSingleAndExactMatch(String resource) {
+	public boolean isCompleteMatch(String resource) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerAbstractResourceMatcher.isSingleAndExactMatch(" + resource + ")");
+			LOG.debug("==> RangerAbstractResourceMatcher.isCompleteMatch(" + resource + ")");
 		}
 
 		boolean ret = false;
@@ -125,7 +125,7 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerAbstractResourceMatcher.isSingleAndExactMatch(" + resource + "):
" + ret);
+			LOG.debug("<== RangerAbstractResourceMatcher.isCompleteMatch(" + resource + "): " +
ret);
 		}
 
 		return ret;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
index 609d59d..e4d3ce5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
@@ -31,5 +31,5 @@ public interface RangerResourceMatcher {
 
 	boolean isMatch(String resource);
 
-	boolean isSingleAndExactMatch(String resource);
+	boolean isCompleteMatch(String resource);
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 5e5d626..e1aef0b 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -66,18 +66,13 @@ import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
-import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.validation.RangerPolicyValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceValidator;
 import org.apache.ranger.plugin.model.validation.RangerValidator.Action;
-import org.apache.ranger.plugin.policyengine.RangerAccessResource;
-import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngineCache;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyengine.*;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.plugin.store.PList;
@@ -839,15 +834,14 @@ public class ServiceREST {
 				String               userName   = grantRequest.getGrantor();
 				Set<String>          userGroups = userMgr.getGroupsForUser(userName);
 				RangerAccessResource resource   = new RangerAccessResourceImpl(grantRequest.getResource());
-				RangerPolicyEngine   policyEngine = getPolicyEngine(serviceName);
-	
-				boolean isAdmin = hasAdminAccess(policyEngine, userName, userGroups, resource);
+
+				boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
 	
 				if(!isAdmin) {
 					throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
 				}
 	
-				RangerPolicy policy = getExactMatchPolicyForResource(policyEngine, resource);
+				RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource);
 
 				if(policy != null) {
 					boolean policyUpdated = false;
@@ -932,18 +926,17 @@ public class ServiceREST {
 					perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName="
+ serviceName + ")");
 				}
 
-				String               userName     = revokeRequest.getGrantor();
-				Set<String>          userGroups   =  userMgr.getGroupsForUser(userName);
-				RangerAccessResource resource     = new RangerAccessResourceImpl(revokeRequest.getResource());
-				RangerPolicyEngine   policyEngine = getPolicyEngine(serviceName);
+				String               userName   = revokeRequest.getGrantor();
+				Set<String>          userGroups =  userMgr.getGroupsForUser(userName);
+				RangerAccessResource resource   = new RangerAccessResourceImpl(revokeRequest.getResource());
 
-				boolean isAdmin = hasAdminAccess(policyEngine, userName, userGroups, resource);
+				boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
 				
 				if(!isAdmin) {
 					throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
 				}
 	
-				RangerPolicy policy = getExactMatchPolicyForResource(policyEngine, resource);
+				RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource);
 				
 				if(policy != null) {
 					boolean policyUpdated = false;
@@ -1048,42 +1041,24 @@ public class ServiceREST {
 		RangerPolicy ret = null;
 
 		if (policy != null && StringUtils.isNotBlank(policy.getService())) {
-
 			try {
-				RangerPolicyResourceSignature resourceSignature = new RangerPolicyResourceSignature(policy);
-
-				List<RangerPolicy> existingPolicies = svcStore.getPoliciesByResourceSignature(policy.getService(),
resourceSignature.getSignature(), true);
+				// Check if applied policy contains any conditions
+				if (ServiceRESTUtil.containsRangerCondition(policy)) {
+					LOG.error("Applied policy contains condition(s); not supported:" + policy);
+					throw new Exception("Applied policy contains condition(s); not supported:" + policy);
+				}
 
-				if (CollectionUtils.isEmpty(existingPolicies)) {
+				RangerPolicy existingPolicy = getExactMatchPolicyForResource(policy.getService(), policy.getResources());
 
+				if (existingPolicy == null) {
 					ret = createPolicy(policy);
-
-				} else if (existingPolicies.size() == 1) {
-
-					// Check if applied policy contains any conditions
-					if (ServiceRESTUtil.containsRangerCondition(policy)) {
-						LOG.error("Applied policy contains condition(s); not supported:" + policy);
-						throw new Exception("Applied policy contains condition(s); not supported:" + policy);
-					}
-					RangerPolicy existingPolicy = existingPolicies.get(0);
-
-					// If existing policy-items contains conditions, then we add/remove specified accesses
to
-					// existing policy-items as specified in applied policy, ignoring those conditions.
-					// New policy-items will have no conditions.
-
-					boolean applyResult = ServiceRESTUtil.processApplyPolicy(existingPolicy, policy);
-
-					if (applyResult) {
-						ret = updatePolicy(existingPolicy);
-					} else {
-						LOG.error("applyPolicy processing failed");
-						throw new Exception("applyPolicy processing failed");
-					}
-
 				} else {
-					// there should be only one policy for the given resources
-					throw new Exception("Invalid state: multiple policies exists for resource " + policy.getResources());
+					ServiceRESTUtil.processApplyPolicy(existingPolicy, policy);
+
+					ret = updatePolicy(existingPolicy);
 				}
+			} catch(WebApplicationException excp) {
+				throw excp;
 			} catch (Exception exception) {
 				LOG.error("Failed to apply policy:", exception);
 				throw restErrorUtil.createRESTException(exception.getMessage());
@@ -1544,16 +1519,18 @@ public class ServiceREST {
 		}
 	}
 
-	private RangerPolicy getExactMatchPolicyForResource(RangerPolicyEngine policyEngine, RangerAccessResource
resource) throws Exception {
+	private RangerPolicy getExactMatchPolicyForResource(String serviceName, RangerAccessResource
resource) throws Exception {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resource + ")");
 		}
 
-		RangerPolicy ret = policyEngine != null ? policyEngine.getExactMatchPolicy(resource) :
null;
+		RangerPolicy       ret          = null;
+		RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
+		List<RangerPolicy> policies     = policyEngine != null ? policyEngine.getExactMatchPolicies(resource)
: null;
 
-		if(ret != null) {
+		if(CollectionUtils.isNotEmpty(policies)) {
 			// at this point, ret is a policy in policy-engine; the caller might update the policy
(for grant/revoke); so get a copy from the store
-			ret = svcStore.getPolicy(ret.getId());
+			ret = svcStore.getPolicy(policies.get(0).getId());
 		}
 
 		if(LOG.isDebugEnabled()) {
@@ -1563,6 +1540,27 @@ public class ServiceREST {
 		return ret;
 	}
 
+	private RangerPolicy getExactMatchPolicyForResource(String serviceName, Map<String, RangerPolicyResource>
resources) throws Exception {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resources + ")");
+		}
+
+		RangerPolicy       ret          = null;
+		RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
+		List<RangerPolicy> policies     = policyEngine != null ? policyEngine.getExactMatchPolicies(resources)
: null;
+
+		if(CollectionUtils.isNotEmpty(policies)) {
+			// at this point, ret is a policy in policy-engine; the caller might update the policy
(for grant/revoke); so get a copy from the store
+			ret = svcStore.getPolicy(policies.get(0).getId());
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== ServiceREST.getExactMatchPolicyForResource(" + resources + "): " + ret);
+		}
+
+		return ret;
+	}
+
 	@GET
 	@Path("/policies/eventTime")
 	@Produces({ "application/json", "application/xml" })
@@ -1683,7 +1681,7 @@ public class ServiceREST {
 						continue;
 					}
 
-					RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
+					RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
 
 					if (policyEngine != null) {
 						if(userGroups == null) {
@@ -1714,12 +1712,12 @@ public class ServiceREST {
 		if(!isAdmin && !isKeyAdmin) {
 			boolean isAllowed = false;
 
-			RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
+			RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
 
 			if (policyEngine != null) {
 				Set<String> userGroups = userMgr.getGroupsForUser(userName);
 
-				isAllowed = hasAdminAccess(policyEngine, userName, userGroups, resources);
+				isAllowed = hasAdminAccess(serviceName, userName, userGroups, resources);
 			}
 
 			if (!isAllowed) {
@@ -1747,9 +1745,11 @@ public class ServiceREST {
 		}
 	}
 
-	private boolean hasAdminAccess(RangerPolicyEngine policyEngine, String userName, Set<String>
userGroups, Map<String, RangerPolicyResource> resources) {
+	private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups,
Map<String, RangerPolicyResource> resources) {
 		boolean isAllowed = false;
 
+		RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
+
 		if(policyEngine != null) {
 			isAllowed = policyEngine.isAccessAllowed(resources, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
 		}
@@ -1757,9 +1757,11 @@ public class ServiceREST {
 		return isAllowed;
 	}
 
-	private boolean hasAdminAccess(RangerPolicyEngine policyEngine, String userName, Set<String>
userGroups, RangerAccessResource resource) {
+	private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups,
RangerAccessResource resource) {
 		boolean isAllowed = false;
 
+		RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
+
 		if(policyEngine != null) {
 			isAllowed = policyEngine.isAccessAllowed(resource, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS);
 		}
@@ -1767,7 +1769,7 @@ public class ServiceREST {
 		return isAllowed;
 	}
 
-	private RangerPolicyEngine getPolicyEngine(String serviceName) {
+	private RangerPolicyEngine getDelegatedAdminPolicyEngine(String serviceName) {
 		if(RangerPolicyEngineCache.getInstance().getPolicyEngineOptions() == null) {
 			RangerPolicyEngineOptions options = new RangerPolicyEngineOptions();
 
@@ -1787,6 +1789,24 @@ public class ServiceREST {
 		return ret;
 	}
 
+	private RangerPolicyEngine getPolicyEngine(String serviceName) throws Exception {
+		RangerPolicyEngineOptions options = new RangerPolicyEngineOptions();
+
+		String propertyPrefix = "ranger.admin";
+
+		options.evaluatorType             = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
+		options.cacheAuditResults         = RangerConfiguration.getInstance().getBoolean(propertyPrefix
+ ".policyengine.option.cache.audit.results", false);
+		options.disableContextEnrichers   = RangerConfiguration.getInstance().getBoolean(propertyPrefix
+ ".policyengine.option.disable.context.enrichers", true);
+		options.disableCustomConditions   = RangerConfiguration.getInstance().getBoolean(propertyPrefix
+ ".policyengine.option.disable.custom.conditions", true);
+		options.evaluateDelegateAdminOnly = false;
+
+		ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, -1L);
+
+		RangerPolicyEngine ret = new RangerPolicyEngineImpl("ranger-admin", policies, options);
+
+		return ret;
+	}
+
 	@GET
 	@Path("/checksso")
 	@Produces(MediaType.TEXT_PLAIN)

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dddc4d42/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
index 7518363..dcae9b4 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
@@ -27,7 +27,6 @@ import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 
 import java.util.ArrayList;
-import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -74,7 +73,9 @@ public class ServiceRESTUtil {
 
 		appliedPolicy.getPolicyItems().add(policyItem);
 
-		policyUpdated = processApplyPolicy(policy, appliedPolicy) || policyUpdated;
+		processApplyPolicy(policy, appliedPolicy);
+
+		policyUpdated = true;
 
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("<== ServiceRESTUtil.processGrantRequest() : " + policyUpdated);
@@ -114,7 +115,9 @@ public class ServiceRESTUtil {
 
 			appliedPolicy.getDenyPolicyItems().add(policyItem);
 
-			policyUpdated = processApplyPolicy(policy, appliedPolicy);
+			processApplyPolicy(policy, appliedPolicy);
+
+			policyUpdated = true;
 		}
 
 		if (LOG.isDebugEnabled()) {
@@ -124,32 +127,26 @@ public class ServiceRESTUtil {
 		return policyUpdated;
 	}
 
-	static public boolean processApplyPolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy)
{
+	static public void processApplyPolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy)
{
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceRESTUtil.processApplyPolicy()");
 		}
 
-		boolean ret = false;
-
-		ret = processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW);
-		ret = ret && processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY);
-		ret = ret && processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
-		ret = ret && processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS);
+		processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW);
+		processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY);
+		processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
+		processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS);
 
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("<== ServiceRESTUtil.processApplyPolicy()");
 		}
-
-		return ret;
 	}
 
-	static public boolean processApplyPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy
appliedPolicy, POLICYITEM_TYPE policyItemType) {
+	static private void processApplyPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy
appliedPolicy, POLICYITEM_TYPE policyItemType) {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceRESTUtil.processApplyPolicyForItemType()");
 		}
 
-		boolean ret = false;
-
 		List<RangerPolicy.RangerPolicyItem> appliedPolicyItems = null;
 
 		switch (policyItemType) {
@@ -166,8 +163,7 @@ public class ServiceRESTUtil {
 				appliedPolicyItems = appliedPolicy.getDenyExceptions();
 				break;
 			default:
-				LOG.warn("Should not have come here..");
-				return false;
+				LOG.warn("processApplyPolicyForItemType(): invalid policyItemType=" + policyItemType);
 		}
 
 		if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
@@ -190,14 +186,12 @@ public class ServiceRESTUtil {
 			// Add modified/new policyItems back to existing policy
 			mergeProcessedPolicyItems(existingPolicy, userPolicyItems, groupPolicyItems);
 
-			ret = compactPolicy(existingPolicy);
+			compactPolicy(existingPolicy);
 		}
 
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("<== ServiceRESTUtil.processApplyPolicyForItemType()");
 		}
-
-		return ret;
 	}
 
 	static private void extractUsersAndGroups(List<RangerPolicy.RangerPolicyItem> policyItems,
Set<String> users, Set<String> groups) {
@@ -281,16 +275,15 @@ public class ServiceRESTUtil {
 		}
 	}
 
-	static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForUser(List<RangerPolicy.RangerPolicyItem>
userPolicyItems, String user) {
+	static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForUser(List<RangerPolicy.RangerPolicyItem>
policyItems, String user) {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForUser()");
 		}
 
 		RangerPolicy.RangerPolicyItem ret = null;
 
-		if (CollectionUtils.isNotEmpty(userPolicyItems)) {
-
-			for (RangerPolicy.RangerPolicyItem policyItem : userPolicyItems) {
+		if (CollectionUtils.isNotEmpty(policyItems)) {
+			for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
 				List<String> users = policyItem.getUsers();
 				if (users.contains(user)) {
 					if (ret == null) {
@@ -302,7 +295,7 @@ public class ServiceRESTUtil {
 					}
 					addAccesses(ret, policyItem.getAccesses());
 
-					// Remove this user/group from existingPolicyItem
+					// Remove this user from existingPolicyItem
 					users.remove(user);
 				}
 			}
@@ -315,16 +308,15 @@ public class ServiceRESTUtil {
 		return ret;
 	}
 
-	static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForGroup(List<RangerPolicy.RangerPolicyItem>
groupPolicyItems, String group) {
+	static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForGroup(List<RangerPolicy.RangerPolicyItem>
policyItems, String group) {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()");
 		}
 
 		RangerPolicy.RangerPolicyItem ret = null;
 
-		if (CollectionUtils.isNotEmpty(groupPolicyItems)) {
-
-			for (RangerPolicy.RangerPolicyItem policyItem : groupPolicyItems) {
+		if (CollectionUtils.isNotEmpty(policyItems)) {
+			for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
 				List<String> groups = policyItem.getGroups();
 				if (groups.contains(group)) {
 					if (ret == null) {
@@ -336,7 +328,7 @@ public class ServiceRESTUtil {
 					}
 					addAccesses(ret, policyItem.getAccesses());
 
-					// Remove this user/group from existingPolicyItem
+					// Remove this group from existingPolicyItem
 					groups.remove(group);
 				}
 			}
@@ -541,14 +533,14 @@ public class ServiceRESTUtil {
 			for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
 				String accessType = access.getType();
 
-				int numOfItems = policyItem.getAccesses().size();
+				int numOfAccesses = policyItem.getAccesses().size();
 
-				for (int i = 0; i < numOfItems; i++) {
+				for (int i = 0; i < numOfAccesses; i++) {
 					RangerPolicy.RangerPolicyItemAccess itemAccess = policyItem.getAccesses().get(i);
 
 					if (StringUtils.equals(itemAccess.getType(), accessType)) {
 						policyItem.getAccesses().remove(i);
-						numOfItems--;
+						numOfAccesses--;
 						i--;
 
 						ret = true;
@@ -562,42 +554,11 @@ public class ServiceRESTUtil {
 		return ret;
 	}
 
-	static private boolean compactPolicy(RangerPolicy policy) {
-		boolean ret = true;			// Always true for now
-
-		List<?>[] policyItemsList = new List<?>[] { policy.getPolicyItems(),
-				policy.getDenyPolicyItems(),
-				policy.getAllowExceptions(),
-				policy.getDenyExceptions()
-		};
-
-		for(List<?> policyItemsObj : policyItemsList) {
-			@SuppressWarnings("unchecked")
-			List<RangerPolicy.RangerPolicyItem> policyItems = (List<RangerPolicy.RangerPolicyItem>)policyItemsObj;
-
-			int numOfItems = policyItems.size();
-
-			for(int i = 0; i < numOfItems; i++) {
-				RangerPolicy.RangerPolicyItem policyItem = policyItems.get(i);
-
-				// remove the policy item if 1) there are no users and groups OR 2) if there are no accessTypes
and not a delegate-admin
-				if((CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups()))
||
-						(CollectionUtils.isEmpty(policyItem.getAccesses()) && !policyItem.getDelegateAdmin()))
{
-					policyItems.remove(i);
-					numOfItems--;
-					i--;
-
-					ret = true;
-				}
-			}
-		}
-
+	static private void compactPolicy(RangerPolicy policy) {
 		policy.setPolicyItems(mergePolicyItems(policy.getPolicyItems()));
 		policy.setDenyPolicyItems(mergePolicyItems(policy.getDenyPolicyItems()));
 		policy.setAllowExceptions(mergePolicyItems(policy.getAllowExceptions()));
 		policy.setDenyExceptions(mergePolicyItems(policy.getDenyExceptions()));
-
-		return ret;
 	}
 
 	static private List<RangerPolicy.RangerPolicyItem> mergePolicyItems(List<RangerPolicy.RangerPolicyItem>
policyItems) {
@@ -607,6 +568,11 @@ public class ServiceRESTUtil {
 			Map<String, RangerPolicy.RangerPolicyItem> matchedPolicyItems = new HashMap<String,
RangerPolicy.RangerPolicyItem>();
 
 			for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
+				if((CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups()))
||
+				   (CollectionUtils.isEmpty(policyItem.getAccesses()) && !policyItem.getDelegateAdmin()))
{
+					continue;
+				}
+
 				if (policyItem.getConditions().size() > 1) {
 					ret.add(policyItem);
 					continue;
@@ -620,19 +586,15 @@ public class ServiceRESTUtil {
 					accesses.add("delegateAdmin");
 				}
 
-				StringBuilder allAccessesString = new StringBuilder();
-
-				for (String access = accesses.first(); access != null; access = accesses.higher(access))
{
-					allAccessesString.append(access);
-				}
+				String allAccessesString = accesses.toString();
 
-				RangerPolicy.RangerPolicyItem matchingPolicyItem = matchedPolicyItems.get(allAccessesString.toString());
+				RangerPolicy.RangerPolicyItem matchingPolicyItem = matchedPolicyItems.get(allAccessesString);
 
 				if (matchingPolicyItem != null) {
 					addDistinctItems(policyItem.getUsers(), matchingPolicyItem.getUsers());
 					addDistinctItems(policyItem.getGroups(), matchingPolicyItem.getGroups());
 				} else {
-					matchedPolicyItems.put(allAccessesString.toString(), policyItem);
+					matchedPolicyItems.put(allAccessesString, policyItem);
 				}
 			}
 



Mime
View raw message