ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mad...@apache.org
Subject ranger git commit: RANGER-1493: Policy engine updates to support tag-based datamasking and rowfiltering policies
Date Thu, 01 Jun 2017 00:05:54 GMT
Repository: ranger
Updated Branches:
  refs/heads/master bac22f221 -> 9a943f1bf


RANGER-1493: Policy engine updates to support tag-based datamasking and rowfiltering policies

Signed-off-by: Madhan Neethiraj <madhan@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/9a943f1b
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/9a943f1b
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/9a943f1b

Branch: refs/heads/master
Commit: 9a943f1bf915247c01c1ac4322e8e56e63386a04
Parents: bac22f2
Author: Abhay Kulkarni <akulkarni@hortonworks.com>
Authored: Thu Mar 30 23:07:49 2017 -0700
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Wed May 31 17:05:38 2017 -0700

----------------------------------------------------------------------
 .../policyengine/PolicyEvaluatorForTag.java     |  46 +++
 .../plugin/policyengine/RangerAccessResult.java |   1 -
 .../plugin/policyengine/RangerPolicyEngine.java |   4 +
 .../policyengine/RangerPolicyEngineImpl.java    | 280 ++++++++++++++++---
 .../policyengine/RangerPolicyRepository.java    |  64 ++++-
 5 files changed, 355 insertions(+), 40 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/9a943f1b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEvaluatorForTag.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEvaluatorForTag.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEvaluatorForTag.java
new file mode 100644
index 0000000..46f8cb0
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEvaluatorForTag.java
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+
+public class PolicyEvaluatorForTag implements Comparable<PolicyEvaluatorForTag> {
+    private final RangerPolicyEvaluator evaluator;
+    private final RangerTagForEval      tag;
+
+    PolicyEvaluatorForTag(RangerPolicyEvaluator evaluator, RangerTagForEval tag) {
+        this.evaluator = evaluator;
+        this.tag       = tag;
+    }
+
+    RangerPolicyEvaluator getEvaluator() {
+        return evaluator;
+    }
+
+    RangerTagForEval getTag() {
+        return tag;
+    }
+
+    @Override
+    public int compareTo(PolicyEvaluatorForTag other) {
+        return evaluator.getPolicy().getName().compareTo(other.evaluator.getPolicy().getName());
+    }
+}

http://git-wip-us.apache.org/repos/asf/ranger/blob/9a943f1b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index 904fc86..28319b2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -60,7 +60,6 @@ public class RangerAccessResult {
 		this.isAuditedDetermined = other.getIsAuditedDetermined();
 		this.isAudited = other.getIsAudited();
 		this.auditPolicyId = other.getAuditPolicyId();
-		this.evaluatedPoliciesCount += other.getEvaluatedPoliciesCount();
 	}
 
 	/**

http://git-wip-us.apache.org/repos/asf/ranger/blob/9a943f1b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 06c7d16..b758d69 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -49,6 +49,10 @@ public interface RangerPolicyEngine {
 
 	RangerAccessResult createAccessResult(RangerAccessRequest request);
 
+	RangerDataMaskResult createDataMaskResult(RangerAccessRequest request);
+
+	RangerRowFilterResult createRowFilterResult(RangerAccessRequest request);
+
 	void preProcess(RangerAccessRequest request);
 
 	void preProcess(Collection<RangerAccessRequest> requests);

http://git-wip-us.apache.org/repos/asf/ranger/blob/9a943f1b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 433c5de..a4114eb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -202,6 +202,38 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 	}
 
 	@Override
+	public RangerDataMaskResult createDataMaskResult(RangerAccessRequest request) {
+		RangerDataMaskResult ret = new RangerDataMaskResult(this.getServiceName(), policyRepository.getServiceDef(),
request);
+		switch (policyRepository.getAuditModeEnum()) {
+			case AUDIT_ALL:
+				ret.setIsAudited(true);
+				break;
+			case AUDIT_NONE:
+				ret.setIsAudited(false);
+				break;
+			default:
+				break;
+		}
+		return ret;
+	}
+
+	@Override
+	public RangerRowFilterResult createRowFilterResult(RangerAccessRequest request) {
+		RangerRowFilterResult ret = new RangerRowFilterResult(this.getServiceName(), policyRepository.getServiceDef(),
request);
+		switch (policyRepository.getAuditModeEnum()) {
+			case AUDIT_ALL:
+				ret.setIsAudited(true);
+				break;
+			case AUDIT_NONE:
+				ret.setIsAudited(false);
+				break;
+			default:
+				break;
+		}
+		return ret;
+	}
+
+	@Override
 	public void preProcess(RangerAccessRequest request) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerPolicyEngineImpl.preProcess(" + request + ")");
@@ -325,23 +357,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			LOG.debug("==> RangerPolicyEngineImpl.evalDataMaskPolicies(" + request + ")");
 		}
 
-		RangerDataMaskResult ret = new RangerDataMaskResult(getServiceName(), getServiceDef(),
request);
-
-		if(request != null) {
-			List<RangerPolicyEvaluator> evaluators = policyRepository.getDataMaskPolicyEvaluators(request.getResource());
-			for (RangerPolicyEvaluator evaluator : evaluators) {
-				evaluator.evaluate(request, ret);
-
-				if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {
-					if(!StringUtils.equalsIgnoreCase(ret.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) {
-						break;
-					} else {
-						ret.setMaskType(null);
-						ret.setIsAccessDetermined(false);
-					}
-				}
-			}
-		}
+		RangerDataMaskResult ret = evalDataMaskPoliciesNoAudit(request);
 
 		// no need to audit if mask is not enabled
 		if(! ret.isMaskEnabled()) {
@@ -367,22 +383,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			LOG.debug("==> RangerPolicyEngineImpl.evalRowFilterPolicies(" + request + ")");
 		}
 
-		RangerRowFilterResult ret = new RangerRowFilterResult(getServiceName(), getServiceDef(),
request);
-
-		if(request != null) {
-			List<RangerPolicyEvaluator> evaluators = policyRepository.getRowFilterPolicyEvaluators(request.getResource());
-			for (RangerPolicyEvaluator evaluator : evaluators) {
-				evaluator.evaluate(request, ret);
-
-				if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {
-					if(StringUtils.isNotEmpty(ret.getFilterExpr())) {
-						break;
-					} else {
-						ret.setIsAccessDetermined(false);
-					}
-				}
-			}
-		}
+		RangerRowFilterResult ret = evalRowFilterPoliciesNoAudit(request);
 
 		// no need to audit if filter is not enabled
 		if(! ret.isRowFilterEnabled()) {
@@ -674,7 +675,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 					List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators(tagEvalRequest.getResource());
 
 					for (RangerPolicyEvaluator evaluator : evaluators) {
-						tagEvalResult.incrementEvaluatedPoliciesCount();
+						result.incrementEvaluatedPoliciesCount();
 
 						evaluator.evaluate(tagEvalRequest, tagEvalResult);
 
@@ -696,8 +697,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 					}
 
 					if (tagEvalResult.getIsAudited()) {
-						result.setIsAudited(true);
-						result.setAuditPolicyId(tagEvalResult.getAuditPolicyId());
+						result.setAuditResultFrom(tagEvalResult);
 					}
 
 					if (!result.getIsAccessDetermined() && tagEvalResult.getIsAccessDetermined())
{
@@ -727,6 +727,214 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 		}
 	}
 
+	RangerDataMaskResult evalDataMaskPoliciesNoAudit(RangerAccessRequest request) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerPolicyEngineImpl.evalDataMaskPoliciesNoAudit(" + request + ")");
+		}
+
+		RangerDataMaskResult ret = createDataMaskResult(request);
+
+		if (ret != null && request != null) {
+			if (hasTagPolicies()) {
+				evalDataMaskPoliciesForTagPolicies(request, ret);
+
+				if (LOG.isDebugEnabled()) {
+					if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {
+						LOG.debug("RangerPolicyEngineImpl.evalDataMaskPoliciesNoAudit() - access and audit
determined by tag policy. No resource policies will be evaluated, request=" + request + ",
result=" + ret);
+					}
+				}
+			}
+			boolean isEvaluatedByTags        = ret.getIsAccessDetermined() && ret.getIsAllowed();
+			boolean evaluateResourcePolicies = hasResourcePolicies() && (!isEvaluatedByTags
|| !ret.getIsAuditedDetermined());
+
+			if (evaluateResourcePolicies) {
+				boolean                     findAuditByResource = !ret.getIsAuditedDetermined();
+				boolean                     foundInCache        = findAuditByResource && policyRepository.setAuditEnabledFromCache(request,
ret);
+				List<RangerPolicyEvaluator> evaluators          = policyRepository.getDataMaskPolicyEvaluators(request.getResource());
+
+				for (RangerPolicyEvaluator evaluator : evaluators) {
+					ret.incrementEvaluatedPoliciesCount();
+					evaluator.evaluate(request, ret);
+
+					if(ret.getIsAccessDetermined()) {
+						if (StringUtils.equalsIgnoreCase(ret.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) {
+							ret.setMaskType(null);
+						}
+
+						if (ret.getIsAuditedDetermined()) {
+							break;
+						}
+					}
+				}
+
+				if (findAuditByResource && !foundInCache) {
+					policyRepository.storeAuditEnabledInCache(request, ret);
+				}
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerPolicyEngineImpl.evalDataMaskPoliciesNoAudit(" + request + "):
" + ret);
+		}
+		return ret;
+	}
+
+	protected void evalDataMaskPoliciesForTagPolicies(final RangerAccessRequest request, RangerDataMaskResult
result) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerPolicyEngineImpl.evalDataMaskPoliciesForTagPolicies(" + request
+ ", " + result + ")");
+		}
+
+		List<RangerPolicyEvaluator> tagEvaluators = tagPolicyRepository == null ? null :
tagPolicyRepository.getDataMaskPolicyEvaluators();
+
+		if (CollectionUtils.isNotEmpty(tagEvaluators)) {
+			Set<RangerTagForEval>       tags               = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
+			List<PolicyEvaluatorForTag> dataMaskEvaluators = tagPolicyRepository.getDataMaskPolicyEvaluators(tags);
+
+			if (CollectionUtils.isNotEmpty(dataMaskEvaluators)) {
+				for (PolicyEvaluatorForTag dataMaskEvaluator : dataMaskEvaluators) {
+					RangerPolicyEvaluator evaluator      = dataMaskEvaluator.getEvaluator();
+					RangerTagForEval      tag            = dataMaskEvaluator.getTag();
+					RangerAccessRequest   tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(),
request);
+					RangerDataMaskResult  tagEvalResult  = createDataMaskResult(tagEvalRequest);
+
+					tagEvalResult.setAuditResultFrom(result);
+					tagEvalResult.setAccessResultFrom(result);
+
+					tagEvalResult.setMaskType(result.getMaskType());
+					tagEvalResult.setMaskCondition(result.getMaskCondition());
+					tagEvalResult.setMaskedValue(result.getMaskedValue());
+
+					result.incrementEvaluatedPoliciesCount();
+
+					evaluator.evaluate(tagEvalRequest, tagEvalResult);
+
+					if (tagEvalResult.getIsAudited()) {
+						result.setAuditResultFrom(tagEvalResult);
+					}
+
+					if (tagEvalResult.getIsAccessDetermined()) {
+						result.setAccessResultFrom(tagEvalResult);
+						result.setMaskType(tagEvalResult.getMaskType());
+						result.setMaskCondition(tagEvalResult.getMaskCondition());
+						result.setMaskedValue(tagEvalResult.getMaskedValue());
+
+						if (StringUtils.equalsIgnoreCase(result.getMaskType(), RangerPolicy.MASK_TYPE_NONE))
{
+							result.setMaskType(null);
+						}
+					}
+
+					if (result.getIsAuditedDetermined() && result.getIsAccessDetermined()) {
+						if (LOG.isDebugEnabled()) {
+							LOG.debug("RangerPolicyEngineImpl.evalDataMaskPoliciesForTagPolicies: concluding eval
of dataMask policies for tags: tag=" + tag.getType() + " with authorization=" + tagEvalResult.getIsAllowed());
+						}
+						break;            // Break out of datamask policy-evaluation loop
+					}
+				}
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerPolicyEngineImpl.evalDataMaskPoliciesForTagPolicies(" + request
+ ", " + result + ")");
+		}
+	}
+
+	RangerRowFilterResult evalRowFilterPoliciesNoAudit(RangerAccessRequest request) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerPolicyEngineImpl.evalRowFilterPoliciesNoAudit(" + request + ")");
+		}
+
+		RangerRowFilterResult ret = createRowFilterResult(request);
+
+		if (ret != null && request != null) {
+			if (hasTagPolicies()) {
+				evalRowFilterPoliciesForTagPolicies(request, ret);
+
+				if (LOG.isDebugEnabled()) {
+					if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {
+						LOG.debug("RangerPolicyEngineImpl.evalRowFilterPoliciesNoAudit() - access and audit
determined by tag policy. No resource policies will be evaluated, request=" + request + ",
result=" + ret);
+					}
+				}
+			}
+			boolean isEvaluatedByTags        = ret.getIsAccessDetermined() && ret.getIsAllowed();
+			boolean evaluateResourcePolicies = hasResourcePolicies() && (!isEvaluatedByTags
|| !ret.getIsAuditedDetermined());
+
+			if (evaluateResourcePolicies) {
+				boolean                     findAuditByResource = !ret.getIsAuditedDetermined();
+				boolean                     foundInCache        = findAuditByResource && policyRepository.setAuditEnabledFromCache(request,
ret);
+				List<RangerPolicyEvaluator> evaluators          = policyRepository.getRowFilterPolicyEvaluators(request.getResource());
+
+				for (RangerPolicyEvaluator evaluator : evaluators) {
+					ret.incrementEvaluatedPoliciesCount();
+					evaluator.evaluate(request, ret);
+
+					if(ret.getIsAuditedDetermined() && ret.getIsAccessDetermined()) {
+						break;
+					}
+				}
+
+				if (findAuditByResource && !foundInCache) {
+					policyRepository.storeAuditEnabledInCache(request, ret);
+				}
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerPolicyEngineImpl.evalRowFilterPoliciesNoAudit(" + request + "):
" + ret);
+		}
+		return ret;
+	}
+
+	protected void evalRowFilterPoliciesForTagPolicies(final RangerAccessRequest request, RangerRowFilterResult
result) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerPolicyEngineImpl.evalRowFilterPoliciesForTagPolicies(" + request
+ ", " + result + ")");
+		}
+
+		List<RangerPolicyEvaluator> tagEvaluators = tagPolicyRepository == null ? null :
tagPolicyRepository.getRowFilterPolicyEvaluators();
+
+		if (CollectionUtils.isNotEmpty(tagEvaluators)) {
+			Set<RangerTagForEval>       tags                = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
+			List<PolicyEvaluatorForTag> rowFilterEvaluators = tagPolicyRepository.getRowFilterPolicyEvaluators(tags);
+
+			if (CollectionUtils.isNotEmpty(rowFilterEvaluators)) {
+				for (PolicyEvaluatorForTag rowFilterEvaluator : rowFilterEvaluators) {
+					RangerPolicyEvaluator evaluator      = rowFilterEvaluator.getEvaluator();
+					RangerTagForEval      tag            = rowFilterEvaluator.getTag();
+					RangerAccessRequest   tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(),
request);
+					RangerRowFilterResult tagEvalResult  = createRowFilterResult(tagEvalRequest);
+
+					tagEvalResult.setAuditResultFrom(result);
+					tagEvalResult.setAccessResultFrom(result);
+
+					tagEvalResult.setFilterExpr(result.getFilterExpr());
+
+					result.incrementEvaluatedPoliciesCount();
+
+					evaluator.evaluate(tagEvalRequest, tagEvalResult);
+
+					if (tagEvalResult.getIsAudited()) {
+						result.setAuditResultFrom(tagEvalResult);
+					}
+
+					if (tagEvalResult.getIsAccessDetermined()) {
+						result.setAccessResultFrom(tagEvalResult);
+						result.setFilterExpr(tagEvalResult.getFilterExpr());
+					}
+
+					if (result.getIsAuditedDetermined() && result.getIsAccessDetermined()) {
+						if (LOG.isDebugEnabled()) {
+							LOG.debug("RangerPolicyEngineImpl.evalRowFilterPoliciesForTagPolicies: concluding
eval of rowFilter policies for tags: tag=" + tag.getType() + " with authorization=" + tagEvalResult.getIsAllowed());
+						}
+						break;            // Break out of rowFilter policy-evaluation loop
+					}
+				}
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerPolicyEngineImpl.evalRowFilterPoliciesForTagPolicies(" + request
+ ", " + result + ")");
+		}
+	}
+
 	@Override
 	public void reorderPolicyEvaluators() {
 		if (LOG.isDebugEnabled()) {

http://git-wip-us.apache.org/repos/asf/ranger/blob/9a943f1b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 0793a6a..fc34da0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -25,7 +25,9 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
+import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
 import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyevaluator.RangerCachedPolicyEvaluator;
 import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator;
@@ -230,6 +232,10 @@ class RangerPolicyRepository {
         return dataMaskResourceTrie == null || StringUtils.isEmpty(resourceStr)  ? getDataMaskPolicyEvaluators()
: getPolicyEvaluators(dataMaskResourceTrie, resource);
     }
 
+    List<PolicyEvaluatorForTag> getDataMaskPolicyEvaluators(Set<RangerTagForEval>
tags) {
+        return getSortedPolicyEvaluatorsForTags(tags, RangerPolicy.POLICY_TYPE_DATAMASK);
+    }
+
     List<RangerPolicyEvaluator> getRowFilterPolicyEvaluators() {
         return rowFilterPolicyEvaluators;
     }
@@ -239,6 +245,11 @@ class RangerPolicyRepository {
 
         return rowFilterResourceTrie == null || StringUtils.isEmpty(resourceStr)  ? getRowFilterPolicyEvaluators()
: getPolicyEvaluators(rowFilterResourceTrie, resource);
     }
+
+    List<PolicyEvaluatorForTag> getRowFilterPolicyEvaluators(Set<RangerTagForEval>
tags) {
+        return getSortedPolicyEvaluatorsForTags(tags, RangerPolicy.POLICY_TYPE_ROWFILTER);
+    }
+
     AuditModeEnum getAuditModeEnum() { return auditModeEnum; }
 
     private List<RangerPolicyEvaluator> getPolicyEvaluators(Map<String, RangerResourceTrie>
resourceTrie, RangerAccessResource resource) {
@@ -300,6 +311,36 @@ class RangerPolicyRepository {
         return ret;
     }
 
+    private List<PolicyEvaluatorForTag> getSortedPolicyEvaluatorsForTags(Set<RangerTagForEval>
tags, int policyType) {
+        List<PolicyEvaluatorForTag> ret = null;
+
+        if (CollectionUtils.isNotEmpty(tags) && getServiceDef() != null
+                && (policyType == RangerPolicy.POLICY_TYPE_ACCESS || policyType ==
RangerPolicy.POLICY_TYPE_DATAMASK || policyType == RangerPolicy.POLICY_TYPE_ROWFILTER)) {
+            ret = new ArrayList<PolicyEvaluatorForTag>();
+
+            for (RangerTagForEval tag : tags) {
+                RangerAccessResource resource = new RangerTagResource(tag.getType(), getServiceDef());
+                List<RangerPolicyEvaluator> evaluators = null;
+                if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
+                    evaluators = getDataMaskPolicyEvaluators(resource);
+                } else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
+                    evaluators = getRowFilterPolicyEvaluators(resource);
+                } else {
+                    evaluators = getPolicyEvaluators(resource);
+                }
+                if (CollectionUtils.isNotEmpty(evaluators)) {
+                    for (RangerPolicyEvaluator evaluator : evaluators) {
+                        ret.add(new PolicyEvaluatorForTag(evaluator, tag));
+                    }
+                }
+            }
+        }
+        if (CollectionUtils.isNotEmpty(ret)) {
+            Collections.sort(ret);
+        }
+        return ret;
+    }
+
     private RangerServiceDef normalizeAccessTypeDefs(RangerServiceDef serviceDef, final String
componentType) {
 
         if (serviceDef != null && StringUtils.isNotBlank(componentType)) {
@@ -391,7 +432,7 @@ class RangerPolicyRepository {
             }
 
             if(policiesToPrune != null) {
-	            rangerPolicies.removeAll(policiesToPrune);
+                rangerPolicies.removeAll(policiesToPrune);
             }
         }
 
@@ -426,7 +467,7 @@ class RangerPolicyRepository {
                     }
 
                     if(accessesToPrune != null) {
-	                    policyItemAccesses.removeAll(accessesToPrune);
+                        policyItemAccesses.removeAll(accessesToPrune);
                     }
 
                     if (policyItemAccesses.isEmpty() && !policyItem.getDelegateAdmin())
{
@@ -435,12 +476,29 @@ class RangerPolicyRepository {
                         }
 
                         itemsToPrune.add(policyItem);
+
+                        continue;
+                    }
+                }
+
+                if (policyItem instanceof RangerPolicy.RangerDataMaskPolicyItem) {
+                    RangerPolicyItemDataMaskInfo dataMaskInfo = ((RangerPolicy.RangerDataMaskPolicyItem)
policyItem).getDataMaskInfo();
+                    String                       maskType     = dataMaskInfo.getDataMaskType();
+
+                    if (StringUtils.startsWith(maskType, prefix)) {
+                        dataMaskInfo.setDataMaskType(StringUtils.removeStart(maskType, prefix));
+                    } else if (maskType.contains(AbstractServiceStore.COMPONENT_ACCESSTYPE_SEPARATOR))
{
+                        if (itemsToPrune == null) {
+                            itemsToPrune = new ArrayList<>();
+                        }
+
+                        itemsToPrune.add(policyItem);
                     }
                 }
             }
 
             if(itemsToPrune != null) {
-	            policyItems.removeAll(itemsToPrune);
+                policyItems.removeAll(itemsToPrune);
             }
         }
 


Mime
View raw message