ranger-commits mailing list archives

From spolavar...@apache.org
Subject [1/2] ranger git commit: RANGER-1647: Allow Ranger policy conditions to use tag attributes and values in Ranger -- ranger-0.7 branch
Date Thu, 14 Sep 2017 16:21:01 GMT
Repository: ranger
Updated Branches:
  refs/heads/ranger-0.7 309abeff4 -> 109f2218d


RANGER-1647: Allow Ranger policy conditions to use tag attributes and values in Ranger --
ranger-0.7 branch


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/dbe1a3a3
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/dbe1a3a3
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/dbe1a3a3

Branch: refs/heads/ranger-0.7
Commit: dbe1a3a3f033f0e423e70d14b9937162ad5d4a66
Parents: 309abef
Author: Sailaja Polavarapu <spolavarapu@hortonworks.com>
Authored: Wed Sep 13 15:57:33 2017 -0700
Committer: Sailaja Polavarapu <spolavarapu@hortonworks.com>
Committed: Wed Sep 13 15:57:33 2017 -0700

----------------------------------------------------------------------
 .../RangerScriptConditionEvaluator.java             |  8 +++++++-
 .../RangerScriptExecutionContext.java               | 10 +++++-----
 .../service-defs/ranger-servicedef-tag.json         |  8 ++++++++
 .../test/resources/policyengine/resourceTags.json   |  2 +-
 .../policyengine/test_policyengine_owner.json       | 10 +++++-----
 .../policyengine/test_policyengine_tag_hive.json    | 14 +++++++-------
 .../test_policyengine_tag_hive_filebased.json       | 16 ++++++++--------
 7 files changed, 41 insertions(+), 27 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
index 48ffc38..5febf95 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
@@ -24,12 +24,14 @@ import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 
 import javax.script.Bindings;
 import javax.script.ScriptEngine;
 import javax.script.ScriptEngineManager;
 import javax.script.ScriptException;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 
@@ -90,11 +92,15 @@ public class RangerScriptConditionEvaluator extends RangerAbstractConditionEvalu
 
 				RangerAccessRequest readOnlyRequest = request.getReadOnlyCopy();
 
-				RangerScriptExecutionContext context = new RangerScriptExecutionContext(readOnlyRequest);
+				RangerScriptExecutionContext context    = new RangerScriptExecutionContext(readOnlyRequest);
+				RangerTagForEval             currentTag = context.getCurrentTag();
+				Map<String, String>          tagAttribs = currentTag != null ? currentTag.getAttributes() : Collections.<String, String>emptyMap();
 
 				Bindings bindings = scriptEngine.createBindings();
 
 				bindings.put("ctx", context);
+				bindings.put("tag", currentTag);
+				bindings.put("tagAttr", tagAttribs);
 
 				if (LOG.isDebugEnabled()) {
 					LOG.debug("RangerScriptConditionEvaluator.isMatched(): script={" + script + "}");
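Review bot: The new `tag` and `tagAttr` bindings hand the script the live `RangerTagForEval` and whatever map `getAttributes()` returns, while the request itself is deliberately passed as `getReadOnlyCopy()`. If that map is the tag's own mutable map (the class is not shown on this page), a condition script could call `tagAttr.put(...)` and change what later evaluations see. A null return from `getAttributes()` would also leave `tagAttr` null for a non-null tag. Consider `Map<String, String> attrs = currentTag != null ? currentTag.getAttributes() : null;` followed by `Map<String, String> tagAttribs = attrs != null ? Collections.unmodifiableMap(attrs) : Collections.<String, String>emptyMap();`, plus a short comment above the `bindings.put` calls listing the names exposed to scripts (`ctx`, `tag`, `tagAttr`). The enclosing method starts and ends outside this hunk.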

http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
index acd96be..415d7fd 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
@@ -368,23 +368,23 @@ public final class RangerScriptExecutionContext {
 		return ret;
 	}
 
-	public void logDebug(String msg) {
+	public void logDebug(Object msg) {
 		LOG.debug(msg);
 	}
 
-	public void logInfo(String msg) {
+	public void logInfo(Object msg) {
 		LOG.info(msg);
 	}
 
-	public void logWarn(String msg) {
+	public void logWarn(Object msg) {
 		LOG.warn(msg);
 	}
 
-	public void logError(String msg) {
+	public void logError(Object msg) {
 		LOG.error(msg);
 	}
 
-	public void logFatal(String msg) {
+	public void logFatal(Object msg) {
 		LOG.fatal(msg);
 	}
 }
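Review bot: The five `log*` methods pass a script-supplied value straight to the logger, and with the parameter widened to `Object` the text written is whatever `toString()` of that value yields. This commit also lets policy scripts read tag attribute values, so an attribute containing line breaks could end up forging entries in the plugin log. Neutralise CR/LF before logging in each method, e.g. `LOG.debug(String.valueOf(msg).replaceAll("[\\r\\n]", "_"));`. A Javadoc line such as `/** Called from policy-condition scripts; msg may be any script value, not only a String. */` would record the presumed reason for the `Object` signature. The class body begins outside this hunk.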

http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json
index 3bad222..c17b750 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json
@@ -69,6 +69,14 @@
       "uiHint": "{ \"singleValue\":true }",
       "label":"Accessed after expiry_date (yes/no)?",
       "description": "Accessed after expiry_date? (yes/no)"
+    },
+    {
+      "itemId":2,
+      "name":"expression",
+      "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+      "evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
+      "label":"Enter boolean expression",
+      "description": "Boolean expression"
     }
   ]
 }
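Review bot: This entry makes `RangerScriptConditionEvaluator` a standard condition of the tag service definition, so anyone allowed to author a tag policy condition can supply JavaScript that is evaluated inside the plugin. Whether the script engine restricts what such a script can reach is not visible on this page and is worth confirming before this ships as a default. The label and description also do not tell the policy author what language or variables are in play. Suggest `"label":"Enter boolean expression (JavaScript)"` and `"description": "Boolean expression, evaluated as JavaScript with ctx, tag and tagAttr in scope"`.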

http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/test/resources/policyengine/resourceTags.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/resourceTags.json b/agents-common/src/test/resources/policyengine/resourceTags.json
index 9523ca0..c564673 100644
--- a/agents-common/src/test/resources/policyengine/resourceTags.json
+++ b/agents-common/src/test/resources/policyengine/resourceTags.json
@@ -49,7 +49,7 @@
       },
       "3": {
         "type": "RESTRICTED",
-        "attributes": { "activation_date": "2015/08/10" },
+        "attributes": { "activation_date": "2015/08/10", "score": "2" },
         "id": 3,
         "guid": "tag-restricted-3-guid"
       },

http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/test/resources/policyengine/test_policyengine_owner.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_owner.json b/agents-common/src/test/resources/policyengine/test_policyengine_owner.json
index 82a6632..223a0c6 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_owner.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_owner.json
@@ -16,11 +16,11 @@
     "policyConditions": [
       {
         "itemId":1,
-        "name":"ScriptConditionEvaluator",
-        "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
-        "evaluatorOptions" : {"engineName":"JavaScript"},
-        "label":"Script",
-        "description": "Script to execute"
+        "name":"expression",
+      "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+      "evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
+      "label":"Enter boolean expression",
+      "description": "Boolean expression"
       }
     ]
   },

http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
index 04b9afe..11f31e3 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
@@ -143,11 +143,11 @@
       "policyConditions": [
         {
           "itemId":1,
-          "name":"ScriptConditionEvaluator",
-          "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
-          "evaluatorOptions" : {"engineName":"JavaScript"},
-          "label":"Script",
-          "description": "Script to execute"
+          "name":"expression",
+      	  "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+      	  "evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
+      	  "label":"Enter boolean expression",
+      	  "description": "Boolean expression"
         },
         {
           "itemId":2,
@@ -166,7 +166,7 @@
           {
             "accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
             "conditions":[{
-              "type":"ScriptConditionEvaluator",
+              "type":"expression",
               "values":["if ( ctx.isAccessedBefore('expiry') ) ctx.result = true;"]
             }]
           }
@@ -197,7 +197,7 @@
         "denyExceptions":[
           {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
             "conditions":[{
-              "type":"ScriptConditionEvaluator",
+              "type":"expression",
               "values":["if ( ctx.isAccessedBefore('expiry') ) ctx.result = true;"]
             }]
           }

http://git-wip-us.apache.org/repos/asf/ranger/blob/dbe1a3a3/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
index c2cb0b3..6b2863a 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
@@ -149,11 +149,11 @@
       "policyConditions": [
         {
           "itemId":1,
-          "name":"ScriptConditionEvaluator",
-          "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
-          "evaluatorOptions" : {"engineName":"JavaScript"},
-          "label":"Script",
-          "description": "Script to execute"
+          "name":"expression",
+      	  "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+      	  "evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
+      	  "label":"Enter boolean expression",
+      	  "description": "Boolean expression"
         },
         {
           "itemId":2,
@@ -172,8 +172,8 @@
           {
             "accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
             "conditions":[{
-              "type":"ScriptConditionEvaluator",
-              "values":["if ( ctx.isAccessedBefore('activation_date') ) ctx.result = true;"]
+              "type":"expression",
+              "values":["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
             }]
           }
         ]
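Review bot: The new sample condition `tagAttr.get('score') < 2` fails open when the attribute is absent. `get` then returns null, and under standard JavaScript semantics `null < 2` is true because null is coerced to 0, so `ctx.result` is set to true for a tag with no `score`. The same happens when there is no current tag, since the evaluator binds an empty map in that case. Attribute values are strings, so the comparison also relies on implicit string-to-number coercion. Test fixtures tend to be copied into real policies, so an explicit presence check and conversion is safer: `"values":["var s = tagAttr.get('score'); if ( s != null && parseInt(s, 10) < 2 ) ctx.result = true;"]`. Which policy-item list this entry belongs to is outside the hunk.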
@@ -203,7 +203,7 @@
         "denyExceptions":[
           {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
             "conditions":[{
-              "type":"ScriptConditionEvaluator",
+              "type":"expression",
               "values":["if ( ctx.isAccessedBefore('activation_date') ) ctx.result = true;"]
             }]
           }

