From me...@apache.org
Subject ranger git commit: RANGER-2184 - Update RangerAtlas authorization to authorize add/update/remove of relationships
Date Fri, 10 Aug 2018 13:51:54 GMT
Repository: ranger
Updated Branches:
  refs/heads/ranger-1 0a10ea8b3 -> ee10b9fd1


RANGER-2184 - Update RangerAtlas authorization to authorize add/update/remove of relationships

Signed-off-by: Mehul Parikh <mehul@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/ee10b9fd
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/ee10b9fd
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/ee10b9fd

Branch: refs/heads/ranger-1
Commit: ee10b9fd1a78e5614c69c39ce43986dbef5ec798
Parents: 0a10ea8
Author: nixonrodrigues <nixon@apache.org>
Authored: Tue Aug 7 19:27:14 2018 +0530
Committer: Mehul Parikh <mehul@apache.org>
Committed: Fri Aug 10 19:21:38 2018 +0530

----------------------------------------------------------------------
 .../atlas/authorizer/RangerAtlasAuthorizer.java | 83 ++++++++++++++++++--
 .../services/atlas/RangerServiceAtlas.java      | 48 +++++++++++
 .../atlas/authorizer/RangerAtlasAuthorizer.java | 25 ++++++
 3 files changed, 149 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/ee10b9fd/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index aa815b2..29d66b0 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -24,6 +24,8 @@ import org.apache.atlas.authorize.AtlasAdminAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizationException;
 import org.apache.atlas.authorize.AtlasEntityAccessRequest;
 import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
+import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
+
 import org.apache.atlas.authorize.AtlasTypeAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizer;
 import org.apache.atlas.authorize.AtlasPrivilege;
@@ -44,15 +46,10 @@ import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
 import org.apache.ranger.services.atlas.RangerServiceAtlas;
 
-import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_TYPE_CATEGORY;
-import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_TYPE_NAME;
-import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_TYPE;
-import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_CLASSIFICATION;
-import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_ENTITY_ID;
-import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_SERVICE;
-
 import java.util.*;
 
+import static org.apache.ranger.services.atlas.RangerServiceAtlas.*;
+
 
 public class RangerAtlasAuthorizer implements AtlasAuthorizer {
     private static final Log LOG      = LogFactory.getLog(RangerAtlasAuthorizer.class);
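Review bot: The wildcard `import static org.apache.ranger.services.atlas.RangerServiceAtlas.*;` pulls every public static member of RangerServiceAtlas into the authorizer, not only the resource keys; the second file in this commit shows that class also exposes `CONFIG_USERNAME` and `CONFIG_PASSWORD`. In an authorization class it is useful to see exactly which resource keys are evaluated, and explicit imports also rule out accidental name shadowing. I would keep the six explicit imports this hunk removes and add one explicit line per new constant, as below.

```java
// … unchanged: the six existing explicit static imports (RESOURCE_TYPE_CATEGORY … RESOURCE_SERVICE) …
import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_RELATIONSHIP_TYPE;
import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_END_ONE_ENTITY_TYPE;
import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_END_ONE_ENTITY_CLASSIFICATION;
import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_END_ONE_ENTITY_ID;
import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_END_TWO_ENTITY_TYPE;
import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_END_TWO_ENTITY_CLASSIFICATION;
import static org.apache.ranger.services.atlas.RangerServiceAtlas.RESOURCE_END_TWO_ENTITY_ID;
```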
@@ -203,6 +200,78 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
         return ret;
     }
 
+    public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuthorizationException
{
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("==> isAccessAllowed(" + request + ")");
+        }
+
+        boolean ret;
+        RangerPerfTracer perf = null;
+
+        try {
+            if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+                perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerAtlasAuthorizer.isAccessAllowed("
+ request + ")");
+            }
+
+            final String      action                      = request.getAction() != null ?
request.getAction().getType() : null;
+            final Set<String> end1EntityTypeAndSuperTypes = request.getEnd1EntityTypeAndAllSuperTypes();
+            final Set<String> end1Classifications         = new HashSet<>(request.getEnd1EntityClassifications());
+            final String      end1EntityId                = request.getEnd1EntityId();
+
+            final Set<String> end2EntityTypeAndSuperTypes = request.getEnd2EntityTypeAndAllSuperTypes();
+            final Set<String> end2Classifications         = new HashSet<>(request.getEnd2EntityClassifications());
+            final String      end2EntityId                = request.getEnd2EntityId();
+
+
+            String relationShipType = request.getRelationshipType();
+
+            RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
+
+            RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl(rangerResource,
action, request.getUser(), request.getUserGroups());
+            rangerRequest.setClientIPAddress(request.getClientIPAddress());
+            rangerRequest.setAccessTime(request.getAccessTime());
+            rangerRequest.setClusterName(getClusterName());
+            rangerRequest.setAction(action);
+
+
+            rangerResource.setValue(RESOURCE_RELATIONSHIP_TYPE, relationShipType);
+
+
+            Set<String> classificationsWithSuperTypesEnd1 = new HashSet();
+
+            for (String classificationToAuthorize : end1Classifications) {
+                classificationsWithSuperTypesEnd1.addAll(request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));
+            }
+
+            rangerResource.setValue(RESOURCE_END_ONE_ENTITY_TYPE, end1EntityTypeAndSuperTypes);
+            rangerResource.setValue(RESOURCE_END_ONE_ENTITY_CLASSIFICATION, classificationsWithSuperTypesEnd1);
+            rangerResource.setValue(RESOURCE_END_ONE_ENTITY_ID, end1EntityId);
+
+
+            Set<String> classificationsWithSuperTypesEnd2 = new HashSet();
+
+            for (String classificationToAuthorize : end2Classifications) {
+                classificationsWithSuperTypesEnd2.addAll(request.getClassificationTypeAndAllSuperTypes(classificationToAuthorize));
+            }
+
+            rangerResource.setValue(RESOURCE_END_TWO_ENTITY_TYPE, end2EntityTypeAndSuperTypes);
+            rangerResource.setValue(RESOURCE_END_TWO_ENTITY_CLASSIFICATION, classificationsWithSuperTypesEnd2);
+            rangerResource.setValue(RESOURCE_END_TWO_ENTITY_ID, end2EntityId);
+
+            ret = checkAccess(rangerRequest);
+
+        } finally {
+            RangerPerfTracer.log(perf);
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("<== isAccessAllowed(" + request + "): " + ret);
+        }
+
+        return ret;
+    }
+
+
     @Override
     public void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException
{
         if (LOG.isDebugEnabled()) {
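Review bot: The new `isAccessAllowed(AtlasRelationshipAccessRequest)` has no `@Override`, although the class implements AtlasAuthorizer, the neighbouring `scrubSearchResults` carries one, and the shim's copy of this method in the same commit is annotated. Without it the compiler will not flag a later signature drift against the interface, and if the interface ever supplies a default the relationship check could stop being reached without any error; add `@Override` above the signature. In the body, `new HashSet<>(request.getEnd1EntityClassifications())` and its End2 twin throw a NullPointerException if the getter can return null, which this hunk does not show either way, so confirm the contract or guard it. The two `new HashSet()` allocations for `classificationsWithSuperTypesEnd1`/`End2` are raw types and should be `new HashSet<>()`.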

http://git-wip-us.apache.org/repos/asf/ranger/blob/ee10b9fd/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
index 0ee2627..c9f77c6 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
@@ -60,6 +60,19 @@ public class RangerServiceAtlas extends RangerBaseService {
 	public static final String RESOURCE_ENTITY_TYPE           = "entity-type";
 	public static final String RESOURCE_ENTITY_CLASSIFICATION = "entity-classification";
 	public static final String RESOURCE_ENTITY_ID             = "entity";
+
+	public static final String RESOURCE_RELATIONSHIP_TYPE =  "relationship-type";
+
+	public static final String RESOURCE_END_ONE_ENTITY_TYPE = "end-one-entity-type";
+	public static final String RESOURCE_END_ONE_ENTITY_CLASSIFICATION = "end-one-entity-classification";
+	public static final String RESOURCE_END_ONE_ENTITY_ID = "end-one-entity";
+
+	public static final String RESOURCE_END_TWO_ENTITY_TYPE =  "end-two-entity-type";
+	public static final String RESOURCE_END_TWO_ENTITY_CLASSIFICATION = "end-two-entity-classification";
+	public static final String RESOURCE_END_TWO_ENTITY_ID = "end-two-entity";
+
+
+
 	public static final String CONFIG_REST_ADDRESS            = "atlas.rest.address";
 	public static final String CONFIG_USERNAME                = "username";
 	public static final String CONFIG_PASSWORD                = "password";
@@ -230,6 +243,8 @@ public class RangerServiceAtlas extends RangerBaseService {
 				}
 				break;
 
+				case RESOURCE_END_ONE_ENTITY_TYPE:
+				case RESOURCE_END_TWO_ENTITY_TYPE:
 				case RESOURCE_ENTITY_TYPE: {
 					refreshTypesDefs();
 
@@ -237,6 +252,8 @@ public class RangerServiceAtlas extends RangerBaseService {
 				}
 				break;
 
+				case RESOURCE_END_ONE_ENTITY_CLASSIFICATION:
+				case RESOURCE_END_TWO_ENTITY_CLASSIFICATION:
 				case RESOURCE_ENTITY_CLASSIFICATION: {
 					refreshTypesDefs();
 
@@ -255,6 +272,37 @@ public class RangerServiceAtlas extends RangerBaseService {
 				}
 				break;
 
+				case RESOURCE_RELATIONSHIP_TYPE: {
+					refreshTypesDefs();
+					addIfStartsWithAndNotExcluded(ret, typesDef.get(TYPE_RELATIONSHIP), userInput, currentValues);
+
+				}
+				break;
+
+				case RESOURCE_END_ONE_ENTITY_ID: {
+
+					List<String> searchTypes = lookupContext.getResources().get(RESOURCE_END_ONE_ENTITY_TYPE);
+
+					if (searchTypes != null && searchTypes.size() == 1) {
+						List<String> values = searchEntities(userInput, searchTypes.get(0));
+
+						addIfStartsWithAndNotExcluded(ret, values, userInput, currentValues);
+					}
+
+				}
+				break;
+
+				case RESOURCE_END_TWO_ENTITY_ID: {
+					List<String> searchTypes = lookupContext.getResources().get(RESOURCE_END_TWO_ENTITY_TYPE);
+
+					if (searchTypes != null && searchTypes.size() == 1) {
+						List<String> values = searchEntities(userInput, searchTypes.get(0));
+
+						addIfStartsWithAndNotExcluded(ret, values, userInput, currentValues);
+					}
+				}
+				break;
+
 				default: {
 					ret.add(lookupContext.getResourceName());
 				}
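Review bot: The `RESOURCE_END_ONE_ENTITY_ID` and `RESOURCE_END_TWO_ENTITY_ID` cases are the same code apart from the type key they read, so a later fix to one (for example to the `searchTypes.size() == 1` rule) can easily miss the other. A small private helper that takes the type key would keep the two ends in step. When zero or several end types are selected both cases return no suggestions and log nothing, so a comment such as `// entity lookup needs exactly one selected end type` would record that this is intended. The enclosing switch starts and ends outside this hunk.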

http://git-wip-us.apache.org/repos/asf/ranger/blob/ee10b9fd/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index 609dddb..b50fdcf 100644
--- a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -22,6 +22,7 @@ package org.apache.ranger.authorization.atlas.authorizer;
 import org.apache.atlas.authorize.AtlasAdminAccessRequest;
 import org.apache.atlas.authorize.AtlasEntityAccessRequest;
 import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
+import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
 import org.apache.atlas.authorize.AtlasTypeAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizationException;
 import org.apache.atlas.authorize.AtlasAuthorizer;
@@ -176,6 +177,30 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
 		return ret;
 	}
 
+
+	@Override
+	public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuthorizationException
{
+		if (isDebugEnabled) {
+			LOG.debug("==> isAccessAllowed(AtlasTypeAccessRequest)");
+		}
+
+		final boolean ret;
+
+		try {
+			activatePluginClassLoader();
+
+			ret = rangerAtlasAuthorizerImpl.isAccessAllowed(request);
+		} finally {
+			deactivatePluginClassLoader();
+		}
+
+		if (isDebugEnabled) {
+			LOG.debug("<== isAccessAllowed(AtlasTypeAccessRequest): " + ret);
+		}
+
+		return ret;
+	}
+
 	@Override
 	public void scrubSearchResults(AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException
{
 		if (isDebugEnabled) {
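Review bot: Both debug messages in the new shim method name the wrong overload: `LOG.debug("==> isAccessAllowed(AtlasTypeAccessRequest)")` and the matching `<==` line look copied from the type-request method. Anyone tracing a relationship authorization decision through the debug log will attribute it to a type check. Change them to `LOG.debug("==> isAccessAllowed(AtlasRelationshipAccessRequest)");` and `LOG.debug("<== isAccessAllowed(AtlasRelationshipAccessRequest): " + ret);`. `scrubSearchResults` below continues outside the hunk.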

