Java Code Examples for org.apache.ranger.plugin.model.RangerPolicy#RangerPolicyResource

The following examples show how to use org.apache.ranger.plugin.model.RangerPolicy#RangerPolicyResource.
Example 1
Source File: RangerBaseService.java    From ranger with Apache License 2.0
/**
 * Builds the policy item used for a default policy (per the method name).
 *
 * <p>Users come from {@code getUserList()}, groups from {@code getGroupList()} and the
 * access types from {@code getAllowedAccesses(policyResources)}.
 *
 * <p>NOTE(review): the item is created with delegate-admin switched on. Presumably that
 * lets every listed user and group manage grants on the policy's resources, so the two
 * list helpers should only return the intended service administrators; confirm.
 *
 * @param policyResources resources of the policy being built; only handed on to
 *                        {@code getAllowedAccesses}
 * @return the populated policy item
 * @throws Exception declared by the signature; presumably raised by the helpers
 */
private RangerPolicy.RangerPolicyItem createDefaultPolicyItem(Map<String, RangerPolicy.RangerPolicyResource> policyResources) throws Exception {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerBaseService.createDefaultPolicyItem()");
	}

	RangerPolicy.RangerPolicyItem defaultItem = new RangerPolicy.RangerPolicyItem();

	// Principals first, then the access types derived from the resources.
	defaultItem.setUsers(getUserList());
	defaultItem.setGroups(getGroupList());
	defaultItem.setAccesses(getAllowedAccesses(policyResources));

	// Default principals get delegated administration; see the note in the Javadoc.
	defaultItem.setDelegateAdmin(true);

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerBaseService.createDefaultPolicyItem(): " + defaultItem );
	}

	return defaultItem;
}
 
Example 2
Source File: RangerServiceResourceServiceBase.java    From ranger with Apache License 2.0
/**
 * Copies a persisted service-resource entity onto its view bean.
 *
 * <p>GUID, version, enabled flag and resource signature are copied directly. The
 * service name is looked up through the DAO by the entity's service id, and the
 * resource elements come from {@code getServiceResourceElements(xObj)}.
 *
 * @param vObj view bean to populate
 * @param xObj entity to read from
 * @return {@code vObj}, populated
 */
@Override
protected V mapEntityToViewBean(V vObj, T xObj) {
	vObj.setGuid(xObj.getGuid());
	vObj.setVersion(xObj.getVersion());
	vObj.setIsEnabled(xObj.getIsEnabled());
	vObj.setResourceSignature(xObj.getResourceSignature());

	// NOTE(review): the lookup result is dereferenced without a null check; an entity
	// whose service id no longer resolves would presumably fail here. Confirm the
	// DAO contract.
	XXService owningService = daoMgr.getXXService().getById(xObj.getServiceId());
	vObj.setServiceName(owningService.getName());

	vObj.setResourceElements(getServiceResourceElements(xObj));

	return vObj;
}
 
Example 3
Source File: TestServiceREST.java    From ranger with Apache License 2.0
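/**
 * Expects {@code getPolicyFromEventTime} to end in a {@link WebApplicationException}
 * when the store returns no policy for the requested event time.
 *
 * <p>NOTE(review): {@code createRESTException} is stubbed to throw for any arguments,
 * so the test passes on whichever error path is reached first. It does not prove that
 * the "policy not found" path was the one taken.
 */
@Test
public void test60getPolicyFromEventTime() throws Exception {
	HttpServletRequest request = Mockito.mock(HttpServletRequest.class);

	String strdt = new Date().toString();
	Mockito.when(request.getParameter("eventTime")).thenReturn(strdt);
	Mockito.when(request.getParameter("policyId")).thenReturn("1");
	Mockito.when(request.getParameter("versionNo")).thenReturn("1");

	// The store finds nothing for this event time / policy id.
	Mockito.when(svcStore.getPolicyFromEventTime(strdt, 1L)).thenReturn(null);

	// Any attempt to build a REST error surfaces as the expected exception.
	Mockito.when(restErrorUtil.createRESTException(Mockito.anyInt(), Mockito.anyString(), Mockito.anyBoolean()))
			.thenThrow(new WebApplicationException());
	thrown.expect(WebApplicationException.class);

	serviceREST.getPolicyFromEventTime(request);
}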
 
Example 4
Source File: RangerPolicyRepository.java    From ranger with Apache License 2.0
/**
 * Removes an evaluator's entry for one resource definition from the given trie.
 *
 * <p>Does nothing when the evaluator is {@code null} or when its policy has no
 * resource under {@code resourceDefName}.
 *
 * @param oldEvaluator    evaluator being retired; may be {@code null}
 * @param trie            trie holding evaluators for {@code resourceDefName}
 * @param resourceDefName key into the evaluator's policy-resource map
 */
private void removeEvaluatorFromTrie(RangerPolicyEvaluator oldEvaluator, RangerResourceTrie<RangerPolicyEvaluator> trie, String resourceDefName) {
    if (oldEvaluator == null) {
        return;
    }

    RangerPolicy.RangerPolicyResource indexedResource = oldEvaluator.getPolicyResource().get(resourceDefName);
    if (indexedResource == null) {
        return;
    }

    trie.delete(indexedResource, oldEvaluator);
}
 
Example 5
Source File: TestServiceREST.java    From ranger with Apache License 2.0
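/**
 * Expects {@code getPolicyFromEventTime} to end in a {@link WebApplicationException}
 * for a caller that {@code bizUtil} reports as a non-admin, even though the store
 * holds a policy for the requested event time.
 *
 * <p>NOTE(review): {@code createRESTException} is stubbed to throw for any arguments,
 * so the test passes on whichever error path is reached first. To pin the
 * authorization path specifically, match the expected status code or message in the
 * stub instead of {@code anyInt()} / {@code anyString()}.
 */
@Test
public void test30getPolicyFromEventTime() throws Exception {
	HttpServletRequest request = Mockito.mock(HttpServletRequest.class);

	String strdt = new Date().toString();
	String userName="Admin";
	Mockito.when(request.getParameter("eventTime")).thenReturn(strdt);
	Mockito.when(request.getParameter("policyId")).thenReturn("1");
	Mockito.when(request.getParameter("versionNo")).thenReturn("1");

	// The store does have a policy for this event time.
	RangerPolicy policy=new RangerPolicy();
	Map<String, RangerPolicyResource> resources=new HashMap<String, RangerPolicy.RangerPolicyResource>();
	policy.setService("services");
	policy.setResources(resources);
	Mockito.when(svcStore.getPolicyFromEventTime(strdt, 1L)).thenReturn(policy);

	// The caller is reported as a non-admin despite the login id "Admin".
	Mockito.when(bizUtil.isAdmin()).thenReturn(false);
	Mockito.when(bizUtil.getCurrentUserLoginId()).thenReturn(userName);

	Mockito.when(restErrorUtil.createRESTException(Mockito.anyInt(), Mockito.anyString(), Mockito.anyBoolean()))
			.thenThrow(new WebApplicationException());
	thrown.expect(WebApplicationException.class);

	// Nothing after this call runs once the expected exception is thrown, so no
	// assertions follow it. Check request-parameter reads in a test that expects
	// a normal return.
	serviceREST.getPolicyFromEventTime(request);
}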
 
Example 6
Source File: TestRangerBasePluginWithPolicies.java    From nifi-registry with Apache License 2.0
/**
 * Checks how a Ranger policy item with delegate-admin enabled is exposed by the plugin.
 *
 * <p>One Ranger policy grants READ and WRITE on {@code /resource-1} to a single user with
 * delegate-admin set. The plugin is expected to report four access policies: READ and
 * WRITE on the resource itself, plus READ and WRITE on {@code /policies/resource-1}.
 * Delegate-admin therefore widens the grant to the policy-management resource, which is
 * worth keeping in mind when reviewing who holds it.
 */
@Test
public void testDelegateAdmin() {
    final String delegatedUser = "user-1";
    final String resourcePath = "/resource-1";

    // Policy item: READ + WRITE for the user, with delegate-admin enabled.
    final List<RangerPolicy.RangerPolicyItemAccess> readAndWrite =
            Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ"), new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList());
    final List<String> itemUsers = Stream.of(delegatedUser).collect(Collectors.toList());

    final RangerPolicy.RangerPolicyItem delegatingItem = new RangerPolicy.RangerPolicyItem();
    delegatingItem.setAccesses(readAndWrite);
    delegatingItem.setUsers(itemUsers);
    delegatingItem.setDelegateAdmin(true);

    // Policy over the single resource.
    final Map<String, RangerPolicy.RangerPolicyResource> resourcesByName = new HashMap<>();
    resourcesByName.put(resourcePath, new RangerPolicy.RangerPolicyResource(resourcePath));

    final RangerPolicy rangerPolicy = new RangerPolicy();
    rangerPolicy.setResources(resourcesByName);
    rangerPolicy.setPolicyItems(Stream.of(delegatingItem).collect(Collectors.toList()));

    final List<RangerPolicy> allPolicies = new ArrayList<>();
    allPolicies.add(rangerPolicy);

    final RangerServiceDef registryServiceDef = new RangerServiceDef();
    registryServiceDef.setName("nifi-registry");

    final ServicePolicies policyBundle = new ServicePolicies();
    policyBundle.setPolicies(allPolicies);
    policyBundle.setServiceDef(registryServiceDef);

    // Load the policies into the plugin under test.
    final RangerBasePluginWithPolicies plugin = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
    plugin.setPolicies(policyBundle);

    // Two policies on the resource and two on its "/policies" counterpart.
    assertEquals(4, plugin.getAccessPolicies().size());
    assertNotNull(plugin.getAccessPolicy(resourcePath, RequestAction.READ));
    assertNotNull(plugin.getAccessPolicy(resourcePath, RequestAction.WRITE));
    assertNotNull(plugin.getAccessPolicy("/policies" + resourcePath, RequestAction.READ));
    assertNotNull(plugin.getAccessPolicy("/policies" + resourcePath, RequestAction.WRITE));
}
 
Example 7
Source File: ServiceDefUtil.java    From ranger with Apache License 2.0
/**
 * Returns the level of the leaf resource definition that {@code getLeafResourceDef}
 * resolves for the given policy resources.
 *
 * @param serviceDef     service definition passed on to {@code getLeafResourceDef}
 * @param policyResource policy resources keyed by resource name
 * @return the leaf definition's level, or {@code null} when no leaf definition is found
 */
public static Integer getLeafResourceLevel(RangerServiceDef serviceDef, Map<String, RangerPolicy.RangerPolicyResource> policyResource) {
    RangerResourceDef leafDef = getLeafResourceDef(serviceDef, policyResource);

    return leafDef != null ? leafDef.getLevel() : null;
}
 
Example 8
Source File: TestRangerBasePluginWithPolicies.java    From localization_nifi with Apache License 2.0
/**
 * Loads two single-resource Ranger policies into the plugin and checks that
 * {@code doesPolicyExist} is true for both resource identifiers and false for a
 * third identifier that no policy covers.
 */
@Test
public void testDoesPolicyExist() {
    final String firstResourceId = "resource1";
    final String secondResourceId = "resource2";

    // One policy per identifier, each keyed by (and holding) that identifier.
    final List<RangerPolicy> loadedPolicies = new ArrayList<>();
    for (final String resourceId : new String[] {firstResourceId, secondResourceId}) {
        final Map<String, RangerPolicy.RangerPolicyResource> resourcesByName = new HashMap<>();
        resourcesByName.put(resourceId, new RangerPolicy.RangerPolicyResource(resourceId));

        final RangerPolicy singleResourcePolicy = new RangerPolicy();
        singleResourcePolicy.setResources(resourcesByName);
        loadedPolicies.add(singleResourcePolicy);
    }

    final ServicePolicies policyBundle = new ServicePolicies();
    policyBundle.setPolicies(loadedPolicies);

    // Load the policies into the plugin under test.
    final RangerBasePluginWithPolicies plugin = new RangerBasePluginWithPolicies("nifi", "nifi");
    plugin.setPolicies(policyBundle);

    Assert.assertTrue(plugin.doesPolicyExist(firstResourceId));
    Assert.assertTrue(plugin.doesPolicyExist(secondResourceId));
    Assert.assertFalse(plugin.doesPolicyExist("resource3"));
}
 
Example 9
Source File: RangerPolicyRepository.java    From ranger with Apache License 2.0
/**
 * Strips {@code null} entries from every resource's value list in the policy, then
 * runs {@code scrubPolicyItems} over each of the policy's item lists.
 *
 * <p>NOTE(review): the return value reflects only the resource-value removals done
 * here. Whatever {@code scrubPolicyItems} changes is not folded into it, so a caller
 * that persists only when this returns {@code true} may miss item-level changes;
 * confirm.
 *
 * <p>NOTE(review): the map from {@code getResources()} and each list from
 * {@code getValues()} are used without null checks; confirm both are never null.
 *
 * @param policy policy to clean in place
 * @return {@code true} if at least one null resource value was removed
 */
private boolean scrubPolicy(RangerPolicy policy) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyRepository.scrubPolicy(" + policy + ")");
    }

    final Long policyId = policy.getId();
    boolean altered = false;

    for (Map.Entry<String, RangerPolicy.RangerPolicyResource> resourceEntry : policy.getResources().entrySet()) {
        final String resourceName = resourceEntry.getKey();

        // Explicit iterator so null entries can be removed while walking the list.
        for (Iterator<String> values = resourceEntry.getValue().getValues().iterator(); values.hasNext(); ) {
            if (values.next() != null) {
                continue;
            }

            LOG.warn("RangerPolicyRepository.scrubPolicyResource: found null resource value for " + resourceName + " in policy " + policyId + "!  Removing...");
            values.remove();
            altered = true;
        }
    }

    // Allow / deny items and their exceptions first, then row-filter and data-mask items.
    scrubPolicyItems(policyId, policy.getPolicyItems());
    scrubPolicyItems(policyId, policy.getAllowExceptions());
    scrubPolicyItems(policyId, policy.getDenyPolicyItems());
    scrubPolicyItems(policyId, policy.getDenyExceptions());
    scrubPolicyItems(policyId, policy.getRowFilterPolicyItems());
    scrubPolicyItems(policyId, policy.getDataMaskPolicyItems());

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyRepository.scrubPolicy(" + policy + "): " + altered);
    }

    return altered;
}
 
Example 10
Source File: TestRangerBasePluginWithPolicies.java    From nifi-registry with Apache License 2.0
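/**
 * Loads two Ranger policies and checks the access policies the plugin derives from them.
 *
 * <p>Policy 1 grants READ on {@code /resource-1} to a user; policy 2 grants READ and
 * WRITE on {@code /resource-2} to a group. Three access policies are expected, each
 * listing exactly the principal it was granted to. An identifier covered by no policy
 * must yield no access policy for either action.
 *
 * <p>The WRITE policy for resource 2 is fetched with {@code RequestAction.WRITE}.
 * Fetching it with READ would re-check the READ policy and leave the WRITE grant
 * unverified.
 */
@Test
public void testPoliciesWithoutUserGroupProvider() {
    final String user1 = "user-1";
    final String group1 = "group-1";

    final String resourceIdentifier1 = "/resource-1";
    RangerPolicy.RangerPolicyResource resource1 = new RangerPolicy.RangerPolicyResource(resourceIdentifier1);

    final Map<String, RangerPolicy.RangerPolicyResource> policy1Resources = new HashMap<>();
    policy1Resources.put(resourceIdentifier1, resource1);

    final RangerPolicy.RangerPolicyItem policy1Item = new RangerPolicy.RangerPolicyItem();
    policy1Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
    policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));

    final RangerPolicy policy1 = new RangerPolicy();
    policy1.setResources(policy1Resources);
    policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));

    final String resourceIdentifier2 = "/resource-2";
    RangerPolicy.RangerPolicyResource resource2 = new RangerPolicy.RangerPolicyResource(resourceIdentifier2);

    final Map<String, RangerPolicy.RangerPolicyResource> policy2Resources = new HashMap<>();
    policy2Resources.put(resourceIdentifier2, resource2);

    final RangerPolicy.RangerPolicyItem policy2Item = new RangerPolicy.RangerPolicyItem();
    policy2Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ"), new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
    policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));

    final RangerPolicy policy2 = new RangerPolicy();
    policy2.setResources(policy2Resources);
    policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));

    final List<RangerPolicy> policies = new ArrayList<>();
    policies.add(policy1);
    policies.add(policy2);

    final RangerServiceDef serviceDef = new RangerServiceDef();
    serviceDef.setName("nifi-registry");

    final ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setPolicies(policies);
    servicePolicies.setServiceDef(serviceDef);

    // set all the policies in the plugin
    final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
    pluginWithPolicies.setPolicies(servicePolicies);

    // ensure the two ranger policies converted into 3 nifi-registry access policies
    final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
    assertEquals(3, accessPolicies.size());

    // resource 1 -> read but no write
    assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));

    // read
    final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
    assertNotNull(readResource1);
    assertTrue(accessPolicies.contains(readResource1));
    assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
    assertEquals(1, readResource1.getUsers().size());
    assertTrue(readResource1.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user1).identity(user1).build().getIdentifier()));
    assertTrue(readResource1.getGroups().isEmpty());

    // but no write
    assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));

    // resource 2 -> read and write
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));

    // read
    final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
    assertNotNull(readResource2);
    assertTrue(accessPolicies.contains(readResource2));
    assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
    assertTrue(readResource2.getUsers().isEmpty());
    assertEquals(1, readResource2.getGroups().size());
    assertTrue(readResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));

    // and write: fetched with WRITE so the write grant itself is inspected
    final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.WRITE);
    assertNotNull(writeResource2);
    assertTrue(accessPolicies.contains(writeResource2));
    assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
    assertTrue(writeResource2.getUsers().isEmpty());
    assertEquals(1, writeResource2.getGroups().size());
    assertTrue(writeResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));

    // resource 3 -> no read or write
    assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.WRITE));
    assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.READ));

    // no read or write
    assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.WRITE));
    assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.READ));
}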
 
Example 11
Source File: PolicyEngine.java    From ranger with Apache License 2.0
/**
 * Builds the per-resource tries used to map a resource to its security zone.
 *
 * <p>For every resource map of every security zone, one {@code RangerZoneResourceMatcher}
 * is created. Each resource is marked as an include (never an exclude), and its recursive
 * flag comes from {@code EmbeddedServiceDefsUtil.isRecursiveEnabled}. Zones that report an
 * associated tag service are recorded in {@code zoneTagServiceMap}, keyed and valued by
 * the zone name. Finally one trie per resource definition of the service is stored in
 * {@code resourceZoneTrie}, each built over the full matcher list.
 *
 * <p>Nothing is built when the security-zone map is empty.
 *
 * @param servicePolicies source of the security zones and the service definition
 */
private void buildZoneTrie(ServicePolicies servicePolicies) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> PolicyEngine.buildZoneTrie()");
    }

    Map<String, ServicePolicies.SecurityZoneInfo> zonesByName = servicePolicies.getSecurityZones();

    if (MapUtils.isNotEmpty(zonesByName)) {
        RangerServiceDef serviceDef = servicePolicies.getServiceDef();
        List<RangerZoneResourceMatcher> zoneMatchers = new ArrayList<>();

        for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> zoneEntry : zonesByName.entrySet()) {
            String zoneName = zoneEntry.getKey();
            ServicePolicies.SecurityZoneInfo zoneInfo = zoneEntry.getValue();

            if (LOG.isDebugEnabled()) {
                LOG.debug("Building matchers for zone:[" + zoneName + "]");
            }

            for (Map<String, List<String>> zoneResource : zoneInfo.getResources()) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Building matcher for resource:[" + zoneResource + "] in zone:[" + zoneName + "]");
                }

                Map<String, RangerPolicy.RangerPolicyResource> matcherResources = new HashMap<>();

                for (Map.Entry<String, List<String>> valuesByDefName : zoneResource.entrySet()) {
                    String resourceDefName = valuesByDefName.getKey();

                    // Zone resources are always includes; only the recursive flag varies.
                    RangerPolicy.RangerPolicyResource zonePolicyResource = new RangerPolicy.RangerPolicyResource();
                    zonePolicyResource.setIsExcludes(false);
                    zonePolicyResource.setIsRecursive(EmbeddedServiceDefsUtil.isRecursiveEnabled(serviceDef, resourceDefName));
                    zonePolicyResource.setValues(valuesByDefName.getValue());

                    matcherResources.put(resourceDefName, zonePolicyResource);
                }

                zoneMatchers.add(new RangerZoneResourceMatcher(zoneName, matcherResources, serviceDef));

                if (LOG.isDebugEnabled()) {
                    LOG.debug("Built matcher for resource:[" + zoneResource + "] in zone:[" + zoneName + "]");
                }
            }

            if (LOG.isDebugEnabled()) {
                LOG.debug("Built all matchers for zone:[" + zoneName + "]");
            }

            if (zoneInfo.getContainsAssociatedTagService()) {
                zoneTagServiceMap.put(zoneName, zoneName);
            }
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("Built matchers for all Zones");
        }

        // Every resource definition gets its own trie over the same matcher list.
        for (RangerServiceDef.RangerResourceDef trieResourceDef : serviceDef.getResources()) {
            resourceZoneTrie.put(trieResourceDef.getName(), new RangerResourceTrie<>(trieResourceDef, zoneMatchers));
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== PolicyEngine.buildZoneTrie()");
    }
}
 
Example 12
Source File: ServiceUtil.java    From ranger with Apache License 2.0
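/**
 * Converts a {@link RangerPolicy} into a {@link VXResource} view object.
 *
 * <p>Returns {@code null} when either argument is {@code null} or the service type has
 * no asset type. Resource entries are copied by resource-type key, matched
 * case-insensitively. Keys outside the handled set are silently skipped.
 *
 * <p>NOTE(review): the view is lossy. The excludes flag is copied only for
 * {@code table} and {@code column}, and the recursive flag only for {@code path}. An
 * excluding {@code path} or {@code database} resource therefore looks like an include
 * in the result, so the view should not be used on its own to judge what a policy
 * covers.
 *
 * @param policy  policy to convert; may be {@code null}
 * @param service service the policy belongs to; may be {@code null}
 * @return the populated view object, or {@code null} as described above
 */
public VXResource toVXResource(RangerPolicy policy, RangerService service) {
	if(policy == null || service == null || toAssetType(service.getType()) == null) {
		return null;
	}

	VXResource ret = new VXResource();

	rangerObjectToDataObject(policy, ret);

	ret.setAssetName(policy.getService());
	ret.setAssetId(service.getId());
	ret.setAssetType(toAssetType(service.getType()));
	ret.setPolicyName(policy.getName());
	ret.setDescription(policy.getDescription());
	ret.setGuid(policy.getGuid());
	ret.setResourceStatus(policy.getIsEnabled() ? RangerCommonEnums.STATUS_ENABLED : RangerCommonEnums.STATUS_DISABLED);

	// The audit list stays null when auditing is disabled for the policy.
	List<VXAuditMap> auditList = null;
	if(policy.getIsAuditEnabled()) {
		VXAuditMap auditMap = new VXAuditMap();

		auditMap.setResourceId(policy.getId());
		auditMap.setAuditType(AppConstants.XA_AUDIT_TYPE_ALL);

		auditList = new ArrayList<VXAuditMap>();
		auditList.add(auditMap);
	}
	ret.setAuditList(auditList);

	for(Map.Entry<String, RangerPolicy.RangerPolicyResource> e : policy.getResources().entrySet()) {
		RangerPolicy.RangerPolicyResource res       = e.getValue();
		String                            resType   = e.getKey();
		String                            resString = getResourceString(res.getValues());

		// Literal-first comparisons throughout, so a null key is skipped rather
		// than raising a NullPointerException on the last branch.
		if("path".equalsIgnoreCase(resType)) {
			ret.setName(resString);
			ret.setIsRecursive(Boolean.TRUE.equals(res.getIsRecursive()) ? RangerCommonEnums.BOOL_TRUE : RangerCommonEnums.BOOL_FALSE);
		} else if("table".equalsIgnoreCase(resType)) {
			ret.setTables(resString);
			ret.setTableType(Boolean.TRUE.equals(res.getIsExcludes()) ? RangerCommonEnums.POLICY_EXCLUSION : RangerCommonEnums.POLICY_INCLUSION);
		} else if("column-family".equalsIgnoreCase(resType)) {
			ret.setColumnFamilies(resString);
		} else if("column".equalsIgnoreCase(resType)) {
			ret.setColumns(resString);
			ret.setColumnType(Boolean.TRUE.equals(res.getIsExcludes()) ? RangerCommonEnums.POLICY_EXCLUSION : RangerCommonEnums.POLICY_INCLUSION);
		} else if("database".equalsIgnoreCase(resType)) {
			ret.setDatabases(resString);
		} else if("udf".equalsIgnoreCase(resType)) {
			ret.setUdfs(resString);
		} else if("topology".equalsIgnoreCase(resType)) {
			ret.setTopologies(resString);
		} else if("service".equalsIgnoreCase(resType)) {
			ret.setServices(resString);
		} else if("hiveservice".equalsIgnoreCase(resType)) {
			ret.setHiveServices(resString);
		}
	}
	updateResourceName(ret);

	List<VXPermMap> permMapList = getVXPermMapList(policy);

	ret.setPermMapList(permMapList);

	return ret;
}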
 
Example 13
Source File: ServiceUtil.java    From ranger with Apache License 2.0
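/**
 * Converts a {@link RangerPolicy} into a {@link VXPolicy} view object.
 *
 * <p>Returns {@code null} when either argument is {@code null} or the service type has
 * no asset type. The policy name is trimmed. When the policy has no version, the
 * {@code version} field of this class is used instead. Resource entries are copied by
 * resource-type key, matched case-insensitively. Keys outside the handled set are
 * silently skipped.
 *
 * <p>NOTE(review): the view is lossy. The excludes flag is copied only for
 * {@code table} and {@code column}, and the recursive flag only for {@code path}. An
 * excluding {@code path} or {@code database} resource therefore looks like an include
 * in the result.
 *
 * @param policy  policy to convert; may be {@code null}
 * @param service service the policy belongs to; may be {@code null}
 * @return the populated view object, or {@code null} as described above
 */
public VXPolicy toVXPolicy(RangerPolicy policy, RangerService service) {
	if(policy == null || service == null || toAssetType(service.getType()) == null) {
		return null;
	}

	VXPolicy ret = new VXPolicy();

	rangerObjectToDataObject(policy, ret);

	ret.setPolicyName(StringUtils.trim(policy.getName()));
	ret.setDescription(policy.getDescription());
	ret.setRepositoryName(policy.getService());
	ret.setIsEnabled(policy.getIsEnabled() ? true : false);
	ret.setRepositoryType(service.getType());
	ret.setIsAuditEnabled(policy.getIsAuditEnabled());
	if (policy.getVersion() != null ) {
		ret.setVersion(policy.getVersion().toString());
	} else {
		ret.setVersion(version);
	}

	for(Map.Entry<String, RangerPolicy.RangerPolicyResource> e : policy.getResources().entrySet()) {
		RangerPolicy.RangerPolicyResource res       = e.getValue();
		String                            resType   = e.getKey();
		String                            resString = getResourceString(res.getValues());

		// Literal-first comparisons throughout, so a null key is skipped rather
		// than raising a NullPointerException on the last branch.
		if("path".equalsIgnoreCase(resType)) {
			ret.setResourceName(resString);
			ret.setIsRecursive(Boolean.TRUE.equals(res.getIsRecursive()) ? true : false);
		} else if("table".equalsIgnoreCase(resType)) {
			ret.setTables(resString);
			ret.setTableType(Boolean.TRUE.equals(res.getIsExcludes()) ? toVxPolicyIncExc(RangerCommonEnums.POLICY_EXCLUSION):toVxPolicyIncExc(RangerCommonEnums.POLICY_INCLUSION));
		} else if("column-family".equalsIgnoreCase(resType)) {
			ret.setColumnFamilies(resString);
		} else if("column".equalsIgnoreCase(resType)) {
			ret.setColumns(resString);
			ret.setColumnType(Boolean.TRUE.equals(res.getIsExcludes()) ? toVxPolicyIncExc(RangerCommonEnums.POLICY_EXCLUSION):toVxPolicyIncExc(RangerCommonEnums.POLICY_INCLUSION));
		} else if("database".equalsIgnoreCase(resType)) {
			ret.setDatabases(resString);
		} else if("udf".equalsIgnoreCase(resType)) {
			ret.setUdfs(resString);
		} else if("topology".equalsIgnoreCase(resType)) {
			ret.setTopologies(resString);
		} else if("service".equalsIgnoreCase(resType)) {
			ret.setServices(resString);
		} else if("hiveservice".equalsIgnoreCase(resType)) {
			ret.setHiveServices(resString);
		}
	}
	updateResourceName(ret);

	// Permission maps are regrouped into the permission-object form this view exposes.
	List<VXPermMap> vXPermMapList = getVXPermMapList(policy);

	List<VXPermObj> vXPermObjList = mapPermMapToPermObj(vXPermMapList);

	ret.setPermMapList(vXPermObjList);

	return ret;
}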
 
Example 14
Source File: PatchForKafkaServiceDefUpdate_J10025.java    From ranger with Apache License 2.0
/**
 * Builds the policy object this patch creates for a newly added Kafka resource.
 *
 * <p>The policy is enabled and audited, and carries one item. That item grants the
 * accesses from {@code getPolicyItemAccesses()} to a copy of {@code DEFAULT_POLICY_USERS},
 * with no groups, no conditions and delegate-admin off. Its single resource has the
 * wildcard value {@code "*"}, non-recursive and non-excluding. The resource is keyed by
 * {@code KAFKA_RESOURCE_DELEGATIONTOKEN} when {@code newResource} is
 * {@code "all - delegationtoken"}, otherwise by {@code KAFKA_RESOURCE_CLUSTER}.
 *
 * <p>NOTE(review): because the resource value is the wildcard, the default users get the
 * listed accesses on every value of that resource. Review the contents of
 * {@code DEFAULT_POLICY_USERS} with that breadth in mind.
 *
 * @param newResource  used as both policy name and description
 * @param xxPortalUser user recorded as creator and updater
 * @param xxService    service whose name the policy is attached to
 * @return the policy, with its resource signature already computed
 */
private RangerPolicy getRangerPolicy(String newResource, XXPortalUser xxPortalUser, XXService xxService) {
	RangerPolicy kafkaPolicy = new RangerPolicy();

	// --- the single policy item: default users only, no delegation ---
	List<RangerPolicy.RangerPolicyItemAccess> grantedAccesses = getPolicyItemAccesses();
	List<String> defaultUsers = new ArrayList<>(DEFAULT_POLICY_USERS);
	List<String> noGroups = new ArrayList<>();
	List<RangerPolicy.RangerPolicyItemCondition> noConditions = new ArrayList<>();

	RangerPolicy.RangerPolicyItem defaultItem = new RangerPolicy.RangerPolicyItem();
	defaultItem.setAccesses(grantedAccesses);
	defaultItem.setConditions(noConditions);
	defaultItem.setGroups(noGroups);
	defaultItem.setUsers(defaultUsers);
	defaultItem.setDelegateAdmin(false);

	List<RangerPolicy.RangerPolicyItem> items = new ArrayList<>();
	items.add(defaultItem);

	// --- the single wildcard resource ---
	RangerPolicy.RangerPolicyResource wildcardResource = new RangerPolicy.RangerPolicyResource();
	wildcardResource.setIsExcludes(false);
	wildcardResource.setIsRecursive(false);
	wildcardResource.setValue("*");

	String resourceKey = "all - delegationtoken".equals(newResource)
			? KAFKA_RESOURCE_DELEGATIONTOKEN
			: KAFKA_RESOURCE_CLUSTER;

	Map<String, RangerPolicy.RangerPolicyResource> resourcesByName = new HashMap<>();
	resourcesByName.put(resourceKey, wildcardResource);

	// --- policy metadata ---
	kafkaPolicy.setCreateTime(new Date());
	kafkaPolicy.setDescription(newResource);
	kafkaPolicy.setIsEnabled(true);
	kafkaPolicy.setName(newResource);
	kafkaPolicy.setCreatedBy(xxPortalUser.getLoginId());
	kafkaPolicy.setUpdatedBy(xxPortalUser.getLoginId());
	kafkaPolicy.setUpdateTime(new Date());
	kafkaPolicy.setService(xxService.getName());
	kafkaPolicy.setIsAuditEnabled(true);
	kafkaPolicy.setPolicyItems(items);
	kafkaPolicy.setResources(resourcesByName);
	kafkaPolicy.setPolicyType(0);
	kafkaPolicy.setId(0L);
	kafkaPolicy.setGuid("");
	kafkaPolicy.setPolicyLabels(new ArrayList<>());
	kafkaPolicy.setVersion(1L);

	// The signature is computed last, once the policy is fully populated.
	RangerPolicyResourceSignature signature = new RangerPolicyResourceSignature(kafkaPolicy);
	kafkaPolicy.setResourceSignature(signature.getSignature());

	return kafkaPolicy;
}
 
Example 15
Source File: ServiceUtil.java    From ranger with Apache License 2.0
/**
 * Narrows a policy list to the policies that mention the resource named in the request.
 *
 * <p>Filtering happens only when the request is non-null and both the
 * {@code SearchFilter.POL_RESOURCE} and {@code SearchFilter.SERVICE_TYPE} parameters are
 * non-empty. Otherwise the list is returned untouched. When filtering, a policy is kept
 * if its service type is the embedded tag service type, or if its {@code path} resource
 * (or its {@code database} resource, when it has no {@code path} key) lists the
 * requested value.
 *
 * <p>NOTE(review): matching is an exact {@code List.contains} on the raw request
 * parameter, with no wildcard or recursive evaluation. This is a search filter, not an
 * access decision: a policy whose value is a wildcard or parent path covering the
 * resource is not returned.
 *
 * <p>NOTE(review): the service-type parameter is only checked for presence and is not
 * used to filter. The input list is cleared and refilled in place, so the caller's list
 * is modified.
 *
 * @param request     request carrying the search parameters; may be {@code null}
 * @param policyLists candidate policies; modified in place when filtering applies
 * @return {@code policyLists}, filtered when the parameters were present
 */
public List<RangerPolicy> getMatchingPoliciesForResource(HttpServletRequest request,
		List<RangerPolicy> policyLists) {
	List<RangerPolicy> matched = new ArrayList<RangerPolicy>();
	final String tagServiceType = EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME;

	if (request == null) {
		return policyLists;
	}

	String resource = request.getParameter(SearchFilter.POL_RESOURCE);
	String serviceType = request.getParameter(SearchFilter.SERVICE_TYPE);
	if (StringUtil.isEmpty(resource) || StringUtil.isEmpty(serviceType)) {
		return policyLists;
	}

	for (RangerPolicy candidate : policyLists) {
		if (candidate == null) {
			continue;
		}

		// Tag-service policies are always kept.
		if (tagServiceType.equals(candidate.getServiceType())) {
			matched.add(candidate);
			continue;
		}

		Map<String, RangerPolicy.RangerPolicyResource> resourcesByName = candidate.getResources();
		if (resourcesByName == null) {
			continue;
		}

		// "path" takes precedence; "database" is consulted only when there is no "path" key.
		String matchKey;
		if (resourcesByName.containsKey("path")) {
			matchKey = "path";
		} else if (resourcesByName.containsKey("database")) {
			matchKey = "database";
		} else {
			continue;
		}

		RangerPolicy.RangerPolicyResource keyedResource = resourcesByName.get(matchKey);
		if (keyedResource == null) {
			continue;
		}

		List<String> values = keyedResource.getValues();
		if (CollectionUtils.isNotEmpty(values) && values.contains(resource)) {
			matched.add(candidate);
		}
	}

	// Replace the caller's list contents with the matches.
	policyLists.clear();
	if (CollectionUtils.isNotEmpty(matched)) {
		policyLists.addAll(matched);
	}

	return policyLists;
}
 
Example 16
Source File: PatchForKafkaServiceDefUpdate_J10033.java    From ranger with Apache License 2.0
/**
 * Builds the policy object this patch creates for the Kafka consumer-group resource.
 *
 * <p>The policy is enabled and audited, and carries one item. That item grants the
 * accesses from {@code getPolicyItemAccesses()} to copies of {@code DEFAULT_POLICY_USERS}
 * and {@code DEFAULT_POLICY_GROUP}, with no conditions and delegate-admin off. Its single
 * resource, keyed by {@code CONSUMERGROUP_RESOURCE_NAME}, has the wildcard value
 * {@code "*"}, non-recursive and non-excluding.
 *
 * <p>NOTE(review): because the resource value is the wildcard, the default users and
 * groups get the listed accesses on every consumer group. Review the contents of both
 * constants with that breadth in mind, especially any broad group.
 *
 * @param newResource  used as both policy name and description
 * @param xxPortalUser user recorded as creator and updater
 * @param xxService    service whose name the policy is attached to
 * @return the policy, with its resource signature already computed
 */
private RangerPolicy getRangerPolicy(String newResource, XXPortalUser xxPortalUser, XXService xxService) {
	RangerPolicy consumerGroupPolicy = new RangerPolicy();

	// --- the single policy item: default users and groups, no delegation ---
	List<RangerPolicy.RangerPolicyItemAccess> grantedAccesses = getPolicyItemAccesses();
	List<String> defaultUsers = new ArrayList<>(DEFAULT_POLICY_USERS);
	List<String> defaultGroups = new ArrayList<>(DEFAULT_POLICY_GROUP);
	List<RangerPolicy.RangerPolicyItemCondition> noConditions = new ArrayList<>();

	RangerPolicy.RangerPolicyItem defaultItem = new RangerPolicy.RangerPolicyItem();
	defaultItem.setAccesses(grantedAccesses);
	defaultItem.setConditions(noConditions);
	defaultItem.setGroups(defaultGroups);
	defaultItem.setUsers(defaultUsers);
	defaultItem.setDelegateAdmin(false);

	List<RangerPolicy.RangerPolicyItem> items = new ArrayList<>();
	items.add(defaultItem);

	// --- the single wildcard resource ---
	RangerPolicy.RangerPolicyResource wildcardResource = new RangerPolicy.RangerPolicyResource();
	wildcardResource.setIsExcludes(false);
	wildcardResource.setIsRecursive(false);
	wildcardResource.setValue("*");

	Map<String, RangerPolicy.RangerPolicyResource> resourcesByName = new HashMap<>();
	resourcesByName.put(CONSUMERGROUP_RESOURCE_NAME, wildcardResource);

	// --- policy metadata ---
	consumerGroupPolicy.setCreateTime(new Date());
	consumerGroupPolicy.setDescription(newResource);
	consumerGroupPolicy.setIsEnabled(true);
	consumerGroupPolicy.setName(newResource);
	consumerGroupPolicy.setCreatedBy(xxPortalUser.getLoginId());
	consumerGroupPolicy.setUpdatedBy(xxPortalUser.getLoginId());
	consumerGroupPolicy.setUpdateTime(new Date());
	consumerGroupPolicy.setService(xxService.getName());
	consumerGroupPolicy.setIsAuditEnabled(true);
	consumerGroupPolicy.setPolicyItems(items);
	consumerGroupPolicy.setResources(resourcesByName);
	consumerGroupPolicy.setPolicyType(0);
	consumerGroupPolicy.setId(0L);
	consumerGroupPolicy.setGuid("");
	consumerGroupPolicy.setPolicyLabels(new ArrayList<>());
	consumerGroupPolicy.setVersion(1L);

	// The signature is computed last, once the policy is fully populated.
	RangerPolicyResourceSignature signature = new RangerPolicyResourceSignature(consumerGroupPolicy);
	consumerGroupPolicy.setResourceSignature(signature.getSignature());

	return consumerGroupPolicy;
}
 
Example 17
Source File: RangerServiceYarn.java    From ranger with Apache License 2.0
/**
 * Returns the default policies from the superclass, adjusted for YARN.
 *
 * <p>For every default policy whose name contains {@code "all"}: when {@code lookUpUser} is
 * not blank, a policy item granting that user {@code ACCESS_TYPE_SUBMIT_APP} (without
 * delegate-admin) is appended; and when the policy has a queue resource that is also defined
 * in the service definition, its value is set to the wildcard asterisk.
 *
 * @return the list obtained from the superclass, modified in place
 * @throws Exception declared by the method signature; this body adds no throws of its own
 */
public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerServiceYarn.getDefaultRangerPolicies() ");
	}

	List<RangerPolicy> policies = super.getDefaultRangerPolicies();

	String queueKey = RangerYarnAuthorizer.KEY_RESOURCE_QUEUE;

	for (RangerPolicy policy : policies) {
		// NOTE(review): this is a substring match, so any default policy whose name merely
		// contains "all" receives the lookup-user grant and the wildcard below.
		if (!policy.getName().contains("all")) {
			continue;
		}

		RangerPolicy.RangerPolicyResource queueResource = policy.getResources().get(queueKey);

		if (StringUtils.isNotBlank(lookUpUser)) {
			// The lookup user gets a single access type and no delegate-admin.
			RangerPolicyItem lookupItem = new RangerPolicyItem();
			lookupItem.setUsers(Collections.singletonList(lookUpUser));
			lookupItem.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_SUBMIT_APP)));
			lookupItem.setDelegateAdmin(false);
			policy.getPolicyItems().add(lookupItem);
		}

		if (queueResource == null) {
			LOG.warn("No '" + queueKey + "' found in default policy");
			continue;
		}

		// Only widen the queue value when the service definition actually declares the resource.
		boolean declaredInServiceDef = false;
		for (RangerServiceDef.RangerResourceDef candidate : serviceDef.getResources()) {
			if (candidate.getName().equals(queueKey)) {
				declaredInServiceDef = true;
				break;
			}
		}

		if (declaredInServiceDef) {
			queueResource.setValue(RangerAbstractResourceMatcher.WILDCARD_ASTERISK);
		} else {
			LOG.warn("No resourceDef found in YARN service-definition for '" + queueKey + "'");
		}
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerServiceYarn.getDefaultRangerPolicies() : " + policies);
	}
	return policies;
}
 
Example 18
Source File: AtlasHdfsResourceMapper.java    From ranger with Apache License 2.0
/**
 * Maps an Atlas entity to a Ranger service resource holding one HDFS path element.
 *
 * <p>The path comes from the entity's qualified name, falling back to its path attribute.
 * The cluster name comes from the qualified name, then the cluster-name attribute, then
 * {@code defaultClusterName}. Each failure to resolve is reported through
 * {@code throwExceptionWithMessage}.
 *
 * @param entity the Atlas entity whose attributes and guid are read
 * @return a service resource keyed by {@code RANGER_TYPE_HDFS_PATH}, non-excluding and recursive
 * @throws Exception presumably raised by {@code throwExceptionWithMessage} when the path or
 *                   cluster name cannot be resolved — confirm against that helper
 */
@Override
public RangerServiceResource buildResource(final RangerAtlasEntity entity) throws Exception {
	// Attribute values come from the Atlas entity and are used as given.
	String qualifiedName = (String)entity.getAttributes().get(AtlasResourceMapper.ENTITY_ATTRIBUTE_QUALIFIED_NAME);
	String nameServiceId = (String)entity.getAttributes().get(ENTITY_ATTRIBUTE_NAME_SERVICE_ID);

	boolean hasQualifiedName = StringUtils.isNotEmpty(qualifiedName);
	String path        = hasQualifiedName ? getResourceNameFromQualifiedName(qualifiedName) : null;
	String clusterName = hasQualifiedName ? getClusterNameFromQualifiedName(qualifiedName) : null;

	// Path: qualified name first, then the explicit path attribute.
	if (StringUtils.isEmpty(path)) {
		path = (String) entity.getAttributes().get(ENTITY_ATTRIBUTE_PATH);

		if (StringUtils.isEmpty(path)) {
			throwExceptionWithMessage("path not found in attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "' or '" + ENTITY_ATTRIBUTE_PATH +  "'");
		}
	}

	// Cluster name: qualified name, then the attribute, then the configured default.
	if (StringUtils.isEmpty(clusterName)) {
		clusterName = (String) entity.getAttributes().get(ENTITY_ATTRIBUTE_CLUSTER_NAME);

		if (StringUtils.isEmpty(clusterName)) {
			clusterName = defaultClusterName;

			if (StringUtils.isEmpty(clusterName)) {
				throwExceptionWithMessage("clusterName not found in attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "' or '" + ENTITY_ATTRIBUTE_CLUSTER_NAME +  "'");
			}
		}
	}

	String guid = entity.getGuid();

	// A name-service id, when present, selects a custom Ranger service name.
	String rangerService;
	if (StringUtils.isNotBlank(nameServiceId)) {
		rangerService = getCustomRangerServiceNameForClusterAndNameService(clusterName, nameServiceId);
	} else {
		rangerService = getRangerServiceName(clusterName);
	}

	// Only the path component of the URI is kept as the resource value.
	// NOTE(review): the element is marked recursive, so the resource presumably also covers
	// everything beneath the path — confirm that is intended for every entity type mapped here.
	String hdfsPath = new Path(path).toUri().getPath();

	Map<String, RangerPolicyResource> resourceElements = new HashMap<String, RangerPolicy.RangerPolicyResource>();
	resourceElements.put(RANGER_TYPE_HDFS_PATH, new RangerPolicyResource(hdfsPath, Boolean.FALSE, Boolean.TRUE));

	return new RangerServiceResource(guid, rangerService, resourceElements);
}
 
Example 19
Source File: RangerServiceHdfs.java    From ranger with Apache License 2.0
/**
 * Returns the default policies from the superclass, adjusted for HDFS.
 *
 * <p>For every default policy whose name contains {@code "all"}: when {@code lookUpUser} is
 * not blank, a policy item granting that user {@code ACCESS_TYPE_READ} (without
 * delegate-admin) is appended; and when the policy has a path resource that is also defined
 * in the service definition, its value is set to the path separator followed by the wildcard
 * asterisk. Afterwards one policy per hierarchy returned by
 * {@code filterHierarchies_containsOnlyMandatoryResources} is added via
 * {@code getPolicyForKMSAudit}, when that helper returns a policy.
 *
 * @return the list obtained from the superclass, modified in place
 * @throws Exception declared by the method signature; failures while building the KMS audit
 *                   policies are caught and logged here rather than propagated
 */
@Override
public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerServiceHdfs.getDefaultRangerPolicies() ");
	}

	List<RangerPolicy> policies = super.getDefaultRangerPolicies();

	String pathKey = RangerHdfsAuthorizer.KEY_RESOURCE_PATH;

	for (RangerPolicy policy : policies) {
		// NOTE(review): this is a substring match, so any default policy whose name merely
		// contains "all" receives the lookup-user grant and the wildcard path below.
		if (!policy.getName().contains("all")) {
			continue;
		}

		if (StringUtils.isNotBlank(lookUpUser)) {
			// The lookup user gets read access only and no delegate-admin.
			RangerPolicyItem lookupItem = new RangerPolicyItem();
			lookupItem.setUsers(Collections.singletonList(lookUpUser));
			lookupItem.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_READ)));
			lookupItem.setDelegateAdmin(false);
			policy.getPolicyItems().add(lookupItem);
		}

		RangerPolicy.RangerPolicyResource pathResource = policy.getResources().get(pathKey);
		if (pathResource == null) {
			LOG.warn("No '" + pathKey + "' found in default policy");
			continue;
		}

		// Look up the path resource definition to learn the configured separator.
		RangerServiceDef.RangerResourceDef pathDef = null;
		for (RangerServiceDef.RangerResourceDef candidate : serviceDef.getResources()) {
			if (candidate.getName().equals(pathKey)) {
				pathDef = candidate;
				break;
			}
		}

		if (pathDef == null) {
			LOG.warn("No resourceDef found in HDFS service-definition for '" + pathKey + "'");
			continue;
		}

		String separator = pathDef.getMatcherOptions().get(RangerPathResourceMatcher.OPTION_PATH_SEPARATOR);
		if (StringUtils.isBlank(separator)) {
			separator = Character.toString(RangerPathResourceMatcher.DEFAULT_PATH_SEPARATOR_CHAR);
		}
		// Separator + wildcard, so the default policy's path value is not limited to one path.
		pathResource.setValue(separator + RangerAbstractResourceMatcher.WILDCARD_ASTERISK);
	}

	try {
		// One policy is needed for the keyadmin user for audit to HDFS.
		RangerServiceDefHelper helper = new RangerServiceDefHelper(serviceDef);
		for (List<RangerServiceDef.RangerResourceDef> hierarchy : helper.filterHierarchies_containsOnlyMandatoryResources(RangerPolicy.POLICY_TYPE_ACCESS)) {
			RangerPolicy auditPolicy = getPolicyForKMSAudit(hierarchy);
			if (auditPolicy != null) {
				policies.add(auditPolicy);
			}
		}
	} catch (Exception e) {
		// Best effort: the failure is logged and the remaining default policies are still
		// returned, so the keyadmin audit policy may be absent from the result.
		LOG.error("Error creating policy for keyadmin for audit to HDFS : " + service.getName(), e);
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerServiceHdfs.getDefaultRangerPolicies() : " + policies);
	}
	return policies;
}
 
Example 20
Source File: RangerTagEnricher.java    From ranger with Apache License 2.0
/**
 * Removes the matchers for {@code serviceResource} from the given tries and matcher list.
 *
 * <p>Does nothing and returns {@code true} when {@code enrichedServiceTags} is null.
 * Otherwise the matchers currently evaluating the resource are looked up and deleted from
 * the trie of each resource element. If a trie is missing for any element, the method
 * returns {@code false} and leaves {@code resourceMatchers} untouched.
 *
 * @param serviceResource  the service resource being removed
 * @param resourceMatchers matcher list from which the old matchers are removed on success
 * @param resourceTries    tries keyed by resource-definition name
 * @return {@code true} if removal completed, {@code false} if a trie was missing
 */
private boolean removeOldServiceResource(RangerServiceResource serviceResource, List<RangerServiceResourceMatcher> resourceMatchers, Map<String, RangerResourceTrie<RangerServiceResourceMatcher>> resourceTries) {
	if (enrichedServiceTags == null) {
		return true;
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("Removing service-resource:[" + serviceResource + "] from trie-map");
	}

	Map<String, RangerPolicy.RangerPolicyResource> elements = serviceResource.getResourceElements();

	// Represent the service resource as an access resource so its evaluators can be looked up.
	RangerAccessResourceImpl accessResource = new RangerAccessResourceImpl();
	for (Map.Entry<String, RangerPolicy.RangerPolicyResource> element : elements.entrySet()) {
		accessResource.setValue(element.getKey(), element.getValue());
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("RangerAccessResource:[" + accessResource + "] created to represent service-resource[" + serviceResource + "] to find evaluators from trie-map");
	}

	List<RangerServiceResourceMatcher> oldMatchers = getEvaluators(accessResource, enrichedServiceTags);

	if (LOG.isDebugEnabled()) {
		LOG.debug("Found [" + oldMatchers.size() + "] matchers for service-resource[" + serviceResource + "]");
	}

	boolean allRemoved = true;

	for (RangerServiceResourceMatcher matcher : oldMatchers) {
		for (Map.Entry<String, RangerPolicy.RangerPolicyResource> element : elements.entrySet()) {
			String resourceDefName = element.getKey();
			RangerResourceTrie<RangerServiceResourceMatcher> trie = resourceTries.get(resourceDefName);

			if (trie == null) {
				// The second message describes a reset of tagVersion; this method only reports
				// the failure through its return value.
				// NOTE(review): the break leaves only the inner loop, so the remaining matchers
				// are still processed and tries may end up partially updated — confirm callers
				// discard this state when false is returned.
				LOG.error("Cannot find resourceDef with name:[" + resourceDefName + "]. Should NOT happen!!");
				LOG.error("Setting tagVersion to -1 to ensure that in the next download all tags are downloaded");
				allRemoved = false;
				break;
			}

			trie.delete(element.getValue(), matcher);
		}
	}

	// Drop the old matchers from the list only when every trie deletion succeeded.
	if (allRemoved) {
		resourceMatchers.removeAll(oldMatchers);

		if (LOG.isDebugEnabled()) {
			LOG.debug("Found and removed [" + oldMatchers.size() + "] matchers for service-resource[" + serviceResource + "] from trie-map");
		}
	}

	return allRemoved;
}