Java Code Examples for org.apache.ranger.plugin.model.RangerPolicy#getPolicyItems()

Example 1
Source File: RangerHiveAuthorizer.java — from the ranger project (Apache License 2.0)
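/**
 * Builds the {@link HivePrivilegeInfo} that describes the {@code aclName} privilege held by
 * {@code hivePrincipal} on the given Hive object, as derived from a single Ranger policy.
 *
 * <p>Only the allow policy-items of {@code policy} are consulted. A policy-item matches when
 * one of its accesses has exactly the lower-cased {@code aclName} as its type and the
 * principal's name is contained in the item's user list or group list. For every matching
 * item the policy creation time (seconds since the epoch, truncated to {@code int}) and the
 * item's delegate-admin flag are copied, so when several items match the last one wins.
 * Without a match the creation date stays 0 and delegate-admin stays false.
 *
 * <p>The grantor of the returned info is always {@code DEFAULT_RANGER_POLICY_GRANTOR}.
 *
 * @param hivePrincipal the grantee; its name is compared against both the user and the group
 *                      list of each policy-item, regardless of the principal's type
 * @param objectType    type of the Hive object the privilege applies to
 * @param dbName        database of the object
 * @param objectName    name of the object (table, view, ...)
 * @param columnName    column, when the privilege is column-scoped
 * @param partValues    partition values, when the privilege is partition-scoped
 * @param aclName       Hive privilege name; compared to Ranger access types after lower-casing
 * @param policy        the Ranger policy whose allow items are scanned
 * @return a new, never-null {@code HivePrivilegeInfo}
 */
private HivePrivilegeInfo createHivePrivilegeInfo(HivePrincipal hivePrincipal,
												  HivePrivilegeObject.HivePrivilegeObjectType objectType,
												  String dbName,
												  String objectName,
												  String columnName,
												  List<String> partValues,
												  String aclName,
												  RangerPolicy policy) {
	int     creationDate  = 0;
	boolean delegateAdmin = false;

	for (RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
		// Locale.ROOT keeps the comparison independent of the JVM default locale; under the
		// default-locale toLowerCase() a Turkish locale maps "I" to a dotless i and breaks it.
		String wantedAccessType = aclName.toLowerCase(java.util.Locale.ROOT);

		if (!grantsAccessType(policyItem, wantedAccessType)) {
			continue;
		}

		String principalName = hivePrincipal.getName();

		// The name is looked up in both lists; a user and a group with the same name are
		// indistinguishable here.
		if (!policyItem.getUsers().contains(principalName) && !policyItem.getGroups().contains(principalName)) {
			continue;
		}

		// Later matching items overwrite earlier ones.
		if (policy.getCreateTime() != null) {
			// HivePrivilegeInfo carries the creation date as an int of epoch seconds.
			creationDate = (int) (policy.getCreateTime().getTime() / 1000);
		}
		if (policyItem.getDelegateAdmin() != null) {
			delegateAdmin = policyItem.getDelegateAdmin().booleanValue();
		}
	}

	HivePrincipal       grantorPrincipal = new HivePrincipal(DEFAULT_RANGER_POLICY_GRANTOR, HivePrincipal.HivePrincipalType.USER);
	HivePrivilegeObject privilegeObject  = new HivePrivilegeObject(objectType, dbName, objectName, partValues, columnName);
	HivePrivilege       privilege        = new HivePrivilege(aclName, null);

	return new HivePrivilegeInfo(hivePrincipal, privilege, privilegeObject, grantorPrincipal, delegateAdmin, creationDate);
}

/**
 * Returns {@code true} when one of {@code policyItem}'s accesses has exactly the type
 * {@code accessType} (case-sensitive comparison of the stored type).
 */
private static boolean grantsAccessType(RangerPolicy.RangerPolicyItem policyItem, String accessType) {
	for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) {
		if (accessType.equals(access.getType())) {
			return true;
		}
	}
	return false;
}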
 
Example 2
Source File: ServiceRESTUtil.java — from the ranger project (Apache License 2.0)
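/**
 * Appends every policy-item of {@code appliedPolicy} to the matching list of
 * {@code existingPolicy}: allow items, deny items, allow-exceptions and deny-exceptions.
 *
 * <p>Items are added by reference, not copied, so after this call both policies share the
 * same {@code RangerPolicyItem} instances. An applied list that is null or empty is skipped,
 * in which case the corresponding list of {@code existingPolicy} is not touched at all.
 *
 * @param existingPolicy the policy that receives the items; its item lists are mutated in place
 * @param appliedPolicy  the policy whose items are appended; its lists are only read
 */
private static void combinePolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) {
	appendPolicyItems(existingPolicy.getPolicyItems(),     appliedPolicy.getPolicyItems());
	appendPolicyItems(existingPolicy.getDenyPolicyItems(), appliedPolicy.getDenyPolicyItems());
	appendPolicyItems(existingPolicy.getAllowExceptions(), appliedPolicy.getAllowExceptions());
	appendPolicyItems(existingPolicy.getDenyExceptions(),  appliedPolicy.getDenyExceptions());
}

/**
 * Adds all of {@code source} to {@code target} when {@code source} is neither null nor empty;
 * otherwise {@code target} is left alone (and may itself be null without consequence).
 */
private static void appendPolicyItems(List<RangerPolicy.RangerPolicyItem> target, List<RangerPolicy.RangerPolicyItem> source) {
	if (CollectionUtils.isNotEmpty(source)) {
		target.addAll(source);
	}
}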
 
Example 3
Source File: ServiceRESTUtil.java — from the ranger project (Apache License 2.0)
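/**
 * Removes the given users, groups and roles from every allow policy-item of {@code policy}
 * and drops each policy-item that is left with no users, no groups and no roles.
 *
 * <p>Only {@code policy.getPolicyItems()} (the allow items) is visited; deny items and the
 * exception lists are not modified. A policy-item that was already empty before the call is
 * removed too, and that removal counts as an update.
 *
 * @param policy the policy whose allow policy-items are modified in place
 * @param users  user names to remove from each policy-item
 * @param groups group names to remove from each policy-item
 * @param roles  role names to remove from each policy-item
 * @return {@code true} if any policy-item was changed or removed, {@code false} otherwise
 */
private static boolean removeUsersGroupsAndRolesFromPolicy(RangerPolicy policy, Set<String> users, Set<String> groups, Set<String> roles) {
	boolean policyUpdated = false;

	List<RangerPolicy.RangerPolicyItem> policyItems = policy.getPolicyItems();

	// Iterate backwards so removing the current element never shifts the indices of
	// elements that are still to be visited.
	for (int i = policyItems.size() - 1; i >= 0; i--) {
		RangerPolicy.RangerPolicyItem policyItem = policyItems.get(i);

		// '|=' (not '||') so every list is processed even after an earlier change.
		policyUpdated |= removeMatchingMembers(policyItem.getUsers(), users);
		policyUpdated |= removeMatchingMembers(policyItem.getGroups(), groups);
		policyUpdated |= removeMatchingMembers(policyItem.getRoles(), roles);

		if (CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups()) && CollectionUtils.isEmpty(policyItem.getRoles())) {
			policyItems.remove(i);

			policyUpdated = true;
		}
	}

	return policyUpdated;
}

/**
 * Removes every element of {@code toRemove} from {@code members} when the two intersect.
 *
 * @return {@code true} if {@code members} was modified, {@code false} if they had no element in common
 */
private static boolean removeMatchingMembers(List<String> members, Set<String> toRemove) {
	if (!CollectionUtils.containsAny(members, toRemove)) {
		return false;
	}

	members.removeAll(toRemove);

	return true;
}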
 
Example 4
Source File: RangerDefaultPolicyEvaluator.java — from the ranger project (Apache License 2.0)
/**
 * Creates one initialised {@link RangerPolicyItemEvaluator} per policy-item of the requested
 * type (allow, deny, allow-exception or deny-exception) in {@code policy}.
 *
 * <p>Evaluators are numbered from 1 in list order. As a side effect the field
 * {@code customConditionsCount} grows by the number of condition evaluators each item
 * contributes. When the item type is disabled for {@code serviceDef}, is not one of the four
 * known types, or the policy has no items of that type, an immutable empty list is returned.
 *
 * @param policy         the policy whose items are wrapped in evaluators
 * @param serviceDef     service definition used to decide whether the item type is enabled
 * @param options        engine options handed to every item evaluator
 * @param policyItemType one of the {@code RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_*} constants
 * @return the initialised evaluators, never null
 */
private List<RangerPolicyItemEvaluator> createPolicyItemEvaluators(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options, int policyItemType) {
	List<RangerPolicyItem> policyItems = isPolicyItemTypeEnabled(serviceDef, policyItemType)
			? policyItemsOfType(policy, policyItemType)
			: null;

	if (CollectionUtils.isEmpty(policyItems)) {
		return Collections.emptyList();
	}

	List<RangerPolicyItemEvaluator> evaluators = new ArrayList<>();
	int                             itemNumber = 0;

	for (RangerPolicyItem policyItem : policyItems) {
		itemNumber++;

		RangerPolicyItemEvaluator itemEvaluator = new RangerDefaultPolicyItemEvaluator(serviceDef, policy, policyItem, policyItemType, itemNumber, options);
		itemEvaluator.init();
		evaluators.add(itemEvaluator);

		// Keep a running total of custom conditions across all items of this policy.
		if (CollectionUtils.isNotEmpty(itemEvaluator.getConditionEvaluators())) {
			customConditionsCount += itemEvaluator.getConditionEvaluators().size();
		}
	}

	return evaluators;
}

/**
 * Picks the policy-item list of {@code policy} that corresponds to {@code policyItemType},
 * or {@code null} when the type is not one of the four known constants.
 */
private static List<RangerPolicyItem> policyItemsOfType(RangerPolicy policy, int policyItemType) {
	if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW) {
		return policy.getPolicyItems();
	}
	if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) {
		return policy.getDenyPolicyItems();
	}
	if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS) {
		return policy.getAllowExceptions();
	}
	if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS) {
		return policy.getDenyExceptions();
	}
	return null;
}
 
Example 5
Source File: ServiceRESTUtil.java — from the ranger project (Apache License 2.0)
/**
 * Applies the policy-items of type {@code policyItemType} from {@code appliedPolicy} onto
 * {@code existingPolicy} and compacts the result.
 *
 * <p>The users, groups and roles named in the applied items are collected; the existing
 * policy's items for those principals are split into per-user, per-group and per-role
 * buckets; the applied items are applied to those buckets; the buckets are merged back into
 * the existing policy, which is then compacted. Nothing is changed when the applied policy
 * has no items of the requested type. An unknown {@code policyItemType} is logged at WARN
 * level and treated as "no items".
 *
 * @param existingPolicy policy that is modified in place
 * @param appliedPolicy  policy whose items of the given type are applied
 * @param policyItemType selects which of the four item lists of {@code appliedPolicy} is used
 */
private static void processApplyPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> ServiceRESTUtil.processApplyPolicyForItemType()");
	}

	List<RangerPolicy.RangerPolicyItem> itemsToApply;

	switch (policyItemType) {
		case ALLOW:
			itemsToApply = appliedPolicy.getPolicyItems();
			break;
		case DENY:
			itemsToApply = appliedPolicy.getDenyPolicyItems();
			break;
		case ALLOW_EXCEPTIONS:
			itemsToApply = appliedPolicy.getAllowExceptions();
			break;
		case DENY_EXCEPTIONS:
			itemsToApply = appliedPolicy.getDenyExceptions();
			break;
		default:
			LOG.warn("processApplyPolicyForItemType(): invalid policyItemType=" + policyItemType);
			itemsToApply = null;
	}

	if (CollectionUtils.isNotEmpty(itemsToApply)) {
		Set<String> users  = new HashSet<>();
		Set<String> groups = new HashSet<>();
		Set<String> roles  = new HashSet<>();

		Map<String, RangerPolicy.RangerPolicyItem[]> userPolicyItems  = new HashMap<>();
		Map<String, RangerPolicy.RangerPolicyItem[]> groupPolicyItems = new HashMap<>();
		Map<String, RangerPolicy.RangerPolicyItem[]> rolePolicyItems  = new HashMap<>();

		// 1. Which principals does the applied policy talk about?
		extractUsersGroupsAndRoles(itemsToApply, users, groups, roles);

		// 2. Pull the existing policy's items for exactly those principals into per-principal buckets.
		splitExistingPolicyItems(existingPolicy, users, userPolicyItems, groups, groupPolicyItems, roles, rolePolicyItems);

		// 3. Apply the items of the requested type onto the buckets.
		applyPolicyItems(itemsToApply, policyItemType, userPolicyItems, groupPolicyItems, rolePolicyItems);

		// 4. Write the modified/new items back and tidy the policy up.
		mergeProcessedPolicyItems(existingPolicy, userPolicyItems, groupPolicyItems, rolePolicyItems);
		compactPolicy(existingPolicy);
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== ServiceRESTUtil.processApplyPolicyForItemType()");
	}
}
 
Example 6
Source File: ServiceRESTUtil.java — from the ranger project (Apache License 2.0)
/**
 * Merges the policy-items of type {@code policyItemType} from {@code appliedPolicy} into
 * {@code existingPolicy} and compacts the result.
 *
 * <p>Same pipeline as the "apply" variant, but the applied items are merged into the
 * per-principal buckets with {@code mergePolicyItems}: collect the users, groups and roles
 * named in the applied items, split the existing policy's items for those principals into
 * buckets, merge, write the buckets back, compact. Nothing happens when the applied policy
 * has no items of the requested type; an unknown {@code policyItemType} is logged at WARN
 * level and treated as "no items".
 *
 * @param existingPolicy policy that is modified in place
 * @param appliedPolicy  policy whose items of the given type are merged
 * @param policyItemType selects which of the four item lists of {@code appliedPolicy} is used
 */
private static void mergeExactMatchPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> ServiceRESTUtil.mergeExactMatchPolicyForItemType()");
	}

	List<RangerPolicy.RangerPolicyItem> itemsToMerge;

	switch (policyItemType) {
		case ALLOW:
			itemsToMerge = appliedPolicy.getPolicyItems();
			break;
		case DENY:
			itemsToMerge = appliedPolicy.getDenyPolicyItems();
			break;
		case ALLOW_EXCEPTIONS:
			itemsToMerge = appliedPolicy.getAllowExceptions();
			break;
		case DENY_EXCEPTIONS:
			itemsToMerge = appliedPolicy.getDenyExceptions();
			break;
		default:
			LOG.warn("mergeExactMatchPolicyForItemType(): invalid policyItemType=" + policyItemType);
			itemsToMerge = null;
	}

	if (CollectionUtils.isNotEmpty(itemsToMerge)) {
		Set<String> users  = new HashSet<>();
		Set<String> groups = new HashSet<>();
		Set<String> roles  = new HashSet<>();

		Map<String, RangerPolicy.RangerPolicyItem[]> userPolicyItems  = new HashMap<>();
		Map<String, RangerPolicy.RangerPolicyItem[]> groupPolicyItems = new HashMap<>();
		Map<String, RangerPolicy.RangerPolicyItem[]> rolePolicyItems  = new HashMap<>();

		// Collect the users, groups and roles referenced by the applied items.
		extractUsersGroupsAndRoles(itemsToMerge, users, groups, roles);

		// Split the existing policy's items for those principals into per-user, per-group
		// and per-role buckets.
		splitExistingPolicyItems(existingPolicy, users, userPolicyItems, groups, groupPolicyItems, roles, rolePolicyItems);

		// Merge the applied items of the requested type into the buckets.
		mergePolicyItems(itemsToMerge, policyItemType, userPolicyItems, groupPolicyItems, rolePolicyItems);

		// Put the modified/new items back into the existing policy and tidy it up.
		mergeProcessedPolicyItems(existingPolicy, userPolicyItems, groupPolicyItems, rolePolicyItems);
		compactPolicy(existingPolicy);
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== ServiceRESTUtil.mergeExactMatchPolicyForItemType()");
	}
}
 
Example 7
Source File: RangerServiceTag.java — from the ranger project (Apache License 2.0)
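/**
 * Returns the default policies for a tag service.
 *
 * <p>Starts from {@code super.getDefaultRangerPolicies()} and rewrites every policy whose
 * resource map has an entry for the first resource declared by the service-def: that
 * resource's value and the policy name are set to {@code RANGER_TAG_NAME_EXPIRES_ON}; each
 * allow policy-item gets {@code GROUP_PUBLIC} as its only group, a single
 * {@code RANGER_TAG_EXPIRY_CONDITION_NAME = "yes"} condition and delegate-admin false; the
 * items are then moved to the deny list and the allow list is set to {@code null}. The
 * resulting default policy is therefore a conditional deny rather than an allow.
 *
 * <p>The rewrite requires the service-def to declare a policy condition named
 * {@code RANGER_TAG_EXPIRY_CONDITION_NAME}. When it does not, an error is logged and an
 * empty list is returned. When the service-def declares no resources the policies from
 * {@code super} are returned unmodified.
 *
 * @return the default policies, possibly empty, never {@code null}
 * @throws Exception propagated from {@code super.getDefaultRangerPolicies()}
 */
@Override
public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerServiceTag.getDefaultRangerPolicies() ");
	}

	List<RangerPolicy> ret = new ArrayList<>();

	boolean isConditionDefFound = false;

	List<RangerServiceDef.RangerPolicyConditionDef> policyConditionDefs = serviceDef.getPolicyConditions();

	if (CollectionUtils.isNotEmpty(policyConditionDefs)) {
		for (RangerServiceDef.RangerPolicyConditionDef conditionDef : policyConditionDefs) {
			// Constant on the left so a condition-def with a null name cannot throw here.
			if (RANGER_TAG_EXPIRY_CONDITION_NAME.equals(conditionDef.getName())) {
				isConditionDefFound = true;
				break;
			}
		}
	}

	if (isConditionDefFound) {
		ret = super.getDefaultRangerPolicies();

		if (!serviceDef.getResources().isEmpty()) {
			// The default policies are matched on the service-def's first resource.
			String tagResourceName = serviceDef.getResources().get(0).getName();

			for (RangerPolicy defaultPolicy : ret) {
				RangerPolicy.RangerPolicyResource tagPolicyResource = defaultPolicy.getResources().get(tagResourceName);

				if (tagPolicyResource == null) {
					continue;
				}

				tagPolicyResource.setValue(RANGER_TAG_NAME_EXPIRES_ON);
				defaultPolicy.setName(RANGER_TAG_NAME_EXPIRES_ON);
				defaultPolicy.setDescription("Policy for data with " + RANGER_TAG_NAME_EXPIRES_ON + " tag");

				List<RangerPolicy.RangerPolicyItem> defaultPolicyItems = defaultPolicy.getPolicyItems();

				for (RangerPolicy.RangerPolicyItem defaultPolicyItem : defaultPolicyItems) {
					List<String> groups = new ArrayList<>();
					groups.add(GROUP_PUBLIC);
					defaultPolicyItem.setGroups(groups);

					List<String> conditionValues = new ArrayList<>();
					conditionValues.add("yes");

					List<RangerPolicy.RangerPolicyItemCondition> policyItemConditions = new ArrayList<>();
					policyItemConditions.add(new RangerPolicy.RangerPolicyItemCondition(RANGER_TAG_EXPIRY_CONDITION_NAME, conditionValues));
					defaultPolicyItem.setConditions(policyItemConditions);

					defaultPolicyItem.setDelegateAdmin(Boolean.FALSE);
				}

				// Move the rewritten items from the allow side to the deny side.
				defaultPolicy.setDenyPolicyItems(defaultPolicyItems);
				defaultPolicy.setPolicyItems(null);
			}
		}
	} else {
		LOG.error("RangerServiceTag.getDefaultRangerPolicies() - Cannot create default TAG policy: Cannot get tagPolicyConditionDef with name=" + RANGER_TAG_EXPIRY_CONDITION_NAME);
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerServiceTag.getDefaultRangerPolicies() : " + ret);
	}
	return ret;
}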