RANGER-4269: gds enricher implementation to grant access using datase…

…t/project policies - #2
gympass · Nov 9, 2023 · 4f362e1 · 4f362e1
1 parent 3842fd7
commit 4f362e1
Show file tree

Hide file tree

Showing 8 changed files with 130 additions and 154 deletions.
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -25,8 +25,8 @@
 import org.apache.ranger.plugin.util.ServiceDefUtil;
 
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 public class RangerAccessResult {
 	public  final static String KEY_MASK_TYPE      = "maskType";
@@ -328,23 +328,23 @@ public boolean isRowFilterEnabled() {
 		return StringUtils.isNotEmpty(getFilterExpr());
 	}
 
-	public List<String> getDatasets() {
-		return additionalInfo == null ? null : (List<String>) additionalInfo.get(KEY_DATASETS);
+	public Set<String> getDatasets() {
+		return additionalInfo == null ? null : (Set<String>) additionalInfo.get(KEY_DATASETS);
 	}
 
-	public void setDatasets(List<String> datasets) {
+	public void setDatasets(Set<String> datasets) {
 		if (datasets == null) {
 			removeAdditionalInfo(KEY_DATASETS);
 		} else {
 			addAdditionalInfo(KEY_DATASETS, datasets);
 		}
 	}
 
-	public List<String> getProjects() {
-		return additionalInfo == null ? null : (List<String>) additionalInfo.get(KEY_PROJECTS);
+	public Set<String> getProjects() {
+		return additionalInfo == null ? null : (Set<String>) additionalInfo.get(KEY_PROJECTS);
 	}
 
-	public void setProjects(List<String> projects) {
+	public void setProjects(Set<String> projects) {
 		if (projects == null) {
 			removeAdditionalInfo(KEY_PROJECTS);
 		} else {

diff --git a/...ts-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/...ts-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -1154,8 +1154,8 @@ private void updateFromGdsResult(RangerAccessResult result) {
 				result.setIsAudited(true);
 			}
 
-			result.setDatasets(gdsResult.getDatasetNames());
-			result.setProjects(gdsResult.getProjectNames());
+			result.setDatasets(gdsResult.getDatasets());
+			result.setProjects(gdsResult.getProjects());
 		} else {
 			if (LOG.isDebugEnabled()) {
 				LOG.debug("updateFromGdsResult(): no GdsAccessResult found in request context({})", request);

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsAccessResult.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsAccessResult.java
@@ -22,75 +22,41 @@
 import java.util.*;
 
 public class GdsAccessResult {
-    private Set<Long>    datasets;
-    private Set<Long>    projects;
-    private List<String> datasetNames;
-    private List<String> projectNames;
-    private boolean      isAllowed;
-    private boolean      isAudited;
-    private long         policyId = -1;
-    private Long         policyVersion;
+    private Set<String> datasets;
+    private Set<String> projects;
+    private boolean     isAllowed;
+    private boolean     isAudited;
+    private long        policyId = -1;
+    private Long        policyVersion;
 
 
     public GdsAccessResult() {
     }
 
-    public void addDataset(Long datasetId) {
+    public void addDataset(String name) {
         if (datasets == null) {
             datasets = new HashSet<>();
         }
 
-        datasets.add(datasetId);
+        datasets.add(name);
     }
 
-    public boolean hasDataset(Long datasetId) {
-        return datasets != null && datasets.contains(datasetId);
-    }
-
-    public Set<Long> getDatasets() {
+    public Set<String> getDatasets() {
         return datasets;
     }
 
-    public void addDatasetName(String name) {
-        if (datasetNames == null) {
-            datasetNames = datasets == null ? new ArrayList<>() : new ArrayList<>(datasets.size());
-        }
-
-        datasetNames.add(name);
-    }
-
-    public List<String> getDatasetNames() {
-        return datasetNames;
-    }
-
-    public void addProject(Long projectId) {
+    public void addProject(String name) {
         if (projects == null) {
             projects = new HashSet<>();
         }
 
-        projects.add(projectId);
+        projects.add(name);
     }
 
-    public boolean hasProject(Long projectId) {
-        return projects != null && projects.contains(projectId);
-    }
-
-    public Set<Long> getProjects() {
+    public Set<String> getProjects() {
         return projects;
     }
 
-    public void addProjectName(String name) {
-        if (projectNames == null) {
-            projectNames = projects == null ? new ArrayList<>() : new ArrayList<>(projects.size());
-        }
-
-        projectNames.add(name);
-    }
-
-    public List<String> getProjectNames() {
-        return projectNames;
-    }
-
     public boolean getIsAllowed() {
         return isAllowed;
     }
@@ -125,7 +91,7 @@ public void setPolicyVersion(Long policyVersion) {
 
     @Override
     public int hashCode() {
-        return Objects.hash(datasets, projects, datasetNames, projectNames, isAllowed, isAudited, policyId, policyVersion);
+        return Objects.hash(datasets, projects, isAllowed, isAudited, policyId, policyVersion);
     }
 
     @Override
@@ -139,8 +105,6 @@ public boolean equals(Object obj) {
 
             return Objects.equals(datasets, other.datasets) &&
                    Objects.equals(projects, other.projects) &&
-                   Objects.equals(datasetNames, other.datasetNames) &&
-                   Objects.equals(projectNames, other.projectNames) &&
                    Objects.equals(isAllowed, other.isAllowed) &&
                    Objects.equals(isAudited, other.isAudited) &&
                    Objects.equals(policyId, other.policyId) &&
@@ -161,8 +125,6 @@ public StringBuilder toString(StringBuilder sb) {
         sb.append("RangerGdsAccessResult={");
         sb.append("datasets={").append(datasets).append("}");
         sb.append(", projects={").append(projects).append("}");
-        sb.append(", datasetNames={").append(datasetNames).append("}");
-        sb.append(", projectNames={").append(projectNames).append("}");
         sb.append(", isAllowed={").append(isAllowed).append("}");
         sb.append(", isAudited={").append(isAudited).append("}");
         sb.append(", policyId={").append(policyId).append("}");

diff --git a/...common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsDataShareEvaluator.java b/...common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsDataShareEvaluator.java
@@ -21,12 +21,11 @@
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
-import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerResourceTrie;
 import org.apache.ranger.plugin.policyevaluator.RangerCustomConditionEvaluator;
-import org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator;
 import org.apache.ranger.plugin.util.RangerResourceEvaluatorsRetriever;
 import org.apache.ranger.plugin.util.ServiceGdsInfo.DataShareInfo;
 import org.apache.ranger.plugin.util.ServiceGdsInfo.SharedResourceInfo;
@@ -56,8 +55,8 @@ public GdsDataShareEvaluator(DataShareInfo dsh, List<SharedResourceInfo> resourc
         this.conditionEvaluator = RangerCustomConditionEvaluator.getInstance().getExpressionEvaluator(dsh.getConditionExpr(), serviceDefHelper.getServiceDef());
 
         if (resources != null) {
-            Set<String>                   resourceKeys = new HashSet<>();
-            List<RangerResourceEvaluator> evaluators   = new ArrayList<>(resources.size());
+            Set<String>                      resourceKeys = new HashSet<>();
+            List<GdsSharedResourceEvaluator> evaluators   = new ArrayList<>(resources.size());
 
             for (SharedResourceInfo resource : resources) {
                 GdsSharedResourceEvaluator evaluator = new GdsSharedResourceEvaluator(resource, dsh.getDefaultAccessTypes(), serviceDefHelper);
@@ -68,8 +67,8 @@ public GdsDataShareEvaluator(DataShareInfo dsh, List<SharedResourceInfo> resourc
             }
 
             for (String resourceKey : resourceKeys) {
-                RangerServiceDef.RangerResourceDef resourceDef  = serviceDefHelper.getResourceDef(resourceKey);
-                RangerResourceTrie                 resourceTrie = new RangerResourceTrie<>(resourceDef, evaluators);
+                RangerResourceDef                              resourceDef  = serviceDefHelper.getResourceDef(resourceKey);
+                RangerResourceTrie<GdsSharedResourceEvaluator> resourceTrie = new RangerResourceTrie<>(resourceDef, evaluators);
 
                 resourceTries.put(resourceKey, resourceTrie);
             }
@@ -94,7 +93,7 @@ public void addDshidEvaluator(GdsDshidEvaluator dhidEvaluator) {
         dsidEvaluators.add(dhidEvaluator);
     }
 
-    public void evaluate(RangerAccessRequest request, GdsAccessResult result) {
+    public void evaluate(RangerAccessRequest request, GdsAccessResult result, Set<Long> datasetIds) {
         LOG.debug("==> GdsDataShareEvaluator.evaluate({}, {})", request, result);
 
         Collection<GdsSharedResourceEvaluator> evaluators = RangerResourceEvaluatorsRetriever.getEvaluators(resourceTries, request.getResource().getAsMap(), request.getResourceElementMatchingScopes());
@@ -126,9 +125,9 @@ public void evaluate(RangerAccessRequest request, GdsAccessResult result) {
 
                 if (isAllowed) { // now find dsidEvaluators that allow the request and collect their datasetIds
                     for (GdsDshidEvaluator dsidEvaluator : dsidEvaluators) {
-                        if (!result.hasDataset(dsidEvaluator.getDatasetId())) {
+                        if (!datasetIds.contains(dsidEvaluator.getDatasetId())) {
                             if (dsidEvaluator.isAllowed(request)) {
-                                result.addDataset(dsidEvaluator.getDatasetId());
+                                datasetIds.add(dsidEvaluator.getDatasetId());
                             }
                         }
                     }

diff --git a/...s-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsDatasetEvaluator.java b/...s-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsDatasetEvaluator.java
@@ -29,10 +29,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.List;
+import java.util.*;
 
 public class GdsDatasetEvaluator {
     private static final Logger LOG = LoggerFactory.getLogger(GdsDatasetEvaluator.class);
@@ -41,6 +38,7 @@ public class GdsDatasetEvaluator {
 
 
     private final DatasetInfo                 dataset;
+    private final RangerServiceDef            gdsServiceDef;
     private final String                      name;
     private final List<GdsDipEvaluator>       dipEvaluators = new ArrayList<>();
     private final List<RangerPolicyEvaluator> policyEvaluators;
@@ -49,8 +47,9 @@ public class GdsDatasetEvaluator {
     public GdsDatasetEvaluator(DatasetInfo dataset, RangerServiceDef gdsServiceDef, RangerPolicyEngineOptions options) {
         LOG.debug("==> GdsDatasetEvaluator()");
 
-        this.dataset = dataset;
-        this.name    = StringUtils.isBlank(dataset.getName()) ? StringUtils.EMPTY : dataset.getName();
+        this.dataset       = dataset;
+        this.gdsServiceDef = gdsServiceDef;
+        this.name          = StringUtils.isBlank(dataset.getName()) ? StringUtils.EMPTY : dataset.getName();
 
         if (dataset.getPolicies() != null) {
             policyEvaluators = new ArrayList<>(dataset.getPolicies().size());
@@ -81,10 +80,10 @@ public void addDipEvaluator(GdsDipEvaluator dipEvaluator) {
         dipEvaluators.add(dipEvaluator);
     }
 
-    public void evaluate(RangerAccessRequest request, GdsAccessResult result, RangerServiceDef gdsServiceDef) {
+    public void evaluate(RangerAccessRequest request, GdsAccessResult result, Set<Long> projectIds) {
         LOG.debug("==> GdsDatasetEvaluator.evaluate({}, {})", request, result);
 
-        result.addDatasetName(getName());
+        result.addDataset(getName());
 
         if (!policyEvaluators.isEmpty()) {
             GdsDatasetAccessRequest datasetRequest = new GdsDatasetAccessRequest(getId(), gdsServiceDef, request);
@@ -108,9 +107,9 @@ public void evaluate(RangerAccessRequest request, GdsAccessResult result, Ranger
         }
 
         for (GdsDipEvaluator dipEvaluator : dipEvaluators) {
-            if (!result.hasProject(dipEvaluator.getProjectId())) {
+            if (!projectIds.contains(dipEvaluator.getProjectId())) {
                 if (dipEvaluator.isAllowed(request)) {
-                    result.addProject(dipEvaluator.getProjectId());
+                    projectIds.add(dipEvaluator.getProjectId());
                 }
             }
         }