RANGER-4035: added catagory to access-types; added marker access-type…

…s.patch
gympass · Mar 30, 2023 · e11431f · e11431f
1 parent e89016c
commit e11431f
Show file tree

Hide file tree

Showing 16 changed files with 1,388 additions and 97 deletions.
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
@@ -65,6 +65,7 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
 	private List<RangerEnumDef>            enums;
 	private RangerDataMaskDef              dataMaskDef;
 	private RangerRowFilterDef             rowFilterDef;
+	private List<RangerAccessTypeDef>      markerAccessTypes; // read-only
 
 	public RangerServiceDef() {
 		this(null, null, null, null, null, null, null, null, null, null, null, null, null);
@@ -104,6 +105,7 @@ public RangerServiceDef(String name, String implClass, String label, String desc
 		setEnums(enums);
 		setDataMaskDef(dataMaskDef);
 		setRowFilterDef(rowFilterDef);
+		setMarkerAccessTypes(null);
 	}
 
 	public RangerServiceDef(String name, String displayName, String implClass, String label, String description,
@@ -137,6 +139,7 @@ public void updateFrom(RangerServiceDef other) {
 		setEnums(other.getEnums());
 		setDataMaskDef(other.getDataMaskDef());
 		setRowFilterDef(other.getRowFilterDef());
+		setMarkerAccessTypes(other.getMarkerAccessTypes());
 	}
 
 	/**
@@ -421,6 +424,26 @@ public void setRowFilterDef(RangerRowFilterDef rowFilterDef) {
 		this.rowFilterDef = rowFilterDef == null ? new RangerRowFilterDef() : rowFilterDef;
 	}
 
+	public List<RangerAccessTypeDef> getMarkerAccessTypes() {
+		return markerAccessTypes;
+	}
+
+	public void setMarkerAccessTypes(List<RangerAccessTypeDef> markerAccessTypes) {
+		if (this.markerAccessTypes == null) {
+			this.markerAccessTypes = new ArrayList<>();
+		}
+
+		if (this.markerAccessTypes == markerAccessTypes) {
+			return;
+		}
+
+		this.markerAccessTypes.clear();
+
+		if(markerAccessTypes != null) {
+			this.markerAccessTypes.addAll(markerAccessTypes);
+		}
+	}
+
 	public String getDisplayName() {
 		return displayName;
 	}
@@ -481,6 +504,12 @@ public void dedupStrings(Map<String, String> strTbl) {
 		if (rowFilterDef != null) {
 			rowFilterDef.dedupStrings(strTbl);
 		}
+
+		if (markerAccessTypes != null) {
+			for (RangerAccessTypeDef accessType : markerAccessTypes) {
+				accessType.dedupStrings(strTbl);
+			}
+		}
 	}
 
 	@Override
@@ -585,6 +614,16 @@ public StringBuilder toString(StringBuilder sb) {
 		}
 		sb.append("} ");
 
+		sb.append("markerAccessTypes={");
+		if(markerAccessTypes != null) {
+			for(RangerAccessTypeDef accessType : markerAccessTypes) {
+				if(accessType != null) {
+					accessType.toString(sb);
+				}
+			}
+		}
+		sb.append("} ");
+
 		sb.append("}");
 
 		return sb;
@@ -1925,22 +1964,34 @@ public boolean equals(Object obj) {
 	public static class RangerAccessTypeDef implements java.io.Serializable {
 		private static final long serialVersionUID = 1L;
 
+		public enum AccessTypeCategory { CREATE, READ, UPDATE, DELETE, MANAGE }
+
 		private Long               itemId;
 		private String             name;
 		private String             label;
 		private String             rbKeyLabel;
 		private Collection<String> impliedGrants;
+		private AccessTypeCategory category;
 
 		public RangerAccessTypeDef() {
-			this(null, null, null, null, null);
+			this(null, null, null, null, null, null);
+		}
+
+		public RangerAccessTypeDef(String name) {
+			this(null, name, name, null, null, null);
 		}
 
 		public RangerAccessTypeDef(Long itemId, String name, String label, String rbKeyLabel, Collection<String> impliedGrants) {
+			this(itemId, name, label, rbKeyLabel, impliedGrants, null);
+		}
+
+		public RangerAccessTypeDef(Long itemId, String name, String label, String rbKeyLabel, Collection<String> impliedGrants, AccessTypeCategory category) {
 			setItemId(itemId);
 			setName(name);
 			setLabel(label);
 			setRbKeyLabel(rbKeyLabel);
 			setImpliedGrants(impliedGrants);
+			setCategory(category);
 		}
 
 		public RangerAccessTypeDef(RangerAccessTypeDef other) {
@@ -1949,6 +2000,7 @@ public RangerAccessTypeDef(RangerAccessTypeDef other) {
 			setLabel(other.getLabel());
 			setRbKeyLabel(other.getRbKeyLabel());
 			setImpliedGrants(other.getImpliedGrants());
+			setCategory((other.getCategory()));
 		}
 
 		/**
@@ -2033,6 +2085,14 @@ public void setImpliedGrants(Collection<String> impliedGrants) {
 			}
 		}
 
+		public AccessTypeCategory getCategory() {
+			return category;
+		}
+
+		public void setCategory(AccessTypeCategory category) {
+			this.category = category;
+		}
+
 		public void dedupStrings(Map<String, String> strTbl) {
 			name          = StringUtil.dedupString(name, strTbl);
 			label         = StringUtil.dedupString(label, strTbl);
@@ -2065,6 +2125,7 @@ public StringBuilder toString(StringBuilder sb) {
 				}
 			}
 			sb.append("} ");
+			sb.append("category={").append(category).append("} ");
 
 			sb.append("}");
 

diff --git a/...common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/...common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -415,6 +415,18 @@ boolean isValidAccessTypeDef(RangerPolicy policy, final List<ValidationFailureDe
 					for(RangerAccessTypeDef rangerAccessTypeDef:serviceDef.getRowFilterDef().getAccessTypes()){
 						rowFilterAccessTypeDefNames.add(rangerAccessTypeDef.getName().toLowerCase());
 					}
+
+					if (serviceDef.getMarkerAccessTypes() != null) {
+						for (RangerAccessTypeDef accessTypeDef : serviceDef.getMarkerAccessTypes()) {
+							if (accessTypeDef == null || accessTypeDef.getImpliedGrants() == null) {
+								continue;
+							}
+
+							if (CollectionUtils.containsAny(accessTypeDef.getImpliedGrants(), rowFilterAccessTypeDefNames)) {
+								rowFilterAccessTypeDefNames.add(accessTypeDef.getName());
+							}
+						}
+					}
 				}
 			}
 
@@ -445,6 +457,18 @@ boolean isValidAccessTypeDef(RangerPolicy policy, final List<ValidationFailureDe
 					for(RangerAccessTypeDef rangerAccessTypeDef:serviceDef.getDataMaskDef().getAccessTypes()){
 						dataMaskAccessTypeDefNames.add(rangerAccessTypeDef.getName().toLowerCase());
 					}
+
+					if (serviceDef.getMarkerAccessTypes() != null) {
+						for (RangerAccessTypeDef accessTypeDef : serviceDef.getMarkerAccessTypes()) {
+							if (accessTypeDef == null || accessTypeDef.getImpliedGrants() == null) {
+								continue;
+							}
+
+							if (CollectionUtils.containsAny(accessTypeDef.getImpliedGrants(), dataMaskAccessTypeDefNames)) {
+								dataMaskAccessTypeDefNames.add(accessTypeDef.getName());
+							}
+						}
+					}
 				}
 			}
 

diff --git a/...ommon/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java b/...ommon/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
@@ -36,6 +36,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -311,6 +312,10 @@ public RangerResourceDef getWildcardEnabledResourceDef(String resourceName, Inte
 		return _delegate.getWildcardEnabledResourceDef(resourceName, policyType);
 	}
 
+	public Map<String, Collection<String>> getImpliedAccessGrants() {
+		return _delegate.getImpliedAccessGrants();
+	}
+
 	/**
 	 * Not designed for public access.  Package level only for testability.
 	 */
@@ -323,6 +328,7 @@ static class Delegate {
 		final boolean _checkForCycles;
 		final boolean _valid;
 		final List<String> _orderedResourceNames;
+		final Map<String, Collection<String>> _impliedGrants;
 		final static Set<List<RangerResourceDef>> EMPTY_RESOURCE_HIERARCHY = Collections.unmodifiableSet(new HashSet<List<RangerResourceDef>>());
 
 
@@ -352,6 +358,8 @@ public Delegate(RangerServiceDef serviceDef, boolean checkForCycles) {
 				}
 			}
 
+			_impliedGrants = computeImpliedGrants();
+
 			if (isValid) {
 				_orderedResourceNames = buildSortedResourceNames();
 			} else {
@@ -611,6 +619,46 @@ List<String> getAllOrderedResourceNames() {
 			return this._orderedResourceNames;
 		}
 
+		Map<String, Collection<String>> getImpliedAccessGrants() { return _impliedGrants; }
+
+		private Map<String, Collection<String>> computeImpliedGrants() {
+			Map<String, Collection<String>> ret = new HashMap<>();
+
+			if (_serviceDef != null && CollectionUtils.isNotEmpty(_serviceDef.getAccessTypes())) {
+				for(RangerAccessTypeDef accessTypeDef : _serviceDef.getAccessTypes()) {
+					if(CollectionUtils.isNotEmpty(accessTypeDef.getImpliedGrants())) {
+						Collection<String> impliedAccessGrants = ret.get(accessTypeDef.getName());
+
+						if(impliedAccessGrants == null) {
+							impliedAccessGrants = new HashSet<>();
+
+							ret.put(accessTypeDef.getName(), impliedAccessGrants);
+						}
+
+						impliedAccessGrants.addAll(accessTypeDef.getImpliedGrants());
+					}
+				}
+
+				if (_serviceDef.getMarkerAccessTypes() != null) {
+					for (RangerAccessTypeDef accessTypeDef : _serviceDef.getMarkerAccessTypes()) {
+						if(CollectionUtils.isNotEmpty(accessTypeDef.getImpliedGrants())) {
+							Collection<String> impliedAccessGrants = ret.get(accessTypeDef.getName());
+
+							if(impliedAccessGrants == null) {
+								impliedAccessGrants = new HashSet<>();
+
+								ret.put(accessTypeDef.getName(), impliedAccessGrants);
+							}
+
+							impliedAccessGrants.addAll(accessTypeDef.getImpliedGrants());
+						}
+					}
+				}
+			}
+
+			return ret;
+		}
+
 		private static class ResourceNameLevel implements Comparable<ResourceNameLevel> {
 			private String resourceName;
 			private int    level;

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java
@@ -434,6 +434,14 @@ Set<String> getAccessTypes(RangerServiceDef serviceDef) {
 					}
 				}
 			}
+
+			if (serviceDef.getMarkerAccessTypes() != null) {
+				for (RangerAccessTypeDef accessTypeDef : serviceDef.getMarkerAccessTypes()) {
+					if (accessTypeDef != null) {
+						accessTypes.add(accessTypeDef.getName());
+					}
+				}
+			}
 		}
 
 		if(LOG.isDebugEnabled()) {

diff --git a/...on/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java b/...on/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
@@ -100,10 +100,10 @@ public void evaluate(RangerAccessRequest request, RangerAccessResult result) {
     }
 
     @Override
-    protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef) {
-        super.preprocessPolicy(policy, serviceDef);
+    protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
+        super.preprocessPolicy(policy, serviceDef, options);
 
-        Map<String, Collection<String>> impliedAccessGrants = getImpliedAccessGrants(serviceDef);
+        Map<String, Collection<String>> impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants();
 
         if (impliedAccessGrants == null || impliedAccessGrants.isEmpty()) {
             return;

diff --git a/.../src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/.../src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -23,7 +23,6 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -113,7 +112,7 @@ public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyE
 
 		policy = getPolicy();
 
-		preprocessPolicy(policy, serviceDef);
+		preprocessPolicy(policy, serviceDef, options);
 
 		if(policy != null) {
 			validityScheduleEvaluators = createValidityScheduleEvaluators(policy);
@@ -1145,12 +1144,12 @@ public StringBuilder toString(StringBuilder sb) {
 		return sb;
 	}
 
-	protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef) {
+	protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
 		if(policy == null || (!hasAllow() && !hasDeny()) || serviceDef == null) {
 			return;
 		}
 
-		Map<String, Collection<String>> impliedAccessGrants = getImpliedAccessGrants(serviceDef);
+		Map<String, Collection<String>> impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants();
 
 		if(impliedAccessGrants == null || impliedAccessGrants.isEmpty()) {
 			return;
@@ -1199,32 +1198,6 @@ protected void preprocessPolicyItems(List<? extends RangerPolicyItem> policyItem
 		}
 	}
 
-	protected Map<String, Collection<String>> getImpliedAccessGrants(RangerServiceDef serviceDef) {
-		Map<String, Collection<String>> ret = null;
-
-		if(serviceDef != null && !CollectionUtils.isEmpty(serviceDef.getAccessTypes())) {
-			for(RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
-				if(!CollectionUtils.isEmpty(accessTypeDef.getImpliedGrants())) {
-					if(ret == null) {
-						ret = new HashMap<>();
-					}
-
-					Collection<String> impliedAccessGrants = ret.get(accessTypeDef.getName());
-
-					if(impliedAccessGrants == null) {
-						impliedAccessGrants = new HashSet<>();
-
-						ret.put(accessTypeDef.getName(), impliedAccessGrants);
-					}
-
-					impliedAccessGrants.addAll(accessTypeDef.getImpliedGrants());
-				}
-			}
-		}
-
-		return ret;
-	}
-
 	private RangerPolicyItemAccess getAccess(RangerPolicyItem policyItem, String accessType) {
 		RangerPolicyItemAccess ret = null;