Update - 20220929

agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java

@@ -786,6 +786,45 @@ public static void authWithKerberos(String keytab, String principal,
 
 	}
 
+	public static void loginWithKeyTab(String keytab, String principal, String nameRules) {
+		if (logger.isDebugEnabled()) {
+			logger.debug("==> MiscUtil.loginWithKeyTab() keytab= " + keytab + "principal= " + principal + "nameRules= " + nameRules);
+		}
+
+		if (keytab == null || principal == null) {
+			logger.error("Failed to login as keytab or principal is null!");
+			return;
+		}
+
+		String[]             spnegoPrincipals;
+		UserGroupInformation ugi;
+
+		try {
+			if (principal.equals("*")) {
+				spnegoPrincipals = KerberosUtil.getPrincipalNames(keytab, Pattern.compile("HTTP/.*"));
+				if (spnegoPrincipals.length == 0) {
+					logger.error("No principals found in keytab= " + keytab);
+				}
+			} else {
+				spnegoPrincipals = new String[] { principal };
+			}
+
+			if (nameRules != null) {
+				KerberosName.setRules(nameRules);
+			}
+
+			logger.info("Creating UGI from keytab directly. keytab= " + keytab + ", principal= " + spnegoPrincipals[0]);
+			ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0], keytab);
+			MiscUtil.setUGILoginUser(ugi, null);
+		} catch (Exception e) {
+			logger.error("Failed to login with given keytab= " + keytab + "principal= " + principal + "nameRules= " + nameRules, e);
+		}
+
+		if (logger.isDebugEnabled()) {
+			logger.debug("<== MiscUtil.loginWithKeyTab()");
+		}
+	}
+
 	static class LogHistory {
 		long lastLogTime = 0;
 		int counter = 0;

agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java

@@ -22,6 +22,7 @@
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.plugin.model.RangerRole;
 import org.apache.ranger.plugin.util.*;
 import org.slf4j.Logger;
@@ -34,6 +35,8 @@ public abstract class AbstractRangerAdminClient implements RangerAdminClient {
 
     protected Gson gson;
 
+    private boolean forceNonKerberos = false;
+
     @Override
     public void init(String serviceName, String appId, String configPropertyPrefix, Configuration config) {
         Gson gson = null;
@@ -45,6 +48,7 @@ public void init(String serviceName, String appId, String configPropertyPrefix,
         }
 
         this.gson = gson;
+        this.forceNonKerberos = config.getBoolean(configPropertyPrefix + ".forceNonKerberos", false);
     }
 
     @Override
@@ -116,4 +120,16 @@ public List<String> getTagTypes(String tagTypePattern) throws Exception {
     public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, long lastActivationTimeInMillis) throws Exception {
         return null;
     }
+
+    public boolean isKerberosEnabled(UserGroupInformation user) {
+        final boolean ret;
+
+        if (forceNonKerberos) {
+            ret = false;
+        } else {
+            ret = user != null && UserGroupInformation.isSecurityEnabled() && user.hasKerberosCredentials();
+        }
+
+        return ret;
+    }
 }

agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java

@@ -184,7 +184,7 @@ public RangerRole createRole(final RangerRole request) throws Exception {
 
 		ClientResponse response = null;
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 		String relativeURL = RangerRESTUtils.REST_URL_SERVICE_CREATE_ROLE;
 
 		Map <String, String> queryParams = new HashMap<String, String> ();
@@ -239,7 +239,7 @@ public void dropRole(final String execUser, final String roleName) throws Except
 
 		ClientResponse response = null;
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 
 		Map<String, String> queryParams = new HashMap<String, String>();
 		queryParams.put(RangerRESTUtils.SERVICE_NAME_PARAM, serviceNameUrlParam);
@@ -294,7 +294,7 @@ public List<String> getUserRoles(final String execUser) throws Exception {
 		String emptyString = "";
 		ClientResponse response = null;
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 		String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USER_ROLES + execUser;
 
 		if (isSecureMode) {
@@ -349,7 +349,7 @@ public List<String> getAllRoles(final String execUser) throws Exception {
 		String emptyString = "";
 		ClientResponse response = null;
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 		String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_ALL_ROLES;
 
 		Map<String, String> queryParams = new HashMap<String, String>();
@@ -407,7 +407,7 @@ public RangerRole getRole(final String execUser, final String roleName) throws E
 		RangerRole ret = null;
 		ClientResponse response = null;
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 		String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_ROLE_INFO + roleName;
 
 		Map<String, String> queryParams = new HashMap<String, String>();
@@ -465,7 +465,7 @@ public void grantRole(final GrantRevokeRoleRequest request) throws Exception {
 
 		ClientResponse response = null;
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 		String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GRANT_ROLE + serviceNameUrlParam;
 
 		if (isSecureMode) {
@@ -513,7 +513,7 @@ public void revokeRole(final GrantRevokeRoleRequest request) throws Exception {
 
 		ClientResponse response = null;
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 		String relativeURL = RangerRESTUtils.REST_URL_SERVICE_REVOKE_ROLE + serviceNameUrlParam;
 
 		if (isSecureMode) {
@@ -561,7 +561,7 @@ public void grantAccess(final GrantRevokeRequest request) throws Exception {
 
 		ClientResponse response = null;
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 
 		Map<String, String> queryParams = new HashMap<String, String>();
 		queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
@@ -613,7 +613,7 @@ public void revokeAccess(final GrantRevokeRequest request) throws Exception {
 
 		ClientResponse response = null;
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 
 		Map<String, String> queryParams = new HashMap<String, String>();
 		queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
@@ -704,7 +704,7 @@ public List<String> getTagTypes(String pattern) throws Exception {
 		List<String> ret = null;
 		String emptyString = "";
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 
 		Map<String, String> queryParams = new HashMap<String, String>();
 		queryParams.put(RangerRESTUtils.SERVICE_NAME_PARAM, serviceNameUrlParam);
@@ -755,7 +755,7 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon
 
 		final RangerUserStore ret;
 		final UserGroupInformation user = MiscUtil.getUGILoginUser();
-		final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		final boolean isSecureMode = isKerberosEnabled(user);
 		final ClientResponse response;
 
 		Map<String, String> queryParams = new HashMap<String, String>();
@@ -838,7 +838,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCred(final long lastKnown
 		final ServicePolicies ret;
 
 		final UserGroupInformation user         = MiscUtil.getUGILoginUser();
-		final boolean              isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		final boolean              isSecureMode = isKerberosEnabled(user);
 		final ClientResponse       response     = getRangerAdminPolicyDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode);
 
 		if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) {
@@ -888,7 +888,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCookie(final long lastKno
 		final ServicePolicies ret;
 
 		final UserGroupInformation user         = MiscUtil.getUGILoginUser();
-		final boolean              isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		final boolean              isSecureMode = isKerberosEnabled(user);
 		final ClientResponse       response     = getRangerAdminPolicyDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode);
 
 		if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) {
@@ -1016,7 +1016,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCred(final long lastKnownVersion,
 		final ServiceTags ret;
 
 		final UserGroupInformation user = MiscUtil.getUGILoginUser();
-		final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		final boolean isSecureMode = isKerberosEnabled(user);
 		final ClientResponse response = getRangerAdminTagDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode);
 
 		if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) {
@@ -1070,7 +1070,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCookie(final long lastKnownVersio
 		final ServiceTags ret;
 
 		final UserGroupInformation user = MiscUtil.getUGILoginUser();
-		final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		final boolean isSecureMode = isKerberosEnabled(user);
 		final ClientResponse response = getRangerAdminTagDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode);
 
 		if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) {
@@ -1198,7 +1198,7 @@ private RangerRoles getRolesIfUpdatedWithCred(final long lastKnownRoleVersion, f
 		final RangerRoles ret;
 
 		final UserGroupInformation user = MiscUtil.getUGILoginUser();
-		final boolean isSecureMode      = user != null && UserGroupInformation.isSecurityEnabled();
+		final boolean isSecureMode      = isKerberosEnabled(user);
 		final ClientResponse response   = getRangerRolesDownloadResponse(lastKnownRoleVersion, lastActivationTimeInMillis, user, isSecureMode);
 
 		if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) {
@@ -1253,7 +1253,7 @@ private RangerRoles getRolesIfUpdatedWithCookie(final long lastKnownRoleVersion,
 		final RangerRoles ret;
 
 		final UserGroupInformation user = MiscUtil.getUGILoginUser();
-		final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		final boolean isSecureMode = isKerberosEnabled(user);
 		final ClientResponse response = getRangerRolesDownloadResponse(lastKnownRoleVersion, lastActivationTimeInMillis, user, isSecureMode);
 
 		if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) {

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java

@@ -36,6 +36,7 @@
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.RangerPolicyResourceEvaluator;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.PolicyACLSummary;
+import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType;
 import org.apache.ranger.plugin.service.RangerDefaultRequestProcessor;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
@@ -311,39 +312,43 @@ public RangerResourceACLs getResourceACLs(RangerAccessRequest request, Integer r
 					MatchType matchType = tagMatchTypeMap.get(evaluator.getPolicyId());
 
 					boolean isMatched = false;
+					boolean isConditionalMatch = false;
 
 					if (matchType == null) {
 						for (RangerPolicyResourceEvaluator resourceEvaluator : evaluator.getResourceEvaluators()) {
-							matchType = resourceEvaluator.getPolicyResourceMatcher().getMatchType(request.getResource(), request.getContext());
+							RangerPolicyResourceMatcher matcher = resourceEvaluator.getPolicyResourceMatcher();
 
-							if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-								isMatched = matchType != MatchType.NONE;
-							} else {
-								isMatched = matchType == MatchType.SELF || matchType == MatchType.SELF_AND_ALL_DESCENDANTS;
-							}
+							matchType = matcher.getMatchType(request.getResource(), request.getContext());
+							isMatched = isMatch(matchType, request.getResourceMatchingScope());
 
 							if (isMatched) {
+								isConditionalMatch = false;
+
 								break;
+							} else if (matcher.getNeedsDynamicEval() && !isConditionalMatch) {
+								MatchType dynWildCardMatch = resourceEvaluator.getMacrosReplaceWithWildcardMatcher(policyEngine).getMatchType(request.getResource(), request.getContext());
+
+								isConditionalMatch = isMatch(dynWildCardMatch, request.getResourceMatchingScope());
 							}
 						}
 					} else {
-						if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-							isMatched = matchType != MatchType.NONE;
-						} else {
-							isMatched = matchType == MatchType.SELF || matchType == MatchType.SELF_AND_ALL_DESCENDANTS;
-						}
+						isMatched = isMatch(matchType, request.getResourceMatchingScope());
 					}
 
-					if (!isMatched) {
+					if (!isMatched && !isConditionalMatch) {
 						continue;
 					}
 
+					if (!isConditionalMatch) {
+						isConditionalMatch = policyIdForTemporalTags.contains(evaluator.getPolicyId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
+					}
+
 					if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
-						updateFromPolicyACLs(evaluator, policyIdForTemporalTags, ret);
+						updateFromPolicyACLs(evaluator, isConditionalMatch, ret);
 					} else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
-						updateRowFiltersFromPolicy(evaluator, policyIdForTemporalTags, ret);
+						updateRowFiltersFromPolicy(evaluator, isConditionalMatch, ret);
 					} else if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
-						updateDataMasksFromPolicy(evaluator, policyIdForTemporalTags, ret);
+						updateDataMasksFromPolicy(evaluator, isConditionalMatch, ret);
 					}
 				}
 
@@ -1172,15 +1177,13 @@ private boolean getIsFallbackSupported() {
 		return policyEngine.getPluginContext().getConfig().getIsFallbackSupported();
 	}
 
-	private void updateFromPolicyACLs(RangerPolicyEvaluator evaluator, Set<Long> policyIdForTemporalTags, RangerResourceACLs resourceACLs) {
+	private void updateFromPolicyACLs(RangerPolicyEvaluator evaluator, boolean isConditional, RangerResourceACLs resourceACLs) {
 		PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary();
 
 		if (aclSummary == null) {
 			return;
 		}
 
-		boolean isConditional = policyIdForTemporalTags.contains(evaluator.getPolicyId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
-
 		for (Map.Entry<String, Map<String, PolicyACLSummary.AccessResult>> userAccessInfo : aclSummary.getUsersAccessInfo().entrySet()) {
 			final String userName = userAccessInfo.getKey();
 
@@ -1248,12 +1251,10 @@ private void updateFromPolicyACLs(RangerPolicyEvaluator evaluator, Set<Long> pol
 		}
 	}
 
-	private void updateRowFiltersFromPolicy(RangerPolicyEvaluator evaluator, Set<Long> policyIdForTemporalTags, RangerResourceACLs resourceACLs) {
+	private void updateRowFiltersFromPolicy(RangerPolicyEvaluator evaluator, boolean isConditional, RangerResourceACLs resourceACLs) {
 		PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary();
 
 		if (aclSummary != null) {
-			boolean isConditional = policyIdForTemporalTags.contains(evaluator.getPolicyId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
-
 			for (RowFilterResult rowFilterResult : aclSummary.getRowFilters()) {
 				rowFilterResult = copyRowFilter(rowFilterResult);
 
@@ -1266,12 +1267,10 @@ private void updateRowFiltersFromPolicy(RangerPolicyEvaluator evaluator, Set<Lon
 		}
 	}
 
-	private void updateDataMasksFromPolicy(RangerPolicyEvaluator evaluator, Set<Long> policyIdForTemporalTags, RangerResourceACLs resourceACLs) {
+	private void updateDataMasksFromPolicy(RangerPolicyEvaluator evaluator, boolean isConditional, RangerResourceACLs resourceACLs) {
 		PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary();
 
 		if (aclSummary != null) {
-			boolean isConditional = policyIdForTemporalTags.contains(evaluator.getPolicyId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
-
 			for (DataMaskResult dataMaskResult : aclSummary.getDataMasks()) {
 				dataMaskResult = copyDataMask(dataMaskResult);
 
@@ -1312,6 +1311,18 @@ private Set<String> copyStrings(Set<String> values) {
 		return values != null ? new HashSet<>(values) : null;
 	}
 
+	private boolean isMatch(MatchType matchType, RangerAccessRequest.ResourceMatchingScope matchingScope) {
+		final boolean ret;
+
+		if (matchingScope == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+			ret = matchType != MatchType.NONE;
+		} else {
+			ret = matchType == MatchType.SELF || matchType == MatchType.SELF_AND_ALL_DESCENDANTS;
+		}
+
+		return ret;
+	}
+
 	private static class ServiceConfig {
 		private final Set<String> auditExcludedUsers;
 		private final Set<String> auditExcludedGroups;