

RANGER-4911: support validity-schedule in datasets/projects to enable automatic expiry
mneethiraj committed Aug 21, 2024
1 parent cf2c4a5 commit 2e34537
Showing 8 changed files with 224 additions and 92 deletions.
Expand Up @@ -89,9 +89,10 @@ public StringBuilder toString(StringBuilder sb) {
public static class RangerDataset extends RangerGdsBaseModelObject implements java.io.Serializable {
private static final long serialVersionUID = 1L;

private String name;
private RangerGdsObjectACL acl;
private String termsOfUse;
private String name;
private RangerGdsObjectACL acl;
private RangerValiditySchedule validitySchedule;
private String termsOfUse;

public RangerDataset() { }

Expand All @@ -103,6 +104,10 @@ public RangerDataset() { }

public void setAcl(RangerGdsObjectACL acl) { this.acl = acl; }

public RangerValiditySchedule getValiditySchedule() { return validitySchedule; }

public void setValiditySchedule(RangerValiditySchedule validitySchedule) { this.validitySchedule = validitySchedule; }

public String getTermsOfUse() { return termsOfUse; }

public void setTermsOfUse(String termsOfUse) { this.termsOfUse = termsOfUse; }
Expand All @@ -115,6 +120,7 @@ public StringBuilder toString(StringBuilder sb) {

sb.append("name={").append(name).append("} ")
.append("acl={").append(acl).append("} ")
.append("validitySchedule={").append(validitySchedule).append("} ")
.append("termsOfUse={").append(termsOfUse).append("} ")
.append("}");

Expand All @@ -130,9 +136,10 @@ public StringBuilder toString(StringBuilder sb) {
public static class RangerProject extends RangerGdsBaseModelObject implements java.io.Serializable {
private static final long serialVersionUID = 1L;

private String name;
private RangerGdsObjectACL acl;
private String termsOfUse;
private String name;
private RangerGdsObjectACL acl;
private RangerValiditySchedule validitySchedule;
private String termsOfUse;

public RangerProject() { }

Expand All @@ -144,6 +151,10 @@ public RangerProject() { }

public void setAcl(RangerGdsObjectACL acl) { this.acl = acl; }

public RangerValiditySchedule getValiditySchedule() { return validitySchedule; }

public void setValiditySchedule(RangerValiditySchedule validitySchedule) { this.validitySchedule = validitySchedule; }

public String getTermsOfUse() { return termsOfUse; }

public void setTermsOfUse(String termsOfUse) { this.termsOfUse = termsOfUse; }
Expand All @@ -156,6 +167,7 @@ public StringBuilder toString(StringBuilder sb) {

sb.append("name={").append(name).append("} ")
.append("acl={").append(acl).append("} ")
.append("validitySchedule={").append(validitySchedule).append("} ")
.append("termsOfUse={").append(termsOfUse).append("} ")
.append("}");

Expand Down
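Review bot: The new `validitySchedule` field on `RangerDataset` and `RangerProject` carries no documentation of its contract, and the evaluator side of this commit treats a missing schedule as "always active" (the evaluator's `isActive()` returns true when no schedule was supplied), which a reader of the model alone cannot tell. A field comment such as `// optional; when null the dataset never expires and is always active (see GdsDatasetEvaluator.isActive())` on both classes would make the no-schedule semantics explicit to API users and reviewers. Both classes continue past the end of the visible hunks.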
Expand Up @@ -25,6 +25,7 @@
import org.apache.ranger.plugin.policyengine.*;
import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerValidityScheduleEvaluator;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.util.ServiceGdsInfo.DatasetInfo;
import org.slf4j.Logger;
Expand All @@ -38,19 +39,26 @@ public class GdsDatasetEvaluator {
public static final GdsDatasetEvalOrderComparator EVAL_ORDER_COMPARATOR = new GdsDatasetEvalOrderComparator();


private final DatasetInfo dataset;
private final RangerServiceDef gdsServiceDef;
private final String name;
private final List<GdsDipEvaluator> dipEvaluators = new ArrayList<>();
private final List<RangerPolicyEvaluator> policyEvaluators;
private final DatasetInfo dataset;
private final RangerServiceDef gdsServiceDef;
private final String name;
private final RangerValidityScheduleEvaluator scheduleEvaluator;
private final List<GdsDipEvaluator> dipEvaluators = new ArrayList<>();
private final List<RangerPolicyEvaluator> policyEvaluators;


public GdsDatasetEvaluator(DatasetInfo dataset, RangerServiceDef gdsServiceDef, RangerPolicyEngineOptions options) {
LOG.debug("==> GdsDatasetEvaluator()");

this.dataset = dataset;
this.gdsServiceDef = gdsServiceDef;
this.name = StringUtils.isBlank(dataset.getName()) ? StringUtils.EMPTY : dataset.getName();
this.dataset = dataset;
this.gdsServiceDef = gdsServiceDef;
this.name = StringUtils.isBlank(dataset.getName()) ? StringUtils.EMPTY : dataset.getName();

if (dataset.getValiditySchedule() != null) {
scheduleEvaluator = new RangerValidityScheduleEvaluator(dataset.getValiditySchedule());
} else {
scheduleEvaluator = null;
}

if (dataset.getPolicies() != null) {
policyEvaluators = new ArrayList<>(dataset.getPolicies().size());
Expand Down Expand Up @@ -94,33 +102,35 @@ public boolean isInProject(long projectId) {
public void evaluate(RangerAccessRequest request, GdsAccessResult result, Set<Long> projectIds) {
LOG.debug("==> GdsDatasetEvaluator.evaluate({}, {})", request, result);

result.addDataset(getName());
if (isActive()) {
result.addDataset(getName());

if (!policyEvaluators.isEmpty()) {
GdsDatasetAccessRequest datasetRequest = new GdsDatasetAccessRequest(getId(), gdsServiceDef, request);
RangerAccessResult datasetResult = datasetRequest.createAccessResult();
if (!policyEvaluators.isEmpty()) {
GdsDatasetAccessRequest datasetRequest = new GdsDatasetAccessRequest(getId(), gdsServiceDef, request);
RangerAccessResult datasetResult = datasetRequest.createAccessResult();

for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
policyEvaluator.evaluate(datasetRequest, datasetResult);
}
for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
policyEvaluator.evaluate(datasetRequest, datasetResult);
}

if (!result.getIsAllowed()) {
if (datasetResult.getIsAllowed()) {
result.setIsAllowed(true);
result.setPolicyId(datasetResult.getPolicyId());
result.setPolicyVersion(datasetResult.getPolicyVersion());
if (!result.getIsAllowed()) {
if (datasetResult.getIsAllowed()) {
result.setIsAllowed(true);
result.setPolicyId(datasetResult.getPolicyId());
result.setPolicyVersion(datasetResult.getPolicyVersion());
}
}
}

if (!result.getIsAudited()) {
result.setIsAudited(datasetResult.getIsAudited());
if (!result.getIsAudited()) {
result.setIsAudited(datasetResult.getIsAudited());
}
}
}

for (GdsDipEvaluator dipEvaluator : dipEvaluators) {
if (!projectIds.contains(dipEvaluator.getProjectId())) {
if (dipEvaluator.isAllowed(request)) {
projectIds.add(dipEvaluator.getProjectId());
for (GdsDipEvaluator dipEvaluator : dipEvaluators) {
if (!projectIds.contains(dipEvaluator.getProjectId())) {
if (dipEvaluator.isAllowed(request)) {
projectIds.add(dipEvaluator.getProjectId());
}
}
}
}
Expand All @@ -129,18 +139,20 @@ public void evaluate(RangerAccessRequest request, GdsAccessResult result, Set<Lo
}

public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, Set<String> allowedAccessTypes) {
acls.getDatasets().add(getName());
if (isActive()) {
acls.getDatasets().add(getName());

if (!policyEvaluators.isEmpty()) {
GdsDatasetAccessRequest datasetRequest = new GdsDatasetAccessRequest(getId(), gdsServiceDef, request);
if (!policyEvaluators.isEmpty()) {
GdsDatasetAccessRequest datasetRequest = new GdsDatasetAccessRequest(getId(), gdsServiceDef, request);

for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
policyEvaluator.getResourceACLs(datasetRequest, acls, isConditional, allowedAccessTypes, RangerPolicyResourceMatcher.MatchType.SELF, null);
for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
policyEvaluator.getResourceACLs(datasetRequest, acls, isConditional, allowedAccessTypes, RangerPolicyResourceMatcher.MatchType.SELF, null);
}
}
}

for (GdsDipEvaluator dipEvaluator : dipEvaluators) {
dipEvaluator.getResourceACLs(request, acls, isConditional, allowedAccessTypes);
for (GdsDipEvaluator dipEvaluator : dipEvaluators) {
dipEvaluator.getResourceACLs(request, acls, isConditional, allowedAccessTypes);
}
}
}

Expand All @@ -162,6 +174,10 @@ void addDipEvaluator(GdsDipEvaluator dipEvaluator) {
dipEvaluators.add(dipEvaluator);
}

private boolean isActive() {
return scheduleEvaluator == null || scheduleEvaluator.isApplicable(System.currentTimeMillis());
}

private static class GdsDatasetAccessRequest extends RangerAccessRequestImpl {
public GdsDatasetAccessRequest(Long datasetId, RangerServiceDef gdsServiceDef, RangerAccessRequest request) {
super.setResource(new RangerDatasetResource(datasetId, gdsServiceDef, request.getResource().getOwnerUser()));
Expand Down
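Review bot: `isActive()`, added in the last hunk of this section, decides activity with `System.currentTimeMillis()`, so a dataset's expiry is judged against the wall clock rather than the time carried by the request under evaluation; if `RangerAccessRequest` exposes the access time the way the policy evaluators consume it, `evaluate()` should pass it through, e.g. `private boolean isActive(long accessTime) { return scheduleEvaluator == null || scheduleEvaluator.isApplicable(accessTime); }`, so time-stamped or replayed requests are judged consistently with policy validity schedules. Separately, when the dataset is inactive `evaluate()` adds nothing to the result and logs nothing, so a denial caused by expiry is indistinguishable in the debug trace from a policy miss; an `else { LOG.debug("dataset {} is not active; skipping", name); }` after the `if (isActive())` block would make the decision visible to operators. The same `isActive()` body is duplicated verbatim in GdsProjectEvaluator in this commit, where both points apply as well. `evaluate()` opens in the second hunk and closes in the third.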
Expand Up @@ -25,6 +25,7 @@
import org.apache.ranger.plugin.policyengine.*;
import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerValidityScheduleEvaluator;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.util.ServiceGdsInfo.ProjectInfo;
import org.slf4j.Logger;
Expand All @@ -41,17 +42,24 @@ public class GdsProjectEvaluator {

public static final GdsProjectEvalOrderComparator EVAL_ORDER_COMPARATOR = new GdsProjectEvalOrderComparator();

private final ProjectInfo project;
private final RangerServiceDef gdsServiceDef;
private final String name;
private final List<RangerPolicyEvaluator> policyEvaluators;
private final ProjectInfo project;
private final RangerServiceDef gdsServiceDef;
private final String name;
private final RangerValidityScheduleEvaluator scheduleEvaluator;
private final List<RangerPolicyEvaluator> policyEvaluators;

public GdsProjectEvaluator(ProjectInfo project, RangerServiceDef gdsServiceDef, RangerPolicyEngineOptions options) {
LOG.debug("==> GdsProjectEvaluator({})", project);

this.project = project;
this.gdsServiceDef = gdsServiceDef;
this.name = StringUtils.isBlank(project.getName()) ? StringUtils.EMPTY : project.getName();
this.project = project;
this.gdsServiceDef = gdsServiceDef;
this.name = StringUtils.isBlank(project.getName()) ? StringUtils.EMPTY : project.getName();

if (project.getValiditySchedule() != null) {
scheduleEvaluator = new RangerValidityScheduleEvaluator(project.getValiditySchedule());
} else {
scheduleEvaluator = null;
}

if (project.getPolicies() != null) {
policyEvaluators = new ArrayList<>(project.getPolicies().size());
Expand Down Expand Up @@ -81,40 +89,44 @@ public String getName() {
public void evaluate(RangerAccessRequest request, GdsAccessResult result) {
LOG.debug("==> GdsDatasetEvaluator.evaluate({}, {})", request, result);

result.addProject(getName());
if (isActive()) {
result.addProject(getName());

if (!policyEvaluators.isEmpty()) {
GdsProjectAccessRequest projectRequest = new GdsProjectAccessRequest(getId(), gdsServiceDef, request);
RangerAccessResult projectResult = projectRequest.createAccessResult();
if (!policyEvaluators.isEmpty()) {
GdsProjectAccessRequest projectRequest = new GdsProjectAccessRequest(getId(), gdsServiceDef, request);
RangerAccessResult projectResult = projectRequest.createAccessResult();

for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
policyEvaluator.evaluate(projectRequest, projectResult);
}
for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
policyEvaluator.evaluate(projectRequest, projectResult);
}

if (!result.getIsAllowed()) {
if (projectResult.getIsAllowed()) {
result.setIsAllowed(true);
result.setPolicyId(projectResult.getPolicyId());
result.setPolicyVersion(projectResult.getPolicyVersion());
if (!result.getIsAllowed()) {
if (projectResult.getIsAllowed()) {
result.setIsAllowed(true);
result.setPolicyId(projectResult.getPolicyId());
result.setPolicyVersion(projectResult.getPolicyVersion());
}
}
}

if (!result.getIsAudited()) {
result.setIsAudited(projectResult.getIsAudited());
if (!result.getIsAudited()) {
result.setIsAudited(projectResult.getIsAudited());
}
}
}

LOG.debug("<== GdsDatasetEvaluator.evaluate({}, {})", request, result);
}

public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, Set<String> allowedAccessTypes) {
acls.getProjects().add(getName());
if (isActive()) {
acls.getProjects().add(getName());

if (!policyEvaluators.isEmpty()) {
GdsProjectAccessRequest projectRequest = new GdsProjectAccessRequest(getId(), gdsServiceDef, request);
if (!policyEvaluators.isEmpty()) {
GdsProjectAccessRequest projectRequest = new GdsProjectAccessRequest(getId(), gdsServiceDef, request);

for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
policyEvaluator.getResourceACLs(projectRequest, acls, isConditional, allowedAccessTypes, RangerPolicyResourceMatcher.MatchType.SELF, null);
for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
policyEvaluator.getResourceACLs(projectRequest, acls, isConditional, allowedAccessTypes, RangerPolicyResourceMatcher.MatchType.SELF, null);
}
}
}
}
Expand All @@ -133,6 +145,10 @@ public boolean hasReference(Set<String> users, Set<String> groups, Set<String> r
return ret;
}

private boolean isActive() {
return scheduleEvaluator == null || scheduleEvaluator.isApplicable(System.currentTimeMillis());
}


private static class GdsProjectAccessRequest extends RangerAccessRequestImpl {
public GdsProjectAccessRequest(Long projectId, RangerServiceDef gdsServiceDef, RangerAccessRequest request) {
Expand Down
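Review bot: The entry and exit debug lines in `GdsProjectEvaluator.evaluate()` name the wrong class (`"==> GdsDatasetEvaluator.evaluate({}, {})"` and `"<== GdsDatasetEvaluator.evaluate({}, {})"`), so traces of project evaluation are attributed to dataset evaluation; now that both evaluators gate access on a validity schedule, that misattribution makes an expiry-related denial harder to trace. These are pre-existing context lines inside the reshaped hunk; change them to `LOG.debug("==> GdsProjectEvaluator.evaluate({}, {})", request, result);` and the matching `<==` line. The last hunk also leaves two consecutive blank lines after the new `isActive()`, where the surrounding members are separated by a single blank line.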
Expand Up @@ -537,9 +537,10 @@ public StringBuilder toString(StringBuilder sb) {
public static class DatasetInfo implements java.io.Serializable {
private static final long serialVersionUID = 1L;

private Long id;
private String name;
private List<RangerPolicy> policies;
private Long id;
private String name;
private RangerValiditySchedule validitySchedule;
private List<RangerPolicy> policies;

public DatasetInfo() {
}
Expand All @@ -560,6 +561,10 @@ public void setName(String name) {
this.name = name;
}

public RangerValiditySchedule getValiditySchedule() { return validitySchedule; }

public void setValiditySchedule(RangerValiditySchedule validitySchedule) { this.validitySchedule = validitySchedule; }

public List<RangerPolicy> getPolicies() {
return policies;
}
Expand All @@ -576,7 +581,8 @@ public String toString( ) {
public StringBuilder toString(StringBuilder sb) {
sb.append("DatasetInfo={")
.append("id=").append(id)
.append(", name=").append(name);
.append(", name=").append(name)
.append(", validitySchedule=").append(validitySchedule);

sb.append(", policies=[");
if (policies != null) {
Expand All @@ -598,9 +604,10 @@ public StringBuilder toString(StringBuilder sb) {
public static class ProjectInfo implements java.io.Serializable {
private static final long serialVersionUID = 1L;

private Long id;
private String name;
private List<RangerPolicy> policies;
private Long id;
private String name;
private RangerValiditySchedule validitySchedule;
private List<RangerPolicy> policies;

public ProjectInfo() {
}
Expand All @@ -621,6 +628,10 @@ public void setName(String name) {
this.name = name;
}

public RangerValiditySchedule getValiditySchedule() { return validitySchedule; }

public void setValiditySchedule(RangerValiditySchedule validitySchedule) { this.validitySchedule = validitySchedule; }

public List<RangerPolicy> getPolicies() {
return policies;
}
Expand All @@ -637,7 +648,8 @@ public String toString( ) {
public StringBuilder toString(StringBuilder sb) {
sb.append("ProjectInfo={")
.append("id=").append(id)
.append(", name=").append(name);
.append(", name=").append(name)
.append(", validitySchedule=").append(validitySchedule);

sb.append(", policies=[");
if (policies != null) {
Expand Down
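Review bot: The new `getValiditySchedule()`/`setValiditySchedule()` pairs in `DatasetInfo` and `ProjectInfo` are written as one-liners while the neighbouring accessors in the same classes (`setName`, `getPolicies`) use the braced multi-line form, so each class now reads in two styles. Expanding them to the surrounding form, `public RangerValiditySchedule getValiditySchedule() {` / `    return validitySchedule;` / `}`, and likewise for the setter, keeps the file consistent. Both classes open at their hunk headers and continue past the end of the visible hunks.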

