diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCustomConditionEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCustomConditionEvaluator.java index 6f15eed8e3..271edf97f7 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCustomConditionEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCustomConditionEvaluator.java @@ -20,161 +20,129 @@ package org.apache.ranger.plugin.policyevaluator; import org.apache.commons.collections.CollectionUtils; -import org.apache.commons.lang.StringUtils; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator; import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.util.RangerPerfTracer; +import org.apache.ranger.plugin.util.ServiceDefUtil; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.util.ArrayList; +import java.util.Collections; import java.util.List; - +// +// this class should have been named RangerConditionEvaluatorFactory +// public class RangerCustomConditionEvaluator { - - private static final Logger LOG = LoggerFactory.getLogger(RangerCustomConditionEvaluator.class); - private static final Logger PERF_POLICY_INIT_LOG = RangerPerfTracer.getPerfLogger("policy.init"); - private static final Logger PERF_POLICYITEM_INIT_LOG = RangerPerfTracer.getPerfLogger("policyitem.init"); + private static final Logger LOG = LoggerFactory.getLogger(RangerCustomConditionEvaluator.class); + private static final Logger PERF_POLICY_INIT_LOG = RangerPerfTracer.getPerfLogger("policy.init"); + private static final Logger PERF_POLICYITEM_INIT_LOG = RangerPerfTracer.getPerfLogger("policyitem.init"); private static final Logger PERF_POLICYCONDITION_INIT_LOG = RangerPerfTracer.getPerfLogger("policycondition.init"); - public List getRangerPolicyConditionEvaluator(RangerPolicy policy, - RangerServiceDef serviceDef, - RangerPolicyEngineOptions options) { - List conditionEvaluators = new ArrayList<>(); - - if (!getConditionsDisabledOption(options) && CollectionUtils.isNotEmpty(policy.getConditions())) { - - RangerPerfTracer perf = null; - - long policyId = policy.getId(); - - if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerCustomConditionEvaluator.init(policyId=" + policyId + ")"); - } - - for (RangerPolicy.RangerPolicyItemCondition condition : policy.getConditions()) { - RangerServiceDef.RangerPolicyConditionDef conditionDef = getConditionDef(condition.getType(),serviceDef); - - if (conditionDef == null) { - LOG.error("RangerCustomConditionEvaluator.getRangerPolicyConditionEvaluator(policyId=" + policyId + "): conditionDef '" + condition.getType() + "' not found. Ignoring the condition"); - - continue; - } - - RangerConditionEvaluator conditionEvaluator = newConditionEvaluator(conditionDef.getEvaluator()); - if (conditionEvaluator != null) { - conditionEvaluator.setServiceDef(serviceDef); - conditionEvaluator.setConditionDef(conditionDef); - conditionEvaluator.setPolicyItemCondition(condition); + public static RangerCustomConditionEvaluator getInstance() { + return RangerCustomConditionEvaluator.SingletonHolder.s_instance; + } - RangerPerfTracer perfConditionInit = null; + private RangerCustomConditionEvaluator() { + } - if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYCONDITION_INIT_LOG)) { - perfConditionInit = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_INIT_LOG, "RangerConditionEvaluator.init(policyId=" + policyId + "policyConditionType=" + condition.getType() + ")"); - } + public List getPolicyConditionEvaluators(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) { + RangerPerfTracer perf = null; + String parentId = "policyId=" + policy.getId() ; - conditionEvaluator.init(); + if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerPolicyEvaluator.getPolicyConditionEvaluators(" + parentId + ")"); + } - RangerPerfTracer.log(perfConditionInit); + List ret = getConditionEvaluators(parentId, policy.getConditions(), serviceDef, options); - conditionEvaluators.add(conditionEvaluator); - } else { - LOG.error("RangerCustomConditionEvaluator.getRangerPolicyConditionEvaluator(policyId=" + policyId + "): failed to init Policy ConditionEvaluator '" + condition.getType() + "'; evaluatorClassName='" + conditionDef.getEvaluator() + "'"); - } - } + RangerPerfTracer.log(perf); - RangerPerfTracer.log(perf); - } - return conditionEvaluators; + return ret; } + public List getPolicyItemConditionEvaluators(RangerPolicy policy, RangerPolicyItem policyItem, RangerServiceDef serviceDef, RangerPolicyEngineOptions options, int policyItemIndex) { + RangerPerfTracer perf = null; + String parentId = "policyId=" + policy.getId() + ", policyItemIndex=" + policyItemIndex; - public List getPolicyItemConditionEvaluator(RangerPolicy policy, - RangerPolicyItem policyItem, - RangerServiceDef serviceDef, - RangerPolicyEngineOptions options, - int policyItemIndex) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYITEM_INIT_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_POLICYITEM_INIT_LOG, "RangerPolicyItemEvaluator.getPolicyItemConditionEvaluators(" + parentId + ")"); + } - List conditionEvaluators = new ArrayList<>(); + List ret = getConditionEvaluators(parentId, policyItem.getConditions(), serviceDef, options); - if (!getConditionsDisabledOption(options) && CollectionUtils.isNotEmpty(policyItem.getConditions())) { + RangerPerfTracer.log(perf); - RangerPerfTracer perf = null; + return ret; + } - Long policyId = policy.getId(); + public List getConditionEvaluators(String parentId, List conditions, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) { + final List ret; - if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYITEM_INIT_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_POLICYITEM_INIT_LOG, "RangerPolicyItemEvaluator.getRangerPolicyConditionEvaluator(policyId=" + policyId + ",policyItemIndex=" + policyItemIndex + ")"); - } + if (!getConditionsDisabledOption(options) && CollectionUtils.isNotEmpty(conditions)) { + ret = new ArrayList<>(conditions.size()); - for (RangerPolicyItemCondition condition : policyItem.getConditions()) { - RangerServiceDef.RangerPolicyConditionDef conditionDef = getConditionDef(condition.getType(), serviceDef); + for (RangerPolicyItemCondition condition : conditions) { + RangerPolicyConditionDef conditionDef = ServiceDefUtil.getConditionDef(serviceDef, condition.getType()); if (conditionDef == null) { - LOG.error("RangerCustomConditionEvaluator.getPolicyItemConditionEvaluator(policyId=" + policyId + "): conditionDef '" + condition.getType() + "' not found. Ignoring the condition"); + LOG.error("RangerCustomConditionEvaluator.getConditionEvaluators(" + parentId + "): conditionDef '" + condition.getType() + "' not found. Ignoring the condition"); continue; } - RangerConditionEvaluator conditionEvaluator = newConditionEvaluator(conditionDef.getEvaluator()); + RangerConditionEvaluator conditionEvaluator = getConditionEvaluator(parentId, condition, conditionDef, serviceDef, options); if (conditionEvaluator != null) { - conditionEvaluator.setServiceDef(serviceDef); - conditionEvaluator.setConditionDef(conditionDef); - conditionEvaluator.setPolicyItemCondition(condition); - - RangerPerfTracer perfConditionInit = null; - - if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYCONDITION_INIT_LOG)) { - perfConditionInit = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_INIT_LOG, "RangerConditionEvaluator.init(policyId=" + policyId + ",policyItemIndex=" + policyItemIndex + ",policyConditionType=" + condition.getType() + ")"); - } - - conditionEvaluator.init(); - - RangerPerfTracer.log(perfConditionInit); - - conditionEvaluators.add(conditionEvaluator); - } else { - LOG.error("RangerCustomConditionEvaluator.getPolicyItemConditionEvaluator(policyId=" + policyId + "): failed to init PolicyItem ConditionEvaluator '" + condition.getType() + "'; evaluatorClassName='" + conditionDef.getEvaluator() + "'"); + ret.add(conditionEvaluator); } } - RangerPerfTracer.log(perf); + } else { + ret = Collections.emptyList(); } - return conditionEvaluators; + + return ret; } - private RangerServiceDef.RangerPolicyConditionDef getConditionDef(String conditionName, RangerServiceDef serviceDef) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerCustomConditionEvaluator.getConditionDef(" + conditionName + ")"); - } + public RangerConditionEvaluator getConditionEvaluator(String parentId, RangerPolicyItemCondition condition, RangerPolicyConditionDef conditionDef, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) { + final RangerConditionEvaluator ret; + + if (condition != null && conditionDef != null && !getConditionsDisabledOption(options)) { + ret = newConditionEvaluator(conditionDef.getEvaluator()); - RangerServiceDef.RangerPolicyConditionDef ret = null; + if (ret != null) { + ret.setServiceDef(serviceDef); + ret.setConditionDef(conditionDef); + ret.setPolicyItemCondition(condition); - if (serviceDef != null && CollectionUtils.isNotEmpty(serviceDef.getPolicyConditions())) { - for(RangerServiceDef.RangerPolicyConditionDef conditionDef : serviceDef.getPolicyConditions()) { - if(StringUtils.equals(conditionName, conditionDef.getName())) { - ret = conditionDef; - break; + RangerPerfTracer perf = null; + + if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYCONDITION_INIT_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_INIT_LOG, "RangerConditionEvaluator.init(" + parentId + ", policyConditionType=" + condition.getType() + ")"); } - } - } - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerCustomConditionEvaluator.getConditionDef(" + conditionName + "): " + ret); + ret.init(); + + RangerPerfTracer.log(perf); + } else { + LOG.error("RangerCustomConditionEvaluator.getConditionEvaluator(" + parentId + "): failed to init ConditionEvaluator '" + condition.getType() + "'; evaluatorClassName='" + conditionDef.getEvaluator() + "'"); + } + } else { + ret = null; } return ret; } - private RangerConditionEvaluator newConditionEvaluator(String className) { - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerCustomConditionEvaluator.newConditionEvaluator(" + className + ")"); } @@ -182,14 +150,14 @@ private RangerConditionEvaluator newConditionEvaluator(String className) { try { @SuppressWarnings("unchecked") - Class matcherClass = (Class)Class.forName(className); + Class evaluatorClass = (Class)Class.forName(className); - evaluator = matcherClass.newInstance(); - } catch(Throwable t) { + evaluator = evaluatorClass.newInstance(); + } catch (Throwable t) { LOG.error("RangerCustomConditionEvaluator.newConditionEvaluator(" + className + "): error instantiating evaluator", t); } - if(LOG.isDebugEnabled()) { + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerCustomConditionEvaluator.newConditionEvaluator(" + className + "): " + evaluator); } @@ -199,4 +167,8 @@ private RangerConditionEvaluator newConditionEvaluator(String className) { private boolean getConditionsDisabledOption(RangerPolicyEngineOptions options) { return options != null && options.disableCustomConditions; } + + private static class SingletonHolder { + private static final RangerCustomConditionEvaluator s_instance = new RangerCustomConditionEvaluator(); + } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 8e908f6a91..bc627adf53 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -162,7 +162,7 @@ public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyE dataMaskEvaluators = createDataMaskPolicyItemEvaluators(policy, serviceDef, options, policy.getDataMaskPolicyItems()); rowFilterEvaluators = createRowFilterPolicyItemEvaluators(policy, serviceDef, options, policy.getRowFilterPolicyItems()); - conditionEvaluators = createRangerPolicyConditionEvaluator(policy, serviceDef, options); + conditionEvaluators = createPolicyConditionEvaluators(policy, serviceDef, options); } else { validityScheduleEvaluators = Collections.emptyList(); allowEvaluators = Collections.emptyList(); @@ -1542,20 +1542,12 @@ private boolean matchPolicyCustomConditions(RangerAccessRequest request) { return ret; } - private List createRangerPolicyConditionEvaluator(RangerPolicy policy, - RangerServiceDef serviceDef, - RangerPolicyEngineOptions options) { - List rangerConditionEvaluators = null; + private List createPolicyConditionEvaluators(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) { + List ret = RangerCustomConditionEvaluator.getInstance().getPolicyConditionEvaluators(policy, serviceDef, options); - RangerCustomConditionEvaluator rangerConditionEvaluator = new RangerCustomConditionEvaluator(); + customConditionsCount += ret.size(); - rangerConditionEvaluators = rangerConditionEvaluator.getRangerPolicyConditionEvaluator(policy,serviceDef,options); - - if (rangerConditionEvaluators != null) { - customConditionsCount += rangerConditionEvaluators.size(); - } - - return rangerConditionEvaluators; + return ret; } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java index 2528aeafae..9ed0249efe 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java @@ -30,7 +30,6 @@ import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; -import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerAccessResult; @@ -61,9 +60,7 @@ public void init() { LOG.debug("==> RangerDefaultPolicyItemEvaluator(policyId=" + policyId + ", policyItem=" + policyItem + ", serviceType=" + getServiceType() + ", conditionsDisabled=" + getConditionsDisabledOption() + ")"); } - RangerCustomConditionEvaluator rangerCustomConditionEvaluator = new RangerCustomConditionEvaluator(); - - conditionEvaluators = rangerCustomConditionEvaluator.getPolicyItemConditionEvaluator(policy, policyItem, serviceDef, options, policyItemIndex); + conditionEvaluators = RangerCustomConditionEvaluator.getInstance().getPolicyItemConditionEvaluators(policy, policyItem, serviceDef, options, policyItemIndex); List users = policyItem.getUsers(); this.hasCurrentUser = CollectionUtils.isNotEmpty(users) && users.contains(RangerPolicyEngine.USER_CURRENT); @@ -291,51 +288,4 @@ public boolean matchCustomConditions(RangerAccessRequest request) { public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) { policyEvaluator.updateAccessResult(result, matchType, getPolicyItemType() != RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY, getComments()); } - - RangerPolicyConditionDef getConditionDef(String conditionName) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyItemEvaluator.getConditionDef(" + conditionName + ")"); - } - - RangerPolicyConditionDef ret = null; - - if (serviceDef != null && CollectionUtils.isNotEmpty(serviceDef.getPolicyConditions())) { - for (RangerPolicyConditionDef conditionDef : serviceDef.getPolicyConditions()) { - if (StringUtils.equals(conditionName, conditionDef.getName())) { - ret = conditionDef; - - break; - } - } - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyItemEvaluator.getConditionDef(" + conditionName + "): " + ret); - } - - return ret; - } - - RangerConditionEvaluator newConditionEvaluator(String className) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyItemEvaluator.newConditionEvaluator(" + className + ")"); - } - - RangerConditionEvaluator evaluator = null; - - try { - @SuppressWarnings("unchecked") - Class matcherClass = (Class)Class.forName(className); - - evaluator = matcherClass.newInstance(); - } catch(Throwable t) { - LOG.error("RangerDefaultPolicyItemEvaluator.newConditionEvaluator(" + className + "): error instantiating evaluator", t); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyItemEvaluator.newConditionEvaluator(" + className + "): " + evaluator); - } - - return evaluator; - } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java index 53eb0f81ed..d78674d518 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java @@ -23,6 +23,7 @@ import org.apache.commons.collections.MapUtils; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.conf.Configuration; +import org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator; import org.apache.ranger.plugin.contextenricher.RangerUserStoreEnricher; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; @@ -34,6 +35,7 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem; import org.apache.ranger.plugin.model.RangerPolicyDelta; import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerContextEnricherDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerDataMaskTypeDef; @@ -57,6 +59,11 @@ public class ServiceDefUtil { private static final Logger LOG = LoggerFactory.getLogger(ServiceDefUtil.class); + public static final String IMPLICIT_CONDITION_EXPRESSION_EVALUATOR = RangerScriptConditionEvaluator.class.getCanonicalName(); + public static final String IMPLICIT_CONDITION_EXPRESSION_NAME = "_expression"; + public static final String IMPLICIT_CONDITION_EXPRESSION_LABEL = "Enter boolean expression"; + public static final String IMPLICIT_CONDITION_EXPRESSION_DESC = "Boolean expression"; + private static final String USER_STORE_ENRICHER = RangerUserStoreEnricher.class.getCanonicalName(); public static boolean getOption_enableDenyAndExceptionsInPolicies(RangerServiceDef serviceDef, RangerPluginContext pluginContext) { @@ -99,6 +106,22 @@ public static RangerServiceDef normalize(RangerServiceDef serviceDef) { return serviceDef; } + public static RangerPolicyConditionDef getConditionDef(RangerServiceDef serviceDef, String conditionName) { + RangerPolicyConditionDef ret = null; + + if (serviceDef != null && serviceDef.getPolicyConditions() != null) { + for (RangerPolicyConditionDef conditionDef : serviceDef.getPolicyConditions()) { + if (StringUtils.equals(conditionDef.getName(), conditionName)) { + ret = conditionDef; + + break; + } + } + } + + return ret; + } + public static RangerResourceDef getResourceDef(RangerServiceDef serviceDef, String resource) { RangerResourceDef ret = null; @@ -589,6 +612,31 @@ public static boolean addUserStoreEnricherIfNeeded(ServicePolicies policies, Str return ret; } + public static RangerPolicyConditionDef createImplicitExpressionConditionDef(Long itemId) { + RangerPolicyConditionDef ret = new RangerPolicyConditionDef(itemId, IMPLICIT_CONDITION_EXPRESSION_NAME, IMPLICIT_CONDITION_EXPRESSION_EVALUATOR, new HashMap<>()); + + ret.getEvaluatorOptions().put("ui.isMultiline", "true"); + ret.setLabel(IMPLICIT_CONDITION_EXPRESSION_LABEL); + ret.setDescription(IMPLICIT_CONDITION_EXPRESSION_DESC); + ret.setUiHint("{ \"isMultiline\":true }"); + + return ret; + } + + public static long getConditionsMaxItemId(List conditions) { + long ret = 0; + + if (conditions != null) { + for (RangerPolicyConditionDef condition : conditions) { + if (condition != null && condition.getItemId() != null && ret < condition.getItemId()) { + ret = condition.getItemId(); + } + } + } + + return ret; + } + private static boolean anyPolicyHasUserGroupAttributeExpression(List policies) { boolean ret = false; diff --git a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java index 83f662518e..dead32e87a 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java @@ -53,8 +53,8 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo; import org.apache.ranger.plugin.model.RangerRole; +import org.apache.ranger.plugin.util.ServiceDefUtil; import org.apache.ranger.service.RangerAuditFields; -import org.apache.ranger.service.RangerServiceDefService; import org.apache.ranger.service.XGroupService; import org.apache.ranger.view.VXGroup; import org.apache.ranger.view.VXResponse; @@ -253,7 +253,7 @@ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy XXPolicyConditionDef xPolCondDef = daoMgr.getXXPolicyConditionDef().findByServiceDefIdAndName(xServiceDef.getId(), condition); if (xPolCondDef == null) { - if (StringUtils.equalsIgnoreCase(condition, RangerServiceDefService.IMPLICIT_CONDITION_EXPRESSION_NAME)) { + if (StringUtils.equalsIgnoreCase(condition, ServiceDefUtil.IMPLICIT_CONDITION_EXPRESSION_NAME)) { continue; } diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java index dcbfbfdc2c..e820c8b617 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java @@ -37,7 +37,6 @@ import org.apache.ranger.common.SearchField.DATA_TYPE; import org.apache.ranger.common.SearchField.SEARCH_TYPE; import org.apache.ranger.entity.*; -import org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerContextEnricherDef; @@ -56,6 +55,8 @@ import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import static org.apache.ranger.plugin.util.ServiceDefUtil.IMPLICIT_CONDITION_EXPRESSION_EVALUATOR; + public abstract class RangerServiceDefServiceBase extends RangerBaseModelService { private static final Logger LOG = LoggerFactory.getLogger(RangerServiceDefServiceBase.class); @@ -63,10 +64,6 @@ public abstract class RangerServiceDefServiceBase rangerAuditFields; @@ -724,7 +721,6 @@ boolean addImplicitConditionExpressionIfNeeded(RangerServiceDef serviceDef) { if (implicitConditionEnabled) { boolean exists = false; - Long maxItemId = 0L; List conditionDefs = serviceDef.getPolicyConditions(); if (conditionDefs == null) { @@ -737,26 +733,12 @@ boolean addImplicitConditionExpressionIfNeeded(RangerServiceDef serviceDef) { break; } - - if (conditionDef.getItemId() != null && maxItemId < conditionDef.getItemId()) { - maxItemId = conditionDef.getItemId(); - } } if (!exists) { - RangerPolicyConditionDef conditionDef = new RangerPolicyConditionDef(); - Map options = new HashMap<>(); - - options.put("ui.isMultiline", "true"); - - conditionDef.setItemId(maxItemId + 1); - conditionDef.setName(IMPLICIT_CONDITION_EXPRESSION_NAME); - conditionDef.setLabel(IMPLICIT_CONDITION_EXPRESSION_LABEL); - conditionDef.setDescription(IMPLICIT_CONDITION_EXPRESSION_DESC); - conditionDef.setEvaluator(IMPLICIT_CONDITION_EXPRESSION_EVALUATOR); - conditionDef.setEvaluatorOptions(options); - conditionDef.setUiHint("{ \"isMultiline\":true }"); - conditionDefs.add(conditionDef); + long maxItemId = ServiceDefUtil.getConditionsMaxItemId(conditionDefs); + + conditionDefs.add(ServiceDefUtil.createImplicitExpressionConditionDef(maxItemId + 1)); serviceDef.setPolicyConditions(conditionDefs); diff --git a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefService.java b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefService.java index 31f6982925..7894288549 100644 --- a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefService.java +++ b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefService.java @@ -38,6 +38,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef; +import org.apache.ranger.plugin.util.ServiceDefUtil; import org.apache.ranger.security.context.RangerContextHolder; import org.apache.ranger.security.context.RangerSecurityContext; import org.junit.Assert; @@ -768,7 +769,7 @@ public void testImplicitConditionExpression() { boolean exists = false; for (RangerPolicyConditionDef conditionDef : serviceDef.getPolicyConditions()) { - if (StringUtils.equals(conditionDef.getEvaluator(), RangerServiceDefService.IMPLICIT_CONDITION_EXPRESSION_EVALUATOR)) { + if (StringUtils.equals(conditionDef.getEvaluator(), ServiceDefUtil.IMPLICIT_CONDITION_EXPRESSION_EVALUATOR)) { exists = true; break;