Java tutorial
/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ package org.apache.ranger.rest; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.util.GrantRevokeRequest; import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; import java.util.TreeSet; public class ServiceRESTUtil { private static final Log LOG = LogFactory.getLog(ServiceRESTUtil.class); private enum POLICYITEM_TYPE { ALLOW, DENY, ALLOW_EXCEPTIONS, DENY_EXCEPTIONS } static public boolean processGrantRequest(RangerPolicy policy, GrantRevokeRequest grantRequest) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.processGrantRequest()"); } boolean policyUpdated = false; // replace all existing privileges for users and groups if (grantRequest.getReplaceExistingPermissions()) { policyUpdated = removeUsersAndGroupsFromPolicy(policy, grantRequest.getUsers(), grantRequest.getGroups()); } //Build a policy and set up policyItem in it to mimic grant request RangerPolicy appliedPolicy = new RangerPolicy(); RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem(); policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); policyItem.getUsers().addAll(grantRequest.getUsers()); policyItem.getGroups().addAll(grantRequest.getGroups()); List<RangerPolicy.RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicy.RangerPolicyItemAccess>(); Set<String> accessTypes = grantRequest.getAccessTypes(); for (String accessType : accessTypes) { accesses.add(new RangerPolicy.RangerPolicyItemAccess(accessType, true)); } policyItem.setAccesses(accesses); appliedPolicy.getPolicyItems().add(policyItem); processApplyPolicy(policy, appliedPolicy); policyUpdated = true; if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.processGrantRequest() : " + policyUpdated); } return policyUpdated; } static public boolean processRevokeRequest(RangerPolicy existingRangerPolicy, GrantRevokeRequest revokeRequest) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.processRevokeRequest()"); } boolean policyUpdated = false; // remove all existing privileges for users and groups if (revokeRequest.getReplaceExistingPermissions()) { policyUpdated = removeUsersAndGroupsFromPolicy(existingRangerPolicy, revokeRequest.getUsers(), revokeRequest.getGroups()); } else { //Build a policy and set up policyItem in it to mimic revoke request RangerPolicy appliedRangerPolicy = new RangerPolicy(); RangerPolicy.RangerPolicyItem appliedRangerPolicyItem = new RangerPolicy.RangerPolicyItem(); appliedRangerPolicyItem.setDelegateAdmin(revokeRequest.getDelegateAdmin()); appliedRangerPolicyItem.getUsers().addAll(revokeRequest.getUsers()); appliedRangerPolicyItem.getGroups().addAll(revokeRequest.getGroups()); List<RangerPolicy.RangerPolicyItemAccess> appliedRangerPolicyItemAccess = new ArrayList<RangerPolicy.RangerPolicyItemAccess>(); Set<String> appliedPolicyItemAccessType = revokeRequest.getAccessTypes(); for (String accessType : appliedPolicyItemAccessType) { appliedRangerPolicyItemAccess.add(new RangerPolicy.RangerPolicyItemAccess(accessType, false)); } appliedRangerPolicyItem.setAccesses(appliedRangerPolicyItemAccess); appliedRangerPolicy.getPolicyItems().add(appliedRangerPolicyItem); List<RangerPolicy.RangerPolicyItem> appliedRangerPolicyItems = appliedRangerPolicy.getPolicyItems(); //processApplyPolicyForItemType(existingRangerPolicy, appliedRangerPolicy, POLICYITEM_TYPE.ALLOW); if (CollectionUtils.isNotEmpty(appliedRangerPolicyItems)) { Set<String> users = new HashSet<String>(); Set<String> groups = new HashSet<String>(); Map<String, RangerPolicy.RangerPolicyItem[]> userPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem[]>(); Map<String, RangerPolicy.RangerPolicyItem[]> groupPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem[]>(); // Extract users and groups specified in appliedPolicy items extractUsersAndGroups(appliedRangerPolicyItems, users, groups); // Split existing policyItems for users and groups extracted from appliedPolicyItem into userPolicyItems and groupPolicyItems splitExistingPolicyItems(existingRangerPolicy, users, userPolicyItems, groups, groupPolicyItems); for (RangerPolicy.RangerPolicyItem tempPolicyItem : appliedRangerPolicyItems) { List<String> appliedPolicyItemsUser = tempPolicyItem.getUsers(); for (String user : appliedPolicyItemsUser) { RangerPolicy.RangerPolicyItem[] rangerPolicyItems = userPolicyItems.get(user); if (rangerPolicyItems != null && rangerPolicyItems.length > 0) { if (rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()] != null) { removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], tempPolicyItem.getAccesses()); if (!CollectionUtils.isEmpty( rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].getAccesses())) { rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()] .setDelegateAdmin(revokeRequest.getDelegateAdmin()); } else { rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()] .setDelegateAdmin(Boolean.FALSE); } } if (rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()] != null) { removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], tempPolicyItem.getAccesses()); rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()] .setDelegateAdmin(Boolean.FALSE); } } } } for (RangerPolicy.RangerPolicyItem tempPolicyItem : appliedRangerPolicyItems) { List<String> appliedPolicyItemsGroup = tempPolicyItem.getGroups(); for (String group : appliedPolicyItemsGroup) { RangerPolicy.RangerPolicyItem[] rangerPolicyItems = groupPolicyItems.get(group); if (rangerPolicyItems != null && rangerPolicyItems.length > 0) { if (rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()] != null) { removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], tempPolicyItem.getAccesses()); if (!CollectionUtils.isEmpty( rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].getAccesses())) { rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()] .setDelegateAdmin(revokeRequest.getDelegateAdmin()); } else { rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()] .setDelegateAdmin(Boolean.FALSE); } } if (rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()] != null) { removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], tempPolicyItem.getAccesses()); rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()] .setDelegateAdmin(Boolean.FALSE); } } } } // Add modified/new policyItems back to existing policy mergeProcessedPolicyItems(existingRangerPolicy, userPolicyItems, groupPolicyItems); compactPolicy(existingRangerPolicy); } policyUpdated = true; } if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.processRevokeRequest() : " + policyUpdated); } return policyUpdated; } static public void processApplyPolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.processApplyPolicy()"); } processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW); processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY); processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS); processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS); if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.processApplyPolicy()"); } } static private void processApplyPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.processApplyPolicyForItemType()"); } List<RangerPolicy.RangerPolicyItem> appliedPolicyItems = null; switch (policyItemType) { case ALLOW: appliedPolicyItems = appliedPolicy.getPolicyItems(); break; case DENY: appliedPolicyItems = appliedPolicy.getDenyPolicyItems(); break; case ALLOW_EXCEPTIONS: appliedPolicyItems = appliedPolicy.getAllowExceptions(); break; case DENY_EXCEPTIONS: appliedPolicyItems = appliedPolicy.getDenyExceptions(); break; default: LOG.warn("processApplyPolicyForItemType(): invalid policyItemType=" + policyItemType); } if (CollectionUtils.isNotEmpty(appliedPolicyItems)) { Set<String> users = new HashSet<String>(); Set<String> groups = new HashSet<String>(); Map<String, RangerPolicy.RangerPolicyItem[]> userPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem[]>(); Map<String, RangerPolicy.RangerPolicyItem[]> groupPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem[]>(); // Extract users and groups specified in appliedPolicy items extractUsersAndGroups(appliedPolicyItems, users, groups); // Split existing policyItems for users and groups extracted from appliedPolicyItem into userPolicyItems and groupPolicyItems splitExistingPolicyItems(existingPolicy, users, userPolicyItems, groups, groupPolicyItems); // Apply policyItems of given type in appliedPolicy to policyItems extracted from existingPolicy applyPolicyItems(appliedPolicyItems, policyItemType, userPolicyItems, groupPolicyItems); // Add modified/new policyItems back to existing policy mergeProcessedPolicyItems(existingPolicy, userPolicyItems, groupPolicyItems); compactPolicy(existingPolicy); } if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.processApplyPolicyForItemType()"); } } static private void extractUsersAndGroups(List<RangerPolicy.RangerPolicyItem> policyItems, Set<String> users, Set<String> groups) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.extractUsersAndGroups()"); } if (CollectionUtils.isNotEmpty(policyItems)) { for (RangerPolicy.RangerPolicyItem policyItem : policyItems) { if (CollectionUtils.isNotEmpty(policyItem.getUsers())) { users.addAll(policyItem.getUsers()); } if (CollectionUtils.isNotEmpty(policyItem.getGroups())) { groups.addAll(policyItem.getGroups()); } } } if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.extractUsersAndGroups()"); } } static private void splitExistingPolicyItems(RangerPolicy existingPolicy, Set<String> users, Map<String, RangerPolicy.RangerPolicyItem[]> userPolicyItems, Set<String> groups, Map<String, RangerPolicy.RangerPolicyItem[]> groupPolicyItems) { if (existingPolicy == null || users == null || userPolicyItems == null || groups == null || groupPolicyItems == null) { return; } if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.splitExistingPolicyItems()"); } List<RangerPolicy.RangerPolicyItem> allowItems = existingPolicy.getPolicyItems(); List<RangerPolicy.RangerPolicyItem> denyItems = existingPolicy.getDenyPolicyItems(); List<RangerPolicy.RangerPolicyItem> allowExceptionItems = existingPolicy.getAllowExceptions(); List<RangerPolicy.RangerPolicyItem> denyExceptionItems = existingPolicy.getDenyExceptions(); for (String user : users) { RangerPolicy.RangerPolicyItem value[] = userPolicyItems.get(user); if (value == null) { value = new RangerPolicy.RangerPolicyItem[4]; userPolicyItems.put(user, value); } RangerPolicy.RangerPolicyItem policyItem = null; policyItem = splitAndGetConsolidatedPolicyItemForUser(allowItems, user); value[POLICYITEM_TYPE.ALLOW.ordinal()] = policyItem; policyItem = splitAndGetConsolidatedPolicyItemForUser(denyItems, user); value[POLICYITEM_TYPE.DENY.ordinal()] = policyItem; policyItem = splitAndGetConsolidatedPolicyItemForUser(allowExceptionItems, user); value[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()] = policyItem; policyItem = splitAndGetConsolidatedPolicyItemForUser(denyExceptionItems, user); value[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()] = policyItem; } for (String group : groups) { RangerPolicy.RangerPolicyItem value[] = groupPolicyItems.get(group); if (value == null) { value = new RangerPolicy.RangerPolicyItem[4]; groupPolicyItems.put(group, value); } RangerPolicy.RangerPolicyItem policyItem = null; policyItem = splitAndGetConsolidatedPolicyItemForGroup(allowItems, group); value[POLICYITEM_TYPE.ALLOW.ordinal()] = policyItem; policyItem = splitAndGetConsolidatedPolicyItemForGroup(denyItems, group); value[POLICYITEM_TYPE.DENY.ordinal()] = policyItem; policyItem = splitAndGetConsolidatedPolicyItemForGroup(allowExceptionItems, group); value[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()] = policyItem; policyItem = splitAndGetConsolidatedPolicyItemForGroup(denyExceptionItems, group); value[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()] = policyItem; } if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.splitExistingPolicyItems()"); } } static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForUser( List<RangerPolicy.RangerPolicyItem> policyItems, String user) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForUser()"); } RangerPolicy.RangerPolicyItem ret = null; if (CollectionUtils.isNotEmpty(policyItems)) { for (RangerPolicy.RangerPolicyItem policyItem : policyItems) { List<String> users = policyItem.getUsers(); if (users.contains(user)) { if (ret == null) { ret = new RangerPolicy.RangerPolicyItem(); } ret.getUsers().add(user); if (policyItem.getDelegateAdmin()) { ret.setDelegateAdmin(Boolean.TRUE); } addAccesses(ret, policyItem.getAccesses()); // Remove this user from existingPolicyItem users.remove(user); } } } if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForUser()"); } return ret; } static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForGroup( List<RangerPolicy.RangerPolicyItem> policyItems, String group) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()"); } RangerPolicy.RangerPolicyItem ret = null; if (CollectionUtils.isNotEmpty(policyItems)) { for (RangerPolicy.RangerPolicyItem policyItem : policyItems) { List<String> groups = policyItem.getGroups(); if (groups.contains(group)) { if (ret == null) { ret = new RangerPolicy.RangerPolicyItem(); } ret.getGroups().add(group); if (policyItem.getDelegateAdmin()) { ret.setDelegateAdmin(Boolean.TRUE); } addAccesses(ret, policyItem.getAccesses()); // Remove this group from existingPolicyItem groups.remove(group); } } } if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()"); } return ret; } static private void applyPolicyItems(List<RangerPolicy.RangerPolicyItem> appliedPolicyItems, POLICYITEM_TYPE policyItemType, Map<String, RangerPolicy.RangerPolicyItem[]> existingUserPolicyItems, Map<String, RangerPolicy.RangerPolicyItem[]> existingGroupPolicyItems) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.applyPolicyItems()"); } for (RangerPolicy.RangerPolicyItem policyItem : appliedPolicyItems) { List<String> users = policyItem.getUsers(); for (String user : users) { RangerPolicy.RangerPolicyItem[] items = existingUserPolicyItems.get(user); if (items == null) { // Should not get here LOG.warn("Should not have come here.."); items = new RangerPolicy.RangerPolicyItem[4]; existingUserPolicyItems.put(user, items); } addPolicyItemForUser(items, policyItemType.ordinal(), user, policyItem); switch (policyItemType) { case ALLOW: removeAccesses(items[POLICYITEM_TYPE.DENY.ordinal()], policyItem.getAccesses()); removeAccesses(items[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()], policyItem.getAccesses()); addPolicyItemForUser(items, POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal(), user, policyItem); break; case DENY: removeAccesses(items[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses()); addPolicyItemForUser(items, POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal(), user, policyItem); removeAccesses(items[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], policyItem.getAccesses()); break; case ALLOW_EXCEPTIONS: removeAccesses(items[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses()); break; case DENY_EXCEPTIONS: break; default: LOG.warn("Should not have come here.."); break; } } } for (RangerPolicy.RangerPolicyItem policyItem : appliedPolicyItems) { List<String> groups = policyItem.getGroups(); for (String group : groups) { RangerPolicy.RangerPolicyItem[] items = existingGroupPolicyItems.get(group); if (items == null) { // Should not get here items = new RangerPolicy.RangerPolicyItem[4]; existingGroupPolicyItems.put(group, items); } addPolicyItemForGroup(items, policyItemType.ordinal(), group, policyItem); switch (policyItemType) { case ALLOW: removeAccesses(items[POLICYITEM_TYPE.DENY.ordinal()], policyItem.getAccesses()); removeAccesses(items[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()], policyItem.getAccesses()); addPolicyItemForGroup(items, POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal(), group, policyItem); break; case DENY: removeAccesses(items[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses()); addPolicyItemForGroup(items, POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal(), group, policyItem); removeAccesses(items[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], policyItem.getAccesses()); break; case ALLOW_EXCEPTIONS: removeAccesses(items[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses()); break; case DENY_EXCEPTIONS: break; default: break; } } } if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.applyPolicyItems()"); } } static private void mergeProcessedPolicyItems(RangerPolicy existingPolicy, Map<String, RangerPolicy.RangerPolicyItem[]> userPolicyItems, Map<String, RangerPolicy.RangerPolicyItem[]> groupPolicyItems) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.mergeProcessedPolicyItems()"); } for (Map.Entry<String, RangerPolicy.RangerPolicyItem[]> entry : userPolicyItems.entrySet()) { RangerPolicy.RangerPolicyItem[] items = entry.getValue(); RangerPolicy.RangerPolicyItem item = null; item = items[POLICYITEM_TYPE.ALLOW.ordinal()]; if (item != null) { existingPolicy.getPolicyItems().add(item); } item = items[POLICYITEM_TYPE.DENY.ordinal()]; if (item != null) { existingPolicy.getDenyPolicyItems().add(item); } item = items[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()]; if (item != null) { existingPolicy.getAllowExceptions().add(item); } item = items[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()]; if (item != null) { existingPolicy.getDenyExceptions().add(item); } } for (Map.Entry<String, RangerPolicy.RangerPolicyItem[]> entry : groupPolicyItems.entrySet()) { RangerPolicy.RangerPolicyItem[] items = entry.getValue(); RangerPolicy.RangerPolicyItem item = null; item = items[POLICYITEM_TYPE.ALLOW.ordinal()]; if (item != null) { existingPolicy.getPolicyItems().add(item); } item = items[POLICYITEM_TYPE.DENY.ordinal()]; if (item != null) { existingPolicy.getDenyPolicyItems().add(item); } item = items[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()]; if (item != null) { existingPolicy.getAllowExceptions().add(item); } item = items[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()]; if (item != null) { existingPolicy.getDenyExceptions().add(item); } } if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.mergeProcessedPolicyItems()"); } } static private boolean addAccesses(RangerPolicy.RangerPolicyItem policyItem, List<RangerPolicy.RangerPolicyItemAccess> accesses) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.addAccesses()"); } boolean ret = false; for (RangerPolicy.RangerPolicyItemAccess access : accesses) { RangerPolicy.RangerPolicyItemAccess policyItemAccess = null; String accessType = access.getType(); for (RangerPolicy.RangerPolicyItemAccess itemAccess : policyItem.getAccesses()) { if (StringUtils.equals(itemAccess.getType(), accessType)) { policyItemAccess = itemAccess; break; } } if (policyItemAccess != null) { if (!policyItemAccess.getIsAllowed()) { policyItemAccess.setIsAllowed(Boolean.TRUE); ret = true; } } else { policyItem.getAccesses().add(new RangerPolicy.RangerPolicyItemAccess(accessType, Boolean.TRUE)); ret = true; } } if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.addAccesses() " + ret); } return ret; } static private boolean removeAccesses(RangerPolicy.RangerPolicyItem policyItem, List<RangerPolicy.RangerPolicyItemAccess> accesses) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.removeAccesses()"); } boolean ret = false; if (policyItem != null) { for (RangerPolicy.RangerPolicyItemAccess access : accesses) { String accessType = access.getType(); int numOfAccesses = policyItem.getAccesses().size(); for (int i = 0; i < numOfAccesses; i++) { RangerPolicy.RangerPolicyItemAccess itemAccess = policyItem.getAccesses().get(i); if (StringUtils.equals(itemAccess.getType(), accessType)) { policyItem.getAccesses().remove(i); numOfAccesses--; i--; ret = true; } } } } if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.removeAccesses() " + ret); } return ret; } static private void compactPolicy(RangerPolicy policy) { policy.setPolicyItems(mergePolicyItems(policy.getPolicyItems())); policy.setDenyPolicyItems(mergePolicyItems(policy.getDenyPolicyItems())); policy.setAllowExceptions(mergePolicyItems(policy.getAllowExceptions())); policy.setDenyExceptions(mergePolicyItems(policy.getDenyExceptions())); } static private List<RangerPolicy.RangerPolicyItem> mergePolicyItems( List<RangerPolicy.RangerPolicyItem> policyItems) { List<RangerPolicy.RangerPolicyItem> ret = new ArrayList<RangerPolicy.RangerPolicyItem>(); if (CollectionUtils.isNotEmpty(policyItems)) { Map<String, RangerPolicy.RangerPolicyItem> matchedPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem>(); for (RangerPolicy.RangerPolicyItem policyItem : policyItems) { if ((CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) || (CollectionUtils.isEmpty(policyItem.getAccesses()) && !policyItem.getDelegateAdmin())) { continue; } if (policyItem.getConditions().size() > 1) { ret.add(policyItem); continue; } TreeSet<String> accesses = new TreeSet<String>(); for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) { accesses.add(access.getType()); } if (policyItem.getDelegateAdmin()) { accesses.add("delegateAdmin"); } String allAccessesString = accesses.toString(); RangerPolicy.RangerPolicyItem matchingPolicyItem = matchedPolicyItems.get(allAccessesString); if (matchingPolicyItem != null) { addDistinctItems(policyItem.getUsers(), matchingPolicyItem.getUsers()); addDistinctItems(policyItem.getGroups(), matchingPolicyItem.getGroups()); } else { matchedPolicyItems.put(allAccessesString, policyItem); } } for (Map.Entry<String, RangerPolicy.RangerPolicyItem> entry : matchedPolicyItems.entrySet()) { ret.add(entry.getValue()); } } return ret; } static void addPolicyItemForUser(RangerPolicy.RangerPolicyItem[] items, int typeOfItems, String user, RangerPolicy.RangerPolicyItem policyItem) { if (items[typeOfItems] == null) { RangerPolicy.RangerPolicyItem newItem = new RangerPolicy.RangerPolicyItem(); newItem.getUsers().add(user); items[typeOfItems] = newItem; } addAccesses(items[typeOfItems], policyItem.getAccesses()); if (policyItem.getDelegateAdmin()) { items[typeOfItems].setDelegateAdmin(Boolean.TRUE); } } static void addPolicyItemForGroup(RangerPolicy.RangerPolicyItem[] items, int typeOfItems, String group, RangerPolicy.RangerPolicyItem policyItem) { if (items[typeOfItems] == null) { RangerPolicy.RangerPolicyItem newItem = new RangerPolicy.RangerPolicyItem(); newItem.getGroups().add(group); items[typeOfItems] = newItem; } addAccesses(items[typeOfItems], policyItem.getAccesses()); if (policyItem.getDelegateAdmin()) { items[typeOfItems].setDelegateAdmin(Boolean.TRUE); } } static private void addDistinctItems(List<String> fromItems, List<String> toItems) { for (String fromItem : fromItems) { if (!toItems.contains(fromItem)) { toItems.add(fromItem); } } } static private boolean removeUsersAndGroupsFromPolicy(RangerPolicy policy, Set<String> users, Set<String> groups) { boolean policyUpdated = false; List<RangerPolicy.RangerPolicyItem> policyItems = policy.getPolicyItems(); int numOfItems = policyItems.size(); for (int i = 0; i < numOfItems; i++) { RangerPolicy.RangerPolicyItem policyItem = policyItems.get(i); if (CollectionUtils.containsAny(policyItem.getUsers(), users)) { policyItem.getUsers().removeAll(users); policyUpdated = true; } if (CollectionUtils.containsAny(policyItem.getGroups(), groups)) { policyItem.getGroups().removeAll(groups); policyUpdated = true; } if (CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) { policyItems.remove(i); numOfItems--; i--; policyUpdated = true; } } return policyUpdated; } static boolean containsRangerCondition(RangerPolicy policy) { boolean ret = false; if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.containsRangerCondition(" + policy + ")"); } if (policy != null) { List<RangerPolicy.RangerPolicyItem> allItems = new ArrayList<RangerPolicy.RangerPolicyItem>(); allItems.addAll(policy.getPolicyItems()); allItems.addAll(policy.getDenyPolicyItems()); allItems.addAll(policy.getAllowExceptions()); allItems.addAll(policy.getDenyExceptions()); for (RangerPolicy.RangerPolicyItem policyItem : allItems) { if (policyItem.getConditions().size() > 0) { ret = true; break; } } } if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceRESTUtil.containsRangerCondition(" + policy + "): " + ret); } return ret; } }