|
33 | 33 | /** |
34 | 34 | * This is a sample implementation of a condition Evaluator. It works in conjunction with the sample context enricher |
35 | 35 | * <code>RangerSampleProjectProvider</code>. This is how it would be specified in the service definition: |
36 | | - { |
37 | | - ... |
38 | | - ... service definition |
39 | | - ... |
40 | | - "policyConditions": [ |
41 | | - { |
42 | | - "itemId": 1, |
43 | | - "name": "user-in-project", |
44 | | - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerSimpleMatcher", |
45 | | - "evaluatorOptions": { CONTEXT_NAME=’PROJECT’}, |
46 | | - "validationRegEx":"", |
47 | | - "validationMessage": "", |
48 | | - "uiHint":"", |
49 | | - "label": "Project Matcher", |
50 | | - "description": "Projects" |
51 | | - } |
52 | | - } |
53 | | - * |
| 36 | + * { |
| 37 | + * ... |
| 38 | + * ... service definition |
| 39 | + * ... |
| 40 | + * "policyConditions": [ |
| 41 | + * { |
| 42 | + * "itemId": 1, |
| 43 | + * "name": "user-in-project", |
| 44 | + * "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerSimpleMatcher", |
| 45 | + * "evaluatorOptions": { CONTEXT_NAME=’PROJECT’}, |
| 46 | + * "validationRegEx":"", |
| 47 | + * "validationMessage": "", |
| 48 | + * "uiHint":"", |
| 49 | + * "label": "Project Matcher", |
| 50 | + * "description": "Projects" |
| 51 | + * } |
| 52 | + * } |
| 53 | + * <p> |
54 | 54 | * Name of this class is specified via the "evaluator" of the policy condition definition. Significant evaluator option |
55 | 55 | * for this evaluator is the CONTEXT_NAME which indicates the name under which it would look for value for the condition. |
56 | 56 | * It is also use to lookup the condition values specified in the policy. This example uses CONTEXT_NAME of PROJECT |
57 | 57 | * which matches the value under which context is enriched by its companion class <code>RangerSampleProjectProvider</code>. |
58 | | - * |
| 58 | + * <p> |
59 | 59 | * Note that the same Condition Evaluator can be used to process Context enrichment done by <code>RangerSampleCountryProvider</code> |
60 | 60 | * provided the CONTEXT_NAME evaluator option is set to COUNTRY which is same as the value used by its companion Context |
61 | 61 | * Enricher <code>RangerSampleCountryProvider</code>. Which serves as an example of how a single Condition Evaluator |
62 | 62 | * implementation can be used to model multiple policy conditions. |
63 | | - * |
| 63 | + * <p> |
64 | 64 | * For matching context value against policy values it uses <code>FilenameUtils.wildcardMatch()</code> which allows policy authors |
65 | 65 | * flexibility to specify policy conditions using wildcards. Take a look at |
66 | | - * {@link org.apache.ranger.plugin.conditionevaluator.RangerSampleSimpleMatcherTest#testIsMatched_happyPath() testIsMatched_happyPath} |
| 66 | + * org.apache.ranger.plugin.conditionevaluator.RangerSampleSimpleMatcherTest#testIsMatched_happyPath() testIsMatched_happyPath |
67 | 67 | * test for examples of what sorts of matching is afforded by this use. |
68 | | - * |
69 | 68 | */ |
70 | 69 | public class RangerPolicyConditionSampleSimpleMatcher extends RangerAbstractConditionEvaluator { |
| 70 | + private static final Logger LOG = LoggerFactory.getLogger(RangerPolicyConditionSampleSimpleMatcher.class); |
| 71 | + |
| 72 | + public static final String CONTEXT_NAME = "CONTEXT_NAME"; |
| 73 | + |
| 74 | + private boolean allowAny; |
| 75 | + private String contextName; |
| 76 | + private final List<String> values = new ArrayList<>(); |
| 77 | + |
| 78 | + @Override |
| 79 | + public void init() { |
| 80 | + LOG.debug("==> RangerPolicyConditionSampleSimpleMatcher.init({})", condition); |
| 81 | + |
| 82 | + super.init(); |
| 83 | + |
| 84 | + if (condition == null) { |
| 85 | + LOG.debug("init: null policy condition! Will match always!"); |
| 86 | + |
| 87 | + allowAny = true; |
| 88 | + } else if (conditionDef == null) { |
| 89 | + LOG.debug("init: null policy condition definition! Will match always!"); |
| 90 | + |
| 91 | + allowAny = true; |
| 92 | + } else if (CollectionUtils.isEmpty(condition.getValues())) { |
| 93 | + LOG.debug("init: empty conditions collection on policy condition! Will match always!"); |
| 94 | + |
| 95 | + allowAny = true; |
| 96 | + } else if (MapUtils.isEmpty(conditionDef.getEvaluatorOptions())) { |
| 97 | + LOG.debug("init: Evaluator options were empty. Can't determine what value to use from context. Will match always."); |
| 98 | + |
| 99 | + allowAny = true; |
| 100 | + } else if (StringUtils.isEmpty(conditionDef.getEvaluatorOptions().get(CONTEXT_NAME))) { |
| 101 | + LOG.debug("init: CONTEXT_NAME is not specified in evaluator options. Can't determine what value to use from context. Will match always."); |
| 102 | + |
| 103 | + allowAny = true; |
| 104 | + } else { |
| 105 | + contextName = conditionDef.getEvaluatorOptions().get(CONTEXT_NAME); |
| 106 | + |
| 107 | + values.addAll(condition.getValues()); |
| 108 | + } |
| 109 | + |
| 110 | + LOG.debug("<== RangerPolicyConditionSampleSimpleMatcher.init({}): values[{}]", condition, values); |
| 111 | + } |
| 112 | + |
| 113 | + @Override |
| 114 | + public boolean isMatched(RangerAccessRequest request) { |
| 115 | + LOG.debug("==> RangerPolicyConditionSampleSimpleMatcher.isMatched({})", request); |
| 116 | + |
| 117 | + boolean matched = false; |
| 118 | + |
| 119 | + if (allowAny) { |
| 120 | + matched = true; |
| 121 | + } else { |
| 122 | + String requestValue = extractValue(request, contextName); |
| 123 | + |
| 124 | + if (StringUtils.isNotBlank(requestValue)) { |
| 125 | + for (String policyValue : values) { |
| 126 | + if (FilenameUtils.wildcardMatch(requestValue, policyValue)) { |
| 127 | + matched = true; |
| 128 | + break; |
| 129 | + } |
| 130 | + } |
| 131 | + } |
| 132 | + } |
| 133 | + |
| 134 | + LOG.debug("<== RangerPolicyConditionSampleSimpleMatcher.isMatched({}): {}", request, matched); |
| 135 | + |
| 136 | + return matched; |
| 137 | + } |
| 138 | + |
| 139 | + String extractValue(final RangerAccessRequest request, String key) { |
| 140 | + LOG.debug("==> RangerPolicyConditionSampleSimpleMatcher.extractValue({})", request); |
| 141 | + |
| 142 | + String value = null; |
| 143 | + |
| 144 | + if (request == null) { |
| 145 | + LOG.debug("isMatched: Unexpected: null request. Returning null!"); |
| 146 | + } else if (request.getContext() == null) { |
| 147 | + LOG.debug("isMatched: Context map of request is null. Ok. Returning null!"); |
| 148 | + } else if (CollectionUtils.isEmpty(request.getContext().entrySet())) { |
| 149 | + LOG.debug("isMatched: Missing context on request. Ok. Condition isn't applicable. Returning null!"); |
| 150 | + } else if (!request.getContext().containsKey(key)) { |
| 151 | + LOG.debug("isMatched: Unexpected: Context did not have data for condition[{}]. Returning null!", key); |
| 152 | + } else { |
| 153 | + value = (String) request.getContext().get(key); |
| 154 | + } |
| 155 | + |
| 156 | + LOG.debug("<== RangerPolicyConditionSampleSimpleMatcher.extractValue({}): {}", request, value); |
71 | 157 |
|
72 | | - private static final Logger LOG = LoggerFactory.getLogger(RangerPolicyConditionSampleSimpleMatcher.class); |
73 | | - |
74 | | - public static final String CONTEXT_NAME = "CONTEXT_NAME"; |
75 | | - |
76 | | - private boolean _allowAny = false; |
77 | | - private String _contextName = null; |
78 | | - private List<String> _values = new ArrayList<String>(); |
79 | | - |
80 | | - @Override |
81 | | - public void init() { |
82 | | - if(LOG.isDebugEnabled()) { |
83 | | - LOG.debug("==> RangerPolicyConditionSampleSimpleMatcher.init(" + condition + ")"); |
84 | | - } |
85 | | - |
86 | | - super.init(); |
87 | | - |
88 | | - if (condition == null) { |
89 | | - LOG.debug("init: null policy condition! Will match always!"); |
90 | | - _allowAny = true; |
91 | | - } else if (conditionDef == null) { |
92 | | - LOG.debug("init: null policy condition definition! Will match always!"); |
93 | | - _allowAny = true; |
94 | | - } else if (CollectionUtils.isEmpty(condition.getValues())) { |
95 | | - LOG.debug("init: empty conditions collection on policy condition! Will match always!"); |
96 | | - _allowAny = true; |
97 | | - } else if (MapUtils.isEmpty(conditionDef.getEvaluatorOptions())) { |
98 | | - LOG.debug("init: Evaluator options were empty. Can't determine what value to use from context. Will match always."); |
99 | | - _allowAny = true; |
100 | | - } else if (StringUtils.isEmpty(conditionDef.getEvaluatorOptions().get(CONTEXT_NAME))) { |
101 | | - LOG.debug("init: CONTEXT_NAME is not specified in evaluator options. Can't determine what value to use from context. Will match always."); |
102 | | - _allowAny = true; |
103 | | - } else { |
104 | | - _contextName = conditionDef.getEvaluatorOptions().get(CONTEXT_NAME); |
105 | | - for (String value : condition.getValues()) { |
106 | | - _values.add(value); |
107 | | - } |
108 | | - } |
109 | | - |
110 | | - if(LOG.isDebugEnabled()) { |
111 | | - LOG.debug("<== RangerPolicyConditionSampleSimpleMatcher.init(" + condition + "): values[" + _values + "]"); |
112 | | - } |
113 | | - } |
114 | | - |
115 | | - @Override |
116 | | - public boolean isMatched(RangerAccessRequest request) { |
117 | | - |
118 | | - if(LOG.isDebugEnabled()) { |
119 | | - LOG.debug("==> RangerPolicyConditionSampleSimpleMatcher.isMatched(" + request + ")"); |
120 | | - } |
121 | | - |
122 | | - boolean matched = false; |
123 | | - |
124 | | - if (_allowAny) { |
125 | | - matched = true; |
126 | | - } else { |
127 | | - String requestValue = extractValue(request, _contextName); |
128 | | - if (StringUtils.isNotBlank(requestValue)) { |
129 | | - for (String policyValue : _values) { |
130 | | - if (FilenameUtils.wildcardMatch(requestValue, policyValue)) { |
131 | | - matched = true; |
132 | | - break; |
133 | | - } |
134 | | - } |
135 | | - } |
136 | | - } |
137 | | - |
138 | | - if(LOG.isDebugEnabled()) { |
139 | | - LOG.debug("<== RangerPolicyConditionSampleSimpleMatcher.isMatched(" + request+ "): " + matched); |
140 | | - } |
141 | | - |
142 | | - return matched; |
143 | | - } |
144 | | - |
145 | | - String extractValue(final RangerAccessRequest request, String key) { |
146 | | - if(LOG.isDebugEnabled()) { |
147 | | - LOG.debug("==> RangerPolicyConditionSampleSimpleMatcher.extractValue(" + request+ ")"); |
148 | | - } |
149 | | - |
150 | | - String value = null; |
151 | | - if (request == null) { |
152 | | - LOG.debug("isMatched: Unexpected: null request. Returning null!"); |
153 | | - } else if (request.getContext() == null) { |
154 | | - LOG.debug("isMatched: Context map of request is null. Ok. Returning null!"); |
155 | | - } else if (CollectionUtils.isEmpty(request.getContext().entrySet())) { |
156 | | - LOG.debug("isMatched: Missing context on request. Ok. Condition isn't applicable. Returning null!"); |
157 | | - } else if (!request.getContext().containsKey(key)) { |
158 | | - if (LOG.isDebugEnabled()) { |
159 | | - LOG.debug("isMatched: Unexpected: Context did not have data for condition[" + key + "]. Returning null!"); |
160 | | - } |
161 | | - } else { |
162 | | - value = (String)request.getContext().get(key); |
163 | | - } |
164 | | - |
165 | | - if(LOG.isDebugEnabled()) { |
166 | | - LOG.debug("<== RangerPolicyConditionSampleSimpleMatcher.extractValue(" + request+ "): " + value); |
167 | | - } |
168 | | - return value; |
169 | | - } |
| 158 | + return value; |
| 159 | + } |
170 | 160 | } |
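Review bot: The cast `value = (String) request.getContext().get(key);` at new line 153 of extractValue is unchecked — getContext() evidently holds Object-typed values (otherwise the cast would be unnecessary), so a context entry under `key` that is not a String throws ClassCastException out of isMatched and aborts the whole access evaluation, whereas every other branch of this method treats a missing or unusable context by returning null so the condition simply does not match. A guarded read keeps that null-on-unusable-input contract: `Object raw = request.getContext().get(key);` then `value = raw instanceof String ? (String) raw : null;`, with a debug line when the type is unexpected. Two smaller points in the same method: the branch at new line 148 can use `MapUtils.isEmpty(request.getContext())`, which init already relies on at line 96, instead of `CollectionUtils.isEmpty(request.getContext().entrySet())`; and the messages at new lines 145–151 are still prefixed `isMatched:` although they are logged from extractValue, which the reformatting carried over and which misleads anyone tracing a debug log.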