RANGER-5367: simplify resource-name parsing (apache#699)

Author: mneethiraj

agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java

@@ -1417,7 +1417,6 @@ public static class RangerResourceDef implements java.io.Serializable {
         private String              rbKeyValidationMessage;
         private Set<String>         accessTypeRestrictions;
         private Boolean             isValidLeaf;
-        private String              rrnTemplate; // resource-name template. Examples: {database}.{table}.{column}, {container}@{storageaccount}/{relativepath}
 
         public RangerResourceDef() {
             this(null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null);
@@ -1445,7 +1444,6 @@ public RangerResourceDef(RangerResourceDef other) {
             setRbKeyValidationMessage(other.getRbKeyValidationMessage());
             setAccessTypeRestrictions(other.getAccessTypeRestrictions());
             setIsValidLeaf(other.getIsValidLeaf());
-            setRrnTemplate(other.getRrnTemplate());
         }
 
         public RangerResourceDef(Long itemId, String name, String type, Integer level, String parent, Boolean mandatory, Boolean lookupSupported, Boolean recursiveSupported, Boolean excludesSupported, String matcher, Map<String, String> matcherOptions, String validationRegEx, String validationMessage, String uiHint, String label, String description, String rbKeyLabel, String rbKeyDescription, String rbKeyValidationMessage, Set<String> accessTypeRestrictions, Boolean isValidLeaf) {
@@ -1754,14 +1752,6 @@ public void setIsValidLeaf(Boolean isValidLeaf) {
             this.isValidLeaf = isValidLeaf;
         }
 
-        public String getRrnTemplate() {
-            return rrnTemplate;
-        }
-
-        public void setRrnTemplate(String rrnTemplate) {
-            this.rrnTemplate = rrnTemplate;
-        }
-
         public void dedupStrings(Map<String, String> strTbl) {
             name                   = StringUtil.dedupString(name, strTbl);
             type                   = StringUtil.dedupString(type, strTbl);
@@ -1777,7 +1767,6 @@ public void dedupStrings(Map<String, String> strTbl) {
             rbKeyDescription       = StringUtil.dedupString(rbKeyDescription, strTbl);
             rbKeyValidationMessage = StringUtil.dedupString(rbKeyValidationMessage, strTbl);
             accessTypeRestrictions = StringUtil.dedupStringsSet(accessTypeRestrictions, strTbl);
-            rrnTemplate            = StringUtil.dedupString(rrnTemplate, strTbl);
         }
 
         public StringBuilder toString(StringBuilder sb) {
@@ -1803,7 +1792,6 @@ public StringBuilder toString(StringBuilder sb) {
             sb.append("rbKeyValidationMessage={").append(rbKeyValidationMessage).append("} ");
             sb.append("accessTypeRestrictions={").append(accessTypeRestrictions == null ? "null" : accessTypeRestrictions.toString()).append("} ");
             sb.append("isValidLeaf={").append(isValidLeaf == null ? "null" : isValidLeaf.toString()).append("} ");
-            sb.append("rrnTemplate={").append(rrnTemplate == null ? "null" : rrnTemplate).append("} ");
             sb.append("}");
 
             return sb;
@@ -1866,9 +1854,6 @@ public int hashCode() {
             result = prime
                     * result
                     + ((isValidLeaf == null) ? 0 : isValidLeaf.hashCode());
-            result = prime
-                    * result
-                    + ((rrnTemplate == null) ? 0 : rrnTemplate.hashCode());
             return result;
         }
 
@@ -2024,12 +2009,6 @@ public boolean equals(Object obj) {
                 return false;
             }
 
-            if (rrnTemplate == null) {
-                return other.rrnTemplate == null;
-            } else if (!rrnTemplate.equals(other.rrnTemplate)) {
-                return false;
-            }
-
             return true;
         }
 

agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java

@@ -48,10 +48,7 @@
 public class RangerServiceDefHelper {
     private static final Logger LOG = LoggerFactory.getLogger(RangerServiceDefHelper.class);
 
-    public static final String RRN_RESOURCE_PREFIX   = "{";
-    public static final String RRN_RESOURCE_SUFFIX   = "}";
-    public static final String RRN_RESOURCE_SEP      = ".";
-    public static final String RRN_PATH_RESOURCE_SEP = "/";
+    public static final String RRN_RESOURCE_SEP = "/";
 
     static final Map<String, Delegate> cache = new ConcurrentHashMap<>();
     final        Delegate              delegate;
@@ -497,13 +494,7 @@ public Delegate(RangerServiceDef serviceDef, boolean checkForCycles) {
                 orderedResourceNames = buildSortedResourceNames();
 
                 for (RangerResourceDef resourceDef : serviceDef.getResources()) {
-                    if (StringUtils.isBlank(resourceDef.getRrnTemplate())) {
-                        resourceDef.setRrnTemplate(getDefaultRrnTemplate(resourceDef));
-
-                        LOG.debug("No rrnTemplate was defined for resource {}.{}. It is now set to default: {}", serviceName, resourceDef.getName(), resourceDef.getRrnTemplate());
-                    }
-
-                    this.rrnTemplates.put(resourceDef.getName(), resourceDef.getRrnTemplate());
+                    this.rrnTemplates.put(resourceDef.getName(), getDefaultRrnTemplate(resourceDef));
                 }
             } else {
                 orderedResourceNames = new ArrayList<>();
@@ -901,11 +892,11 @@ public int compareTo(ResourceNameLevel other) {
         }
 
         // create default resource-name template for the resource-def, like:
-        //  database:{database}
-        //  table:{database}.{table}
-        //  column:{database}.{table}.{column}
-        //  path:{bucket}/{path}
-        //  key:{volume}.{bucket}/{key}
+        //  database:database
+        //  table:database/table
+        //  column:database/table/column
+        //  path:bucket/path
+        //  key:volume/bucket/key
         private String getDefaultRrnTemplate(RangerResourceDef resourceDef) {
             List<RangerResourceDef> path = new ArrayList<>();
 
@@ -919,10 +910,10 @@ private String getDefaultRrnTemplate(RangerResourceDef resourceDef) {
                 RangerResourceDef res = path.get(i);
 
                 if (i > 0) {
-                    sb.append(StringUtils.equalsIgnoreCase(res.getType(), "path") ? RRN_PATH_RESOURCE_SEP : RRN_RESOURCE_SEP);
+                    sb.append(RRN_RESOURCE_SEP);
                 }
 
-                sb.append(RRN_RESOURCE_PREFIX).append(res.getName()).append(RRN_RESOURCE_SUFFIX);
+                sb.append(res.getName());
             }
 
             return sb.toString();

agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java

@@ -382,19 +382,12 @@ public void testRrnTemplateHive() {
         RangerServiceDef       svcDef       = JsonUtils.jsonToObject(reader, RangerServiceDef.class);
         RangerServiceDefHelper svcDefHelper = new RangerServiceDefHelper(svcDef);
 
-        String rrnDatabase = svcDefHelper.getRrnTemplate("database");
-        String rrnTable    = svcDefHelper.getRrnTemplate("table");
-        String rrnColumn   = svcDefHelper.getRrnTemplate("column");
-        String rrnUdf      = svcDefHelper.getRrnTemplate("udf");
-        String rrnUrl      = svcDefHelper.getRrnTemplate("url");
-        String rrnUnknown  = svcDefHelper.getRrnTemplate("unknown-resource");
-
-        assertEquals("{database}", rrnDatabase);
-        assertEquals("{database}.{table}", rrnTable);
-        assertEquals("{database}.{table}.{column}", rrnColumn);
-        assertEquals("{database}.{udf}", rrnUdf);
-        assertEquals("{url}", rrnUrl);
-        assertNull(rrnUnknown);
+        assertEquals("database", svcDefHelper.getRrnTemplate("database"));
+        assertEquals("database/table", svcDefHelper.getRrnTemplate("table"));
+        assertEquals("database/table/column", svcDefHelper.getRrnTemplate("column"));
+        assertEquals("database/udf", svcDefHelper.getRrnTemplate("udf"));
+        assertEquals("url", svcDefHelper.getRrnTemplate("url"));
+        assertNull(svcDefHelper.getRrnTemplate("unknown-resource"));
     }
 
     @Test
@@ -403,11 +396,8 @@ public void testRrnTemplateS3() {
         RangerServiceDef       svcDef       = JsonUtils.jsonToObject(reader, RangerServiceDef.class);
         RangerServiceDefHelper svcDefHelper = new RangerServiceDefHelper(svcDef);
 
-        String rrnBucket = svcDefHelper.getRrnTemplate("bucket");
-        String rrnPath   = svcDefHelper.getRrnTemplate("path");
-
-        assertEquals("{bucket}", rrnBucket);
-        assertEquals("{bucket}/{path}", rrnPath);
+        assertEquals("bucket", svcDefHelper.getRrnTemplate("bucket"));
+        assertEquals("bucket/path", svcDefHelper.getRrnTemplate("path"));
     }
 
     RangerResourceDef createResourceDef(String name, String parent) {

authz-api/src/main/java/org/apache/ranger/authz/api/RangerAuthzApiErrorCode.java

@@ -35,13 +35,11 @@ public enum RangerAuthzApiErrorCode implements RangerAuthzErrorCode {
     INVALID_REQUEST_PERMISSION_NOT_FOUND(400, "00-011", "{0}: permission not found"),
     INVALID_REQUEST_PERMISSIONS_EMPTY(400, "00-012", "permissions is empty. Nothing to authorize"),
     INVALID_REQUEST_SERVICE_NAME_OR_TYPE_MANDATORY(400, "00-013", "service name or service type is mandatory"),
-    INVALID_RESOURCE_TEMPLATE_UNEXPECTED_MARKER_AT(400, "00-014", "invalid resource template: {0}. Unexpected marker \"{1}\" at position {2}"),
+    INVALID_RESOURCE_TEMPLATE_EMPTY_VALUE(400, "00-014", "invalid resource template - empty"),
 
     INVALID_RESOURCE_TYPE_NOT_VALID(400, "00-015", "invalid resource \"{0}\" - unknown type \"{1}\""),
     INVALID_RESOURCE_EMPTY_VALUE(400, "00-016", "invalid resource - empty"),
-    INVALID_RESOURCE_PREFIX_MISMATCH(400, "00-017", "invalid resource \"{0}\" - prefix \"{1}\" not found"),
-    INVALID_RESOURCE_SUFFIX_MISMATCH(400, "00-018", "invalid resource \"{0}\" - suffix \"{1}\" not found"),
-    INVALID_RESOURCE_VALUE(400, "00-019", "invalid resource \"{0}\" - does not match template \"{1}\"");
+    INVALID_RESOURCE_VALUE(400, "00-017", "invalid resource \"{0}\" - does not match template \"{1}\"");
 
     private static final String ERROR_CODE_MODULE_PREFIX = "AUTHZ";
 

authz-api/src/main/java/org/apache/ranger/authz/util/RangerResourceNameParser.java

@@ -0,0 +1,216 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authz.util;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.ranger.authz.api.RangerAuthzException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Pattern;
+
+import static org.apache.ranger.authz.api.RangerAuthzApiErrorCode.INVALID_RESOURCE_EMPTY_VALUE;
+import static org.apache.ranger.authz.api.RangerAuthzApiErrorCode.INVALID_RESOURCE_TEMPLATE_EMPTY_VALUE;
+import static org.apache.ranger.authz.api.RangerAuthzApiErrorCode.INVALID_RESOURCE_VALUE;
+
+public class RangerResourceNameParser {
+    private static final Logger LOG = LoggerFactory.getLogger(RangerResourceNameParser.class);
+
+    public static final char ESCAPE_CHAR    = '\\';
+    public static final char SEPARATOR_CHAR = '/';
+
+    private static final String   SEPARATOR_STRING  = String.valueOf(SEPARATOR_CHAR);
+    private static final String   ESCAPED_SEPARATOR = "\\\\" + SEPARATOR_STRING;
+    private static final Pattern  SEPARATOR_PATTERN = Pattern.compile(SEPARATOR_STRING);
+    private static final String[] EMPTY_ARRAY       = new String[0];
+
+    private final String   template;   // examples: database/table/column, bucket/volume/path
+    private final String[] resources;  // examples: [database, table, column],   [bucket, volume, path]
+
+    public RangerResourceNameParser(String template) throws RangerAuthzException {
+        if (StringUtils.isBlank(template)) {
+            throw new RangerAuthzException(INVALID_RESOURCE_TEMPLATE_EMPTY_VALUE);
+        }
+
+        this.template  = template;
+        this.resources = template.split(SEPARATOR_STRING); // assumption: '/' is not a valid character in resource names
+    }
+
+    public String getTemplate() {
+        return template;
+    }
+
+    public String getResourceType() {
+        return resources[resources.length - 1];
+    }
+
+    public int count() {
+        return resources.length;
+    }
+
+    public String resourceAt(int index) {
+        return resources[index];
+    }
+
+    public String[] parseToArray(final String resourceName) throws RangerAuthzException {
+        if (StringUtils.isBlank(resourceName)) {
+            throw new RangerAuthzException(INVALID_RESOURCE_EMPTY_VALUE);
+        }
+
+        final String[]      ret         = new String[resources.length];
+        final int           nameLen     = resourceName.length();
+        final StringBuilder token       = new StringBuilder();
+        int                 idxToken    = 0;
+        boolean             isLastToken = resources.length == 1;
+        boolean             isInEscape  = false;
+
+        for (int i = 0; i < nameLen; i++) {
+            char c = resourceName.charAt(i);
+
+            if (c == ESCAPE_CHAR) {
+                if (!isInEscape) {
+                    isInEscape = true;
+
+                    continue;
+                }
+            } else if (c == SEPARATOR_CHAR) {
+                if (!isInEscape) {
+                    if (!isLastToken) { // for last token, '/' is not a separator
+                        ret[idxToken++] = token.toString();
+
+                        token.setLength(0);
+
+                        isLastToken = idxToken == (resources.length - 1);
+
+                        continue;
+                    }
+                }
+            }
+
+            token.append(c);
+
+            isInEscape = false;
+        }
+
+        ret[idxToken] = token.toString();
+
+        if (!isLastToken) {
+            throw new RangerAuthzException(INVALID_RESOURCE_VALUE, resourceName, template);
+        }
+
+        LOG.debug("parseToArray(resource='{}', template='{}'): ret={}", resourceName, template, ret);
+
+        return ret;
+    }
+
+    public Map<String, String> parseToMap(final String resourceName) throws RangerAuthzException {
+        final String[]            arr = parseToArray(resourceName);
+        final Map<String, String> ret = new HashMap<>(arr.length);
+
+        for (int i = 0; i < arr.length; i++) {
+            ret.put(resources[i], arr[i]);
+        }
+
+        LOG.debug("parseToMap(resourceName='{}', template='{}'): ret={}", resourceName, template, ret);
+
+        return ret;
+    }
+
+    public String toResourceName(String[] values) {
+        StringBuilder ret = new StringBuilder();
+
+        if (values == null) {
+            values = EMPTY_ARRAY;
+        }
+
+        for (int i = 0; i < resources.length; i++) {
+            String  value  = values.length > i ? values[i] : null;
+            boolean isLast = i == (resources.length - 1);
+
+            if (value == null) {
+                value = "";
+            }
+
+            if (!isLast) { // escape '/' in all but the last resource
+                value = escapeIfNeeded(value);
+            }
+
+            if (i > 0) {
+                ret.append(SEPARATOR_CHAR);
+            }
+
+            ret.append(value);
+        }
+
+        LOG.debug("toResourceName(values={}, template='{}'): ret='{}'", values, template, ret);
+
+        return ret.toString();
+    }
+
+    public String toResourceName(Map<String, String> values) {
+        StringBuilder ret = new StringBuilder();
+
+        if (values == null) {
+            values = Collections.emptyMap();
+        }
+
+        for (int i = 0; i < resources.length; i++) {
+            String  value  = values.get(resources[i]);
+            boolean isLast = i == (resources.length - 1);
+
+            if (value == null) {
+                value = "";
+            }
+
+            if (!isLast) { // escape '/' in all but the last resource
+                value = escapeIfNeeded(value);
+            }
+
+            if (i > 0) {
+                ret.append(SEPARATOR_CHAR);
+            }
+
+            ret.append(value);
+        }
+
+        LOG.debug("toResourceName(values={}, template='{}'): ret='{}'", values, template, ret);
+
+        return ret.toString();
+    }
+
+    @Override
+    public String toString() {
+        return "RangerResourceTemplate{" +
+                "template=" + template +
+                ", resources='" + String.join(SEPARATOR_STRING, resources) + "'" +
+                "}";
+    }
+
+    private String escapeIfNeeded(String value) {
+        if (value.contains(SEPARATOR_STRING)) {
+            return SEPARATOR_PATTERN.matcher(value).replaceAll(ESCAPED_SEPARATOR);
+        } else {
+            return value;
+        }
+    }
+}