Merge branch 'RANGER-5309' into RANGER-5312

Author: mneethiraj

agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java

@@ -48,6 +48,11 @@
 public class RangerServiceDefHelper {
     private static final Logger LOG = LoggerFactory.getLogger(RangerServiceDefHelper.class);
 
+    public static final String RRN_RESOURCE_PREFIX   = "{";
+    public static final String RRN_RESOURCE_SUFFIX   = "}";
+    public static final String RRN_RESOURCE_SEP      = ".";
+    public static final String RRN_PATH_RESOURCE_SEP = "/";
+
     static final Map<String, Delegate> cache = new ConcurrentHashMap<>();
     final        Delegate              delegate;
 
@@ -492,21 +497,10 @@ public Delegate(RangerServiceDef serviceDef, boolean checkForCycles) {
                 orderedResourceNames = buildSortedResourceNames();
 
                 for (RangerResourceDef resourceDef : serviceDef.getResources()) {
-                    // when rrnTemplate is not specified, create a default one using the full path from root to this resource
                     if (StringUtils.isBlank(resourceDef.getRrnTemplate())) {
-                        List<String> path = new ArrayList<>();
-
-                        for (RangerResourceDef resource = resourceDef; resource != null; resource = getResourceDef(resource.getParent(), RangerPolicy.POLICY_TYPE_ACCESS)) {
-                            path.add(resource.getName());
-                        }
-
-                        Collections.reverse(path);
+                        resourceDef.setRrnTemplate(getDefaultRrnTemplate(resourceDef));
 
-                        String rrnTemplate = "{" + StringUtils.join(path, "}.{") + "}";
-
-                        LOG.debug("Setting rrnTemplate for resource {}.{} to: {}", serviceName, resourceDef.getName(), rrnTemplate);
-
-                        resourceDef.setRrnTemplate(rrnTemplate);
+                        LOG.debug("No rrnTemplate was defined for resource {}.{}. It is now set to default: {}", serviceName, resourceDef.getName(), resourceDef.getRrnTemplate());
                     }
 
                     this.rrnTemplates.put(resourceDef.getName(), resourceDef.getRrnTemplate());
@@ -905,6 +899,34 @@ public int compareTo(ResourceNameLevel other) {
                 return Integer.compare(this.level, other.level);
             }
         }
+
+        // create default resource-name template for the resource-def, like:
+        //  database:{database}
+        //  table:{database}.{table}
+        //  column:{database}.{table}.{column}
+        //  path:{bucket}/{path}
+        //  key:{volume}.{bucket}/{key}
+        private String getDefaultRrnTemplate(RangerResourceDef resourceDef) {
+            List<RangerResourceDef> path = new ArrayList<>();
+
+            for (RangerResourceDef resource = resourceDef; resource != null; resource = getResourceDef(resource.getParent(), RangerPolicy.POLICY_TYPE_ACCESS)) {
+                path.add(0, resource);
+            }
+
+            StringBuilder sb = new StringBuilder();
+
+            for (int i = 0; i < path.size(); i++) {
+                RangerResourceDef res = path.get(i);
+
+                if (i > 0) {
+                    sb.append(StringUtils.equalsIgnoreCase(res.getType(), "path") ? RRN_PATH_RESOURCE_SEP : RRN_RESOURCE_SEP);
+                }
+
+                sb.append(RRN_RESOURCE_PREFIX).append(res.getName()).append(RRN_RESOURCE_SUFFIX);
+            }
+
+            return sb.toString();
+        }
     }
 
     /**

agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java

@@ -104,6 +104,7 @@ public class RangerBasePlugin {
     private       RangerRoles                 roles;
     private       boolean                     isUserStoreEnricherAddedImplcitly;
     private       Map<String, String>         serviceConfigs;
+    private       boolean                     synchronousPolicyRefresh;
 
     public RangerBasePlugin(String serviceType, String appId) {
         this(new RangerPluginConfig(serviceType, null, appId, null, null, null));
@@ -660,6 +661,10 @@ public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessReq
     }
 
     public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
+        if (this.synchronousPolicyRefresh) {
+            refreshPoliciesAndTags();
+        }
+
         RangerAccessResult ret          = null;
         RangerPolicyEngine policyEngine = this.policyEngine;
 
@@ -701,6 +706,10 @@ public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAcc
     }
 
     public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAccessResultProcessor resultProcessor) {
+        if (this.synchronousPolicyRefresh) {
+            refreshPoliciesAndTags();
+        }
+
         Collection<RangerAccessResult> ret          = null;
         RangerPolicyEngine             policyEngine = this.policyEngine;
 
@@ -742,6 +751,10 @@ public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessReq
     }
 
     public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
+        if (this.synchronousPolicyRefresh) {
+            refreshPoliciesAndTags();
+        }
+
         RangerPolicyEngine policyEngine = this.policyEngine;
         RangerAccessResult ret          = null;
 
@@ -772,6 +785,10 @@ public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest request, Rang
     }
 
     public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
+        if (this.synchronousPolicyRefresh) {
+            refreshPoliciesAndTags();
+        }
+
         RangerPolicyEngine policyEngine = this.policyEngine;
         RangerAccessResult ret          = null;
 
@@ -802,6 +819,10 @@ public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest request, Ran
     }
 
     public void evalAuditPolicies(RangerAccessResult result) {
+        if (this.synchronousPolicyRefresh) {
+            refreshPoliciesAndTags();
+        }
+
         RangerPolicyEngine policyEngine = this.policyEngine;
 
         if (policyEngine != null) {
@@ -824,6 +845,10 @@ public RangerResourceACLs getResourceACLs(RangerAccessRequest request) {
     }
 
     public RangerResourceACLs getResourceACLs(RangerAccessRequest request, Integer policyType) {
+        if (this.synchronousPolicyRefresh) {
+            refreshPoliciesAndTags();
+        }
+
         RangerResourceACLs ret          = null;
         RangerPolicyEngine policyEngine = this.policyEngine;
 
@@ -1065,7 +1090,7 @@ public void registerAuthContextEventListener(RangerAuthContextListener authConte
     }
 
     public void refreshPoliciesAndTags() {
-        LOG.debug("==> refreshPoliciesAndTags()");
+        LOG.debug("==> refreshPoliciesAndTags(): synchronousPolicyRefresh={}", synchronousPolicyRefresh);
 
         try {
             long oldPolicyVersion = getPoliciesVersion();
@@ -1193,7 +1218,7 @@ public GdsPolicyEngine getGdsPolicyEngine() {
     }
 
     public Map<String, String> getServiceConfigs() {
-        return serviceConfigs;
+        return (serviceConfigs == null) ? Collections.emptyMap() : serviceConfigs;
     }
 
     public Long getPolicyVersion() {
@@ -1216,6 +1241,14 @@ private void setServiceConfigs(Map<String, String> serviceConfigs) {
         if (authContext != null && !Objects.equals(oldServiceConfigs, this.serviceConfigs)) {
             authContext.onServiceConfigsUpdate(this.serviceConfigs);
         }
+
+        String isSyncPolicyRefresh = this.pluginConfig == null ? null : this.serviceConfigs.get(this.pluginConfig.getPropertyPrefix() + ".policy.refresh.synchronous");
+
+        this.synchronousPolicyRefresh = Boolean.parseBoolean(isSyncPolicyRefresh);
+
+        if (this.synchronousPolicyRefresh) {
+            LOG.info("synchronousPolicyRefresh = {}", this.synchronousPolicyRefresh);
+        }
     }
 
     private void auditGrantRevoke(GrantRevokeRequest request, String action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) {

agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java

@@ -377,7 +377,7 @@ public void test_invalid_resourceHierarchies_with_leaf_specification() {
     }
 
     @Test
-    public void testRrnTemplate() {
+    public void testRrnTemplateHive() {
         InputStreamReader      reader       = new InputStreamReader(requireNonNull(this.getClass().getResourceAsStream("/admin/service-defs/test-hive-servicedef.json")));
         RangerServiceDef       svcDef       = JsonUtils.jsonToObject(reader, RangerServiceDef.class);
         RangerServiceDefHelper svcDefHelper = new RangerServiceDefHelper(svcDef);
@@ -397,6 +397,19 @@ public void testRrnTemplate() {
         assertNull(rrnUnknown);
     }
 
+    @Test
+    public void testRrnTemplateS3() {
+        InputStreamReader      reader       = new InputStreamReader(requireNonNull(this.getClass().getResourceAsStream("/admin/service-defs/test-s3-servicedef.json")));
+        RangerServiceDef       svcDef       = JsonUtils.jsonToObject(reader, RangerServiceDef.class);
+        RangerServiceDefHelper svcDefHelper = new RangerServiceDefHelper(svcDef);
+
+        String rrnBucket = svcDefHelper.getRrnTemplate("bucket");
+        String rrnPath   = svcDefHelper.getRrnTemplate("path");
+
+        assertEquals("{bucket}", rrnBucket);
+        assertEquals("{bucket}/{path}", rrnPath);
+    }
+
     RangerResourceDef createResourceDef(String name, String parent) {
         return createResourceDef(name, parent, null);
     }

agents-common/src/test/resources/admin/service-defs/test-s3-servicedef.json

@@ -0,0 +1,22 @@
+{
+  "id": 1, "name": "s3", "label": "AWS S3", "description": "AWS S3", "implClass": "org.apache.ranger.services.s3.RangerServiceS3",
+  "resources":
+  [
+    {
+      "itemId": 1, "name": "bucket", "type": "string", "parent": "", "level": 10, "label": "S3 Bucket", "description": "S3 Bucket",
+      "mandatory": true, "lookupSupported": false, "recursiveSupported": false, "excludesSupported": true,
+      "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }
+    },
+    {
+      "itemId": 2, "name": "path", "type": "path", "parent": "bucket", "level": 20, "label": "Path", "description": "Path inside Bucket",
+      "mandatory": true, "lookupSupported": false, "recursiveSupported": true, "excludesSupported": true,
+      "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }
+    }
+  ],
+
+  "accessTypes":
+  [
+    { "itemId": 1, "name": "read", "label": "Read" },
+    { "itemId": 2, "name": "write", "label": "Write" }
+  ]
+}

dev-support/ranger-docker/scripts/create-ranger-services.py

@@ -17,24 +17,29 @@ def service_not_exists(service):
                       'configs': {'username': 'hdfs', 'password': 'hdfs',
                                   'fs.default.name': 'hdfs://ranger-hadoop:9000',
                                   'hadoop.security.authentication': 'simple',
-                                  'hadoop.security.authorization': 'true'}})
+                                  'hadoop.security.authorization': 'true',
+                                  'ranger.plugin.hdfs.policy.refresh.synchronous':'true'}})
 
 hive = RangerService({'name': 'dev_hive', 'type': 'hive',
                       'configs': {'username': 'hive', 'password': 'hive',
                                   'jdbc.driverClassName': 'org.apache.hive.jdbc.HiveDriver',
                                   'jdbc.url': 'jdbc:hive2://ranger-hive:10000',
-                                  'hadoop.security.authorization': 'true'}})
+                                  'hadoop.security.authorization': 'true',
+                                  'ranger.plugin.hive.policy.refresh.synchronous':'true'}})
 
 kafka = RangerService({'name': 'dev_kafka', 'type': 'kafka',
                        'configs': {'username': 'kafka', 'password': 'kafka',
-                                   'zookeeper.connect': 'ranger-zk.example.com:2181'}})
+                                   'zookeeper.connect': 'ranger-zk.example.com:2181',
+                                   'ranger.plugin.kafka.policy.refresh.synchronous':'true'}})
 
 knox = RangerService({'name': 'dev_knox', 'type': 'knox',
-                      'configs': {'username': 'knox', 'password': 'knox', 'knox.url': 'https://ranger-knox:8443'}})
+                      'configs': {'username': 'knox', 'password': 'knox', 'knox.url': 'https://ranger-knox:8443',
+                      'ranger.plugin.knox.policy.refresh.synchronous':'true'}})
 
 yarn = RangerService({'name': 'dev_yarn', 'type': 'yarn',
                       'configs': {'username': 'yarn', 'password': 'yarn',
-                                  'yarn.url': 'http://ranger-hadoop:8088'}})
+                                  'yarn.url': 'http://ranger-hadoop:8088',
+                                  'ranger.plugin.yarn.policy.refresh.synchronous':'true'}})
 
 hbase = RangerService({'name': 'dev_hbase', 'type': 'hbase',
                        'configs': {'username': 'hbase', 'password': 'hbase',
@@ -43,11 +48,13 @@ def service_not_exists(service):
                                    'hadoop.security.authorization': 'true',
                                    'hbase.zookeeper.property.clientPort': '2181',
                                    'hbase.zookeeper.quorum': 'ranger-zk',
-                                   'zookeeper.znode.parent': '/hbase'}})
+                                   'zookeeper.znode.parent': '/hbase',
+                                   'ranger.plugin.hbase.policy.refresh.synchronous':'true'}})
 
 kms = RangerService({'name': 'dev_kms', 'type': 'kms',
                      'configs': {'username': 'keyadmin', 'password': 'rangerR0cks!',
-                                 'provider': 'http://ranger-kms:9292'}})
+                                 'provider': 'http://ranger-kms:9292',
+                                 'ranger.plugin.kms.policy.refresh.synchronous':'true'}})
 
 trino = RangerService({'name': 'dev_trino',
                        'type': 'trino',
@@ -56,14 +63,16 @@ def service_not_exists(service):
                            'password': 'trino',
                            'jdbc.driverClassName': 'io.trino.jdbc.TrinoDriver',
                            'jdbc.url': 'jdbc:trino://ranger-trino:8080',
+                           'ranger.plugin.trino.policy.refresh.synchronous':'true'
                        }})
 
 ozone = RangerService({'name': 'dev_ozone',
                        'type': 'ozone',
                        'displayName': 'dev_ozone',
                        'configs': {'username': 'hdfs', 'password': 'hdfs',
                                    'ozone.om.http-address': 'http://om:9874',
-                                   'hadoop.security.authentication': 'simple'}})
+                                   'hadoop.security.authentication': 'simple',
+                                   'ranger.plugin.ozone.policy.refresh.synchronous':'true'}})
 
 services = [hdfs, yarn, hive, hbase, kafka, knox, kms, trino, ozone]
 for service in services:

security-admin/src/main/java/org/apache/ranger/AccessAuditsService.java

@@ -71,6 +71,7 @@ public AccessAuditsService() {
          */
         searchFields.add(new SearchField("-repoType", "-repoType", SearchField.DATA_TYPE.INTEGER, SearchField.SEARCH_TYPE.FULL));
         searchFields.add(new SearchField("-requestUser", "-reqUser", SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
+        searchFields.add(new SearchField("excludeResourceName", "-resource", SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.PARTIAL));
         searchFields.add(new SearchField("resourceType", "resType", SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
         searchFields.add(new SearchField("reason", "reason", SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
         searchFields.add(new SearchField("action", "action", SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));

security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java

@@ -552,6 +552,7 @@ public VXAccessAuditList getAccessLogs(@Context HttpServletRequest request, @Que
         searchUtil.extractStringList(request, searchCriteria, "excludeUser", "Exclude Users", "-requestUser", null, StringUtil.VALIDATION_TEXT);
         searchUtil.extractString(request, searchCriteria, "requestData", "Request Data", StringUtil.VALIDATION_TEXT);
         searchUtil.extractString(request, searchCriteria, "resourcePath", "Resource Name", StringUtil.VALIDATION_TEXT);
+        searchUtil.extractString(request, searchCriteria, "excludeResourceName", "Exclude Resource Name", StringUtil.VALIDATION_TEXT);
         searchUtil.extractString(request, searchCriteria, "clientIP", "Client IP", StringUtil.VALIDATION_TEXT);
         searchUtil.extractString(request, searchCriteria, "resourceType", "Resource Type", StringUtil.VALIDATION_TEXT);
         searchUtil.extractString(request, searchCriteria, "excludeServiceUser", "Exclude Service User", StringUtil.VALIDATION_TEXT);

security-admin/src/main/webapp/react-webapp/src/views/AuditEvent/AccessLogs.jsx

@@ -1009,6 +1009,12 @@ function Access() {
       urlLabel: "zoneName",
       type: "textoptions",
       options: getZones
+    },
+    {
+      category: "excludeResourceName",
+      label: "Exclude Resource Name",
+      urlLabel: "excludeResourceName",
+      type: "text"
     }
   ];