RANGER-4985: update GdsAccessResult to include fields allowedByDatase…

…ts and allowedByProjects
apache · Nov 7, 2024 · e4b7f14 · e4b7f14
1 parent bec8af3
commit e4b7f14
Show file tree

Hide file tree

Showing 7 changed files with 241 additions and 99 deletions.
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -29,12 +29,14 @@
 import java.util.Set;
 
 public class RangerAccessResult {
-	public  final static String KEY_MASK_TYPE      = "maskType";
-	public  final static String KEY_MASK_CONDITION = "maskCondition";
-	public  final static String KEY_MASKED_VALUE   = "maskedValue";
-	private final static String KEY_FILTER_EXPR    = "filterExpr";
-	private final static String KEY_DATASETS       = "datasets";
-	private final static String KEY_PROJECTS       = "projects";
+	public  final static String KEY_MASK_TYPE           = "maskType";
+	public  final static String KEY_MASK_CONDITION      = "maskCondition";
+	public  final static String KEY_MASKED_VALUE        = "maskedValue";
+	private final static String KEY_FILTER_EXPR         = "filterExpr";
+	private final static String KEY_DATASETS            = "datasets";
+	private final static String KEY_PROJECTS            = "projects";
+	private final static String KEY_ALLOWED_BY_DATASETS = "allowedByDatasets";
+	private final static String KEY_ALLOWED_BY_PROJECTS = "allowedByProjects";
 
 	private final String              serviceName;
 	private final RangerServiceDef    serviceDef;
@@ -352,6 +354,30 @@ public void setProjects(Set<String> projects) {
 		}
 	}
 
+	public Set<String> getAllowedByDatasets() {
+		return additionalInfo == null ? null : (Set<String>) additionalInfo.get(KEY_ALLOWED_BY_DATASETS);
+	}
+
+	public void setAllowedByDatasets(Set<String> datasets) {
+		if (datasets == null) {
+			removeAdditionalInfo(KEY_ALLOWED_BY_DATASETS);
+		} else {
+			addAdditionalInfo(KEY_ALLOWED_BY_DATASETS, datasets);
+		}
+	}
+
+	public Set<String> getAllowedByProjects() {
+		return additionalInfo == null ? null : (Set<String>) additionalInfo.get(KEY_ALLOWED_BY_PROJECTS);
+	}
+
+	public void setAllowedByProjects(Set<String> projects) {
+		if (projects == null) {
+			removeAdditionalInfo(KEY_ALLOWED_BY_PROJECTS);
+		} else {
+			addAdditionalInfo(KEY_ALLOWED_BY_PROJECTS, projects);
+		}
+	}
+
 	@Override
 	public String toString( ) {
 		StringBuilder sb = new StringBuilder();

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsAccessResult.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsAccessResult.java
@@ -22,41 +22,19 @@
 import java.util.*;
 
 public class GdsAccessResult {
-    private Set<String> datasets;
-    private Set<String> projects;
     private boolean     isAllowed;
     private boolean     isAudited;
     private long        policyId = -1;
     private Long        policyVersion;
+    private Set<String> datasets;
+    private Set<String> projects;
+    private Set<String> allowedByDatasets;
+    private Set<String> allowedByProjects;
 
 
     public GdsAccessResult() {
     }
 
-    public void addDataset(String name) {
-        if (datasets == null) {
-            datasets = new HashSet<>();
-        }
-
-        datasets.add(name);
-    }
-
-    public Set<String> getDatasets() {
-        return datasets;
-    }
-
-    public void addProject(String name) {
-        if (projects == null) {
-            projects = new HashSet<>();
-        }
-
-        projects.add(name);
-    }
-
-    public Set<String> getProjects() {
-        return projects;
-    }
-
     public boolean getIsAllowed() {
         return isAllowed;
     }
@@ -89,9 +67,57 @@ public void setPolicyVersion(Long policyVersion) {
         this.policyVersion = policyVersion;
     }
 
+    public Set<String> getDatasets() {
+        return datasets;
+    }
+
+    public Set<String> getProjects() {
+        return projects;
+    }
+
+    public Set<String> getAllowedByDatasets() {
+        return allowedByDatasets;
+    }
+
+    public Set<String> getAllowedByProjects() {
+        return allowedByProjects;
+    }
+
+    public void addDataset(String name) {
+        if (datasets == null) {
+            datasets = new HashSet<>();
+        }
+
+        datasets.add(name);
+    }
+
+    public void addProject(String name) {
+        if (projects == null) {
+            projects = new HashSet<>();
+        }
+
+        projects.add(name);
+    }
+
+    public void addAllowedByDataset(String name) {
+        if (allowedByDatasets == null) {
+            allowedByDatasets = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
+        }
+
+        allowedByDatasets.add(name);
+    }
+
+    public void addAllowedByProject(String name) {
+        if (allowedByProjects == null) {
+            allowedByProjects = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
+        }
+
+        allowedByProjects.add(name);
+    }
+
     @Override
     public int hashCode() {
-        return Objects.hash(datasets, projects, isAllowed, isAudited, policyId, policyVersion);
+        return Objects.hash(isAllowed, isAudited, policyId, policyVersion, datasets, projects, allowedByDatasets, allowedByProjects);
     }
 
     @Override
@@ -103,12 +129,14 @@ public boolean equals(Object obj) {
         } else {
             GdsAccessResult other = (GdsAccessResult) obj;
 
-            return Objects.equals(datasets, other.datasets) &&
-                   Objects.equals(projects, other.projects) &&
-                   Objects.equals(isAllowed, other.isAllowed) &&
+            return Objects.equals(isAllowed, other.isAllowed) &&
                    Objects.equals(isAudited, other.isAudited) &&
                    Objects.equals(policyId, other.policyId) &&
-                   Objects.equals(policyVersion, other.policyVersion);
+                   Objects.equals(policyVersion, other.policyVersion) &&
+                   Objects.equals(datasets, other.datasets) &&
+                   Objects.equals(projects, other.projects) &&
+                   Objects.equals(allowedByDatasets, other.allowedByDatasets) &&
+                   Objects.equals(allowedByProjects, other.allowedByProjects);
         }
     }
 
@@ -123,12 +151,14 @@ public String toString( ) {
 
     public StringBuilder toString(StringBuilder sb) {
         sb.append("RangerGdsAccessResult={");
-        sb.append("datasets={").append(datasets).append("}");
-        sb.append(", projects={").append(projects).append("}");
-        sb.append(", isAllowed={").append(isAllowed).append("}");
+        sb.append("isAllowed={").append(isAllowed).append("}");
         sb.append(", isAudited={").append(isAudited).append("}");
         sb.append(", policyId={").append(policyId).append("}");
         sb.append(", policyVersion={").append(policyVersion).append("}");
+        sb.append(", datasets={").append(datasets).append("}");
+        sb.append(", projects={").append(projects).append("}");
+        sb.append(", allowedByDatasets={").append(allowedByDatasets).append("}");
+        sb.append(", allowedByProjects={").append(allowedByProjects).append("}");
         sb.append("}");
 
         return sb;

diff --git a/...common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsDataShareEvaluator.java b/...common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsDataShareEvaluator.java
@@ -30,10 +30,10 @@
 import org.slf4j.LoggerFactory;
 
 import java.util.ArrayList;
-import java.util.Collection;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import java.util.TreeSet;
 import java.util.stream.Collectors;
@@ -75,7 +75,7 @@ public String getZoneName() {
 
     public Set<String> getDefaultAccessTypes() { return dsh.getDefaultAccessTypes(); }
 
-    public Collection<GdsSharedResourceEvaluator> getResourceEvaluators() { return evaluators; }
+    public Set<GdsSharedResourceEvaluator> getResourceEvaluators() { return evaluators; }
 
     public List<GdsDshidEvaluator> getDshidEvaluators() { return dshidEvaluators; }
 
@@ -100,16 +100,16 @@ public boolean isInProject(Long projectId) {
         return dshidEvaluators.stream().anyMatch(e -> e.getDatasetEvaluator().isInProject(projectId) && e.isActive());
     }
 
-    public void collectDatasets(RangerAccessRequest request, GdsAccessResult result, Set<Long> datasetIds) {
-        LOG.debug("==> GdsDataShareEvaluator.collectDatasets({}, {})", request, result);
+    public void collectDatasets(RangerAccessRequest request, Map<GdsDatasetEvaluator, Set<GdsDataShareEvaluator>> datasetsToEval) {
+        LOG.debug("==> GdsDataShareEvaluator.collectDatasets({}, {})", request, datasetsToEval);
 
         boolean isAllowed = conditionEvaluator == null || conditionEvaluator.isMatched(request);
 
         if (isAllowed) {
-            dshidEvaluators.stream().filter(e -> !datasetIds.contains(e.getDatasetId()) && e.isAllowed(request) && e.getDatasetEvaluator().isActive()).map(GdsDshidEvaluator::getDatasetId).forEach(datasetIds::add);
+            dshidEvaluators.stream().filter(dshid -> dshid.isAllowed(request) && dshid.getDatasetEvaluator().isActive()).forEach(dshid -> datasetsToEval.computeIfAbsent(dshid.getDatasetEvaluator(), s -> new TreeSet<>(GdsDataShareEvaluator.EVAL_ORDER_COMPARATOR)).add(this));
         }
 
-        LOG.debug("<== GdsDataShareEvaluator.collectDatasets({}, {})", request, result);
+        LOG.debug("<== GdsDataShareEvaluator.collectDatasets({}, {})", request, datasetsToEval);
     }
 
     public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls) {

diff --git a/...s-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsDatasetEvaluator.java b/...s-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsDatasetEvaluator.java
@@ -27,11 +27,13 @@
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import org.apache.ranger.plugin.policyevaluator.RangerValidityScheduleEvaluator;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 import org.apache.ranger.plugin.util.ServiceGdsInfo.DatasetInfo;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.List;
@@ -97,8 +99,8 @@ public boolean isActive() {
         return scheduleEvaluator == null || scheduleEvaluator.isApplicable(System.currentTimeMillis());
     }
 
-    public void evaluate(RangerAccessRequest request, GdsAccessResult result, Set<Long> projectIds) {
-        LOG.debug("==> GdsDatasetEvaluator.evaluate({}, {})", request, result);
+    public void evaluate(RangerAccessRequest request, GdsAccessResult result, Collection<GdsProjectEvaluator> projectsToEval) {
+        LOG.debug("==> GdsDatasetEvaluator.evaluate({}, {}, {})", request, result, projectsToEval);
 
         if (isActive()) {
             result.addDataset(getName());
@@ -107,7 +109,19 @@ public void evaluate(RangerAccessRequest request, GdsAccessResult result, Set<Lo
                 GdsDatasetAccessRequest datasetRequest = new GdsDatasetAccessRequest(getId(), gdsServiceDef, request);
                 RangerAccessResult      datasetResult  = datasetRequest.createAccessResult();
 
-                policyEvaluators.forEach(e -> e.evaluate(datasetRequest, datasetResult));
+                try {
+                    RangerAccessRequestUtil.setAccessTypeResults(datasetRequest.getContext(), null);
+                    RangerAccessRequestUtil.setAccessTypeACLResults(datasetRequest.getContext(), null);
+
+                    policyEvaluators.forEach(e -> e.evaluate(datasetRequest, datasetResult));
+                } finally {
+                    RangerAccessRequestUtil.setAccessTypeResults(datasetRequest.getContext(), null);
+                    RangerAccessRequestUtil.setAccessTypeACLResults(datasetRequest.getContext(), null);
+                }
+
+                if (datasetResult.getIsAllowed()) {
+                    result.addAllowedByDataset(getName());
+                }
 
                 if (!result.getIsAllowed()) {
                     if (datasetResult.getIsAllowed()) {
@@ -122,10 +136,10 @@ public void evaluate(RangerAccessRequest request, GdsAccessResult result, Set<Lo
                 }
             }
 
-            dipEvaluators.stream().filter(e -> !projectIds.contains(e.getProjectId()) && e.isAllowed(request) && e.getProjectEvaluator().isActive()).map(GdsDipEvaluator::getProjectId).forEach(projectIds::add);
+            dipEvaluators.stream().filter(e -> e.isAllowed(request) && e.getProjectEvaluator().isActive()).forEach(dip -> projectsToEval.add(dip.getProjectEvaluator()));
         }
 
-        LOG.debug("<== GdsDatasetEvaluator.evaluate({}, {})", request, result);
+        LOG.debug("<== GdsDatasetEvaluator.evaluate({}, {}, {})", request, result, projectsToEval);
     }
 
     public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, Set<String> allowedAccessTypes) {