RANGER-4484: security-zone names should be made available in context

apache · Oct 19, 2023 · c49ed48 · c49ed48
1 parent bef8c89
commit c49ed48
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 9 deletions.
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -408,13 +408,13 @@ public Set<String> getMatchedZonesForResourceAndChildren(RangerAccessResource ac
     }
 
     public String getUniquelyMatchedZoneName(Map<String, ?> resourceAsMap) {
-        String ret = null;
         Set<String> matchedZones = getMatchedZonesForResourceAndChildren(resourceAsMap, convertToAccessResource(resourceAsMap));
-        if (CollectionUtils.isNotEmpty(matchedZones) && matchedZones.size() == 1) {
-            String[] matchedZonesArray = new String[1];
-            matchedZones.toArray(matchedZonesArray);
-            ret = matchedZonesArray[0];
+        String      ret          = (matchedZones != null && matchedZones.size() == 1) ? matchedZones.iterator().next() : null;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("getUniquelyMatchedZoneName(" + resourceAsMap + "): matchedZones=" + matchedZones + ", ret=" + ret);
         }
+
         return ret;
     }
 

diff --git a/...ts-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/...ts-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -273,7 +273,7 @@ public RangerResourceACLs getResourceACLs(RangerAccessRequest request, Integer r
 
 			requestProcessor.preProcess(request);
 
-			String zoneName = policyEngine.getUniquelyMatchedZoneName(request.getResource().getAsMap());
+			String zoneName = RangerAccessRequestUtil.getResourceZoneNameFromContext(request.getContext());
 
 			if (LOG.isDebugEnabled()) {
 				LOG.debug("zoneName:[" + zoneName + "]");
@@ -556,7 +556,7 @@ public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest reques
 		requestProcessor.preProcess(request);
 
 		RangerResourceAccessInfo ret       = new RangerResourceAccessInfo(request);
-		Set<String>              zoneNames = policyEngine.getMatchedZonesForResourceAndChildren(request.getResource());
+		Set<String>              zoneNames = RangerAccessRequestUtil.getResourceZoneNamesFromContext(request.getContext());
 
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("zoneNames:[" + zoneNames + "]");
@@ -633,7 +633,7 @@ private RangerAccessResult zoneAwareAccessEvaluationWithNoAudit(RangerAccessRequ
 		RangerAccessResult     ret                 = null;
 		RangerPolicyRepository policyRepository    = policyEngine.getPolicyRepository();
 		RangerPolicyRepository tagPolicyRepository = policyEngine.getTagPolicyRepository();
-		Set<String>            zoneNames            = policyEngine.getMatchedZonesForResourceAndChildren(request.getResource()); // Evaluate zone-name from request
+		Set<String>            zoneNames            = RangerAccessRequestUtil.getResourceZoneNamesFromContext(request.getContext());
 
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("zoneNames:[" + zoneNames + "]");

diff --git a/...mon/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java b/...mon/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
@@ -360,6 +360,18 @@ public String getResource() {
 		return ret;
 	}
 
+	public String getResourceZone() {
+		String ret = RangerAccessRequestUtil.getResourceZoneNameFromContext(getRequestContext());
+
+		return ret != null ? ret : StringUtils.EMPTY;
+	}
+
+	public Set<String> getResourceZones() {
+		Set<String> ret = RangerAccessRequestUtil.getResourceZoneNamesFromContext(getRequestContext());
+
+		return ret != null ? Collections.emptySet() : ret;
+	}
+
 	public String getRequestContextAttribute(String attributeName) {
 		String ret = null;
 

diff --git a/...-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java b/...-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
@@ -130,6 +130,10 @@ public void preProcess(RangerAccessRequest request) {
             RangerAccessRequestUtil.setCurrentUserRolesInContext(request.getContext(), roles);
         }
 
+        Set<String> zoneNames = policyEngine.getMatchedZonesForResourceAndChildren(request.getResource());
+
+        RangerAccessRequestUtil.setResourceZoneNamesInContext(request, zoneNames);
+
         enrich(request);
 
         RangerAccessRequestUtil.setIsRequestPreprocessed(request.getContext(), Boolean.TRUE);

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -48,6 +48,7 @@ public class RangerAccessRequestUtil {
 	public static final String KEY_CONTEXT_IS_ANY_ACCESS = "ISANYACCESS";
 	public static final String KEY_CONTEXT_REQUEST       = "_REQUEST";
 	public static final String KEY_CONTEXT_IS_REQUEST_PREPROCESSED = "ISREQUESTPREPROCESSED";
+	public static final String KEY_CONTEXT_RESOURCE_ZONE_NAMES     = "RESOURCE_ZONE_NAMES";
 
 	public static void setRequestTagsInContext(Map<String, Object> context, Set<RangerTagForEval> tags) {
 		if(CollectionUtils.isEmpty(tags)) {
@@ -131,6 +132,7 @@ public static Map<String, Object> copyContext(Map<String, Object> context) {
 			ret.remove(KEY_CONTEXT_TAGS);
 			ret.remove(KEY_CONTEXT_TAG_OBJECT);
 			ret.remove(KEY_CONTEXT_RESOURCE);
+			ret.remove(KEY_CONTEXT_RESOURCE_ZONE_NAMES);
 			ret.remove(KEY_CONTEXT_REQUEST);
 			ret.remove(KEY_CONTEXT_ACCESSTYPES);
 			ret.remove(KEY_CONTEXT_IS_ANY_ACCESS);
@@ -257,4 +259,38 @@ public static RangerAccessRequest getRequestFromContext(Map<String, Object> cont
 		return ret;
 	}
 
+	public static void setResourceZoneNamesInContext(RangerAccessRequest request, Set<String> zoneNames) {
+		Map<String, Object> context = request.getContext();
+
+		if (context != null) {
+			context.put(KEY_CONTEXT_RESOURCE_ZONE_NAMES, zoneNames);
+		} else {
+			LOG.error("setResourceZoneNamesInContext({}): context is null", request);
+		}
+	}
+
+	@SuppressWarnings("unchecked")
+	public static Set<String> getResourceZoneNamesFromContext(Map<String, Object> context) {
+		Set<String> ret = null;
+
+		if (context != null) {
+			Object val = context.get(KEY_CONTEXT_RESOURCE_ZONE_NAMES);
+
+			if (val instanceof Set) {
+				ret = (Set<String>) val;
+			} else {
+				if (val != null) {
+					LOG.error("getResourceZoneNamesFromContext(): expected Set<String>, but found {}", val.getClass().getCanonicalName());
+				}
+			}
+		}
+
+		return ret;
+	}
+
+	public static String getResourceZoneNameFromContext(Map<String, Object> context) {
+		Set<String> ret = getResourceZoneNamesFromContext(context);
+
+		return ret != null && ret.size() == 1 ? ret.iterator().next() : null;
+	}
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -646,7 +646,7 @@ private List<RangerPolicy> getMatchingPolicies(RangerAccessResource resource, St
 
         requestProcessor.preProcess(request);
 
-        Set<String> zoneNames = policyEngine.getMatchedZonesForResourceAndChildren(resource);
+        Set<String> zoneNames = RangerAccessRequestUtil.getResourceZoneNamesFromContext(request.getContext());
 
         if (CollectionUtils.isEmpty(zoneNames)) {
             getMatchingPoliciesForZone(request, null, ret);