public void createNewPolMappingForRefTable()

in security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java [128:343]


    /**
     * Rebuilds the policy-reference ("ref") table rows for {@code policy}: the resources, roles, groups,
     * users, access-types, condition-types and data-mask types referenced by the policy and its items.
     * Existing ref rows are removed first via {@code cleanupRefTables(policy)}, so this is a replace,
     * not a merge.
     *
     * <p>Every referenced name is resolved against a definition table (resource / access-type /
     * condition / data-mask type) or against the principal tables (role / group / user); any unknown
     * name fails the whole call. Writes are issued as one batch per ref type, in sequence, so a failure
     * part-way through leaves earlier batches already handed to the DAO layer — rollback is presumably
     * the enclosing transaction's job (not verifiable from this method).
     *
     * @param policy the policy whose references are recorded; {@code null} is a no-op
     * @param xPolicy the persisted policy row; supplies the service id and the audit fields copied
     *        onto most ref rows
     * @param xServiceDef the persisted service-def row; used only to resolve condition-types
     * @param createPrincipalsIfAbsent when {@code true} and the current user has admin access, roles,
     *        groups and users missing from the principal tables are created on transaction commit;
     *        otherwise a missing principal is rejected. For a non-admin caller the flag is downgraded
     *        to {@code false} with a warning rather than rejected outright.
     * @throws Exception if a referenced resource, access-type, condition-type or data-mask type is not
     *         defined for the policy's service
     * @throws RuntimeException the REST exception built by {@code restErrorUtil.generateRESTException}
     *         (HTTP 400) when a referenced role, group or user does not exist and creation is not
     *         permitted
     */
    public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef, boolean createPrincipalsIfAbsent) throws Exception {
        if (policy == null) {
            return;
        }

        // Replace semantics: drop whatever ref rows this policy already has before re-deriving them.
        cleanupRefTables(policy);

        // Collect every distinct name the policy references; each set is resolved and persisted below.
        final Set<String> resourceNames  = policy.getResources().keySet();
        final Set<String> roleNames      = new HashSet<>();
        final Set<String> groupNames     = new HashSet<>();
        final Set<String> userNames      = new HashSet<>();
        final Set<String> accessTypes    = new HashSet<>();
        final Set<String> conditionTypes = new HashSet<>();
        final Set<String> dataMaskTypes  = new HashSet<>();
        // NOTE(review): captured here and restored after the role loop, but nothing in between changes
        // bulk mode — looks like a leftover from an earlier version; confirm before touching.
        boolean           oldBulkMode    = RangerBizUtil.isBulkMode();

        // Policy-level conditions share the same condition-type set as item-level conditions.
        List<RangerPolicy.RangerPolicyItemCondition> rangerPolicyConditions = policy.getConditions();

        if (CollectionUtils.isNotEmpty(rangerPolicyConditions)) {
            for (RangerPolicy.RangerPolicyItemCondition condition : rangerPolicyConditions) {
                conditionTypes.add(condition.getType());
            }
        }

        // getAllPolicyItems is presumed to yield every item list of the policy (allow/deny/exceptions/
        // mask/row-filter); its contents are not visible here.
        for (List<? extends RangerPolicyItem> policyItems : getAllPolicyItems(policy)) {
            if (CollectionUtils.isEmpty(policyItems)) {
                continue;
            }

            for (RangerPolicyItem policyItem : policyItems) {
                // No null-guard: relies on getRoles/getGroups/getUsers never returning null — TODO confirm.
                roleNames.addAll(policyItem.getRoles());
                groupNames.addAll(policyItem.getGroups());
                userNames.addAll(policyItem.getUsers());

                if (CollectionUtils.isNotEmpty(policyItem.getAccesses())) {
                    for (RangerPolicyItemAccess access : policyItem.getAccesses()) {
                        accessTypes.add(access.getType());
                    }
                }

                if (CollectionUtils.isNotEmpty(policyItem.getConditions())) {
                    for (RangerPolicyItemCondition condition : policyItem.getConditions()) {
                        conditionTypes.add(condition.getType());
                    }
                }

                // Only masking items carry a data-mask type. getDataMaskInfo() is assumed non-null — confirm.
                if (policyItem instanceof RangerDataMaskPolicyItem) {
                    RangerPolicyItemDataMaskInfo dataMaskInfo = ((RangerDataMaskPolicyItem) policyItem).getDataMaskInfo();

                    dataMaskTypes.add(dataMaskInfo.getDataMaskType());
                }
            }
        }

        // --- resources: resolved per policy id, must exist in the service-def ---
        List<XXPolicyRefResource> xPolResources = new ArrayList<>();

        for (String resource : resourceNames) {
            XXResourceDef xResDef = daoMgr.getXXResourceDef().findByNameAndPolicyId(resource, policy.getId());

            if (xResDef == null) {
                // Message echoes caller-supplied names; fine for an admin API, but keep it out of end-user UIs unescaped.
                throw new Exception(resource + ": is not a valid resource-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
            }

            XXPolicyRefResource xPolRes = rangerAuditFields.populateAuditFields(new XXPolicyRefResource(), xPolicy);

            xPolRes.setPolicyId(policy.getId());
            xPolRes.setResourceDefId(xResDef.getId());
            xPolRes.setResourceName(resource);

            xPolResources.add(xPolRes);
        }

        daoMgr.getXXPolicyRefResource().batchCreate(xPolResources);

        // Privilege gate: creating principals as a side effect of saving a policy is admin-only.
        // A non-admin request is not rejected here; the flag is cleared, so a missing principal
        // further down is reported as a 400 instead of being auto-created.
        if (createPrincipalsIfAbsent && !rangerBizUtil.checkAdminAccess()) {
            LOG.warn("policy={}: createPrincipalIfAbsent=true, but current user does not have admin privileges!", policy.getName());

            createPrincipalsIfAbsent = false;
        }

        // NOTE(review): this list is never populated — the batchCreate below receives an empty list.
        // Role refs appear to be written by PolicyPrincipalAssociator instead (inferred from doAssociate).
        List<XXPolicyRefRole> xPolRoles = new ArrayList<>();

        // --- roles: blank names skipped; unknown names are created on commit or rejected ---
        for (String role : roleNames) {
            if (StringUtils.isBlank(role)) {
                continue;
            }

            PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.ROLE, role, xPolicy);

            // doAssociate(false) presumably means "associate without creating"; a false return is read as
            // "principal does not exist" — confirm against PolicyPrincipalAssociator.
            if (!associator.doAssociate(false)) {
                if (createPrincipalsIfAbsent) {
                    // Deferred: the principal is created (and associated) only once the transaction commits.
                    rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
                } else {
                    VXResponse gjResponse = new VXResponse();

                    gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST);
                    gjResponse.setMsgDesc("Operation denied. Role name: " + role + " specified in policy does not exist in ranger admin.");

                    throw restErrorUtil.generateRESTException(gjResponse);
                }
            }
        }

        // Restores the value captured above; effectively a no-op since bulk mode was not changed here.
        RangerBizUtil.setBulkMode(oldBulkMode);

        daoMgr.getXXPolicyRefRole().batchCreate(xPolRoles);

        // --- groups: same handling as roles ---
        for (String group : groupNames) {
            if (StringUtils.isBlank(group)) {
                continue;
            }

            PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.GROUP, group, xPolicy);

            if (!associator.doAssociate(false)) {
                if (createPrincipalsIfAbsent) {
                    rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
                } else {
                    VXResponse gjResponse = new VXResponse();

                    gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST);
                    gjResponse.setMsgDesc("Operation denied. Group name: " + group + " specified in policy does not exist in ranger admin.");

                    throw restErrorUtil.generateRESTException(gjResponse);
                }
            }
        }

        // --- users: same handling as roles ---
        for (String user : userNames) {
            if (StringUtils.isBlank(user)) {
                continue;
            }

            PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.USER, user, xPolicy);

            if (!associator.doAssociate(false)) {
                if (createPrincipalsIfAbsent) {
                    rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
                } else {
                    VXResponse gjResponse = new VXResponse();

                    gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST);
                    gjResponse.setMsgDesc("Operation denied. User name: " + user + " specified in policy does not exist in ranger admin.");

                    throw restErrorUtil.generateRESTException(gjResponse);
                }
            }
        }

        // --- access-types: resolved against the service id, must exist in the service-def ---
        List<XXPolicyRefAccessType> xPolAccesses = new ArrayList<>();

        // ignore built-in access-types while creating ref-table entries
        accessTypes.removeAll(ServiceDefUtil.ACCESS_TYPE_MARKERS);

        for (String accessType : accessTypes) {
            XXAccessTypeDef xAccTypeDef = daoMgr.getXXAccessTypeDef().findByNameAndServiceId(accessType, xPolicy.getService());

            if (xAccTypeDef == null) {
                throw new Exception(accessType + ": is not a valid access-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
            }

            XXPolicyRefAccessType xPolAccess = rangerAuditFields.populateAuditFields(new XXPolicyRefAccessType(), xPolicy);

            xPolAccess.setPolicyId(policy.getId());
            xPolAccess.setAccessDefId(xAccTypeDef.getId());
            xPolAccess.setAccessTypeName(accessType);

            xPolAccesses.add(xPolAccess);
        }

        daoMgr.getXXPolicyRefAccessType().batchCreate(xPolAccesses);

        // --- condition-types: resolved against the service-def id (not the service id, unlike access-types) ---
        List<XXPolicyRefCondition> xPolConds = new ArrayList<>();

        for (String condition : conditionTypes) {
            XXPolicyConditionDef xPolCondDef = daoMgr.getXXPolicyConditionDef().findByServiceDefIdAndName(xServiceDef.getId(), condition);

            if (xPolCondDef == null) {
                // The implicit expression condition has no service-def entry by design; it gets no ref row.
                if (StringUtils.equalsIgnoreCase(condition, ServiceDefUtil.IMPLICIT_CONDITION_EXPRESSION_NAME)) {
                    continue;
                }

                // Uses xPolicy rather than policy for name/service in the message; the other messages use policy.
                throw new Exception(condition + ": is not a valid condition-type. policy='" + xPolicy.getName() + "' service='" + xPolicy.getService() + "'");
            }

            XXPolicyRefCondition xPolCond = rangerAuditFields.populateAuditFields(new XXPolicyRefCondition(), xPolicy);

            xPolCond.setPolicyId(policy.getId());
            xPolCond.setConditionDefId(xPolCondDef.getId());
            xPolCond.setConditionName(condition);

            xPolConds.add(xPolCond);
        }

        daoMgr.getXXPolicyRefCondition().batchCreate(xPolConds);

        // --- data-mask types: resolved against the service id ---
        List<XXPolicyRefDataMaskType> xxDataMaskInfos = new ArrayList<>();

        for (String dataMaskType : dataMaskTypes) {
            XXDataMaskTypeDef dataMaskDef = daoMgr.getXXDataMaskTypeDef().findByNameAndServiceId(dataMaskType, xPolicy.getService());

            if (dataMaskDef == null) {
                throw new Exception(dataMaskType + ": is not a valid datamask-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");
            }

            // NOTE(review): unlike the resource/access/condition ref rows above, no
            // rangerAuditFields.populateAuditFields(...) call here — confirm whether
            // XXPolicyRefDataMaskType carries audit columns that are expected to be set.
            XXPolicyRefDataMaskType xxDataMaskInfo = new XXPolicyRefDataMaskType();

            xxDataMaskInfo.setPolicyId(policy.getId());
            xxDataMaskInfo.setDataMaskDefId(dataMaskDef.getId());
            xxDataMaskInfo.setDataMaskTypeName(dataMaskType);

            xxDataMaskInfos.add(xxDataMaskInfo);
        }

        daoMgr.getXXPolicyRefDataMaskType().batchCreate(xxDataMaskInfos);
    }