RANGER-5312: authz-embedded

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsDataShareEvaluator.java

@@ -127,7 +127,7 @@ public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls
             boolean isConditional = conditionEvaluator != null;
 
             for (GdsSharedResourceEvaluator evaluator : evaluators) {
-                evaluator.getResourceACLs(request, acls, isConditional, dshidEvaluators);
+                evaluator.getResourceACLs(request, acls, isConditional, this, dshidEvaluators);
             }
         }
 

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsDatasetEvaluator.java

@@ -149,24 +149,48 @@ public void evaluate(RangerAccessRequest request, GdsAccessResult result, Collec
         LOG.debug("<== GdsDatasetEvaluator.evaluate({}, {}, {})", request, result, projectsToEval);
     }
 
-    public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, Set<String> allowedAccessTypes) {
+    public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, GdsDataShareEvaluator dshEvaluator, GdsSharedResourceEvaluator sharedResourceEvaluator, GdsDshidEvaluator dshidEvaluator) {
         if (isActive()) {
             acls.getDatasets().add(getName());
 
             if (!policyEvaluators.isEmpty()) {
                 GdsDatasetAccessRequest datasetRequest = new GdsDatasetAccessRequest(getId(), gdsServiceDef, request);
 
                 for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
-                    policyEvaluator.getResourceACLs(datasetRequest, acls, isConditional, allowedAccessTypes, RangerPolicyResourceMatcher.MatchType.SELF, null);
+                    policyEvaluator.getResourceACLs(datasetRequest, acls, isConditional, sharedResourceEvaluator.getAllowedAccessTypes(), RangerPolicyResourceMatcher.MatchType.SELF, null);
                 }
             }
 
             for (GdsDipEvaluator dipEvaluator : dipEvaluators) {
-                dipEvaluator.getResourceACLs(request, acls, isConditional, allowedAccessTypes);
+                dipEvaluator.getResourceACLs(request, acls, isConditional, sharedResourceEvaluator, dshEvaluator, dshidEvaluator.getDatasetEvaluator());
             }
         }
     }
 
+    public void getResourceMasks(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, GdsSharedResourceEvaluator sharedResourceEvaluator, GdsDataShareEvaluator dshEvaluator) {
+        if (isActive()) {
+            acls.getDatasets().add(getName());
+
+            if (!policyEvaluators.isEmpty()) {
+                isConditional = isConditional || scheduleEvaluator != null;
+
+                GdsDatasetAccessRequest datasetRequest = new GdsDatasetAccessRequest(getId(), gdsServiceDef, request);
+
+                for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
+                    boolean isPolicyConditional = isConditional || policyEvaluator.getPolicyConditionsCount() != 0 || policyEvaluator.getValidityScheduleEvaluatorsCount() != 0;
+
+                    // TODO: updated acls with masks from sharedResourceEvaluator and dshEvaluator
+                }
+            }
+
+            /* TODO:
+            for (GdsDipEvaluator dipEvaluator : dipEvaluators) {
+                dipEvaluator.getResourceMasks(request, acls, isConditional, sharedResourceEvaluator, dshEvaluator, this);
+            }
+             */
+        }
+    }
+
     public boolean hasReference(Set<String> users, Set<String> groups, Set<String> roles) {
         boolean ret = false;
 

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsDipEvaluator.java

@@ -27,8 +27,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.util.Set;
-
 public class GdsDipEvaluator {
     private static final Logger LOG = LoggerFactory.getLogger(GdsDipEvaluator.class);
 
@@ -79,12 +77,12 @@ public boolean isAllowed(RangerAccessRequest request) {
         return ret;
     }
 
-    public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, Set<String> allowedAccessTypes) {
+    public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, GdsSharedResourceEvaluator sharedResourceEvaluator, GdsDataShareEvaluator dshEvaluator, GdsDatasetEvaluator dsEvaluator) {
         LOG.debug("==> GdsDipEvaluator.getResourceACLs({}, {})", request, acls);
 
         isConditional = isConditional || scheduleEvaluator != null;
 
-        projectEvaluator.getResourceACLs(request, acls, isConditional, allowedAccessTypes);
+        projectEvaluator.getResourceACLs(request, acls, isConditional, dshEvaluator, sharedResourceEvaluator, this);
 
         LOG.debug("<== GdsDipEvaluator.getResourceACLs({}, {})", request, acls);
     }

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsDshidEvaluator.java

@@ -27,8 +27,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.util.Set;
-
 public class GdsDshidEvaluator {
     private static final Logger LOG = LoggerFactory.getLogger(GdsDshidEvaluator.class);
 
@@ -79,13 +77,23 @@ public boolean isAllowed(RangerAccessRequest request) {
         return ret;
     }
 
-    public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, Set<String> allowedAccessTypes) {
+    public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, GdsDataShareEvaluator dshEvaluator, GdsSharedResourceEvaluator sharedResourceEvaluator) {
         LOG.debug("==> GdsDshidEvaluator.getResourceACLs({}, {})", request, acls);
 
         isConditional = isConditional || scheduleEvaluator != null;
 
-        datasetEvaluator.getResourceACLs(request, acls, isConditional, allowedAccessTypes);
+        datasetEvaluator.getResourceACLs(request, acls, isConditional, dshEvaluator, sharedResourceEvaluator, this);
 
         LOG.debug("<== GdsDshidEvaluator.getResourceACLs({}, {})", request, acls);
     }
+
+    public void getResourceMasks(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, GdsSharedResourceEvaluator sharedResourceEvaluator, GdsDataShareEvaluator dshEvaluator) {
+        LOG.debug("==> GdsDshidEvaluator.getResourceMasks({}, {})", request, acls);
+
+        isConditional = isConditional || scheduleEvaluator != null;
+
+        datasetEvaluator.getResourceMasks(request, acls, isConditional, sharedResourceEvaluator, dshEvaluator);
+
+        LOG.debug("<== GdsDshidEvaluator.getResourceMasks({}, {})", request, acls);
+    }
 }

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsPolicyEngine.java

@@ -95,7 +95,7 @@ public GdsAccessResult evaluate(RangerAccessRequest request) {
 
             evaluate(request, RangerPolicy.POLICY_TYPE_ACCESS, ret);
 
-            if (ret.getIsAllowed()) {
+            if (serviceDefHelper.isDataMaskSupported() && ret.getIsAllowed()) {
                 evaluate(request, RangerPolicy.POLICY_TYPE_DATAMASK, ret);
             }
 
@@ -128,6 +128,14 @@ public RangerResourceACLs getResourceACLs(RangerAccessRequest request) {
 
         getDataShareResources(request, RangerPolicy.POLICY_TYPE_ACCESS).keySet().forEach(e -> e.getResourceACLs(request, ret));
 
+        if (serviceDefHelper.isDataMaskSupported()) {
+            getDataShareResources(request, RangerPolicy.POLICY_TYPE_DATAMASK).keySet().forEach(e -> e.getResourceACLs(request, ret));
+        }
+
+        if (serviceDefHelper.isRowFilterSupported()) {
+            getDataShareResources(request, RangerPolicy.POLICY_TYPE_ROWFILTER).keySet().forEach(e -> e.getResourceACLs(request, ret));
+        }
+
         ret.finalizeAcls();
 
         return ret;

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsProjectEvaluator.java

@@ -137,7 +137,21 @@ public void evaluate(RangerAccessRequest request, GdsAccessResult result) {
         LOG.debug("<== GdsDatasetEvaluator.evaluate({}, {})", request, result);
     }
 
-    public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, Set<String> allowedAccessTypes) {
+    public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, GdsDataShareEvaluator dshEvaluator, GdsSharedResourceEvaluator sharedResourceEvaluator, GdsDipEvaluator dipEvaluator) {
+        if (isActive()) {
+            acls.getProjects().add(getName());
+
+            if (!policyEvaluators.isEmpty()) {
+                GdsProjectAccessRequest projectRequest = new GdsProjectAccessRequest(getId(), gdsServiceDef, request);
+
+                for (RangerPolicyEvaluator policyEvaluator : policyEvaluators) {
+                    policyEvaluator.getResourceACLs(projectRequest, acls, isConditional, sharedResourceEvaluator.getAllowedAccessTypes(), RangerPolicyResourceMatcher.MatchType.SELF, null);
+                }
+            }
+        }
+    }
+
+    public void getResourceMasks(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, Set<String> allowedAccessTypes) {
         if (isActive()) {
             acls.getProjects().add(getName());
 

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsSharedResourceEvaluator.java

@@ -205,7 +205,7 @@ public boolean isAllowed(RangerAccessRequest request) {
         return ret;
     }
 
-    public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, List<GdsDshidEvaluator> dshidEvaluators) {
+    public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, GdsDataShareEvaluator dshEvaluator, List<GdsDshidEvaluator> dshidEvaluators) {
         LOG.debug("==> GdsSharedResourceEvaluator.getResourceACLs({}, {})", request, acls);
 
         boolean isResourceMatch = policyResourceMatcher.isMatch(request.getResource(), request.getResourceElementMatchingScopes(), request.getContext());
@@ -214,13 +214,31 @@ public void getResourceACLs(RangerAccessRequest request, RangerResourceACLs acls
             isConditional = isConditional || conditionEvaluator != null;
 
             for (GdsDshidEvaluator dshidEvaluator : dshidEvaluators) {
-                dshidEvaluator.getResourceACLs(request, acls, isConditional, getAllowedAccessTypes());
+                dshidEvaluator.getResourceACLs(request, acls, isConditional, dshEvaluator, this);
             }
+
+            // TODO: get mask and row-filter
         }
 
         LOG.debug("<== GdsSharedResourceEvaluator.getResourceACLs({}, {})", request, acls);
     }
 
+    public void getResourceMasks(RangerAccessRequest request, RangerResourceACLs acls, boolean isConditional, GdsDataShareEvaluator dshEvaluator, List<GdsDshidEvaluator> dshidEvaluators) {
+        LOG.debug("==> GdsSharedResourceEvaluator.getResourceMasks({}, {})", request, acls);
+
+        boolean isResourceMatch = policyResourceMatcher.isMatch(request.getResource(), request.getResourceElementMatchingScopes(), request.getContext());
+
+        if (isResourceMatch) {
+            isConditional = isConditional || conditionEvaluator != null;
+
+            for (GdsDshidEvaluator dshidEvaluator : dshidEvaluators) {
+                dshidEvaluator.getResourceMasks(request, acls, isConditional, this, dshEvaluator);
+            }
+        }
+
+        LOG.debug("<== GdsSharedResourceEvaluator.getResourceMasks({}, {})", request, acls);
+    }
+
     public RangerPolicyItemRowFilterInfo getRowFilter() {
         return resource.getRowFilter();
     }