POC: support evaluting entity attributes with policyConditions

atlanhq · Feb 29, 2024 · 2fa7ac3 · 2fa7ac3
1 parent 57e56f6
commit 2fa7ac3
Show file tree

Hide file tree

Showing 8 changed files with 33 additions and 8 deletions.
diff --git a/auth-agents-common/pom.xml b/auth-agents-common/pom.xml
@@ -37,6 +37,12 @@
     </properties>
 
     <dependencies>
+       <!-- <dependency>
+            <groupId>org.apache.ranger</groupId>
+            <artifactId>ranger-plugins-common</artifactId>
+            <version>3.0.0-SNAPSHOT</version>
+        </dependency>-->
+
         <dependency>
             <groupId>org.apache.atlas</groupId>
             <artifactId>atlas-intg</artifactId>

diff --git a/.../main/java/org/apache/atlas/plugin/conditionevaluator/RangerScriptConditionEvaluator.java b/.../main/java/org/apache/atlas/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
@@ -152,12 +152,14 @@ public boolean isMatched(RangerAccessRequest request) {
 				RangerScriptExecutionContext context    = new RangerScriptExecutionContext(readOnlyRequest);
 				RangerTagForEval             currentTag = context.getCurrentTag();
 				Map<String, String>          tagAttribs = currentTag != null ? currentTag.getAttributes() : Collections.emptyMap();
+				Map<String, String>          attributes = (Map<String, String>) readOnlyRequest.getContext().get("entityAttributes");
 
 				Bindings bindings = scriptEngine.createBindings();
 
 				bindings.put("ctx", context);
 				bindings.put("tag", currentTag);
 				bindings.put("tagAttr", tagAttribs);
+				bindings.put("attributes", attributes);
 
 				if (enableJsonCtx) {
 					bindings.put(SCRIPT_VAR_CONTEXT_JSON, context.toJson());

diff --git a/...src/main/java/org/apache/atlas/plugin/policyevaluator/RangerCustomConditionEvaluator.java b/...src/main/java/org/apache/atlas/plugin/policyevaluator/RangerCustomConditionEvaluator.java
@@ -51,7 +51,7 @@ public List<RangerConditionEvaluator> getRangerPolicyConditionEvaluator(RangerPo
 
             RangerPerfTracer perf = null;
 
-            long policyId = policy.getId();
+            String policyId = policy.getGuid();
 
             if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)) {
                 perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerCustomConditionEvaluator.init(policyId=" + policyId + ")");

diff --git a/...n/src/main/java/org/apache/atlas/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/...n/src/main/java/org/apache/atlas/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -1389,7 +1389,7 @@ private boolean matchPolicyCustomConditions(RangerAccessRequest request) {
 						conditionType = ((RangerAbstractConditionEvaluator)conditionEvaluator).getPolicyItemCondition().getType();
 					}
 
-					perf = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_REQUEST_LOG, "RangerConditionEvaluator.matchPolicyCustomConditions(policyId=" + getId() +  ",policyConditionType=" + conditionType + ")");
+					perf = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_REQUEST_LOG, "RangerConditionEvaluator.matchPolicyCustomConditions(policyId=" + getGuid() +  ",policyConditionType=" + conditionType + ")");
 				}
 
 				boolean conditionEvalResult = conditionEvaluator.isMatched(request);

diff --git a/...s-common/src/main/java/org/apache/atlas/policytransformer/CachePolicyTransformerImpl.java b/...s-common/src/main/java/org/apache/atlas/policytransformer/CachePolicyTransformerImpl.java
@@ -25,6 +25,7 @@
 import org.apache.atlas.model.discovery.AtlasSearchResult;
 import org.apache.atlas.model.discovery.IndexSearchParams;
 import org.apache.atlas.model.instance.AtlasEntityHeader;
+import org.apache.atlas.model.instance.AtlasStruct;
 import org.apache.atlas.plugin.util.ServicePolicies;
 import org.apache.atlas.plugin.model.RangerPolicy;
 import org.apache.atlas.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;
@@ -384,11 +385,12 @@ private List<RangerPolicyItemCondition> getPolicyConditions(AtlasEntityHeader at
 
         List<HashMap<String, Object>> conditions = (List<HashMap<String, Object>>) atlasPolicy.getAttribute("policyConditions");
 
-        for (HashMap<String, Object> condition : conditions) {
+        for (Object condition : conditions) {
+            AtlasStruct toStruct = (AtlasStruct) condition;
             RangerPolicyItemCondition rangerCondition = new RangerPolicyItemCondition();
 
-            rangerCondition.setType((String) condition.get("policyConditionType"));
-            rangerCondition.setValues((List<String>) condition.get("policyConditionValues"));
+            rangerCondition.setType((String) toStruct.getAttribute("policyConditionType"));
+            rangerCondition.setValues((List<String>) toStruct.getAttribute("policyConditionValues"));
 
             ret.add(rangerCondition);
         }

diff --git a/auth-agents-common/src/main/resources/service-defs/atlas-servicedef-atlas.json b/auth-agents-common/src/main/resources/service-defs/atlas-servicedef-atlas.json
@@ -498,5 +498,17 @@
 	],
 	"options": {
 		"enableDenyAndExceptionsInPolicies": "true"
-	}
+	},
+
+	"policyConditions":
+	[
+		{
+			"itemId":2,
+			"name":"expression",
+			"evaluator": "org.apache.atlas.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+			"evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
+			"label":"Enter boolean expression",
+			"description": "Boolean expression"
+		}
+	]
 }
diff --git a/.../src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/.../src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -686,9 +686,12 @@ private boolean isAccessAllowed(AtlasEntityAccessRequest request, RangerAtlasAud
                 rangerResource.setValue(RESOURCE_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classification));
             }
 
+            Map<String, Object> contextOjb = rangerRequest.getContext();
+            contextOjb.put("entityAttributes", request.getEntity().getAttributes());
+
             if (CollectionUtils.isNotEmpty(request.getEntityClassifications())) {
                 Set<AtlasClassification> entityClassifications = request.getEntityClassifications();
-                Map<String, Object> contextOjb = rangerRequest.getContext();
+
 
                 Set<RangerTagForEval> rangerTagForEval = getRangerServiceTag(entityClassifications);
 

diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java
@@ -1499,7 +1499,7 @@ private EntityMutationResponse createOrUpdate(EntityStream entityStream, boolean
                         if (skipAuthBaseConditions && (skipAuthMeaningsUpdate || skipAuthStarredDetailsUpdate)) {
                             //do nothing, only diff is relationshipAttributes.meanings or starred, allow update
                         } else {
-                            AtlasAuthorizationUtils.verifyUpdateEntityAccess(typeRegistry, entityHeader,"update entity: type=" + entity.getTypeName());
+                            AtlasAuthorizationUtils.verifyUpdateEntityAccess(typeRegistry, new AtlasEntityHeader(entityRetriever.toAtlasEntity(entityHeader.getGuid())), "update entity: type=" + entity.getTypeName());
                         }
                     }
                 }