diff --git a/auth-agents-common/pom.xml b/auth-agents-common/pom.xml
index aa37156d5f..1709c1be4b 100644
--- a/auth-agents-common/pom.xml
+++ b/auth-agents-common/pom.xml
@@ -37,6 +37,12 @@ + + org.apache.atlas atlas-intg
diff --git a/auth-agents-common/src/main/java/org/apache/atlas/plugin/conditionevaluator/RangerScriptConditionEvaluator.java b/auth-agents-common/src/main/java/org/apache/atlas/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
index f1413733f7..be79ce2fbe 100644
--- a/auth-agents-common/src/main/java/org/apache/atlas/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
+++ b/auth-agents-common/src/main/java/org/apache/atlas/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
@@ -152,12 +152,14 @@ public boolean isMatched(RangerAccessRequest request) {
 RangerScriptExecutionContext context = new RangerScriptExecutionContext(readOnlyRequest);
 RangerTagForEval currentTag = context.getCurrentTag();
 Map tagAttribs = currentTag != null ? currentTag.getAttributes() : Collections.emptyMap();
+ Map attributes = (Map) readOnlyRequest.getContext().get("entityAttributes");
 Bindings bindings = scriptEngine.createBindings();
 bindings.put("ctx", context);
 bindings.put("tag", currentTag);
 bindings.put("tagAttr", tagAttribs);
+ bindings.put("attributes", attributes);
 if (enableJsonCtx) {
 bindings.put(SCRIPT_VAR_CONTEXT_JSON, context.toJson());
diff --git a/auth-agents-common/src/main/java/org/apache/atlas/plugin/policyevaluator/RangerCustomConditionEvaluator.java b/auth-agents-common/src/main/java/org/apache/atlas/plugin/policyevaluator/RangerCustomConditionEvaluator.java
index 5be694246f..5b77a06a0b 100644
--- a/auth-agents-common/src/main/java/org/apache/atlas/plugin/policyevaluator/RangerCustomConditionEvaluator.java
+++ b/auth-agents-common/src/main/java/org/apache/atlas/plugin/policyevaluator/RangerCustomConditionEvaluator.java
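Review bot: The new `Map attributes = (Map) readOnlyRequest.getContext().get("entityAttributes");` yields null whenever the request was not built by the authorizer path that stores that key, and the raw cast throws ClassCastException if anything else is ever stored under it, so a script that dereferences `attributes` fails at evaluation time instead of the condition simply not matching. The neighbouring `tagAttribs` line already shows the safer shape; mirroring it, `Object raw = readOnlyRequest.getContext().get("entityAttributes");` followed by `Map attributes = raw instanceof Map ? Collections.unmodifiableMap((Map) raw) : Collections.emptyMap();` gives scripts an always-present, read-only view. Since policy-authored script runs against these values, the unmodifiable wrapper also keeps a script from mutating what is presumably the entity's live attribute map stored by the authorizer. The `"entityAttributes"` key is repeated verbatim in RangerAtlasAuthorizer; a shared constant would keep producer and consumer from drifting. isMatched continues outside this hunk.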
@@ -51,7 +51,7 @@ public List getRangerPolicyConditionEvaluator(RangerPo
 RangerPerfTracer perf = null;
- long policyId = policy.getId();
+ String policyId = policy.getGuid();
 if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)) {
 perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerCustomConditionEvaluator.init(policyId=" + policyId + ")");
diff --git a/auth-agents-common/src/main/java/org/apache/atlas/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/auth-agents-common/src/main/java/org/apache/atlas/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 8ad61867df..fa9b3bf3b3 100644
--- a/auth-agents-common/src/main/java/org/apache/atlas/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/auth-agents-common/src/main/java/org/apache/atlas/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -1389,7 +1389,7 @@ private boolean matchPolicyCustomConditions(RangerAccessRequest request) {
 conditionType = ((RangerAbstractConditionEvaluator)conditionEvaluator).getPolicyItemCondition().getType();
 }
- perf = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_REQUEST_LOG, "RangerConditionEvaluator.matchPolicyCustomConditions(policyId=" + getId() + ",policyConditionType=" + conditionType + ")");
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_REQUEST_LOG, "RangerConditionEvaluator.matchPolicyCustomConditions(policyId=" + getGuid() + ",policyConditionType=" + conditionType + ")");
 }
 boolean conditionEvalResult = conditionEvaluator.isMatched(request);
diff --git a/auth-agents-common/src/main/java/org/apache/atlas/policytransformer/CachePolicyTransformerImpl.java b/auth-agents-common/src/main/java/org/apache/atlas/policytransformer/CachePolicyTransformerImpl.java
index 41129bf085..126327f498 100644
--- a/auth-agents-common/src/main/java/org/apache/atlas/policytransformer/CachePolicyTransformerImpl.java
+++ b/auth-agents-common/src/main/java/org/apache/atlas/policytransformer/CachePolicyTransformerImpl.java
@@ -25,6 +25,7 @@
 import org.apache.atlas.model.discovery.AtlasSearchResult;
 import org.apache.atlas.model.discovery.IndexSearchParams;
 import org.apache.atlas.model.instance.AtlasEntityHeader;
+import org.apache.atlas.model.instance.AtlasStruct;
 import org.apache.atlas.plugin.util.ServicePolicies;
 import org.apache.atlas.plugin.model.RangerPolicy;
 import org.apache.atlas.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;
@@ -384,11 +385,12 @@ private List getPolicyConditions(AtlasEntityHeader at
 List> conditions = (List>) atlasPolicy.getAttribute("policyConditions");
- for (HashMap condition : conditions) {
+ for (Object condition : conditions) {
+ AtlasStruct toStruct = (AtlasStruct) condition;
 RangerPolicyItemCondition rangerCondition = new RangerPolicyItemCondition();
- rangerCondition.setType((String) condition.get("policyConditionType"));
- rangerCondition.setValues((List) condition.get("policyConditionValues"));
+ rangerCondition.setType((String) toStruct.getAttribute("policyConditionType"));
+ rangerCondition.setValues((List) toStruct.getAttribute("policyConditionValues"));
 ret.add(rangerCondition);
 }
diff --git a/auth-agents-common/src/main/resources/service-defs/atlas-servicedef-atlas.json b/auth-agents-common/src/main/resources/service-defs/atlas-servicedef-atlas.json
index 0539a562b9..1ce05fbb66 100644
--- a/auth-agents-common/src/main/resources/service-defs/atlas-servicedef-atlas.json
+++ b/auth-agents-common/src/main/resources/service-defs/atlas-servicedef-atlas.json
@@ -498,5 +498,17 @@
 ],
 "options": {
 "enableDenyAndExceptionsInPolicies": "true"
- }
+ },
+
+ "policyConditions":
+ [
+ {
+ "itemId":2,
+ "name":"expression",
+ "evaluator": "org.apache.atlas.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
+ "label":"Enter boolean expression",
+ "description": "Boolean expression"
+ }
+ ]
 }
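Review bot: The loop in getPolicyConditions now casts every element to AtlasStruct at `AtlasStruct toStruct = (AtlasStruct) condition;` while the declaration on the line above still types `conditions` as a list of maps (the generic parameters are stripped in this rendering, but the old loop iterated `HashMap`), so the code compiles only because generics are erased, and any caller that still supplies the map form of `policyConditions` now fails with a ClassCastException instead of being converted. Whether both shapes can still reach this method is not visible here; if they can, accept either with instanceof and skip elements that are neither, and declare `conditions` as `List<?>` so the per-element cast is explicit rather than hidden behind erasure. The method starts before this hunk, so I cannot see whether `conditions` is null-checked before the loop.
```java
for (Object condition : conditions) {
    RangerPolicyItemCondition rangerCondition = new RangerPolicyItemCondition();
    if (condition instanceof AtlasStruct) {
        AtlasStruct struct = (AtlasStruct) condition;
        rangerCondition.setType((String) struct.getAttribute("policyConditionType"));
        rangerCondition.setValues((List) struct.getAttribute("policyConditionValues"));
    } else if (condition instanceof Map) {
        Map<?, ?> map = (Map<?, ?>) condition;
        rangerCondition.setType((String) map.get("policyConditionType"));
        rangerCondition.setValues((List) map.get("policyConditionValues"));
    } else {
        continue; // unexpected element shape: drop this condition rather than fail the whole policy
    }
    ret.add(rangerCondition);
}
```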
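Review bot: The `description` of the new `expression` policy condition says only "Boolean expression", which tells a policy author nothing about what the script may reference; the evaluator this entry points to binds `ctx`, `tag`, `tagAttr` and, with this commit, `attributes`, so naming them here, e.g. `"description": "Boolean JavaScript expression evaluated per access request; available bindings: ctx, tag, tagAttr, attributes"`, makes the option usable without reading the Java source. Because this entry lets anyone who can author a policy for the service run script inside the plugin process, the service definition is also the natural place to record that policy-write permission now implies script execution. `"itemId":2` skips 1; if no other condition item exists in this definition the value looks arbitrary and a short rationale would help, though item ids may only need to be unique.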
diff --git a/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index dd645b473b..b97777bc38 100644
--- a/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/auth-plugin-atlas/src/main/java/org/apache/atlas/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -686,9 +686,12 @@ private boolean isAccessAllowed(AtlasEntityAccessRequest request, RangerAtlasAud
 rangerResource.setValue(RESOURCE_CLASSIFICATION, request.getClassificationTypeAndAllSuperTypes(classification));
 }
+ Map contextOjb = rangerRequest.getContext();
+ contextOjb.put("entityAttributes", request.getEntity().getAttributes());
+
 if (CollectionUtils.isNotEmpty(request.getEntityClassifications())) {
 Set entityClassifications = request.getEntityClassifications();
- Map contextOjb = rangerRequest.getContext();
+
 Set rangerTagForEval = getRangerServiceTag(entityClassifications);
diff --git a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java
index 6e3487f8d3..b047c95a3f 100644
--- a/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java
+++ b/repository/src/main/java/org/apache/atlas/repository/store/graph/v2/AtlasEntityStoreV2.java
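Review bot: `contextOjb.put("entityAttributes", request.getEntity().getAttributes());` now runs for every request that reaches this point, but unlike the classification block below it has no guard, so a request whose entity or attribute map is null throws a NullPointerException out of the authorizer rather than producing a deny; I cannot see from this hunk whether AtlasEntityAccessRequest guarantees a non-null entity. It also stores the entity's live attribute map, which the script-condition evaluator then hands to policy-authored JavaScript, so a read-only view would keep a script from mutating the entity being authorized. Suggest `if (request.getEntity() != null && request.getEntity().getAttributes() != null) {` / `contextOjb.put("entityAttributes", Collections.unmodifiableMap(request.getEntity().getAttributes()));` / `}`. The key is also written as a literal in RangerScriptConditionEvaluator; one shared constant would keep producer and consumer aligned. isAccessAllowed starts and ends outside this hunk.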
@@ -1499,7 +1499,7 @@ private EntityMutationResponse createOrUpdate(EntityStream entityStream, boolean
 if (skipAuthBaseConditions && (skipAuthMeaningsUpdate || skipAuthStarredDetailsUpdate)) {
 //do nothing, only diff is relationshipAttributes.meanings or starred, allow update
 } else {
- AtlasAuthorizationUtils.verifyUpdateEntityAccess(typeRegistry, entityHeader,"update entity: type=" + entity.getTypeName());
+ AtlasAuthorizationUtils.verifyUpdateEntityAccess(typeRegistry, new AtlasEntityHeader(entityRetriever.toAtlasEntity(entityHeader.getGuid())), "update entity: type=" + entity.getTypeName());
 }
 }
 }
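Review bot: Replacing `entityHeader` with `new AtlasEntityHeader(entityRetriever.toAtlasEntity(entityHeader.getGuid()))` adds a full graph read for every updated entity that reaches this branch, and nothing here handles the retriever returning null or failing for the guid, which would surface as an exception from inside the authorization call rather than as a deny; whether createOrUpdate already declares the retriever's exception is outside the hunk. If the intent is that attribute-based script conditions evaluate against the persisted entity rather than the caller-supplied payload — the safer choice, since otherwise a caller could shape the request to satisfy a condition — that decision deserves a comment on the line, e.g. `// authorize against the stored entity so attribute conditions see persisted values, not the caller-supplied payload`. If the retrieved entity is loaded again later in this method, reusing it would avoid paying for the lookup twice. The enclosing createOrUpdate begins well before this hunk.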