diff --git a/auth-agents-common/src/main/java/org/apache/atlas/plugin/model/RangerPolicyDelta.java b/auth-agents-common/src/main/java/org/apache/atlas/plugin/model/RangerPolicyDelta.java
index b5f9b58233..d1976c9193 100644
--- a/auth-agents-common/src/main/java/org/apache/atlas/plugin/model/RangerPolicyDelta.java
+++ b/auth-agents-common/src/main/java/org/apache/atlas/plugin/model/RangerPolicyDelta.java
@@ -76,6 +76,9 @@ public RangerPolicyDelta(final Long id, final Integer changeType, final Long pol
 @JsonIgnore
 public String getPolicyGuid() { return policy != null ? policy.getGuid() : null; }
+ @JsonIgnore
+ public String getPolicyAtlasGuid() { return policy != null ? policy.getAtlasGuid() : null; }
+
 @JsonIgnore
 public String getZoneName() { return policy != null ? policy.getZoneName() : null; }
diff --git a/auth-agents-common/src/main/java/org/apache/atlas/plugin/util/ServicePolicies.java b/auth-agents-common/src/main/java/org/apache/atlas/plugin/util/ServicePolicies.java
index 3431cfc1f9..64146db782 100644
--- a/auth-agents-common/src/main/java/org/apache/atlas/plugin/util/ServicePolicies.java
+++ b/auth-agents-common/src/main/java/org/apache/atlas/plugin/util/ServicePolicies.java
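Review bot: The new getPolicyAtlasGuid accessor carries no Javadoc, although it sits directly beside getPolicyGuid, returns a different identifier of the same policy, and ServicePolicies.fetchDeletedDeltaMap in this commit keys its map on this value. A one-line doc such as `/** Atlas-side GUID of the wrapped policy (policy.getAtlasGuid()), as opposed to the Ranger guid from getPolicyGuid(); null when no policy is attached. */` would make the distinction explicit. The "Atlas-side" reading follows from the name only and should be confirmed against RangerPolicy before it is written down.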
@@ -397,14 +397,25 @@ static public TagPolicies copyHeader(TagPolicies source, String componentService
 return ret;
 }
+ private static Map fetchDeletedDeltaMap(List deltas) {
+ Map ret = new HashMap<>();
+ for (RangerPolicyDelta delta : deltas) {
+ if (delta.getChangeType() == RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE || delta.getChangeType() == RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE) {
+ ret.put(delta.getPolicyAtlasGuid(), delta);
+ }
+ }
+ return ret;
+ }
+
 public static ServicePolicies applyDelta(final ServicePolicies servicePolicies, RangerPolicyEngineImpl policyEngine) {
 ServicePolicies ret = copyHeader(servicePolicies);
 List oldResourcePolicies = policyEngine.getResourcePolicies();
 List oldTagPolicies = policyEngine.getTagPolicies();
+ Map deletedDeltaMap = fetchDeletedDeltaMap(servicePolicies.getPolicyDeltas());
 List resourcePoliciesAfterDelete =
- RangerPolicyDeltaUtil.deletePoliciesByDelta(oldResourcePolicies, servicePolicies.getDeleteDeltas());
+ RangerPolicyDeltaUtil.deletePoliciesByDelta(oldResourcePolicies, deletedDeltaMap);
 List newResourcePolicies = RangerPolicyDeltaUtil.applyDeltas(resourcePoliciesAfterDelete, servicePolicies.getPolicyDeltas(), servicePolicies.getServiceDef().getName());
@@ -416,7 +427,7 @@ public static ServicePolicies applyDelta(final ServicePolicies servicePolicies,
 LOG.debug("applyingDeltas for tag policies");
 }
 List tagPoliciesAfterDelete =
- RangerPolicyDeltaUtil.deletePoliciesByDelta(oldTagPolicies, servicePolicies.getDeleteDeltas());
+ RangerPolicyDeltaUtil.deletePoliciesByDelta(oldTagPolicies, deletedDeltaMap);
 newTagPolicies = RangerPolicyDeltaUtil.applyDeltas(tagPoliciesAfterDelete, servicePolicies.getPolicyDeltas(), servicePolicies.getTagPolicies().getServiceDef().getName());
 } else {
 if (LOG.isDebugEnabled()) {
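Review bot: fetchDeletedDeltaMap uses delta.getPolicyAtlasGuid() as the map key, and that accessor returns null whenever the delta carries no policy, so HashMap silently folds every such delta into a single null-keyed entry that deletePoliciesByDelta can presumably never match. A guard such as `if (delta.getPolicyAtlasGuid() == null) { LOG.warn("Skipping delta without atlasGuid: {}", delta); continue; }` keeps the condition visible instead of losing it. The method name also understates what it collects: UPDATE deltas are included so that the old version of an updated policy is removed before applyDeltas re-adds it, which deserves a comment like `// UPDATE is applied as remove-then-add, so updated policies are removed here too` or a rename along the lines of fetchDeltasToRemove. If getChangeType() returns the boxed Integer that the constructor accepts, the two `==` comparisons unbox and throw on a null change type as well. applyDelta continues past the end of this hunk.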
@@ -433,6 +444,38 @@ public static ServicePolicies applyDelta(final ServicePolicies servicePolicies,
 ret.getTagPolicies().setPolicies(newTagPolicies);
 }
+ if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
+ Map newSecurityZones = new HashMap<>();
+
+ for (Map.Entry entry : servicePolicies.getSecurityZones().entrySet()) {
+ String zoneName = entry.getKey();
+ SecurityZoneInfo zoneInfo = entry.getValue();
+
+ List zoneResourcePolicies = policyEngine.getResourcePolicies(zoneName);
+ // There are no separate tag-policy-repositories for each zone
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Applying deltas for security-zone:[" + zoneName + "]");
+ }
+
+ final List newZonePolicies = RangerPolicyDeltaUtil.applyDeltas(zoneResourcePolicies, zoneInfo.getPolicyDeltas(), servicePolicies.getServiceDef().getName());
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("New resource policies for security-zone:[" + zoneName + "], zoneResourcePolicies:[" + Arrays.toString(newZonePolicies.toArray())+ "]");
+ }
+
+ SecurityZoneInfo newZoneInfo = new SecurityZoneInfo();
+
+ newZoneInfo.setZoneName(zoneName);
+ newZoneInfo.setResources(zoneInfo.getResources());
+ newZoneInfo.setPolicies(newZonePolicies);
+
+ newSecurityZones.put(zoneName, newZoneInfo);
+ }
+
+ ret.setSecurityZones(newSecurityZones);
+ }
+
 return ret;
 }
 }
diff --git a/auth-agents-common/src/main/java/org/apache/atlas/policytransformer/CachePolicyTransformerImpl.java b/auth-agents-common/src/main/java/org/apache/atlas/policytransformer/CachePolicyTransformerImpl.java
index 86a956704c..b85569a780 100644
--- a/auth-agents-common/src/main/java/org/apache/atlas/policytransformer/CachePolicyTransformerImpl.java
+++ b/auth-agents-common/src/main/java/org/apache/atlas/policytransformer/CachePolicyTransformerImpl.java
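Review bot: The zone loop passes zoneResourcePolicies straight into RangerPolicyDeltaUtil.applyDeltas, whereas the resource- and tag-policy paths earlier in applyDelta first call deletePoliciesByDelta with the map from fetchDeletedDeltaMap; unless applyDeltas itself drops policies for DELETE/UPDATE deltas (not visible here), a deleted or updated zone policy keeps its old version in the new SecurityZoneInfo. Either confirm that behaviour or add the same pre-pass, e.g. `List zonePoliciesAfterDelete = RangerPolicyDeltaUtil.deletePoliciesByDelta(zoneResourcePolicies, fetchDeletedDeltaMap(zoneInfo.getPolicyDeltas()));` and feed that list to applyDeltas. The second debug statement renders every policy through Arrays.toString(newZonePolicies.toArray()), which writes full policy bodies (typically principals and resources) into the log and throws if applyDeltas returns null; logging `newZonePolicies.size()` is usually enough at debug level. applyDelta starts before this hunk.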
@@ -143,7 +143,7 @@ public CachePolicyTransformerImpl(AtlasTypeRegistry typeRegistry) throws AtlasBa
 this.auditEventToDeltaChangeType = new HashMap<>();
 this.auditEventToDeltaChangeType.put(EntityAuditActionV2.ENTITY_CREATE, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE);
- this.auditEventToDeltaChangeType.put(EntityAuditActionV2.ENTITY_UPDATE, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE);
+ this.auditEventToDeltaChangeType.put(EntityAuditActionV2.ENTITY_UPDATE, RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE);
 this.auditEventToDeltaChangeType.put(EntityAuditActionV2.ENTITY_DELETE, RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE);
 this.auditEventToDeltaChangeType.put(EntityAuditActionV2.ENTITY_PURGE, RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE);
 }
@@ -177,8 +177,6 @@ public ServicePolicies getPoliciesDelta(String serviceName, Map atlasServicePolicies = allAtlasPolicies.stream().filter(x -> serviceName.equals(x.getAttribute(ATTR_POLICY_SERVICE_NAME))).collect(Collectors.toList());
 List policiesDelta = getRangerPolicyDelta(service, policyChanges, atlasServicePolicies);
- Map deletedPolicyDeltas = getRangerPolicyDeleteDelta(service, policyChanges);
- servicePolicies.setDeleteDeltas(deletedPolicyDeltas);
 // Process tag based policies
 String tagServiceName = (String) service.getAttribute(ATTR_SERVICE_TAG_SERVICE);
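Review bot: Remapping ENTITY_UPDATE to CHANGE_TYPE_POLICY_UPDATE changes how the rest of this commit treats updates — ServicePolicies.fetchDeletedDeltaMap now puts UPDATE deltas into the map handed to deletePoliciesByDelta, while getRangerPolicyDelta only synthesises deletes for CHANGE_TYPE_POLICY_DELETE — but nothing in this constructor records that coupling. A comment above the table, such as `// UPDATE is applied downstream as remove-then-add (see ServicePolicies.fetchDeletedDeltaMap); DELETE and PURGE both become a policy delete`, would stop a future edit from reverting it to CREATE. The enclosing constructor starts before this hunk.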
@@ -296,42 +294,6 @@ private List getServicePolicies(AtlasEntityHeader service, int bat
 return servicePolicies;
 }
- private Map getRangerPolicyDeleteDelta(AtlasEntityHeader service, Map policyChanges) {
- String serviceName = (String) service.getAttribute("name");
- String serviceType = (String) service.getAttribute("authServiceType");
- Map policyDeltas = new HashMap<>();
- if (policyChanges.isEmpty()) {
- return policyDeltas;
- }
-
- Iterator> iterator = policyChanges.entrySet().iterator();
- while (iterator.hasNext()) {
- Map.Entry entry = iterator.next();
- String policyGuid = entry.getKey();
- EntityAuditActionV2 policyChange = entry.getValue();
-
- if (policyChange == EntityAuditActionV2.ENTITY_UPDATE || policyChange == EntityAuditActionV2.ENTITY_DELETE
- || policyChange == EntityAuditActionV2.ENTITY_PURGE) {
- RangerPolicy atlasDeletedPolicy = new RangerPolicy();
- atlasDeletedPolicy.setGuid(policyGuid);
- atlasDeletedPolicy.setService(serviceName);
- atlasDeletedPolicy.setServiceType(serviceType);
-
- policyDeltas.put(policyGuid, new RangerPolicyDelta(atlasDeletedPolicy.getId(),
- RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE,
- atlasDeletedPolicy.getVersion(),
- atlasDeletedPolicy));
- }
-
- if (policyChange == EntityAuditActionV2.ENTITY_DELETE || policyChange == EntityAuditActionV2.ENTITY_PURGE) {
- iterator.remove(); // Remove for ENTITY_DELETE and ENTITY_PURGE
- }
- }
-
- return policyDeltas;
- }
-
-
 private List getRangerPolicyDelta(AtlasEntityHeader service, Map policyChanges, List atlasPolicies) throws AtlasBaseException, IOException {
 String serviceName = (String) service.getAttribute("name");
 String serviceType = (String) service.getAttribute("authServiceType");
@@ -342,6 +304,8 @@ private List getRangerPolicyDelta(AtlasEntityHeader service,
 return policyDeltas;
 }
+ ArrayList policyGuids = new ArrayList<>(policyChanges.keySet());
+
 List rangerPolicies = new ArrayList<>();
 if (CollectionUtils.isNotEmpty(atlasPolicies)) {
 rangerPolicies = transformAtlasPoliciesToRangerPolicies(atlasPolicies, serviceType, serviceName);
@@ -353,6 +317,29 @@ private List getRangerPolicyDelta(AtlasEntityHeader service,
 policyDeltas.add(delta);
 }
+ // handle delete changes separately as they won't be present in atlas policies
+ List deletedPolicyDeltas = new ArrayList<>();
+ for (String policyGuid : policyGuids) {
+ int deltaChangeType = auditEventToDeltaChangeType.get(policyChanges.get(policyGuid));
+ if (deltaChangeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE) {
+ RangerPolicy deletedPolicy = new RangerPolicy();
+ deletedPolicy.setGuid(policyGuid);
+ deletedPolicy.setService(serviceName);
+ deletedPolicy.setServiceType(serviceType);
+ RangerPolicyDelta deletedPolicyDelta = new RangerPolicyDelta(
+ deletedPolicy.getId(),
+ deltaChangeType,
+ deletedPolicy.getVersion(),
+ deletedPolicy
+ );
+ deletedPolicyDeltas.add(deletedPolicyDelta);
+ }
+ }
+
+ policyDeltas.addAll(deletedPolicyDeltas);
+
+ LOG.info("PolicyDelta: {}: atlas policies found={}, delta created={}, including deleted policies={}",
+ serviceName, atlasPolicies.size(), policyDeltas.size(), deletedPolicyDeltas.size());
 RequestContext.get().endMetricRecord(recorder);
 return policyDeltas;
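Review bot: policyGuids is declared as ArrayList rather than List, and the copy of policyChanges.keySet() only protects against modification of policyChanges during iteration, which the new code no longer performs (the removed getRangerPolicyDeleteDelta was the caller of iterator.remove()). `List<String> policyGuids = new ArrayList<>(policyChanges.keySet());` programs to the interface; iterating `policyChanges.entrySet()` directly in the loop added further down would also avoid both the copy and the second map lookup per guid. getRangerPolicyDelta starts before this hunk.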
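Review bot: `int deltaChangeType = auditEventToDeltaChangeType.get(policyChanges.get(policyGuid));` unboxes the lookup result, so an audit action absent from the four-entry table built in the constructor, or a guid mapped to null, throws NullPointerException and aborts the whole delta instead of skipping one entry. Keep it boxed and skip explicitly: `Integer deltaChangeType = auditEventToDeltaChangeType.get(policyChanges.get(policyGuid)); if (deltaChangeType == null) { LOG.warn("No delta change type for policy {}: {}", policyGuid, policyChanges.get(policyGuid)); continue; }`. The new LOG.info also calls atlasPolicies.size() although the code above guards the same list with CollectionUtils.isNotEmpty, implying it may be null; `atlasPolicies == null ? 0 : atlasPolicies.size()` closes that second NPE path. The removed getRangerPolicyDeleteDelta additionally pruned ENTITY_DELETE/ENTITY_PURGE entries from policyChanges via iterator.remove(), so any caller of getPoliciesDelta that relied on that side effect now sees those entries. getRangerPolicyDelta starts before this hunk.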