[ADH-4643] Define mapping of roles and resources for SSM Ranger plugin

conf/ranger-ssm-security.xml

@@ -20,7 +20,7 @@
 
     <property>
         <name>ranger.plugin.ssm.service.name</name>
-        <value>dev_tag</value>
+        <value>ssm</value>
         <description>
             Name of the Ranger service containing policies for this ssm instance
         </description>

conf/ssm-ranger.json

@@ -0,0 +1,145 @@
+{
+  "name": "ssm",
+  "label": "SSM Service",
+  "description": "SSM Ranger Security Plugin",
+  "guid": "b8290b7f-6f69-44a9-89cc-06b6975ea676",
+  "implClass": "io.arenadata.ranger.service.ssm.SsmRangerService",
+  "version": 1,
+  "isEnabled": 1,
+  "resources": [
+    {
+      "itemId": 1,
+      "name": "cluster",
+      "type": "string",
+      "level": 10,
+      "parent": "",
+      "mandatory": false,
+      "lookupSupported": true,
+      "recursiveSupported": true,
+      "excludesSupported": true,
+      "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+      "matcherOptions": {
+        "wildCard": true,
+        "ignoreCase": true
+      },
+      "validationRegEx": "",
+      "validationMessage": "",
+      "uiHint": "",
+      "label": "Cluster",
+      "description": "List of SSM cluster nodes",
+      "accessTypeRestrictions": [
+        "VIEW"
+      ]
+    },
+    {
+      "itemId": 2,
+      "name": "Rule",
+      "type": "string",
+      "level": 10,
+      "parent": "",
+      "mandatory": false,
+      "lookupSupported": true,
+      "recursiveSupported": true,
+      "excludesSupported": true,
+      "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+      "matcherOptions": {
+        "wildCard": true,
+        "ignoreCase": true
+      },
+      "validationRegEx": "",
+      "validationMessage": "",
+      "uiHint": "",
+      "label": "Rule",
+      "description": "Rule",
+      "accessTypeRestrictions": [
+        "VIEW",
+        "CREATE",
+        "DELETE",
+        "EDIT"
+      ]
+    },
+    {
+      "itemId": 3,
+      "name": "Action",
+      "type": "string",
+      "level": 10,
+      "parent": "",
+      "mandatory": false,
+      "lookupSupported": true,
+      "recursiveSupported": true,
+      "excludesSupported": true,
+      "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+      "matcherOptions": {
+        "wildCard": true,
+        "ignoreCase": true
+      },
+      "validationRegEx": "",
+      "validationMessage": "",
+      "uiHint": "",
+      "label": "Action",
+      "description": "Action",
+      "accessTypeRestrictions": [
+        "VIEW", "SUBMIT"
+      ]
+    },
+    {
+      "itemId": 4,
+      "name": "Audit",
+      "type": "string",
+      "level": 10,
+      "parent": "",
+      "mandatory": false,
+      "lookupSupported": true,
+      "recursiveSupported": true,
+      "excludesSupported": true,
+      "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+      "matcherOptions": {
+        "wildCard": true,
+        "ignoreCase": true
+      },
+      "validationRegEx": "",
+      "validationMessage": "",
+      "uiHint": "",
+      "label": "Audit",
+      "description": "Audit",
+      "accessTypeRestrictions": [
+        "VIEW"
+      ]
+    }
+  ],
+  "accessTypes": [
+    {
+      "itemId": 1,
+      "name": "VIEW",
+      "label": "View"
+    },
+    {
+      "itemId": 2,
+      "name": "CREATE",
+      "label": "Create"
+    },
+    {
+      "itemId": 3,
+      "name": "DELETE",
+      "label": "Delete"
+    },
+    {
+      "itemId": 4,
+      "name": "EDIT",
+      "label": "Edit"
+    },
+    {
+      "itemId": 5,
+      "name": "SUBMIT",
+      "label": "Submit action"
+    }
+  ],
+  "configs": [
+  ],
+  "enums": [
+  ],
+  "contextEnrichers": [
+  ],
+  "policyConditions": [
+  ]
+}

smart-integration/src/test/resources/ranger-ssm-security.xml

@@ -17,17 +17,10 @@
 -->
 <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
 <configuration>
-    <property>
-        <name>ranger.plugin.ssm.policy.rest.url</name>
-        <value>http://10.92.6.199:6080</value>
-        <description>
-            URL to Ranger Admin
-        </description>
-    </property>
 
     <property>
         <name>ranger.plugin.ssm.service.name</name>
-        <value>dev_tag</value>
+        <value>ssm</value>
         <description>
             Name of the Ranger service containing policies for this ssm instance
         </description>

smart-ranger-plugin/src/main/java/org/smartdata/ranger/SsmRangerResource.java

@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.smartdata.ranger;
+
+import com.google.common.collect.Sets;
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+import org.smartdata.ranger.authorizer.request.RangerOperationDto;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+
+@Getter
+@RequiredArgsConstructor
+public enum SsmRangerResource {
+  CLUSTER(Collections.singleton(SsmResourceAccessType.VIEW)),
+  RULE(Sets.newHashSet(SsmResourceAccessType.CREATE, SsmResourceAccessType.VIEW,
+      SsmResourceAccessType.EDIT, SsmResourceAccessType.DELETE)),
+  ACTION(Sets.newHashSet(SsmResourceAccessType.SUBMIT, SsmResourceAccessType.VIEW)),
+  AUDIT(Collections.singleton(SsmResourceAccessType.VIEW));
+
+  private final Set<SsmResourceAccessType> accessTypes;
+
+  public RangerOperationDto getRangerOperationDto(SsmResourceAccessType accessType,
+                                                  String entityId) {
+    if (!accessTypes.contains(accessType)) {
+      throw new IllegalArgumentException("Unknown action: " + accessType);
+    }
+    Map<String, Object> resources = new HashMap<>();
+    Optional.ofNullable(entityId)
+        .ifPresent(value -> resources.put(this.name().toLowerCase(), value));
+    return new RangerOperationDto(accessType.name(), resources);
+  }
+}

smart-ranger-plugin/src/main/java/org/smartdata/ranger/SsmResourceAccessType.java

@@ -0,0 +1,26 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.smartdata.ranger;
+
+public enum SsmResourceAccessType {
+  VIEW,
+  CREATE,
+  EDIT,
+  DELETE,
+  SUBMIT
+}

smart-ranger-plugin/src/main/java/org/smartdata/ranger/authorizer/impl/RangerSsmAuthorizerImpl.java

@@ -18,12 +18,15 @@
 package org.smartdata.ranger.authorizer.impl;
 
 import lombok.extern.slf4j.Slf4j;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.smartdata.ranger.authorizer.RangerSsmAuthorizer;
 import org.smartdata.ranger.authorizer.request.RangerAuthorizeRequest;
-import org.smartdata.ranger.authorizer.request.RangerSsmAccessRequest;
 import org.smartdata.ranger.plugin.impl.RangerSsmPlugin;
 
+import java.util.Date;
+
 @Slf4j
 public class RangerSsmAuthorizerImpl implements RangerSsmAuthorizer {
 
@@ -37,10 +40,16 @@ public RangerSsmAuthorizerImpl() {
 
   @Override
   public boolean authorize(RangerAuthorizeRequest request) {
-    log.debug("Perform authorization checking [user={}],[groups={}],[url={}],[accessMethod={}]",
-        request.getUserName(), request.getUserGroups(), request.getUrlPath(),
-        request.getAccessMethod());
-    RangerSsmAccessRequest rangerRequest = new RangerSsmAccessRequest(request);
+    log.debug("Perform authorization checking [user={}],[resources={}],[accessType={}]",
+        request.getUser(), request.getOperationDto().getResources(),
+        request.getOperationDto().getAccessType());
+    RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
+    rangerRequest.setUser(request.getUser());
+    rangerRequest.setAccessType(request.getOperationDto().getAccessType());
+    rangerRequest.setAccessTime(new Date());
+    RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
+    request.getOperationDto().getResources().forEach(resource::setValue);
+    rangerRequest.setResource(resource);
     RangerAccessResult result = ssmPlugin.isAccessAllowed(rangerRequest);
     boolean checkResult = result != null && result.getIsAllowed();
     log.debug("Authorization check [result={}]", checkResult);

smart-ranger-plugin/src/main/java/org/smartdata/ranger/authorizer/request/RangerAuthorizeRequest.java

@@ -21,14 +21,10 @@
 import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 
-import java.util.List;
-
 @EqualsAndHashCode
 @Getter
 @RequiredArgsConstructor
 public class RangerAuthorizeRequest {
-  private final String userName;
-  private final List<String> userGroups;
-  private final String urlPath;
-  private final String accessMethod;
+  private final String user;
+  private final RangerOperationDto operationDto;
 }

smart-ranger-plugin/src/main/java/org/smartdata/ranger/authorizer/request/RangerSsmAccessRequest.java → smart-ranger-plugin/src/main/java/org/smartdata/ranger/authorizer/request/RangerOperationDto.java

@@ -17,24 +17,16 @@
  */
 package org.smartdata.ranger.authorizer.request;
 
-import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import lombok.EqualsAndHashCode;
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
 
-import java.util.Date;
-import java.util.HashSet;
+import java.util.Map;
 
-public class RangerSsmAccessRequest extends RangerAccessRequestImpl {
-
-    public RangerSsmAccessRequest(RangerAuthorizeRequest request) {
-        setUser(request.getUserName());
-        if (!request.getUserGroups().isEmpty()) {
-            super.setUserGroups(new HashSet<>(request.getUserGroups()));
-        }
-        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
-        resource.setValue("path", request.getUrlPath());
-        setResource(resource);
-        setAccessType(request.getAccessMethod());
-        setAction(request.getAccessMethod());
-        setAccessTime(new Date());
-    }
+@EqualsAndHashCode
+@Getter
+@RequiredArgsConstructor
+public class RangerOperationDto {
+  private final String accessType;
+  private final Map<String, Object> resources;
 }

smart-web-server/pom.xml

@@ -141,6 +141,12 @@
       <artifactId>junit</artifactId>
       <scope>test</scope>
     </dependency>
+
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <!-- TODO move checkstyle plugin configurations from this and other submodules to the base package -->