0
# Policy Engine
1
2
The policy evaluation engine that processes access requests against configured policies. Supports multiple policy types including access control, data masking, and row filtering policies with comprehensive context evaluation and audit integration.
3
4
## Capabilities
5
6
### RangerPolicyEngine
7
8
Core policy evaluation engine interface providing policy evaluation services.
9
10
```java { .api }
11
/**
12
* Core policy evaluation engine interface
13
*/
14
public interface RangerPolicyEngine {
15
/**
16
* Group for public access policies
17
*/
18
String GROUP_PUBLIC = "public";
19
20
/**
21
* Special access type for any access
22
*/
23
String ANY_ACCESS = "_any";
24
25
/**
26
* Admin access type
27
*/
28
String ADMIN_ACCESS = "_admin";
29
30
/**
31
* Super user access type
32
*/
33
String SUPER_USER_ACCESS = "_super_user";
34
35
/**
36
* Audit all access
37
*/
38
String AUDIT_ALL = "audit-all";
39
40
/**
41
* Audit no access
42
*/
43
String AUDIT_NONE = "audit-none";
44
45
/**
46
* Default audit setting
47
*/
48
String AUDIT_DEFAULT = "audit-default";
49
50
/**
51
* Current user placeholder
52
*/
53
String USER_CURRENT = "{USER}";
54
55
/**
56
* Resource owner placeholder
57
*/
58
String RESOURCE_OWNER = "{OWNER}";
59
60
/**
61
* Get the service definition
62
* @return Service definition
63
*/
64
RangerServiceDef getServiceDef();
65
66
/**
67
* Get current policy version
68
* @return Policy version
69
*/
70
long getPolicyVersion();
71
72
/**
73
* Get current role version
74
* @return Role version
75
*/
76
long getRoleVersion();
77
78
/**
79
* Set roles for this engine
80
* @param roles - Ranger roles to set
81
*/
82
void setRoles(RangerRoles roles);
83
84
/**
85
* Evaluate policies for an access request
86
* @param request - Access request to evaluate
87
* @param policyType - Type of policies to evaluate (access, datamask, rowfilter)
88
* @param resultProcessor - Optional result processor
89
* @return Access result
90
*/
91
RangerAccessResult evaluatePolicies(RangerAccessRequest request, int policyType, RangerAccessResultProcessor resultProcessor);
92
93
/**
94
* Evaluate policies for multiple access requests
95
* @param requests - Collection of access requests
96
* @param policyType - Type of policies to evaluate
97
* @param resultProcessor - Optional result processor
98
* @return Collection of access results
99
*/
100
Collection<RangerAccessResult> evaluatePolicies(Collection<RangerAccessRequest> requests, int policyType, RangerAccessResultProcessor resultProcessor);
101
102
/**
103
* Evaluate audit policies for a result
104
* @param result - Access result to evaluate for auditing
105
*/
106
void evaluateAuditPolicies(RangerAccessResult result);
107
108
/**
109
* Get resource ACLs for an access request
110
* @param request - Access request
111
* @return Resource ACLs
112
*/
113
RangerResourceACLs getResourceACLs(RangerAccessRequest request);
114
115
/**
116
* Get roles from user and groups
117
* @param user - Username
118
* @param groups - User groups
119
* @return Set of roles
120
*/
121
Set<String> getRolesFromUserAndGroups(String user, Set<String> groups);
122
123
/**
124
* Get ranger roles
125
* @return Ranger roles
126
*/
127
RangerRoles getRangerRoles();
128
129
/**
130
* Get resource policies for a security zone
131
* @param zoneName - Security zone name
132
* @return List of policies
133
*/
134
List<RangerPolicy> getResourcePolicies(String zoneName);
135
136
/**
137
* Get all resource policies
138
* @return List of policies
139
*/
140
List<RangerPolicy> getResourcePolicies();
141
142
/**
143
* Get tag policies
144
* @return List of tag policies
145
*/
146
List<RangerPolicy> getTagPolicies();
147
}
148
```
149
150
### RangerPolicyEngineImpl
151
152
Concrete implementation of the policy evaluation engine.
153
154
```java { .api }
155
/**
156
* Implementation of the Ranger policy evaluation engine
157
*/
158
public class RangerPolicyEngineImpl implements RangerPolicyEngine {
159
/**
160
* Constructor for policy engine
161
* @param servicePolicies - Service policies to use
162
* @param pluginContext - Plugin context
163
* @param roles - Ranger roles
164
*/
165
public RangerPolicyEngineImpl(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles);
166
}
167
```
168
169
### RangerAccessRequest
170
171
Interface representing an access request for policy evaluation.
172
173
```java { .api }
174
/**
175
* Represents an access request for policy evaluation
176
*/
177
public interface RangerAccessRequest {
178
/**
179
* Get the resource being accessed
180
* @return Access resource
181
*/
182
RangerAccessResource getResource();
183
184
/**
185
* Get the type of access being requested
186
* @return Access type (e.g., "read", "write", "execute")
187
*/
188
String getAccessType();
189
190
/**
191
* Check if this is an "any" access type request
192
* @return True if any access type
193
*/
194
boolean isAccessTypeAny();
195
196
/**
197
* Check if this is a delegated admin access request
198
* @return True if delegated admin access
199
*/
200
boolean isAccessTypeDelegatedAdmin();
201
202
/**
203
* Get the requesting user
204
* @return Username
205
*/
206
String getUser();
207
208
/**
209
* Get the user's groups
210
* @return Set of group names
211
*/
212
Set<String> getUserGroups();
213
214
/**
215
* Get the user's roles
216
* @return Set of role names
217
*/
218
Set<String> getUserRoles();
219
220
/**
221
* Get the access time
222
* @return Access timestamp
223
*/
224
Date getAccessTime();
225
226
/**
227
* Get client IP address
228
* @return IP address
229
*/
230
String getClientIPAddress();
231
232
/**
233
* Get remote IP address
234
* @return Remote IP address
235
*/
236
String getRemoteIPAddress();
237
238
/**
239
* Get forwarded addresses
240
* @return Forwarded addresses string
241
*/
242
String getForwardedAddresses();
243
244
/**
245
* Get the action being performed
246
* @return Action string
247
*/
248
String getAction();
249
250
/**
251
* Get request data
252
* @return Request data string
253
*/
254
String getRequestData();
255
256
/**
257
* Get session ID
258
* @return Session ID
259
*/
260
String getSessionId();
261
262
/**
263
* Get additional context
264
* @return Context map
265
*/
266
Map<String, Object> getContext();
267
}
268
```
269
270
### RangerAccessRequestImpl
271
272
Concrete implementation of access request.
273
274
```java { .api }
275
/**
276
* Implementation of RangerAccessRequest
277
*/
278
public class RangerAccessRequestImpl implements RangerAccessRequest {
279
/**
280
* Default constructor
281
*/
282
public RangerAccessRequestImpl();
283
284
/**
285
* Constructor with basic request information
286
* @param resource - Resource being accessed
287
* @param accessType - Type of access
288
* @param user - Requesting user
289
* @param userGroups - User's groups
290
* @param userRoles - User's roles
291
*/
292
public RangerAccessRequestImpl(RangerAccessResource resource, String accessType, String user, Set<String> userGroups, Set<String> userRoles);
293
}
294
```
295
296
### RangerAccessResource
297
298
Interface representing a resource being accessed.
299
300
```java { .api }
301
/**
302
* Represents a resource being accessed
303
*/
304
public interface RangerAccessResource {
305
/**
306
* Get the owner of this resource
307
* @return Owner username
308
*/
309
String getOwnerUser();
310
311
/**
312
* Check if a resource attribute exists
313
* @param name - Attribute name
314
* @return True if attribute exists
315
*/
316
boolean exists(String name);
317
318
/**
319
* Get a resource attribute value
320
* @param name - Attribute name
321
* @return Attribute value
322
*/
323
String getValue(String name);
324
325
/**
326
* Get multiple values for a resource attribute
327
* @param name - Attribute name
328
* @return Array of attribute values
329
*/
330
String[] getValues(String name);
331
332
/**
333
* Get all resource attribute keys
334
* @return Set of attribute keys
335
*/
336
Set<String> getKeys();
337
338
/**
339
* Get resource as a map
340
* @return Map representation of resource
341
*/
342
Map<String, Object> getAsMap();
343
344
/**
345
* Get resource as a string
346
* @return String representation of resource
347
*/
348
String getAsString();
349
350
/**
351
* Get a read-only copy of this resource
352
* @return Read-only copy
353
*/
354
RangerAccessResource getReadOnlyCopy();
355
}
356
```
357
358
### RangerAccessResourceImpl
359
360
Concrete implementation of access resource.
361
362
```java { .api }
363
/**
364
* Implementation of RangerAccessResource
365
*/
366
public class RangerAccessResourceImpl implements RangerAccessResource {
367
/**
368
* Default constructor
369
*/
370
public RangerAccessResourceImpl();
371
372
/**
373
* Set a resource attribute value
374
* @param name - Attribute name
375
* @param value - Attribute value
376
*/
377
public void setValue(String name, String value);
378
379
/**
380
* Set multiple values for a resource attribute
381
* @param name - Attribute name
382
* @param values - Attribute values
383
*/
384
public void setValues(String name, String[] values);
385
}
386
```
387
388
### RangerAccessResult
389
390
Result of policy evaluation containing access decision and audit information.
391
392
```java { .api }
393
/**
394
* Result of policy evaluation
395
*/
396
public class RangerAccessResult {
397
/**
398
* Key for mask type in result context
399
*/
400
String KEY_MASK_TYPE = "maskType";
401
402
/**
403
* Key for mask condition in result context
404
*/
405
String KEY_MASK_CONDITION = "maskCondition";
406
407
/**
408
* Key for masked value in result context
409
*/
410
String KEY_MASKED_VALUE = "maskedValue";
411
412
/**
413
* Get the service name
414
* @return Service name
415
*/
416
public String getServiceName();
417
418
/**
419
* Get the service definition
420
* @return Service definition
421
*/
422
public RangerServiceDef getServiceDef();
423
424
/**
425
* Get the original access request
426
* @return Access request
427
*/
428
public RangerAccessRequest getAccessRequest();
429
430
/**
431
* Check if access was determined (not undetermined)
432
* @return True if access was determined
433
*/
434
public boolean getIsAccessDetermined();
435
436
/**
437
* Check if access was allowed
438
* @return True if access allowed
439
*/
440
public boolean getIsAllowed();
441
442
/**
443
* Check if access should be audited
444
* @return True if should be audited
445
*/
446
public boolean getIsAudited();
447
448
/**
449
* Get the policy ID that made the decision
450
* @return Policy ID
451
*/
452
public long getPolicyId();
453
454
/**
455
* Get the policy priority
456
* @return Policy priority
457
*/
458
public int getPolicyPriority();
459
460
/**
461
* Get the policy version
462
* @return Policy version
463
*/
464
public String getPolicyVersion();
465
466
/**
467
* Get the reason for the access decision
468
* @return Reason string
469
*/
470
public String getReason();
471
472
/**
473
* Set whether access was determined
474
* @param isAccessDetermined - True if determined
475
*/
476
public void setIsAccessDetermined(boolean isAccessDetermined);
477
478
/**
479
* Set whether access is allowed
480
* @param isAllowed - True if allowed
481
*/
482
public void setIsAllowed(boolean isAllowed);
483
484
/**
485
* Set whether access should be audited
486
* @param isAudited - True if should be audited
487
*/
488
public void setIsAudited(boolean isAudited);
489
490
/**
491
* Set the policy ID
492
* @param policyId - Policy ID
493
*/
494
public void setPolicyId(long policyId);
495
496
/**
497
* Set the reason for the decision
498
* @param reason - Reason string
499
*/
500
public void setReason(String reason);
501
}
502
```
503
504
**Usage Examples:**
505
506
```java
507
import org.apache.ranger.plugin.policyengine.*;
508
import org.apache.ranger.plugin.model.RangerPolicy;
509
510
// Create policy engine
511
ServicePolicies servicePolicies = getServicePolicies(); // From admin client
512
RangerPluginContext pluginContext = new RangerPluginContext();
513
RangerRoles roles = getRangerRoles(); // From admin client
514
515
RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
516
517
// Create access request
518
RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
519
resource.setValue("database", "sales");
520
resource.setValue("table", "customers");
521
resource.setValue("column", "email");
522
523
RangerAccessRequestImpl request = new RangerAccessRequestImpl();
524
request.setResource(resource);
525
request.setAccessType("select");
526
request.setUser("analyst");
527
request.setUserGroups(Set.of("analysts", "employees"));
528
529
// Evaluate access policy
530
RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, null);
531
532
if (result.getIsAllowed()) {
533
System.out.println("Access granted by policy " + result.getPolicyId());
534
} else {
535
System.out.println("Access denied: " + result.getReason());
536
}
537
538
// Evaluate data masking policy
539
RangerAccessResult maskResult = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, null);
540
if (maskResult.getIsAccessDetermined()) {
541
String maskType = (String) maskResult.getContext().get(RangerAccessResult.KEY_MASK_TYPE);
542
System.out.println("Data masking applied: " + maskType);
543
}
544
545
// Get resource ACLs
546
RangerResourceACLs acls = policyEngine.getResourceACLs(request);
547
System.out.println("Resource ACLs: " + acls);
548
```
549
550
## Policy Types
551
552
The policy engine supports three types of policies:
553
554
1. **Access Policies** (`POLICY_TYPE_ACCESS = 0`): Standard allow/deny access control
555
2. **Data Masking Policies** (`POLICY_TYPE_DATAMASK = 1`): Data masking and transformation
556
3. **Row Filtering Policies** (`POLICY_TYPE_ROWFILTER = 2`): Row-level filtering
557
4. **Audit Policies** (`POLICY_TYPE_AUDIT = 3`): Audit configuration
558
559
## Performance Considerations
560
561
- Policy engines are expensive to create - cache and reuse instances
562
- Batch evaluation methods are more efficient for multiple requests
563
- Context enrichment can impact performance - use judiciously
564
- Policy engines are thread-safe for concurrent evaluation