tessl/maven-org-apache-ranger--ranger-plugins-common
Common library for Apache Ranger plugins providing shared functionality, models, and utilities for security policy enforcement across various big data components.
—
Pending
policy-engine.mddocs/
Policy Engine
The policy evaluation engine that processes access requests against configured policies. Supports multiple policy types including access control, data masking, and row filtering policies with comprehensive context evaluation and audit integration.
Capabilities
RangerPolicyEngine
Core policy evaluation engine interface providing policy evaluation services.
/**
* Core policy evaluation engine interface
*/
public interface RangerPolicyEngine {
/**
* Group for public access policies
*/
String GROUP_PUBLIC = "public";
/**
* Special access type for any access
*/
String ANY_ACCESS = "_any";
/**
* Admin access type
*/
String ADMIN_ACCESS = "_admin";
/**
* Super user access type
*/
String SUPER_USER_ACCESS = "_super_user";
/**
* Audit all access
*/
String AUDIT_ALL = "audit-all";
/**
* Audit no access
*/
String AUDIT_NONE = "audit-none";
/**
* Default audit setting
*/
String AUDIT_DEFAULT = "audit-default";
/**
* Current user placeholder
*/
String USER_CURRENT = "{USER}";
/**
* Resource owner placeholder
*/
String RESOURCE_OWNER = "{OWNER}";
/**
* Get the service definition
* @return Service definition
*/
RangerServiceDef getServiceDef();
/**
* Get current policy version
* @return Policy version
*/
long getPolicyVersion();
/**
* Get current role version
* @return Role version
*/
long getRoleVersion();
/**
* Set roles for this engine
* @param roles - Ranger roles to set
*/
void setRoles(RangerRoles roles);
/**
* Evaluate policies for an access request
* @param request - Access request to evaluate
* @param policyType - Type of policies to evaluate (access, datamask, rowfilter)
* @param resultProcessor - Optional result processor
* @return Access result
*/
RangerAccessResult evaluatePolicies(RangerAccessRequest request, int policyType, RangerAccessResultProcessor resultProcessor);
/**
* Evaluate policies for multiple access requests
* @param requests - Collection of access requests
* @param policyType - Type of policies to evaluate
* @param resultProcessor - Optional result processor
* @return Collection of access results
*/
Collection<RangerAccessResult> evaluatePolicies(Collection<RangerAccessRequest> requests, int policyType, RangerAccessResultProcessor resultProcessor);
/**
* Evaluate audit policies for a result
* @param result - Access result to evaluate for auditing
*/
void evaluateAuditPolicies(RangerAccessResult result);
/**
* Get resource ACLs for an access request
* @param request - Access request
* @return Resource ACLs
*/
RangerResourceACLs getResourceACLs(RangerAccessRequest request);
/**
* Get roles from user and groups
* @param user - Username
* @param groups - User groups
* @return Set of roles
*/
Set<String> getRolesFromUserAndGroups(String user, Set<String> groups);
/**
* Get ranger roles
* @return Ranger roles
*/
RangerRoles getRangerRoles();
/**
* Get resource policies for a security zone
* @param zoneName - Security zone name
* @return List of policies
*/
List<RangerPolicy> getResourcePolicies(String zoneName);
/**
* Get all resource policies
* @return List of policies
*/
List<RangerPolicy> getResourcePolicies();
/**
* Get tag policies
* @return List of tag policies
*/
List<RangerPolicy> getTagPolicies();
}RangerPolicyEngineImpl
Concrete implementation of the policy evaluation engine.
/**
* Implementation of the Ranger policy evaluation engine
*/
public class RangerPolicyEngineImpl implements RangerPolicyEngine {
/**
* Constructor for policy engine
* @param servicePolicies - Service policies to use
* @param pluginContext - Plugin context
* @param roles - Ranger roles
*/
public RangerPolicyEngineImpl(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles);
}RangerAccessRequest
Interface representing an access request for policy evaluation.
/**
* Represents an access request for policy evaluation
*/
public interface RangerAccessRequest {
/**
* Get the resource being accessed
* @return Access resource
*/
RangerAccessResource getResource();
/**
* Get the type of access being requested
* @return Access type (e.g., "read", "write", "execute")
*/
String getAccessType();
/**
* Check if this is an "any" access type request
* @return True if any access type
*/
boolean isAccessTypeAny();
/**
* Check if this is a delegated admin access request
* @return True if delegated admin access
*/
boolean isAccessTypeDelegatedAdmin();
/**
* Get the requesting user
* @return Username
*/
String getUser();
/**
* Get the user's groups
* @return Set of group names
*/
Set<String> getUserGroups();
/**
* Get the user's roles
* @return Set of role names
*/
Set<String> getUserRoles();
/**
* Get the access time
* @return Access timestamp
*/
Date getAccessTime();
/**
* Get client IP address
* @return IP address
*/
String getClientIPAddress();
/**
* Get remote IP address
* @return Remote IP address
*/
String getRemoteIPAddress();
/**
* Get forwarded addresses
* @return Forwarded addresses string
*/
String getForwardedAddresses();
/**
* Get the action being performed
* @return Action string
*/
String getAction();
/**
* Get request data
* @return Request data string
*/
String getRequestData();
/**
* Get session ID
* @return Session ID
*/
String getSessionId();
/**
* Get additional context
* @return Context map
*/
Map<String, Object> getContext();
}RangerAccessRequestImpl
Concrete implementation of access request.
/**
* Implementation of RangerAccessRequest
*/
public class RangerAccessRequestImpl implements RangerAccessRequest {
/**
* Default constructor
*/
public RangerAccessRequestImpl();
/**
* Constructor with basic request information
* @param resource - Resource being accessed
* @param accessType - Type of access
* @param user - Requesting user
* @param userGroups - User's groups
* @param userRoles - User's roles
*/
public RangerAccessRequestImpl(RangerAccessResource resource, String accessType, String user, Set<String> userGroups, Set<String> userRoles);
}RangerAccessResource
Interface representing a resource being accessed.
/**
* Represents a resource being accessed
*/
public interface RangerAccessResource {
/**
* Get the owner of this resource
* @return Owner username
*/
String getOwnerUser();
/**
* Check if a resource attribute exists
* @param name - Attribute name
* @return True if attribute exists
*/
boolean exists(String name);
/**
* Get a resource attribute value
* @param name - Attribute name
* @return Attribute value
*/
String getValue(String name);
/**
* Get multiple values for a resource attribute
* @param name - Attribute name
* @return Array of attribute values
*/
String[] getValues(String name);
/**
* Get all resource attribute keys
* @return Set of attribute keys
*/
Set<String> getKeys();
/**
* Get resource as a map
* @return Map representation of resource
*/
Map<String, Object> getAsMap();
/**
* Get resource as a string
* @return String representation of resource
*/
String getAsString();
/**
* Get a read-only copy of this resource
* @return Read-only copy
*/
RangerAccessResource getReadOnlyCopy();
}RangerAccessResourceImpl
Concrete implementation of access resource.
/**
* Implementation of RangerAccessResource
*/
public class RangerAccessResourceImpl implements RangerAccessResource {
/**
* Default constructor
*/
public RangerAccessResourceImpl();
/**
* Set a resource attribute value
* @param name - Attribute name
* @param value - Attribute value
*/
public void setValue(String name, String value);
/**
* Set multiple values for a resource attribute
* @param name - Attribute name
* @param values - Attribute values
*/
public void setValues(String name, String[] values);
}RangerAccessResult
Result of policy evaluation containing access decision and audit information.
/**
* Result of policy evaluation
*/
public class RangerAccessResult {
/**
* Key for mask type in result context
*/
String KEY_MASK_TYPE = "maskType";
/**
* Key for mask condition in result context
*/
String KEY_MASK_CONDITION = "maskCondition";
/**
* Key for masked value in result context
*/
String KEY_MASKED_VALUE = "maskedValue";
/**
* Get the service name
* @return Service name
*/
public String getServiceName();
/**
* Get the service definition
* @return Service definition
*/
public RangerServiceDef getServiceDef();
/**
* Get the original access request
* @return Access request
*/
public RangerAccessRequest getAccessRequest();
/**
* Check if access was determined (not undetermined)
* @return True if access was determined
*/
public boolean getIsAccessDetermined();
/**
* Check if access was allowed
* @return True if access allowed
*/
public boolean getIsAllowed();
/**
* Check if access should be audited
* @return True if should be audited
*/
public boolean getIsAudited();
/**
* Get the policy ID that made the decision
* @return Policy ID
*/
public long getPolicyId();
/**
* Get the policy priority
* @return Policy priority
*/
public int getPolicyPriority();
/**
* Get the policy version
* @return Policy version
*/
public String getPolicyVersion();
/**
* Get the reason for the access decision
* @return Reason string
*/
public String getReason();
/**
* Set whether access was determined
* @param isAccessDetermined - True if determined
*/
public void setIsAccessDetermined(boolean isAccessDetermined);
/**
* Set whether access is allowed
* @param isAllowed - True if allowed
*/
public void setIsAllowed(boolean isAllowed);
/**
* Set whether access should be audited
* @param isAudited - True if should be audited
*/
public void setIsAudited(boolean isAudited);
/**
* Set the policy ID
* @param policyId - Policy ID
*/
public void setPolicyId(long policyId);
/**
* Set the reason for the decision
* @param reason - Reason string
*/
public void setReason(String reason);
}Usage Examples:
import org.apache.ranger.plugin.policyengine.*;
import org.apache.ranger.plugin.model.RangerPolicy;
// Create policy engine
ServicePolicies servicePolicies = getServicePolicies(); // From admin client
RangerPluginContext pluginContext = new RangerPluginContext();
RangerRoles roles = getRangerRoles(); // From admin client
RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
// Create access request
RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
resource.setValue("database", "sales");
resource.setValue("table", "customers");
resource.setValue("column", "email");
RangerAccessRequestImpl request = new RangerAccessRequestImpl();
request.setResource(resource);
request.setAccessType("select");
request.setUser("analyst");
request.setUserGroups(Set.of("analysts", "employees"));
// Evaluate access policy
RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, null);
if (result.getIsAllowed()) {
System.out.println("Access granted by policy " + result.getPolicyId());
} else {
System.out.println("Access denied: " + result.getReason());
}
// Evaluate data masking policy
RangerAccessResult maskResult = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, null);
if (maskResult.getIsAccessDetermined()) {
String maskType = (String) maskResult.getContext().get(RangerAccessResult.KEY_MASK_TYPE);
System.out.println("Data masking applied: " + maskType);
}
// Get resource ACLs
RangerResourceACLs acls = policyEngine.getResourceACLs(request);
System.out.println("Resource ACLs: " + acls);Policy Types
The policy engine supports three types of policies:
- Access Policies (
POLICY_TYPE_ACCESS = 0): Standard allow/deny access control - Data Masking Policies (
POLICY_TYPE_DATAMASK = 1): Data masking and transformation - Row Filtering Policies (
POLICY_TYPE_ROWFILTER = 2): Row-level filtering - Audit Policies (
POLICY_TYPE_AUDIT = 3): Audit configuration
Performance Considerations
- Policy engines are expensive to create - cache and reuse instances
- Batch evaluation methods are more efficient for multiple requests
- Context enrichment can impact performance - use judiciously
- Policy engines are thread-safe for concurrent evaluation
Install with Tessl CLI
npx tessl i tessl/maven-org-apache-ranger--ranger-plugins-common