tessl/maven-org-apache-ranger--ranger-plugins-common

Common library for Apache Ranger plugins providing shared functionality, models, and utilities for security policy enforcement across various big data components.

Policy Models

Rich domain models representing policies, service definitions, roles, and other security constructs with full serialization support. These model classes form the core data structures for defining and managing security policies in Apache Ranger.

Capabilities

RangerBaseModelObject

Abstract base class providing common functionality for all Ranger model objects, including identity management, auditing fields, and serialization support.

/**
 * Abstract base class for all Ranger model objects
 */
public abstract class RangerBaseModelObject implements java.io.Serializable {
    /**
     * Get the unique identifier for this object
     * @return Unique ID
     */
    public Long getId();
    
    /**
     * Set the unique identifier for this object
     * @param id - Unique ID
     */
    public void setId(Long id);
    
    /**
     * Get the globally unique identifier (GUID) for this object
     * @return GUID string
     */
    public String getGuid();
    
    /**
     * Set the globally unique identifier (GUID) for this object
     * @param guid - GUID string
     */
    public void setGuid(String guid);
    
    /**
     * Get the creation timestamp
     * @return Creation date and time
     */
    public Date getCreateTime();
    
    /**
     * Set the creation timestamp
     * @param createTime - Creation date and time
     */
    public void setCreateTime(Date createTime);
    
    /**
     * Get the last update timestamp
     * @return Update date and time
     */
    public Date getUpdateTime();
    
    /**
     * Set the last update timestamp
     * @param updateTime - Update date and time
     */
    public void setUpdateTime(Date updateTime);
    
    /**
     * Get the user who created this object
     * @return Creator username
     */
    public String getCreatedBy();
    
    /**
     * Set the user who created this object
     * @param createdBy - Creator username
     */
    public void setCreatedBy(String createdBy);
    
    /**
     * Get the user who last updated this object
     * @return Updater username
     */
    public String getUpdatedBy();
    
    /**
     * Set the user who last updated this object
     * @param updatedBy - Updater username
     */
    public void setUpdatedBy(String updatedBy);
    
    /**
     * Get the version number for optimistic locking
     * @return Version number
     */
    public Long getVersion();
    
    /**
     * Set the version number for optimistic locking
     * @param version - Version number
     */
    public void setVersion(Long version);
}

RangerPolicy

Represents a security policy defining access control, data masking, or row filtering rules for specific resources.

/**
 * Represents a Ranger security policy
 */
public class RangerPolicy extends RangerBaseModelObject {
    /**
     * Access control policy type
     */
    public static final int POLICY_TYPE_ACCESS = 0;
    
    /**
     * Data masking policy type
     */
    public static final int POLICY_TYPE_DATAMASK = 1;
    
    /**
     * Row filtering policy type
     */
    public static final int POLICY_TYPE_ROWFILTER = 2;
    
    /**
     * Audit policy type
     */
    public static final int POLICY_TYPE_AUDIT = 3;
    
    /**
     * Normal policy priority
     */
    public static final int POLICY_PRIORITY_NORMAL = 0;
    
    /**
     * Override policy priority (higher precedence)
     */
    public static final int POLICY_PRIORITY_OVERRIDE = 1;
    
    /**
     * Null masking type - replaces value with NULL
     */
    public static final String MASK_TYPE_NULL = "MASK_NULL";
    
    /**
     * No masking type - returns original value
     */
    public static final String MASK_TYPE_NONE = "MASK_NONE";
    
    /**
     * Custom masking type - uses custom expression
     */
    public static final String MASK_TYPE_CUSTOM = "CUSTOM";
    
    /**
     * Get the service name this policy belongs to
     * @return Service name
     */
    public String getService();
    
    /**
     * Set the service name this policy belongs to
     * @param service - Service name
     */
    public void setService(String service);
    
    /**
     * Get the policy name
     * @return Policy name
     */
    public String getName();
    
    /**
     * Set the policy name
     * @param name - Policy name
     */
    public void setName(String name);
    
    /**
     * Get the policy type (access, datamask, rowfilter, audit)
     * @return Policy type constant
     */
    public Integer getPolicyType();
    
    /**
     * Set the policy type (access, datamask, rowfilter, audit)
     * @param policyType - Policy type constant
     */
    public void setPolicyType(Integer policyType);
    
    /**
     * Get the policy priority (normal or override)
     * @return Policy priority constant
     */
    public Integer getPolicyPriority();
    
    /**
     * Set the policy priority (normal or override)
     * @param policyPriority - Policy priority constant
     */
    public void setPolicyPriority(Integer policyPriority);
    
    /**
     * Get the policy description
     * @return Description text
     */
    public String getDescription();
    
    /**
     * Set the policy description
     * @param description - Description text
     */
    public void setDescription(String description);
    
    /**
     * Check if auditing is enabled for this policy
     * @return True if auditing enabled
     */
    public Boolean getIsAuditEnabled();
    
    /**
     * Enable or disable auditing for this policy
     * @param isAuditEnabled - True to enable auditing
     */
    public void setIsAuditEnabled(Boolean isAuditEnabled);
    
    /**
     * Check if this policy is enabled
     * @return True if policy is enabled
     */
    public Boolean getIsEnabled();
    
    /**
     * Enable or disable this policy
     * @param isEnabled - True to enable policy
     */
    public void setIsEnabled(Boolean isEnabled);
    
    /**
     * Get the resources this policy applies to
     * @return Map of resource name to resource definition
     */
    public Map<String, RangerPolicyResource> getResources();
    
    /**
     * Set the resources this policy applies to
     * @param resources - Map of resource name to resource definition
     */
    public void setResources(Map<String, RangerPolicyResource> resources);
    
    /**
     * Get the policy items (allow rules)
     * @return List of policy items
     */
    public List<RangerPolicyItem> getPolicyItems();
    
    /**
     * Set the policy items (allow rules)
     * @param policyItems - List of policy items
     */
    public void setPolicyItems(List<RangerPolicyItem> policyItems);
    
    /**
     * Get the deny policy items (explicit deny rules)
     * @return List of deny policy items
     */
    public List<RangerPolicyItem> getDenyPolicyItems();
    
    /**
     * Set the deny policy items (explicit deny rules)
     * @param denyPolicyItems - List of deny policy items
     */
    public void setDenyPolicyItems(List<RangerPolicyItem> denyPolicyItems);
    
    /**
     * Get the allow exceptions (principals excluded from the allow rules)
     * @return List of allow exception items
     */
    public List<RangerPolicyItem> getAllowExceptions();
    
    /**
     * Set the allow exceptions (principals excluded from the allow rules)
     * @param allowExceptions - List of allow exception items
     */
    public void setAllowExceptions(List<RangerPolicyItem> allowExceptions);
    
    /**
     * Get the deny exceptions (principals excluded from the deny rules)
     * @return List of deny exception items
     */
    public List<RangerPolicyItem> getDenyExceptions();
    
    /**
     * Set the deny exceptions (principals excluded from the deny rules)
     * @param denyExceptions - List of deny exception items
     */
    public void setDenyExceptions(List<RangerPolicyItem> denyExceptions);
    
    /**
     * Get data masking policy items
     * @return List of data masking items
     */
    public List<RangerDataMaskPolicyItem> getDataMaskPolicyItems();
    
    /**
     * Set data masking policy items
     * @param dataMaskPolicyItems - List of data masking items
     */
    public void setDataMaskPolicyItems(List<RangerDataMaskPolicyItem> dataMaskPolicyItems);
    
    /**
     * Get row filtering policy items
     * @return List of row filtering items
     */
    public List<RangerRowFilterPolicyItem> getRowFilterPolicyItems();
    
    /**
     * Set row filtering policy items
     * @param rowFilterPolicyItems - List of row filtering items
     */
    public void setRowFilterPolicyItems(List<RangerRowFilterPolicyItem> rowFilterPolicyItems);
}

RangerServiceDef

Defines the structure, capabilities, and configuration schema for a service type (e.g., HDFS, Hive, HBase).

/**
 * Defines the structure and capabilities of a service type
 */
public class RangerServiceDef extends RangerBaseModelObject {
    /**
     * Get the service type name
     * @return Service type name (e.g., "hdfs", "hive")
     */
    public String getName();
    
    /**
     * Set the service type name
     * @param name - Service type name
     */
    public void setName(String name);
    
    /**
     * Get the display name for UI
     * @return Display name
     */
    public String getDisplayName();
    
    /**
     * Set the display name for UI
     * @param displayName - Display name
     */
    public void setDisplayName(String displayName);
    
    /**
     * Get the implementation class name
     * @return Fully qualified class name
     */
    public String getImplClass();
    
    /**
     * Set the implementation class name
     * @param implClass - Fully qualified class name
     */
    public void setImplClass(String implClass);
    
    /**
     * Get the service label
     * @return Service label
     */
    public String getLabel();
    
    /**
     * Set the service label
     * @param label - Service label
     */
    public void setLabel(String label);
    
    /**
     * Get the service description
     * @return Description text
     */
    public String getDescription();
    
    /**
     * Set the service description
     * @param description - Description text
     */
    public void setDescription(String description);
    
    /**
     * Get service-wide options
     * @return Map of option names to values
     */
    public Map<String, String> getOptions();
    
    /**
     * Set service-wide options
     * @param options - Map of option names to values
     */
    public void setOptions(Map<String, String> options);
    
    /**
     * Get configuration definitions for this service type
     * @return List of configuration definitions
     */
    public List<RangerServiceConfigDef> getConfigs();
    
    /**
     * Set configuration definitions for this service type
     * @param configs - List of configuration definitions
     */
    public void setConfigs(List<RangerServiceConfigDef> configs);
    
    /**
     * Get resource definitions for this service type
     * @return List of resource definitions
     */
    public List<RangerResourceDef> getResources();
    
    /**
     * Set resource definitions for this service type
     * @param resources - List of resource definitions
     */
    public void setResources(List<RangerResourceDef> resources);
    
    /**
     * Get access type definitions for this service type
     * @return List of access type definitions
     */
    public List<RangerAccessTypeDef> getAccessTypes();
    
    /**
     * Set access type definitions for this service type
     * @param accessTypes - List of access type definitions
     */
    public void setAccessTypes(List<RangerAccessTypeDef> accessTypes);
    
    /**
     * Get policy condition definitions
     * @return List of policy condition definitions
     */
    public List<RangerPolicyConditionDef> getPolicyConditions();
    
    /**
     * Set policy condition definitions
     * @param policyConditions - List of policy condition definitions
     */
    public void setPolicyConditions(List<RangerPolicyConditionDef> policyConditions);
    
    /**
     * Get context enricher definitions
     * @return List of context enricher definitions
     */
    public List<RangerContextEnricherDef> getContextEnrichers();
    
    /**
     * Set context enricher definitions
     * @param contextEnrichers - List of context enricher definitions
     */
    public void setContextEnrichers(List<RangerContextEnricherDef> contextEnrichers);
}

RangerRole

Represents a role that can be assigned to users and groups to provide organized permission management.

/**
 * Represents a role for organizing permissions
 */
public class RangerRole extends RangerBaseModelObject {
    /**
     * Get the role name
     * @return Role name
     */
    public String getName();
    
    /**
     * Set the role name
     * @param name - Role name
     */
    public void setName(String name);
    
    /**
     * Get the role description
     * @return Description text
     */
    public String getDescription();
    
    /**
     * Set the role description
     * @param description - Description text
     */
    public void setDescription(String description);
    
    /**
     * Get users assigned to this role
     * @return List of role members (users)
     */
    public List<RangerRoleMember> getUsers();
    
    /**
     * Set users assigned to this role
     * @param users - List of role members (users)
     */
    public void setUsers(List<RangerRoleMember> users);
    
    /**
     * Get groups assigned to this role
     * @return List of role members (groups)
     */
    public List<RangerRoleMember> getGroups();
    
    /**
     * Set groups assigned to this role
     * @param groups - List of role members (groups)
     */
    public void setGroups(List<RangerRoleMember> groups);
    
    /**
     * Get roles assigned to this role (role hierarchy)
     * @return List of role members (roles)
     */
    public List<RangerRoleMember> getRoles();
    
    /**
     * Set roles assigned to this role (role hierarchy)
     * @param roles - List of role members (roles)
     */
    public void setRoles(List<RangerRoleMember> roles);
    
    /**
     * Check if this role is enabled
     * @return True if role is enabled
     */
    public Boolean getIsEnabled();
    
    /**
     * Enable or disable this role
     * @param isEnabled - True to enable role
     */
    public void setIsEnabled(Boolean isEnabled);
}

RangerTag

Represents a tag that can be associated with resources for attribute-based access control.

/**
 * Represents a tag for attribute-based access control
 */
public class RangerTag extends RangerBaseModelObject {
    /**
     * Get the tag name/value
     * @return Tag name
     */
    public String getType();
    
    /**
     * Set the tag name/value
     * @param type - Tag name
     */
    public void setType(String type);
    
    /**
     * Get tag attributes
     * @return Map of attribute names to values
     */
    public Map<String, String> getAttributes();
    
    /**
     * Set tag attributes
     * @param attributes - Map of attribute names to values
     */
    public void setAttributes(Map<String, String> attributes);
    
    /**
     * Get the resource associated with this tag
     * @return Resource GUID
     */
    public String getResourceGuid();
    
    /**
     * Set the resource associated with this tag
     * @param resourceGuid - Resource GUID
     */
    public void setResourceGuid(String resourceGuid);
    
    /**
     * Get tag options
     * @return Map of option names to values
     */
    public Map<String, String> getOptions();
    
    /**
     * Set tag options
     * @param options - Map of option names to values
     */
    public void setOptions(Map<String, String> options);
}

RangerSecurityZone

Represents a security zone that groups related resources for administrative purposes.

/**
 * Represents a security zone for grouping resources
 */
public class RangerSecurityZone extends RangerBaseModelObject {
    /**
     * Get the security zone name
     * @return Zone name
     */
    public String getName();
    
    /**
     * Set the security zone name
     * @param name - Zone name
     */
    public void setName(String name);
    
    /**
     * Get the zone description
     * @return Description text
     */
    public String getDescription();
    
    /**
     * Set the zone description
     * @param description - Description text
     */
    public void setDescription(String description);
    
    /**
     * Get services and their resources in this zone
     * @return Map of service names to service resources
     */
    public Map<String, RangerSecurityZoneService> getServices();
    
    /**
     * Set services and their resources in this zone
     * @param services - Map of service names to service resources
     */
    public void setServices(Map<String, RangerSecurityZoneService> services);
    
    /**
     * Get zone administrators (users)
     * @return List of admin users
     */
    public List<String> getAdminUsers();
    
    /**
     * Set zone administrators (users)
     * @param adminUsers - List of admin users
     */
    public void setAdminUsers(List<String> adminUsers);
    
    /**
     * Get zone administrators (groups)
     * @return List of admin groups
     */
    public List<String> getAdminUserGroups();
    
    /**
     * Set zone administrators (groups)
     * @param adminUserGroups - List of admin groups
     */
    public void setAdminUserGroups(List<String> adminUserGroups);
    
    /**
     * Get zone auditors (users)
     * @return List of auditor users
     */
    public List<String> getAuditUsers();
    
    /**
     * Set zone auditors (users)
     * @param auditUsers - List of auditor users
     */
    public void setAuditUsers(List<String> auditUsers);
    
    /**
     * Get zone auditors (groups)
     * @return List of auditor groups
     */
    public List<String> getAuditUserGroups();
    
    /**
     * Set zone auditors (groups)
     * @param auditUserGroups - List of auditor groups
     */
    public void setAuditUserGroups(List<String> auditUserGroups);
}

RangerService

Represents an instance of a service (e.g., a specific HDFS cluster, Hive instance).

/**
 * Represents an instance of a service
 */
public class RangerService extends RangerBaseModelObject {
    /**
     * Get the service name
     * @return Service name
     */
    public String getName();
    
    /**
     * Set the service name
     * @param name - Service name
     */
    public void setName(String name);
    
    /**
     * Get the service display name
     * @return Display name
     */
    public String getDisplayName();
    
    /**
     * Set the service display name
     * @param displayName - Display name
     */
    public void setDisplayName(String displayName);
    
    /**
     * Get the service type
     * @return Service type (matches RangerServiceDef name)
     */
    public String getType();
    
    /**
     * Set the service type
     * @param type - Service type (matches RangerServiceDef name)
     */
    public void setType(String type);
    
    /**
     * Get the service description
     * @return Description text
     */
    public String getDescription();
    
    /**
     * Set the service description
     * @param description - Description text
     */
    public void setDescription(String description);
    
    /**
     * Get service configuration
     * @return Map of configuration names to values
     */
    public Map<String, String> getConfigs();
    
    /**
     * Set service configuration
     * @param configs - Map of configuration names to values
     */
    public void setConfigs(Map<String, String> configs);
    
    /**
     * Check if this service is enabled
     * @return True if service is enabled
     */
    public Boolean getIsEnabled();
    
    /**
     * Enable or disable this service
     * @param isEnabled - True to enable service
     */
    public void setIsEnabled(Boolean isEnabled);
    
    /**
     * Get tag service name (for tag-based policies)
     * @return Tag service name
     */
    public String getTagService();
    
    /**
     * Set tag service name (for tag-based policies)
     * @param tagService - Tag service name
     */
    public void setTagService(String tagService);
}

Usage Examples:

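import org.apache.ranger.plugin.model.*;
import org.apache.ranger.plugin.model.RangerPolicy.*;      // nested classes: RangerPolicyItem, RangerPolicyItemAccess, RangerPolicyResource
import org.apache.ranger.plugin.model.RangerServiceDef.*;  // nested classes: RangerResourceDef, RangerAccessTypeDef
import java.util.*;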

// Create a new policy
RangerPolicy policy = new RangerPolicy();
policy.setName("hdfs-read-policy");
policy.setService("hadoop-cluster1");
policy.setPolicyType(RangerPolicy.POLICY_TYPE_ACCESS);
policy.setPolicyPriority(RangerPolicy.POLICY_PRIORITY_NORMAL);
policy.setDescription("Allow users to read files in /user directory");
policy.setIsEnabled(true);
policy.setIsAuditEnabled(true);

// Define resources
Map<String, RangerPolicyResource> resources = new HashMap<>();
RangerPolicyResource pathResource = new RangerPolicyResource();
pathResource.setValues(Arrays.asList("/user/*"));
pathResource.setIsExcludes(false);
pathResource.setIsRecursive(true);
resources.put("path", pathResource);
policy.setResources(resources);

// Define policy items (allow rules)
List<RangerPolicyItem> policyItems = new ArrayList<>();
RangerPolicyItem item = new RangerPolicyItem();
item.setUsers(Arrays.asList("alice", "bob"));
item.setGroups(Arrays.asList("users"));
item.setRoles(Arrays.asList("data-reader"));
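// Each granted access type is a RangerPolicyItemAccess (type name, isAllowed)
item.setAccesses(Arrays.asList(new RangerPolicyItemAccess("read", true)));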
item.setDelegateAdmin(false);
policyItems.add(item);
policy.setPolicyItems(policyItems);

// Create a service definition
RangerServiceDef serviceDef = new RangerServiceDef();
serviceDef.setName("hdfs");
serviceDef.setDisplayName("Hadoop Distributed File System");
serviceDef.setImplClass("org.apache.ranger.services.hdfs.RangerServiceHdfs");
serviceDef.setDescription("HDFS Repository");

// Define resources for the service type
List<RangerResourceDef> resourceDefs = new ArrayList<>();
RangerResourceDef pathDef = new RangerResourceDef();
pathDef.setName("path");
pathDef.setType("path");
pathDef.setLevel(1);
pathDef.setMandatory(true);
pathDef.setLookupSupported(true);
pathDef.setRecursiveSupported(true);
pathDef.setExcludesSupported(true);
pathDef.setMatcher("org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher");
pathDef.setMatcherOptions(new HashMap<>());
resourceDefs.add(pathDef);
serviceDef.setResources(resourceDefs);

// Define access types for the service
List<RangerAccessTypeDef> accessTypes = new ArrayList<>();
RangerAccessTypeDef readAccess = new RangerAccessTypeDef();
readAccess.setName("read");
readAccess.setLabel("Read");
readAccess.setImpliedGrants(Arrays.asList());
accessTypes.add(readAccess);

RangerAccessTypeDef writeAccess = new RangerAccessTypeDef();
writeAccess.setName("write");
writeAccess.setLabel("Write");
writeAccess.setImpliedGrants(Arrays.asList("read"));
accessTypes.add(writeAccess);

serviceDef.setAccessTypes(accessTypes);

// Create a role
RangerRole role = new RangerRole();
role.setName("data-analyst");
role.setDescription("Role for data analysts");
role.setIsEnabled(true);

List<RangerRoleMember> users = new ArrayList<>();
RangerRoleMember userMember = new RangerRoleMember();
userMember.setName("alice");
userMember.setIsAdmin(false);
users.add(userMember);
role.setUsers(users);

List<RangerRoleMember> groups = new ArrayList<>();
RangerRoleMember groupMember = new RangerRoleMember();
groupMember.setName("analysts");
groupMember.setIsAdmin(false);
groups.add(groupMember);
role.setGroups(groups);

// Create a tag
RangerTag tag = new RangerTag();
tag.setType("PII");
Map<String, String> attributes = new HashMap<>();
attributes.put("level", "high");
attributes.put("category", "personal");
tag.setAttributes(attributes);

// Create a service instance
RangerService service = new RangerService();
service.setName("hadoop-cluster1");
service.setDisplayName("Production Hadoop Cluster");
service.setType("hdfs");
service.setDescription("Production HDFS service");
service.setIsEnabled(true);

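Map<String, String> serviceConfigs = new HashMap<>();
serviceConfigs.put("username", "ranger");
// Placeholder credential for illustration; in a deployment, load it from a secret store
// or the environment instead of hard-coding it in source
serviceConfigs.put("password", "ranger123");
serviceConfigs.put("fs.default.name", "hdfs://namenode:8020");
service.setConfigs(serviceConfigs);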

System.out.println("Created policy: " + policy.getName() + " for service: " + policy.getService());
System.out.println("Service definition: " + serviceDef.getName() + " supports " + 
                   serviceDef.getAccessTypes().size() + " access types");
System.out.println("Role " + role.getName() + " has " + role.getUsers().size() + " users");
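
A review helper built on the RangerPolicy getters documented above, as an added example (not code from this page or from Apache Ranger): it reports settings worth confirming before a policy is saved or imported. It assumes ranger-plugins-common is on the classpath and uses the nested class names from the Ranger source (`RangerPolicy.RangerPolicyItem`, `RangerPolicyItemAccess`, `RangerPolicyResource`); `PolicyReview` and `review` are hypothetical names.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;

/** Added example: lists settings on a RangerPolicy that a reviewer should confirm are intended. */
public final class PolicyReview {

    private static <T> List<T> orEmpty(List<T> list) {
        return list == null ? Collections.emptyList() : list;
    }

    public static List<String> review(RangerPolicy policy) {
        List<String> findings = new ArrayList<>();
        String id = policy.getService() + "/" + policy.getName();

        if (!Boolean.TRUE.equals(policy.getIsAuditEnabled())) {
            findings.add(id + ": auditing is disabled for this policy");
        }
        if (Integer.valueOf(RangerPolicy.POLICY_PRIORITY_OVERRIDE).equals(policy.getPolicyPriority())) {
            findings.add(id + ": override priority, takes precedence over normal policies");
        }
        Map<String, RangerPolicyResource> resources = policy.getResources();
        if (resources != null) {
            resources.forEach((name, res) -> {
                // A wildcard inside an "excludes" resource narrows the policy, so only flag includes
                boolean excludes = Boolean.TRUE.equals(res.getIsExcludes());
                if (!excludes && orEmpty(res.getValues()).contains("*")) {
                    findings.add(id + ": resource '" + name + "' is the wildcard \"*\"");
                }
            });
        }
        for (RangerPolicyItem item : orEmpty(policy.getPolicyItems())) {
            if (Boolean.TRUE.equals(item.getDelegateAdmin())) {
                findings.add(id + ": delegateAdmin granted to users " + item.getUsers()
                        + ", groups " + item.getGroups());
            }
            // "public" is Ranger's built-in group that every user belongs to
            if (orEmpty(item.getGroups()).contains("public")) {
                findings.add(id + ": allow item applies to the 'public' group (all users)");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample policy (service and policy names are made up)
        RangerPolicy policy = new RangerPolicy();
        policy.setService("hadoop-cluster1");
        policy.setName("broad-read");
        policy.setIsAuditEnabled(false);
        policy.setPolicyPriority(RangerPolicy.POLICY_PRIORITY_OVERRIDE);

        RangerPolicyResource path = new RangerPolicyResource();
        path.setValues(Arrays.asList("*"));
        path.setIsRecursive(true);
        policy.setResources(Collections.singletonMap("path", path));

        RangerPolicyItem item = new RangerPolicyItem();
        item.setGroups(Arrays.asList("public"));
        item.setAccesses(Arrays.asList(new RangerPolicyItemAccess("read", true)));
        item.setDelegateAdmin(true);
        policy.setPolicyItems(Arrays.asList(item));

        review(policy).forEach(System.out::println);
    }
}
```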

Model Hierarchies and Relationships

Policy Item Hierarchy

Policy items define the actual permissions within policies:

  • RangerPolicyItem: Base policy item, used for allow rules, deny rules and their exceptions
  • RangerDataMaskPolicyItem: Extended item for data masking policies with mask information
  • RangerRowFilterPolicyItem: Extended item for row filtering policies with filter expressions
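
How the four RangerPolicyItem lists on RangerPolicy (policyItems, denyPolicyItems, allowExceptions, denyExceptions) combine for one request, as an added example that is not code from this page or from Apache Ranger. It is a simplified stand-alone model (Java 16+): `Item`, `Policy` and `evaluate` are hypothetical stand-ins, and resource matching, conditions and policy priority are left out.

```java
import java.util.List;
import java.util.Set;

/** Simplified model of how one policy's four item lists interact (added example). */
public class PolicyItemPrecedence {

    /** Hypothetical stand-in for RangerPolicyItem: the principals it names and the access types it covers. */
    record Item(Set<String> users, Set<String> groups, Set<String> accessTypes) {
        boolean matches(String user, Set<String> userGroups, String accessType) {
            boolean principal = users.contains(user) || groups.stream().anyMatch(userGroups::contains);
            return principal && accessTypes.contains(accessType);
        }
    }

    /** Hypothetical stand-in for the four lists carried by RangerPolicy. */
    record Policy(List<Item> policyItems, List<Item> denyPolicyItems,
                  List<Item> allowExceptions, List<Item> denyExceptions) {}

    enum Decision { ALLOW, DENY, NOT_DETERMINED }

    static boolean any(List<Item> items, String user, Set<String> groups, String access) {
        return items.stream().anyMatch(i -> i.matches(user, groups, access));
    }

    static Decision evaluate(Policy p, String user, Set<String> groups, String access) {
        // Deny items are checked first; a matching deny exception cancels the deny.
        if (any(p.denyPolicyItems(), user, groups, access)
                && !any(p.denyExceptions(), user, groups, access)) {
            return Decision.DENY;
        }
        // Allow items are checked next; a matching allow exception cancels the allow.
        if (any(p.policyItems(), user, groups, access)
                && !any(p.allowExceptions(), user, groups, access)) {
            return Decision.ALLOW;
        }
        // Neither list decided, so this policy has no say on the request.
        return Decision.NOT_DETERMINED;
    }

    public static void main(String[] args) {
        // Constructed sample policy; user and group names are made up
        Policy p = new Policy(
            List.of(new Item(Set.of(), Set.of("analysts"), Set.of("read"))),             // allow rule
            List.of(new Item(Set.of(), Set.of("contractors"), Set.of("read", "write"))), // deny rule
            List.of(new Item(Set.of("erin"), Set.of(), Set.of("read"))),                 // excluded from allow
            List.of(new Item(Set.of("carol"), Set.of(), Set.of("read"))));               // excluded from deny

        // alice: member of the allowed group only
        System.out.println("alice  " + evaluate(p, "alice", Set.of("analysts"), "read"));
        // erin: member of the allowed group, but listed in allowExceptions
        System.out.println("erin   " + evaluate(p, "erin", Set.of("analysts"), "read"));
        // dave: member of both the allowed and the denied group
        System.out.println("dave   " + evaluate(p, "dave", Set.of("analysts", "contractors"), "read"));
        // carol: same groups as dave, but listed in denyExceptions
        System.out.println("carol  " + evaluate(p, "carol", Set.of("analysts", "contractors"), "read"));
        // carol again, this time without membership in the allowed group
        System.out.println("carol2 " + evaluate(p, "carol", Set.of("contractors"), "read"));
    }
}
```

An exception never grants or denies anything by itself: it only removes a principal from the rule list it belongs to, so a user listed in denyExceptions still needs a matching allow rule to get access.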

Service Definition Components

Service definitions are composed of several definition classes:

  • RangerResourceDef: Defines a resource type (e.g., "path", "database", "table")
  • RangerAccessTypeDef: Defines an access type (e.g., "read", "write", "admin")
  • RangerPolicyConditionDef: Defines a policy condition evaluator
  • RangerContextEnricherDef: Defines a context enricher
  • RangerServiceConfigDef: Defines a configuration parameter

Model Validation

All model objects support validation through:

  • Required field validation: Ensures mandatory fields are set
  • Cross-reference validation: Validates relationships between objects
  • Business rule validation: Enforces domain-specific rules
  • Format validation: Validates field formats (e.g., names, patterns)

Serialization Support

All model classes provide comprehensive serialization support:

  • JSON serialization: Via Jackson annotations for REST APIs
  • Java serialization: Via Serializable interface for caching and persistence
  • XML serialization: For configuration export/import
  • Version compatibility: Backward-compatible serialization handling

Thread Safety

Model objects have specific thread safety characteristics:

  • Immutable after creation: Models should be treated as immutable once populated
  • Builder pattern support: Use builders or setters only during construction
  • Copy constructors: Available for creating defensive copies
  • Thread-safe collections: Use concurrent collections for multi-threaded access

Install with Tessl CLI

npx tessl i tessl/maven-org-apache-ranger--ranger-plugins-common
