RANGER-5610:getResourceACLs for a principal should consider validitySchedule of principal for ACL creation

hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java

@@ -58,6 +58,7 @@
 import org.apache.hadoop.thirdparty.com.google.common.collect.Sets;
 import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.plugin.conditionevaluator.RangerValidityScheduleConditionEvaluator;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.model.RangerRole;
@@ -69,6 +70,7 @@
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
+import org.apache.ranger.plugin.policyengine.gds.GdsPolicyEngine;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
@@ -77,6 +79,7 @@
 import org.apache.ranger.plugin.util.RangerPerfTracer;
 import org.apache.ranger.plugin.util.RangerRequestedResources;
 import org.apache.ranger.plugin.util.RangerRoles;
+import org.apache.ranger.plugin.util.ServiceDefUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -2843,11 +2846,187 @@ private RangerResourceACLs getRangerResourceACLs(HivePrivilegeObject hiveObject,
 
         ret = hivePlugin.getResourceACLs(request);
 
+        if (ret != null && principal != null && request != null) {
+            filterAclsByValiditySchedule(ret, principal, request);
+        }
+
         LOG.debug("<== RangerHivePolicyProvider.getRangerResourceACLs:[{}], principal=[{}], Computed ACLS:[{}]", hiveObject, principal, ret);
 
         return ret;
     }
 
+    private void filterAclsByValiditySchedule(RangerResourceACLs acls, HivePrincipal principal, RangerAccessRequest request) {
+        if (acls == null || principal == null || request == null) {
+            return;
+        }
+
+        Map<String, Map<String, RangerResourceACLs.AccessResult>> principalACLs = null;
+        switch (principal.getType()) {
+            case USER:
+                principalACLs = acls.getUserACLs();
+                break;
+            case GROUP:
+                principalACLs = acls.getGroupACLs();
+                break;
+            case ROLE:
+                principalACLs = acls.getRoleACLs();
+                break;
+            default:
+                break;
+        }
+
+        if (principalACLs != null) {
+            Map<String, RangerResourceACLs.AccessResult> accessMap = principalACLs.get(principal.getName());
+            if (accessMap != null) {
+                Map<String, Collection<String>> impliedGrants    = null;
+                Map<String, Collection<String>> gdsImpliedGrants = null;
+
+                if (hivePlugin != null) {
+                    RangerServiceDef serviceDef = hivePlugin.getServiceDef();
+                    if (serviceDef != null) {
+                        impliedGrants = ServiceDefUtil.getExpandedImpliedGrants(serviceDef);
+                    }
+
+                    GdsPolicyEngine gdsPolicyEngine = hivePlugin.getGdsPolicyEngine();
+                    if (gdsPolicyEngine != null && gdsPolicyEngine.getGdsInfo() != null) {
+                        RangerServiceDef gdsServiceDef = gdsPolicyEngine.getGdsInfo().getGdsServiceDef();
+                        if (gdsServiceDef != null) {
+                            gdsImpliedGrants = ServiceDefUtil.getExpandedImpliedGrants(gdsServiceDef);
+                        }
+                    }
+                }
+
+                Map<RangerPolicy.RangerPolicyItem, Boolean> policyItemActiveCache = new HashMap<>();
+                List<String> keysToRemove = new ArrayList<>();
+                for (Map.Entry<String, RangerResourceACLs.AccessResult> entry : accessMap.entrySet()) {
+                    RangerResourceACLs.AccessResult accessResult = entry.getValue();
+                    if (accessResult != null && accessResult.getResult() == RangerPolicyEvaluator.ACCESS_CONDITIONAL) {
+                        RangerPolicy policy = accessResult.getPolicy();
+                        if (policy != null) {
+                            boolean hasActiveItem = false;
+
+                            List<RangerPolicy.RangerPolicyItem> policyItems = new ArrayList<>();
+                            if (CollectionUtils.isNotEmpty(policy.getPolicyItems())) {
+                                policyItems.addAll(policy.getPolicyItems());
+                            }
+                            if (CollectionUtils.isNotEmpty(policy.getDenyPolicyItems())) {
+                                policyItems.addAll(policy.getDenyPolicyItems());
+                            }
+                            if (CollectionUtils.isNotEmpty(policy.getAllowExceptions())) {
+                                policyItems.addAll(policy.getAllowExceptions());
+                            }
+                            if (CollectionUtils.isNotEmpty(policy.getDenyExceptions())) {
+                                policyItems.addAll(policy.getDenyExceptions());
+                            }
+
+                            for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
+                                if (isPolicyItemApplicable(policyItem, principal, entry.getKey(), impliedGrants, gdsImpliedGrants)) {
+                                    Boolean isActive = policyItemActiveCache.get(policyItem);
+                                    if (isActive == null) {
+                                        isActive = isPolicyItemValidityActive(policyItem, request);
+                                        policyItemActiveCache.put(policyItem, isActive);
+                                    }
+                                    if (isActive) {
+                                        hasActiveItem = true;
+                                        break;
+                                    }
+                                }
+                            }
+                            if (!hasActiveItem) {
+                                keysToRemove.add(entry.getKey());
+                            }
+                        }
+                    }
+                }
+                for (String key : keysToRemove) {
+                    accessMap.remove(key);
+                }
+                if (accessMap.isEmpty()) {
+                    principalACLs.remove(principal.getName());
+                }
+            }
+        }
+    }
+
+    private boolean isPolicyItemApplicable(RangerPolicy.RangerPolicyItem policyItem, HivePrincipal principal, String accessType, Map<String, Collection<String>> impliedGrants, Map<String, Collection<String>> gdsImpliedGrants) {
+        if (policyItem == null || principal == null || StringUtils.isBlank(accessType)) {
+            return false;
+        }
+
+        if (CollectionUtils.isEmpty(policyItem.getAccesses())) {
+            return false;
+        }
+
+        boolean hasAccessType = false;
+
+        for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) {
+            if (StringUtils.equalsIgnoreCase(accessType, access.getType()) || StringUtils.equalsIgnoreCase(access.getType(), RangerPolicyEngine.ANY_ACCESS)) {
+                hasAccessType = true;
+                break;
+            }
+            if (impliedGrants != null) {
+                Collection<String> impliedAccessTypes = impliedGrants.get(access.getType());
+                if (impliedAccessTypes != null) {
+                    for (String impliedAccessType : impliedAccessTypes) {
+                        if (StringUtils.equalsIgnoreCase(accessType, impliedAccessType)) {
+                            hasAccessType = true;
+                            break;
+                        }
+                    }
+                }
+            }
+            if (hasAccessType) {
+                break;
+            }
+            if (gdsImpliedGrants != null) {
+                Collection<String> impliedAccessTypes = gdsImpliedGrants.get(access.getType());
+                if (impliedAccessTypes != null) {
+                    for (String impliedAccessType : impliedAccessTypes) {
+                        if (StringUtils.equalsIgnoreCase(accessType, impliedAccessType)) {
+                            hasAccessType = true;
+                            break;
+                        }
+                    }
+                }
+            }
+            if (hasAccessType) {
+                break;
+            }
+        }
+
+        if (!hasAccessType) {
+            return false;
+        }
+
+        switch (principal.getType()) {
+            case USER:
+                return CollectionUtils.isNotEmpty(policyItem.getUsers()) && (policyItem.getUsers().contains(principal.getName()) || policyItem.getUsers().contains(RangerPolicyEngine.USER_CURRENT));
+            case GROUP:
+                return CollectionUtils.isNotEmpty(policyItem.getGroups()) && (policyItem.getGroups().contains(principal.getName()) || policyItem.getGroups().contains(RangerPolicyEngine.GROUP_PUBLIC));
+            case ROLE:
+                return CollectionUtils.isNotEmpty(policyItem.getRoles()) && policyItem.getRoles().contains(principal.getName());
+        }
+        return false;
+    }
+
+    private boolean isPolicyItemValidityActive(RangerPolicy.RangerPolicyItem policyItem, RangerAccessRequest request) {
+        if (policyItem == null || request == null || CollectionUtils.isEmpty(policyItem.getConditions())) {
+            return true;
+        }
+        for (RangerPolicy.RangerPolicyItemCondition condition : policyItem.getConditions()) {
+            if (!StringUtils.equalsIgnoreCase(condition.getType(), "validitySchedule")) {
+                continue;
+            }
+            RangerValidityScheduleConditionEvaluator evaluator = new RangerValidityScheduleConditionEvaluator();
+            evaluator.setPolicyItemCondition(condition);
+            evaluator.init();
+            if (!evaluator.isMatched(request)) {
+                return false;
+            }
+        }
+        return true;
+    }
+
     private Map<String, Map<Privilege, AccessResult>> convertRangerACLsToHiveACLs(Map<String, Map<String, RangerResourceACLs.AccessResult>> rangerACLs) {
         Map<String, Map<Privilege, AccessResult>> ret = new HashMap<>();