ranger 数据库
mysql> show tables;
+------------------------------+
| Tables_in_ranger |
+------------------------------+
| vx_trx_log |
| x_access_type_def |
| x_access_type_def_grants |
| x_asset |
| x_audit_map |
| x_auth_sess |
| x_context_enricher_def |
| x_cred_store |
| x_data_hist |
| x_datamask_type_def |
| x_db_base |
| x_db_version_h |
| x_enum_def |
| x_enum_element_def |
| x_group |
| x_group_groups |
| x_group_module_perm |
| x_group_users |
| x_modules_master |
| x_perm_map |
| x_plugin_info |
| x_policy |
| x_policy_change_log |
| x_policy_condition_def |
| x_policy_export_audit |
| x_policy_item |
| x_policy_item_access |
| x_policy_item_condition |
| x_policy_item_datamask |
| x_policy_item_group_perm |
| x_policy_item_rowfilter |
| x_policy_item_user_perm |
| x_policy_label |
| x_policy_label_map |
| x_policy_ref_access_type |
| x_policy_ref_condition |
| x_policy_ref_datamask_type |
| x_policy_ref_group |
| x_policy_ref_resource |
| x_policy_ref_role |
| x_policy_ref_user |
| x_policy_resource |
| x_policy_resource_map |
| x_portal_user |
| x_portal_user_role |
| x_ranger_global_state |
| x_resource |
| x_resource_def |
| x_role |
| x_role_ref_group |
| x_role_ref_role |
| x_role_ref_user |
| x_security_zone |
| x_security_zone_ref_group |
| x_security_zone_ref_resource |
| x_security_zone_ref_service |
| x_security_zone_ref_tag_srvc |
| x_security_zone_ref_user |
| x_service |
| x_service_config_def |
| x_service_config_map |
| x_service_def |
| x_service_resource |
| x_service_version_info |
| x_tag |
| x_tag_change_log |
| x_tag_def |
| x_tag_resource_map |
| x_trx_log |
| x_ugsync_audit_info |
| x_user |
| x_user_module_perm |
| xa_access_audit |
+------------------------------+
看起来策略都保存在 x_policy 表中，所有信息都通过 JSON 序列化成文本保存（即 policy_text 列）。
查看其他 policy 相关的表（如 x_policy_item、x_policy_item_access），均为空。估计以前是想要单独处理的，后来都放弃了，统一序列化了。
hive
id: 61
guid: b9607de7-a14a-4cc0-a87a-31bcdbdb78f1
create_time: 2024-01-15 03:51:52
update_time: 2024-01-15 03:51:52
added_by_id: 1
upd_by_id: 1
version: 1
service: 7
name: a4ede009-c812-4b62-a4d2-9cc112354483
policy_type: 0
description: NULL
resource_signature: dd1bec4aee40bafedb70f06c551cf7dac3190b95611c4424d080198885d54ed8
is_enabled: 1
is_audit_enabled: 1
policy_options: NULL
policy_priority: 0
policy_text: {"service":"dw_hive","name":"a4ede009-c812-4b62-a4d2-9cc112354483","policyType":0,"policyPriority":0,"resourceSignature":"dd1bec4aee40bafedb70f06c551cf7dac3190b95611c4424d080198885d54ed8","isAuditEnabled":true,"resources":{"database":{"values":["default","6b9a082a-f2b6-40ce-acda-b96c44547823"],"isExcludes":false,"isRecursive":false},"column":{"values":["*"],"isExcludes":false,"isRecursive":false},"table":{"values":["*"],"isExcludes":false,"isRecursive":false}},"policyItems":[{"accesses":[{"type":"select","isAllowed":true},{"type":"update","isAllowed":true},{"type":"create","isAllowed":true},{"type":"drop","isAllowed":true},{"type":"alter","isAllowed":true},{"type":"index","isAllowed":true},{"type":"lock","isAllowed":true}],"users":["myazhang"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":false}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"options":{},"validitySchedules":[],"policyLabels":[],"isDenyAllElse":false,"isEnabled":true,"version":1}
zone_id: 1
yarn
id: 39
guid: 80e04b15-2d20-4ee2-bfd1-4ee53a809b72
create_time: 2023-12-29 07:45:31
update_time: 2023-12-29 07:45:31
added_by_id: 1
upd_by_id: 1
version: 1
service: 6
name: d5d1ef34-38b0-46ff-9de7-42446a465fe1
policy_type: 0
description: NULL
resource_signature: c213f63073e9d9a418ab2ec01d55eb0713a0ca6f8c4976e7ea2fb7805e3a7195
is_enabled: 1
is_audit_enabled: 1
policy_options: NULL
policy_priority: 0
policy_text: {"service":"dw_yarn","name":"d5d1ef34-38b0-46ff-9de7-42446a465fe1","policyType":0,"policyPriority":0,"resourceSignature":"c213f63073e9d9a418ab2ec01d55eb0713a0ca6f8c4976e7ea2fb7805e3a7195","isAuditEnabled":true,"resources":{"queue":{"values":["root.tenant1255000002.tiyan1.*","323fef1b-646e-4b38-ad1d-1da0c785f28c"],"isExcludes":false,"isRecursive":false}},"policyItems":[{"accesses":[{"type":"submit-app","isAllowed":true},{"type":"admin-queue","isAllowed":true}],"users":[],"groups":["ProjectManagerGroup_2034672433655599104"],"roles":[],"conditions":[],"delegateAdmin":false}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"options":{},"validitySchedules":[],"policyLabels":[],"isDenyAllElse":false,"isEnabled":true,"version":1}
zone_id: 1
hdfs
id: 32
guid: f790f3a5-235f-4caf-889e-b742703616f3
create_time: 2023-12-29 07:13:04
update_time: 2023-12-29 07:44:23
added_by_id: 1
upd_by_id: 1
version: 3
service: 4
name: 603aff1a-a809-4db0-8e67-a93e0e1baf76
policy_type: 0
description: NULL
resource_signature: c2024dc512a4298f75ce0313a7340f8c8fb5434711a355789aa19a89a8d61e5a
is_enabled: 1
is_audit_enabled: 1
policy_options: NULL
policy_priority: 0
policy_text: {"service":"dw_hdfs","name":"603aff1a-a809-4db0-8e67-a93e0e1baf76","policyType":0,"policyPriority":0,"resourceSignature":"c2024dc512a4298f75ce0313a7340f8c8fb5434711a355789aa19a89a8d61e5a","isAuditEnabled":true,"resources":{"path":{"values":["/","486457ba-8be5-46dd-9b18-4332336ba7c0"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":[],"groups":["SystemManagerGroup"],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"options":{},"validitySchedules":[],"policyLabels":[],"isDenyAllElse":false,"id":32,"guid":"f790f3a5-235f-4caf-889e-b742703616f3","isEnabled":true,"createdBy":"Admin","updatedBy":"Admin","createTime":"20231229-07:13:04.000-+0000","updateTime":"20231229-07:14:22.000-+0000","version":2}
zone_id: 1
序列化的信息来自 Ranger 的 RangerPolicy 类：
@JsonAutoDetect(fieldVisibility=Visibility.ANY)
@JsonSerialize(include=JsonSerialize.Inclusion.NON_EMPTY)
@JsonIgnoreProperties(ignoreUnknown=true)
public class RangerPolicy extends RangerBaseModelObject implements java.io.Serializable {
// Policy kinds stored in the policy_type column.  Note that POLICY_TYPES, the
// array that enumerates them, lists only the first three: POLICY_TYPE_AUDIT is
// not part of it.
public static final int POLICY_TYPE_ACCESS = 0;
public static final int POLICY_TYPE_DATAMASK = 1;
public static final int POLICY_TYPE_ROWFILTER = 2;
public static final int POLICY_TYPE_AUDIT = 3;
public static final int[] POLICY_TYPES = new int[] {
    POLICY_TYPE_ACCESS,
    POLICY_TYPE_DATAMASK,
    POLICY_TYPE_ROWFILTER
};
// Mask type name constants.
public static final String MASK_TYPE_NULL = "MASK_NULL";
public static final String MASK_TYPE_NONE = "MASK_NONE";
public static final String MASK_TYPE_CUSTOM = "CUSTOM";
// Numeric policy priorities (policy_priority column / "policyPriority" JSON key)
// and their string names.
public static final int POLICY_PRIORITY_NORMAL = 0;
public static final int POLICY_PRIORITY_OVERRIDE = 1;
public static final String POLICY_PRIORITY_NAME_NORMAL = "NORMAL";
public static final String POLICY_PRIORITY_NAME_OVERRIDE = "OVERRIDE";
// PolicyIdComparator is not visible in this excerpt; presumably orders by policy id.
public static final Comparator<RangerPolicy> POLICY_ID_COMPARATOR = new PolicyIdComparator();
// For future use
private static final long serialVersionUID = 1L;
// The fields below are what ends up serialised in x_policy.policy_text; their
// names match the JSON keys visible in the dumps above ("service", "name",
// "policyType", "resources", "policyItems", ...).  Whether the setters validate
// any of them is not visible here.
private String service;
private String name;
// One of POLICY_TYPE_*; a NULL policy_type column is read back as POLICY_TYPE_ACCESS (see getNextPolicy).
private Integer policyType;
private Integer policyPriority;
private String description;
// Digest identifying the resource set (64 hex characters in the dumps above); how it is computed is not shown here.
private String resourceSignature;
private Boolean isAuditEnabled;
// Resource name -> resource definition, e.g. "database"/"table"/"column" for hive, "path" for hdfs, "queue" for yarn.
private Map<String, RangerPolicyResource> resources;
private List<Map<String, RangerPolicyResource>> additionalResources;
private List<RangerPolicyItemCondition> conditions;
// Allow items; the deny/exception lists below are separate.
private List<RangerPolicyItem> policyItems;
private List<RangerPolicyItem> denyPolicyItems;
private List<RangerPolicyItem> allowExceptions;
private List<RangerPolicyItem> denyExceptions;
private List<RangerDataMaskPolicyItem> dataMaskPolicyItems;
private List<RangerRowFilterPolicyItem> rowFilterPolicyItems;
// Not present in the stored JSON of the dumps above; filled in from the service definition on load (see getNextPolicy).
private String serviceType;
private Map<String, Object> options;
private List<RangerValiditySchedule> validitySchedules;
private List<String> policyLabels;
// Not present in the stored JSON of the dumps above; resolved from the zone_id column on load (see getNextPolicy).
private String zoneName;
private Boolean isDenyAllElse;
/**
 * Creates an empty policy: every value the full constructor accepts is left
 * null, so what each field ends up holding is decided by its setter.
 */
public RangerPolicy() {
    // Go straight to the full constructor instead of chaining through the
    // shorter overloads; each of those only appends another null.
    this(null, null, null, null, null, null, null, null, null, null, null, null, null, null);
}
/**
 * Overload for callers that have no zone name, policy-level conditions or
 * deny-all-else flag to supply; those three are passed as null.
 *
 * @param service           name of the owning service
 * @param name              policy name
 * @param policyType        one of the POLICY_TYPE_* constants
 * @param policyPriority    POLICY_PRIORITY_NORMAL or POLICY_PRIORITY_OVERRIDE
 * @param description       free-text description, may be null
 * @param resources         resource name to RangerPolicyResource
 * @param policyItems       allow items
 * @param resourceSignature digest identifying the resource set
 * @param options           policy options map
 * @param validitySchedules validity schedules
 * @param policyLables      policy labels (parameter name spelled as in the upstream signature)
 */
public RangerPolicy(String service, String name, Integer policyType, Integer policyPriority, String description, Map<String, RangerPolicyResource> resources, List<RangerPolicyItem> policyItems, String resourceSignature, Map<String, Object> options, List<RangerValiditySchedule> validitySchedules, List<String> policyLables) {
    // Skip the 12- and 13-argument overloads: they would only add a null each.
    this(service, name, policyType, policyPriority, description, resources, policyItems,
         resourceSignature, options, validitySchedules, policyLables, null, null, null);
}
/**
 * Overload that takes a zone name but no policy-level conditions and no
 * deny-all-else flag; the latter two are passed as null.
 *
 * @param service           name of the owning service
 * @param name              policy name
 * @param policyType        one of the POLICY_TYPE_* constants
 * @param policyPriority    POLICY_PRIORITY_NORMAL or POLICY_PRIORITY_OVERRIDE
 * @param description       free-text description, may be null
 * @param resources         resource name to RangerPolicyResource
 * @param policyItems       allow items
 * @param resourceSignature digest identifying the resource set
 * @param options           policy options map
 * @param validitySchedules validity schedules
 * @param policyLables      policy labels (parameter name spelled as in the upstream signature)
 * @param zoneName          security zone name, may be null
 */
public RangerPolicy(String service, String name, Integer policyType, Integer policyPriority, String description, Map<String, RangerPolicyResource> resources, List<RangerPolicyItem> policyItems, String resourceSignature, Map<String, Object> options, List<RangerValiditySchedule> validitySchedules, List<String> policyLables, String zoneName) {
    // Bypass the 13-argument overload, which only appends a null conditions list.
    this(service, name, policyType, policyPriority, description, resources, policyItems,
         resourceSignature, options, validitySchedules, policyLables, zoneName, null, null);
}
/**
 * Overload that takes policy-level conditions but no deny-all-else flag;
 * isDenyAllElse is passed as null to the full constructor.
 *
 * @param service           name of the owning service
 * @param name              policy name
 * @param policyType        one of the POLICY_TYPE_* constants
 * @param policyPriority    POLICY_PRIORITY_NORMAL or POLICY_PRIORITY_OVERRIDE
 * @param description       free-text description, may be null
 * @param resources         resource name to RangerPolicyResource
 * @param policyItems       allow items
 * @param resourceSignature digest identifying the resource set
 * @param options           policy options map
 * @param validitySchedules validity schedules
 * @param policyLables      policy labels (parameter name spelled as in the upstream signature)
 * @param zoneName          security zone name, may be null
 * @param conditions        policy-level conditions, may be null
 */
public RangerPolicy(String service, String name, Integer policyType, Integer policyPriority, String description, Map<String, RangerPolicyResource> resources, List<RangerPolicyItem> policyItems, String resourceSignature, Map<String, Object> options, List<RangerValiditySchedule> validitySchedules, List<String> policyLables, String zoneName, List<RangerPolicyItemCondition> conditions) {
    this(service, name, policyType, policyPriority, description, resources, policyItems, resourceSignature, options, validitySchedules, policyLables, zoneName, conditions, null);
}
/**
 * Full constructor; every shorter overload ends up here.
 *
 * Values are routed through the setters rather than assigned to the fields
 * directly, so whatever normalisation the setters perform (not visible in this
 * excerpt) also applies to constructed policies.  Fields that no constructor
 * exposes (isAuditEnabled, denyPolicyItems, allowExceptions, denyExceptions,
 * dataMaskPolicyItems, rowFilterPolicyItems) are handed null to their setters
 * explicitly; what null turns into is up to each setter.
 *
 * @param service           name of the owning service (the "service" JSON key)
 * @param name              policy name
 * @param policyType        one of the POLICY_TYPE_* constants
 * @param policyPriority    POLICY_PRIORITY_NORMAL or POLICY_PRIORITY_OVERRIDE
 * @param description       free-text description, may be null
 * @param resources         resource name to RangerPolicyResource, e.g. "database"/"table"/"column"
 * @param policyItems       allow items
 * @param resourceSignature digest identifying the resource set
 * @param options           policy options map
 * @param validitySchedules validity schedules
 * @param policyLables      policy labels (parameter name spelled as in the upstream signature)
 * @param zoneName          security zone name, may be null
 * @param conditions        policy-level conditions, may be null
 * @param isDenyAllElse     the isDenyAllElse flag, may be null
 */
public RangerPolicy(String service, String name, Integer policyType, Integer policyPriority, String description, Map<String, RangerPolicyResource> resources, List<RangerPolicyItem> policyItems, String resourceSignature, Map<String, Object> options, List<RangerValiditySchedule> validitySchedules, List<String> policyLables, String zoneName, List<RangerPolicyItemCondition> conditions, Boolean isDenyAllElse) {
    super();
    setService(service);
    setName(name);
    setPolicyType(policyType);
    setPolicyPriority(policyPriority);
    setDescription(description);
    setResourceSignature(resourceSignature);
    // Not a constructor argument; explicitly null here.
    setIsAuditEnabled(null);
    setResources(resources);
    setPolicyItems(policyItems);
    // The deny/exception/mask/filter item lists are likewise not constructor
    // arguments and start out null.
    setDenyPolicyItems(null);
    setAllowExceptions(null);
    setDenyExceptions(null);
    setDataMaskPolicyItems(null);
    setRowFilterPolicyItems(null);
    setOptions(options);
    setValiditySchedules(validitySchedules);
    setPolicyLabels(policyLables);
    setZoneName(zoneName);
    setConditions(conditions);
    setIsDenyAllElse(isDenyAllElse);
}
反序列化获取 policy 的处理方法（getNextPolicy）：
/**
 * Takes the next XXPolicy row off iterPolicy and rebuilds a RangerPolicy from it.
 *
 * The policy body is whatever JSON sits in the row's policy_text column.  The
 * row-level columns (id, guid, added/updated by, timestamps, version,
 * policy_type, zone_id) are then written over anything the JSON carried for the
 * same fields, so the columns are authoritative: a stale "id" or "version"
 * embedded in policy_text, as in the hdfs dump above, is ignored.  The service
 * name and service type come from this retriever's own service/serviceDef, not
 * from the JSON "service" key.
 *
 * No content validation of the deserialised policy happens here; whatever
 * checking exists must live in the callers or in updatePolicyReferenceFields /
 * getPolicyLabels, which are not visible in this excerpt.
 *
 * @return the next policy, or null when there is no bound service, no iterator,
 *         the iterator is drained, the row is null, or jsonToObject returned
 *         null for policy_text.  NOTE(review): a caller that loops until null
 *         would stop at the first undeserialisable row rather than skip it;
 *         confirm against the caller.
 */
RangerPolicy getNextPolicy() {
    // Nothing to hand out: no service bound, no iterator, or iterator drained.
    if (service == null || iterPolicy == null || !iterPolicy.hasNext()) {
        return null;
    }

    XXPolicy xPolicy = iterPolicy.next();
    // Consumed rows are dropped from the backing collection as we go.
    iterPolicy.remove();
    if (xPolicy == null) {
        return null;
    }

    // Deserialise the stored JSON body; null means it did not parse into a RangerPolicy.
    RangerPolicy policy = JsonUtils.jsonToObject(xPolicy.getPolicyText(), RangerPolicy.class);
    if (policy == null) {
        return null;
    }

    // Row columns override anything the JSON may carry for the same fields.
    policy.setId(xPolicy.getId());
    policy.setGuid(xPolicy.getGuid());
    policy.setCreatedBy(lookupCache.getUserScreenName(xPolicy.getAddedByUserId()));
    policy.setUpdatedBy(lookupCache.getUserScreenName(xPolicy.getUpdatedByUserId()));
    policy.setCreateTime(xPolicy.getCreateTime());
    policy.setUpdateTime(xPolicy.getUpdateTime());
    policy.setVersion(xPolicy.getVersion());
    // A NULL policy_type column is treated as an access policy.
    policy.setPolicyType(xPolicy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : xPolicy.getPolicyType());
    // Service name/type come from the retriever's context rather than the JSON.
    policy.setService(service.getName());
    policy.setServiceType(serviceDef.getName());
    policy.setZoneName(lookupCache.getSecurityZoneName(xPolicy.getZoneId()));

    updatePolicyReferenceFields(policy);
    getPolicyLabels(policy);

    return policy;
}