This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch RANGER-3923
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/RANGER-3923 by this push:
new a370f46d2 RANGER-4324: updated dataset retrieval API to enforce acl
a370f46d2 is described below
commit a370f46d2845ccb0f486a8fd9d3f5e2ebac45e6b
Author: Subhrat Chaudhary <[email protected]>
AuthorDate: Wed Sep 13 00:25:09 2023 -0700
RANGER-4324: updated dataset retrieval API to enforce acl
Signed-off-by: Madhan Neethiraj <[email protected]>
---
.../apache/ranger/plugin/util/SearchFilter.java | 1 +
.../java/org/apache/ranger/biz/GdsDBStore.java | 27 +++++++++++++++++++++-
.../org/apache/ranger/common/RangerSearchUtil.java | 1 +
3 files changed, 28 insertions(+), 1 deletion(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
index 440bb4c24..1a1a78064 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
@@ -111,6 +111,7 @@ public class SearchFilter {
public static final String OWNER_TYPE = "ownerType";
// search: valid-values(user, group, role)
public static final String DATA_SHARE_IN_DATASET_ID =
"dataShareInDatasetId"; // search, sort
public static final String DATASET_IN_PROJECT_ID =
"datasetInProjectId"; // search, sort
+ public static final String GDS_PERMISSION = "gdsPermission";
// search, sort
private Map<String, String> params;
private int startIndex;
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
index d2bd0789d..55c8495e4 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
@@ -244,11 +244,30 @@ public class GdsDBStore extends AbstractGdsStore {
public PList<RangerDataset> searchDatasets(SearchFilter filter) throws
Exception {
LOG.debug("==> searchDatasets({})", filter);
+ String gdsPermissionStr =
filter.getParam(SearchFilter.GDS_PERMISSION);
+ GdsPermission gdsPermission = null;
+
+ if (StringUtils.isNotEmpty(gdsPermissionStr)) {
+ try {
+ gdsPermission = GdsPermission.valueOf(gdsPermissionStr);
+ } catch (IllegalArgumentException ex) {
+ LOG.info("Ignoring invalid GdsPermission: {}",
gdsPermissionStr);
+ }
+ }
+
+ if (gdsPermission == null) {
+ gdsPermission = GdsPermission.VIEW;
+ }
+
RangerDatasetList result = datasetService.searchDatasets(filter);
List<RangerDataset> datasets = new ArrayList<>();
for (RangerDataset dataset : result.getList()) {
- if (dataset != null && validator.hasPermission(dataset.getAcl(),
GdsPermission.VIEW)) {
+ if (dataset != null && validator.hasPermission(dataset.getAcl(),
gdsPermission)) {
+ if (gdsPermission.equals(GdsPermission.LIST)) {
+ scrubForListing(dataset);
+ }
+
datasets.add(dataset);
}
}
@@ -260,6 +279,12 @@ public class GdsDBStore extends AbstractGdsStore {
return ret;
}
+ private void scrubForListing(RangerDataset dataset) {
+ dataset.setAcl(null);
+ dataset.setOptions(null);
+ dataset.setAdditionalInfo(null);
+ }
+
@Override
public RangerProject createProject(RangerProject project) throws Exception
{
LOG.debug("==> createProject({})", project);
diff --git
a/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java
b/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java
index 059954b46..51da7d15d 100644
---
a/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java
+++
b/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java
@@ -109,6 +109,7 @@ public class RangerSearchUtil extends SearchUtil {
ret.setParam(SearchFilter.PROFILE_NAME,
request.getParameter(SearchFilter.PROFILE_NAME));
ret.setParam(SearchFilter.OWNER_NAME,
request.getParameter(SearchFilter.OWNER_NAME));
ret.setParam(SearchFilter.OWNER_TYPE,
request.getParameter(SearchFilter.OWNER_TYPE));
+ ret.setParam(SearchFilter.GDS_PERMISSION,
request.getParameter(SearchFilter.GDS_PERMISSION));
extractCommonCriteriasForFilter(request, ret, sortFields);
