This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 74351d624 RANGER-4585:Support multiple columns policy creation in 
ranger for Grant / Revoke request
74351d624 is described below

commit 74351d624fed1581e9db6ab7fe51ef2a3cbd4978
Author: Ramesh Mani <[email protected]>
AuthorDate: Thu Dec 7 13:19:25 2023 -0800

    RANGER-4585:Support multiple columns policy creation in ranger for Grant / 
Revoke request
---
 .../java/org/apache/ranger/rest/ServiceREST.java   | 49 ++++++++++----
 .../org/apache/ranger/rest/TestServiceREST.java    | 79 +++++++++++++++++++---
 2 files changed, 108 insertions(+), 20 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index cffd177be..cc9df27d6 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1255,7 +1255,7 @@ public class ServiceREST {
                                        String               userName   = 
grantRequest.getGrantor();
                                        Set<String>          userGroups = 
CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? 
grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                                        String                           
ownerUser  = grantRequest.getOwnerUser();
-                                       RangerAccessResource resource   = new 
RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()),
 ownerUser);
+                                       RangerAccessResource resource   = new 
RangerAccessResourceImpl(getAccessResourceObjectMap(grantRequest.getResource()),
 ownerUser);
                                        Set<String>                      
accessTypes = grantRequest.getAccessTypes();
                                        VXUser               vxUser = 
xUserService.getXUserByUserName(userName);
 
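Review bot: The new `getAccessResourceObjectMap(grantRequest.getResource())` call on the `resource` line treats a comma in any resource value as a list separator, not only in `column`. A grant whose database, table or other resource name itself contains a comma would then produce a policy over several resources, which is a different authorization scope from the one requested; `resource` is presumably also what the grantor's admin check is evaluated against. Consider splitting only the keys that are meant to be multi-valued, or at least state the rule next to the call, e.g. `// values containing ',' are split into a list for every resource key`. The same call is introduced in the hunks at -1376, -1493 and -1578. The enclosing method starts and ends outside this hunk.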
@@ -1300,10 +1300,7 @@ public class ServiceREST {
                        
                                                if(! 
CollectionUtils.isEmpty(resourceNames)) {
                                                        for(String resourceName 
: resourceNames) {
-                                                               
RangerPolicyResource policyResource = new RangerPolicyResource((String) 
resource.getValue(resourceName));
-                                                               
policyResource.setIsRecursive(grantRequest.getIsRecursive());
-               
-                                                               
policyResources.put(resourceName, policyResource);
+                                                               
policyResources.put(resourceName, 
getPolicyResource(resource.getValue(resourceName), grantRequest));
                                                        }
                                                }
                                                
policy.setResources(policyResources);
@@ -1376,7 +1373,7 @@ public class ServiceREST {
                                        Set<String>          userGroups = 
grantRequest.getGrantorGroups();
                                        String                           
ownerUser  = grantRequest.getOwnerUser();
 
-                                       RangerAccessResource resource   = new 
RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()),
 ownerUser);
+                                       RangerAccessResource resource   = new 
RangerAccessResourceImpl(getAccessResourceObjectMap(grantRequest.getResource()),
 ownerUser);
                                        Set<String>                      
accessTypes = grantRequest.getAccessTypes();
                                        String               zoneName   = 
getRangerAdminZoneName(serviceName, grantRequest);
 
@@ -1417,10 +1414,7 @@ public class ServiceREST {
 
                                                        if(! 
CollectionUtils.isEmpty(resourceNames)) {
                                                                for(String 
resourceName : resourceNames) {
-                                                                       
RangerPolicyResource policyResource = new RangerPolicyResource((String) 
resource.getValue(resourceName));
-                                                                       
policyResource.setIsRecursive(grantRequest.getIsRecursive());
-
-                                                                       
policyResources.put(resourceName, policyResource);
+                                                                       
policyResources.put(resourceName, 
getPolicyResource(resource.getValue(resourceName), grantRequest));
                                                                }
                                                        }
                                                        
policy.setResources(policyResources);
@@ -1493,7 +1487,7 @@ public class ServiceREST {
                                        String               userName   = 
revokeRequest.getGrantor();
                                        Set<String>          userGroups = 
CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? 
revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                                        String                           
ownerUser  = revokeRequest.getOwnerUser();
-                                       RangerAccessResource resource   = new 
RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()),
 ownerUser);
+                                       RangerAccessResource resource   = new 
RangerAccessResourceImpl(getAccessResourceObjectMap(revokeRequest.getResource()),
 ownerUser);
                                        Set<String>                      
accessTypes = revokeRequest.getAccessTypes();
                                        VXUser vxUser = 
xUserService.getXUserByUserName(userName);
 
@@ -1578,7 +1572,7 @@ public class ServiceREST {
                                        Set<String> userGroups = 
revokeRequest.getGrantorGroups();
                                        String ownerUser = 
revokeRequest.getOwnerUser();
 
-                                       RangerAccessResource resource = new 
RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()),
 ownerUser);
+                                       RangerAccessResource resource = new 
RangerAccessResourceImpl(getAccessResourceObjectMap(revokeRequest.getResource()),
 ownerUser);
                                        Set<String>                      
accessTypes = revokeRequest.getAccessTypes();
                                        String               zoneName = 
getRangerAdminZoneName(serviceName, revokeRequest);
 
@@ -4013,6 +4007,37 @@ public class ServiceREST {
                return ret;
        }
 
+       public RangerPolicyResource getPolicyResource(Object resourceName, 
GrantRevokeRequest grantRequest) {
+               RangerPolicyResource ret;
+               if (resourceName instanceof List) {
+                       List<String> resourceValues = (List<String>) 
resourceName;
+                       ret = new RangerPolicyResource(resourceValues, false, 
grantRequest.getIsRecursive());
+               } else {
+                       ret = new RangerPolicyResource((String) resourceName);
+                       ret.setIsRecursive(grantRequest.getIsRecursive());
+               }
+               return ret;
+       }
+
+       public static Map<String, Object> 
getAccessResourceObjectMap(Map<String, String> map) {
+               Map<String, Object> ret = null;
+
+               if (map != null) {
+                       ret = new HashMap<>(map.size());
+
+                       for (Map.Entry<String, String> e : map.entrySet()) {
+                               if (e.getValue().contains(",")) {
+                                       List<String> values = 
Arrays.asList(e.getValue().split(","));
+                                       ret.put(e.getKey(),values);
+                               } else {
+                                       ret.put(e.getKey(), e.getValue());
+                               }
+                       }
+               }
+
+               return ret;
+       }
+
        private HashMap<String, Object> getCSRFPropertiesMap(HttpServletRequest 
request) {
                HashMap<String, Object> map = new HashMap<String, Object>();
                map.put(isCSRF_ENABLED, 
PropertiesUtil.getBooleanProperty(isCSRF_ENABLED, true));
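Review bot: `getAccessResourceObjectMap` calls `e.getValue().contains(",")` without a null check, so a resource map with a null value fails with a NullPointerException instead of being passed through or rejected; the map is read from the grant/revoke request at every call site. The split also keeps surrounding blanks (`"c1, c2"` yields `" c2"`) and empty tokens, and a value of just `","` yields an empty list, so the resulting policy can name columns that do not exist, or no values at all. The fence shows the loop with a null guard and a whitespace-tolerant split; whether empty tokens should be rejected is left to the request validation. In `getPolicyResource` the first parameter holds the resource value, not its name, and the `(List<String>)` cast is unchecked; renaming it to `resourceValue` and adding a short Javadoc would make that clear.

```java
// … unchanged: null check on map and HashMap allocation …
for (Map.Entry<String, String> e : map.entrySet()) {
    String value = e.getValue();

    // a null value is passed through instead of failing on contains()
    if (value != null && value.contains(",")) {
        // tolerate blanks around the separator: "c1, c2" -> [c1, c2]
        ret.put(e.getKey(), Arrays.asList(value.trim().split("\\s*,\\s*")));
    } else {
        ret.put(e.getKey(), value);
    }
}
```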
diff --git 
a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index d049f9949..a630e575b 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -21,19 +21,13 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.WebApplicationException;
 
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.admin.client.datatype.RESTResponse;
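Review bot: `import java.util.*;` replaces eight explicit imports with a wildcard, which hides which `java.util` types the test uses and can make a simple name ambiguous if another wildcard import is added later. Keeping the explicit list and adding only `import java.util.Arrays;` would cover the new test, which uses `Arrays.asList("select")`.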
@@ -78,6 +72,8 @@ import 
org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef;
 import org.apache.ranger.plugin.model.validation.RangerPolicyValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceValidator;
+import org.apache.ranger.plugin.policyengine.RangerAccessResource;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
@@ -820,6 +816,73 @@ public class TestServiceREST {
                                request);
        }
 
+       @Test
+       public void test14_1_grantAccessWithMultiColumns() throws Exception {
+               HttpServletRequest request = 
Mockito.mock(HttpServletRequest.class);
+
+               String serviceName = "HIVE";
+               Set<String> userList = new HashSet<String>();
+               userList.add("user1");
+               userList.add("user2");
+               userList.add("user3");
+
+               Map<String, String> grantResource = new HashMap<>();
+               grantResource.put("database", "demo");
+               grantResource.put("table", "testtbl");
+               grantResource.put("column", "column1,column2,colum3");
+               GrantRevokeRequest grantRequestObj = new GrantRevokeRequest();
+
+               grantRequestObj.setResource(grantResource);
+               grantRequestObj.setUsers(userList);
+               grantRequestObj.setAccessTypes(new 
HashSet<>(Arrays.asList("select")));
+               grantRequestObj.setDelegateAdmin(true);
+               grantRequestObj.setEnableAudit(true);
+               grantRequestObj.setGrantor("systest");
+               grantRequestObj.setIsRecursive(true);
+
+               RangerAccessResource resource = new 
RangerAccessResourceImpl(serviceREST.getAccessResourceObjectMap(grantRequestObj.getResource()),
 "systest");
+
+               RangerPolicy createPolicy = new RangerPolicy();
+               createPolicy.setService(serviceName);
+               createPolicy.setName("grant-" + System.currentTimeMillis());
+               createPolicy.setDescription("created by grant");
+               
createPolicy.setIsAuditEnabled(grantRequestObj.getEnableAudit());
+
+               Map<String, RangerPolicyResource> policyResources = new 
HashMap<>();
+               Set<String> resourceNames = resource.getKeys();
+
+               if (!CollectionUtils.isEmpty(resourceNames)) {
+                       for (String resourceName : resourceNames) {
+                               policyResources.put(resourceName, 
serviceREST.getPolicyResource(resource.getValue(resourceName), 
grantRequestObj));
+                       }
+               }
+               createPolicy.setResources(policyResources);
+
+               RangerPolicyItem policyItem = new RangerPolicyItem();
+               policyItem.setDelegateAdmin(grantRequestObj.getDelegateAdmin());
+               policyItem.getUsers().addAll(grantRequestObj.getUsers());
+               for (String accessType : grantRequestObj.getAccessTypes()) {
+                       policyItem.getAccesses().add(new 
RangerPolicyItemAccess(accessType, Boolean.TRUE));
+               }
+               createPolicy.getPolicyItems().add(policyItem);
+               createPolicy.setZoneName(null);
+
+               List<String> grantColumns = (List<String>) 
resource.getValue("column");
+               Map<String, RangerPolicyResource> policyResourceMap = 
createPolicy.getResources();
+               List<String> createdPolicyColumns = 
policyResourceMap.get("column").getValues();
+
+               
Assert.assertTrue(createdPolicyColumns.containsAll(grantColumns));
+
+               Mockito.when(
+                                               
serviceUtil.isValidateHttpsAuthentication(serviceName, request))
+                               .thenReturn(false);
+               RESTResponse restResponse = serviceREST.grantAccess(serviceName,
+                               grantRequestObj, request);
+               Assert.assertNotNull(restResponse);
+               
Mockito.verify(serviceUtil).isValidateHttpsAuthentication(serviceName,
+                               request);
+       }
+
        @Test
        public void test15revokeAccess() throws Exception {
                HttpServletRequest request = 
Mockito.mock(HttpServletRequest.class);
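Review bot: In `test14_1_grantAccessWithMultiColumns` the only assertion on columns, `Assert.assertTrue(createdPolicyColumns.containsAll(grantColumns))`, runs against `createPolicy`, which the test builds itself by repeating the production loop, so it does not check the policy that `grantAccess` creates. The call to `serviceREST.grantAccess(...)` is only checked with `Assert.assertNotNull(restResponse)`. Asserting on the policy handed to the mocked store (the mocks are set up outside this hunk) and on the exact column list would pin the behaviour. Cases for a value with blanks around the comma and for a null resource value are also missing. The sample value `colum3` looks like a typo for `column3`.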
