This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch RANGER-3923
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/RANGER-3923 by this push:
new fb0d1d53d RANGER-4448: updated GDS CRUD APIs to return appropriate
status code on failure
fb0d1d53d is described below
commit fb0d1d53dec11ea54e8e780e10e60ad78b081d68
Author: prashant <[email protected]>
AuthorDate: Fri Jan 5 14:49:52 2024 +0530
RANGER-4448: updated GDS CRUD APIs to return appropriate status code on
failure
Signed-off-by: Madhan Neethiraj <[email protected]>
---
.../ranger/plugin/errors/ValidationErrorCode.java | 2 +-
.../org/apache/ranger/common/RESTErrorUtil.java | 21 ++++++-
.../apache/ranger/db/XXGdsSharedResourceDao.java | 17 +++++
.../main/java/org/apache/ranger/rest/GdsREST.java | 4 ++
.../validation/RangerGdsValidationDBProvider.java | 6 ++
.../RangerGdsValidationDataProvider.java | 3 +
.../ranger/validation/RangerGdsValidator.java | 72 +++++++++++++++++++++-
.../main/resources/META-INF/jpa_named_queries.xml | 7 +++
8 files changed, 128 insertions(+), 4 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
index 03de8e023..38b302ee9 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
@@ -163,7 +163,7 @@ public enum ValidationErrorCode {
GDS_VALIDATION_ERR_INVALID_STATUS_CHANGE(4125, "invalid status change from
[{0}] to [{1}]"),
GDS_VALIDATION_ERR_UPDATE_IMMUTABLE_FIELD(4126, "[{0}] can't be updated"),
GDS_VALIDATION_ERR_DATASET_IN_PROJECT_ID_NOT_FOUND(4127,
"Dataset-in-project with ID [{0}] does not exist"),
-
+ GDS_VALIDATION_ERR_SHARED_RESOURCE_CONFLICT(4128, "Shared resource with
resources [{0}] already exists for data share [{1}]"),
;
diff --git
a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
index 4aaf36442..ed3ed5eca 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
@@ -22,6 +22,7 @@
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.Date;
import java.util.List;
@@ -130,7 +131,25 @@ public class RESTErrorUtil {
return restException;
}
-
+ public WebApplicationException create403RESTException(VXResponse
gjResponse) {
+ gjResponse.setStatusCode(VXResponse.STATUS_ERROR);
+
gjResponse.setMessageList(Collections.singletonList(MessageEnums.OPER_NO_PERMISSION.getMessage()));
+
+ Response errorResponse =
Response.status(javax.servlet.http.HttpServletResponse.SC_FORBIDDEN).entity(gjResponse).build();
+ WebApplicationException restException = new
WebApplicationException(errorResponse);
+
+ restException.fillInStackTrace();
+
+ if (logger.isInfoEnabled()) {
+ UserSessionBase userSession =
ContextUtil.getCurrentUserSession();
+ String loginId = (userSession != null) ?
userSession.getLoginId() : null;
+
+ logger.info("Request failed. loginId=" + loginId + ",
logMessage=" + gjResponse.getMsgDesc(), restException);
+ }
+
+ return restException;
+ }
+
public WebApplicationException createGrantRevokeRESTException(String
logMessage) {
RESTResponse resp = new RESTResponse();
resp.setMsgDesc(logMessage);
diff --git
a/security-admin/src/main/java/org/apache/ranger/db/XXGdsSharedResourceDao.java
b/security-admin/src/main/java/org/apache/ranger/db/XXGdsSharedResourceDao.java
index d3bd4d65b..c7acd81a2 100644
---
a/security-admin/src/main/java/org/apache/ranger/db/XXGdsSharedResourceDao.java
+++
b/security-admin/src/main/java/org/apache/ranger/db/XXGdsSharedResourceDao.java
@@ -130,4 +130,21 @@ public class XXGdsSharedResourceDao extends
BaseDao<XXGdsSharedResource> {
return ret;
}
+
+ public Long getIdByDataShareIdAndResourceSignature(Long dataShareId,
String resourceSignature) {
+ Long ret = null;
+
+ if (dataShareId != null && resourceSignature != null) {
+ try {
+ ret = getEntityManager()
+
.createNamedQuery("XXGdsSharedResource.getIdByDataShareIdAndResourceSignature",
Long.class)
+ .setParameter("dataShareId",
dataShareId).setParameter("resourceSignature", resourceSignature)
+ .getSingleResult();
+ } catch (NoResultException e) {
+ LOG.debug("getIdByDataShareIdAndName({}, {}):
", dataShareId, resourceSignature, e);
+ }
+ }
+
+ return ret;
+ }
}
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
index eadcf0707..b1a00533e 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
@@ -222,6 +222,7 @@ public class GdsREST {
@DELETE
@Path("/dataset/{id}")
+ @Produces({ "application/json" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" +
RangerAPIList.DELETE_DATASET + "\")")
public void deleteDataset(@PathParam("id") Long datasetId, @Context
HttpServletRequest request) {
LOG.debug("==> deleteDataset({})", datasetId);
@@ -580,6 +581,7 @@ public class GdsREST {
@DELETE
@Path("/project/{id}")
+ @Produces({ "application/json" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" +
RangerAPIList.DELETE_PROJECT + "\")")
public void deleteProject(@PathParam("id") Long projectId, @Context
HttpServletRequest request) {
LOG.debug("==> deleteProject({})", projectId);
@@ -904,6 +906,7 @@ public class GdsREST {
@DELETE
@Path("/datashare/{id}")
+ @Produces({ "application/json" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" +
RangerAPIList.DELETE_DATA_SHARE + "\")")
public void deleteDataShare(@PathParam("id") Long dataShareId, @Context
HttpServletRequest request) {
LOG.debug("==> GdsREST.deleteDataShare({})", dataShareId);
@@ -1094,6 +1097,7 @@ public class GdsREST {
@DELETE
@Path("/resource/{id}")
+ @Produces({ "application/json" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" +
RangerAPIList.REMOVE_SHARED_RESOURCE + "\")")
public void removeSharedResource(@PathParam("id") Long resourceId) {
LOG.debug("==> GdsREST.removeSharedResource({})", resourceId);
diff --git
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java
index da41daaaa..30d231797 100644
---
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java
+++
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java
@@ -27,6 +27,7 @@ import org.apache.ranger.entity.*;
import org.apache.ranger.plugin.model.RangerGds.RangerDataShare;
import org.apache.ranger.plugin.model.RangerGds.RangerDataset;
import org.apache.ranger.plugin.model.RangerGds.RangerProject;
+import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.RangerRolesUtil;
@@ -231,6 +232,11 @@ public class RangerGdsValidationDBProvider extends
RangerGdsValidationDataProvid
return ret;
}
+ public Long getSharedResourceId(Long dataShareId,
RangerPolicyResourceSignature signature) {
+ Long ret =
daoMgr.getXXGdsSharedResource().getIdByDataShareIdAndResourceSignature(dataShareId,
signature.getSignature());
+
+ return ret;
+ }
private RangerRolesUtil initGetRolesUtil() {
RangerRolesUtil ret = this.rolesUtil;
diff --git
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java
index ab74e90e4..2c8721e1e 100644
---
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java
+++
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java
@@ -18,6 +18,7 @@
package org.apache.ranger.validation;
+import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
import org.apache.ranger.plugin.model.RangerGds.RangerDataShare;
import org.apache.ranger.plugin.model.RangerGds.RangerDataset;
import org.apache.ranger.plugin.model.RangerGds.RangerProject;
@@ -67,4 +68,6 @@ public abstract class RangerGdsValidationDataProvider {
public abstract RangerDataShare getDataShare(Long id);
public abstract Long getSharedResourceId(Long dataShareId, String name);
+
+ public abstract Long getSharedResourceId(Long dataShareId,
RangerPolicyResourceSignature signature);
}
diff --git
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
index c5a3f38ff..27e7cc143 100755
---
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
+++
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
@@ -36,7 +36,9 @@ import org.apache.ranger.plugin.model.RangerGds.RangerProject;
import org.apache.ranger.plugin.model.RangerGds.RangerSharedResource;
import org.apache.ranger.plugin.model.RangerGds.RangerTagDataMaskInfo;
import
org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
+import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
import org.apache.ranger.plugin.model.validation.ValidationFailureDetails;
+import org.apache.ranger.view.VXResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
@@ -87,6 +89,16 @@ public class RangerGdsValidator {
} else {
validateDatasetAdmin(existing, result);
validateAcl(dataset.getAcl(), "acl", result);
+
+ boolean renamed = !StringUtils.equalsIgnoreCase(dataset.getName(),
existing.getName());
+
+ if (renamed) {
+ Long existingDatasetNameId =
dataProvider.getDatasetId(dataset.getName());
+
+ if (existingDatasetNameId != null) {
+ result.addValidationFailure(new
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATASET_NAME_CONFLICT,
"name", dataset.getName(), existingDatasetNameId));
+ }
+ }
}
if (!result.isSuccess()) {
@@ -143,6 +155,16 @@ public class RangerGdsValidator {
} else {
validateProjectAdmin(existing, result);
validateAcl(project.getAcl(), "acl", result);
+
+ boolean renamed = !StringUtils.equalsIgnoreCase(project.getName(),
existing.getName());
+
+ if (renamed) {
+ Long existingProjectNameId =
dataProvider.getProjectId(project.getName());
+
+ if (existingProjectNameId != null) {
+ result.addValidationFailure(new
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_PROJECT_NAME_CONFLICT,
"name", project.getName(), existingProjectNameId));
+ }
+ }
}
if (!result.isSuccess()) {
@@ -205,6 +227,16 @@ public class RangerGdsValidator {
validateAcl(dataShare.getAcl(), "acl", result);
validateAccessTypes(dataShare.getService(), "defaultAccessTypes",
dataShare.getDefaultAccessTypes(), result);
validateMaskTypes(dataShare.getService(), "defaultTagMasks",
dataShare.getDefaultTagMasks(), result);
+
+ boolean renamed =
!StringUtils.equalsIgnoreCase(dataShare.getName(), existing.getName());
+
+ if (renamed) {
+ Long existingDataShareNameId =
dataProvider.getDataShareId(dataShare.getName());
+
+ if (existingDataShareNameId != null) {
+ result.addValidationFailure(new
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_NAME_CONFLICT,
"name", dataShare.getName(), existingDataShareNameId));
+ }
+ }
}
if (!result.isSuccess()) {
@@ -246,7 +278,15 @@ public class RangerGdsValidator {
if (existing != null) {
result.addValidationFailure(new
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_SHARED_RESOURCE_NAME_CONFLICT,
"name", resource.getName(), dataShare.getName(), existing));
} else {
-
validateSharedResourceCreateAndUpdate(dataShare, result);
+ validateSharedResourceCreateAndUpdate(dataShare, result);
+
+ if (result.isSuccess()) {
+ existing =
dataProvider.getSharedResourceId(resource.getDataShareId(), new
RangerPolicyResourceSignature(resource));
+
+ if (existing != null) {
+ result.addValidationFailure(new
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_SHARED_RESOURCE_CONFLICT,
"resource", resource.getResource(), dataShare.getName()));
+ }
+ }
}
}
@@ -270,7 +310,27 @@ public class RangerGdsValidator {
if (dataShare == null) {
result.addValidationFailure(new
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_ID_NOT_FOUND,
"dataShareId", resource.getDataShareId()));
} else {
-
validateSharedResourceCreateAndUpdate(dataShare, result);
+ validateSharedResourceCreateAndUpdate(dataShare, result);
+
+ if (result.isSuccess()) {
+ boolean renamed =
!StringUtils.equalsIgnoreCase(resource.getName(), existing.getName());
+
+ if (renamed) {
+ Long existingSharedResourceNameId =
dataProvider.getSharedResourceId(resource.getDataShareId(), resource.getName());
+
+ if (existingSharedResourceNameId != null) {
+ result.addValidationFailure(new
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_SHARED_RESOURCE_NAME_CONFLICT,
"name", resource.getName(), dataShare.getName(), existing));
+ }
+ }
+
+ if (result.isSuccess()) {
+ Long existingSharedResourceNameId =
dataProvider.getSharedResourceId(resource.getDataShareId(),new
RangerPolicyResourceSignature(resource));
+
+ if (existingSharedResourceNameId != null &&
!existingSharedResourceNameId.equals(existing.getId())) {
+ result.addValidationFailure(new
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_SHARED_RESOURCE_CONFLICT,
"resource", resource.getResource(), dataShare.getName()));
+ }
+ }
+ }
}
}
@@ -1031,5 +1091,13 @@ public class RangerGdsValidator {
public void throwRESTException() {
throw
restErrorUtil.createRESTException(validationFailures.toString(),
MessageEnums.INVALID_INPUT_DATA);
}
+
+ public void throwREST403Exception() {
+ VXResponse gjResponse = new VXResponse();
+
+ gjResponse.setMsgDesc(validationFailures.toString());
+
+ throw restErrorUtil.create403RESTException(gjResponse);
+ }
}
}
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 0502512eb..ae6788bac 100755
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -2260,6 +2260,13 @@
</query>
</named-query>
+ <named-query
name="XXGdsSharedResource.getIdByDataShareIdAndResourceSignature">
+ <query>select obj.id from XXGdsSharedResource obj
+ where obj.dataShareId = :dataShareId
+ and obj.resourceSignature = :resourceSignature
+ </query>
+ </named-query>
+
<named-query name="XXGdsDataShareInDataset.findByGuid">
<query>select obj from XXGdsDataShareInDataset obj where
obj.guid = :guid</query>
</named-query>
