This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 6e9485801 RANGER-4669: updated GDS APIs for retreiving datasets shared
with the caller to consider roles assigned to user
6e9485801 is described below
commit 6e9485801bcbd3069a45a41cb267692b2e9ba231
Author: Subhrat Chaudhary <[email protected]>
AuthorDate: Tue Jan 23 22:00:05 2024 -0800
RANGER-4669: updated GDS APIs for retrieving datasets shared with the
caller to consider roles assigned to user
Signed-off-by: Madhan Neethiraj <[email protected]>
---
.../java/org/apache/ranger/biz/GdsDBStore.java | 4 +--
.../org/apache/ranger/biz/GdsPolicyAdminCache.java | 9 +++--
.../validation/RangerGdsValidationDBProvider.java | 38 ++++++++++++++++++++++
.../RangerGdsValidationDataProvider.java | 3 ++
4 files changed, 50 insertions(+), 4 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
index 69b43f2dc..4fa9c48df 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
@@ -1602,7 +1602,7 @@ public class GdsDBStore extends AbstractGdsStore {
if (isSharedWithMe) {
groups = validationDBProvider.getGroupsForUser(userName);
- roles = validationDBProvider.getRolesForUser(userName);
+ roles = validationDBProvider.getRolesForUserAndGroups(userName,
groups);
}
for (RangerProject project : result.getList()) {
@@ -1635,7 +1635,7 @@ public class GdsDBStore extends AbstractGdsStore {
if (isSharedWithMe) {
groups = validationDBProvider.getGroupsForUser(userName);
- roles = validationDBProvider.getRolesForUser(userName);
+ roles = validationDBProvider.getRolesForUserAndGroups(userName,
groups);
}
for (RangerDataset dataset : result.getList()) {
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java
b/security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java
index 97d4b2579..41056c9c2 100644
---
a/security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java
+++
b/security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java
@@ -22,6 +22,7 @@ package org.apache.ranger.biz;
import org.apache.commons.collections.CollectionUtils;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.gds.GdsPolicyEngine;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.slf4j.Logger;
@@ -89,8 +90,12 @@ public class GdsPolicyAdminCache {
ret = policyItem.getUsers() != null &&
policyItem.getUsers().contains(user);
- if (!ret && groups != null && policyItem.getGroups() != null) {
- ret = CollectionUtils.containsAny(groups,
policyItem.getGroups());
+ if (!ret && policyItem.getGroups() != null) {
+ ret =
policyItem.getGroups().contains(RangerPolicyEngine.GROUP_PUBLIC);
+
+ if (!ret && groups != null) {
+ ret = CollectionUtils.containsAny(groups,
policyItem.getGroups());
+ }
}
if (!ret && roles != null && policyItem.getRoles() != null) {
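Review bot: The new `GROUP_PUBLIC` check deserves a comment, because it makes a policy item's groups match every caller whether or not a `groups` collection was supplied, and a reader skimming the nested `if` blocks will not notice that the `groups != null` guard no longer governs the public case. Suggest placing `// a policy item granted to the public group applies to every user, regardless of the caller's group membership` directly above the `policyItem.getGroups().contains(RangerPolicyEngine.GROUP_PUBLIC)` line. This appears to mirror the public-group handling added to `RangerGdsValidationDBProvider.getRolesForUserAndGroups` in the same commit, so a cross-reference in that comment would help keep the two in step. The enclosing method starts before this hunk and continues past it, so what `ret` ultimately gates is not visible here.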
diff --git
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java
index 30d231797..43e73f919 100644
---
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java
+++
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java
@@ -17,6 +17,8 @@
package org.apache.ranger.validation;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.biz.RoleDBStore;
import org.apache.ranger.biz.ServiceMgr;
@@ -29,6 +31,7 @@ import org.apache.ranger.plugin.model.RangerGds.RangerDataset;
import org.apache.ranger.plugin.model.RangerGds.RangerProject;
import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.RangerRolesUtil;
import org.apache.ranger.plugin.util.ServiceDefUtil;
@@ -41,9 +44,11 @@ import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
+import java.util.Map;
import static
org.apache.ranger.db.XXGlobalStateDao.RANGER_GLOBAL_STATE_NAME_ROLE;
@@ -164,6 +169,27 @@ public class RangerGdsValidationDBProvider extends
RangerGdsValidationDataProvid
return rolesUtil != null && rolesUtil.getUserRoleMapping() != null ?
rolesUtil.getUserRoleMapping().get(userName) : null;
}
+ public Set<String> getRolesForUserAndGroups(String userName,
Collection<String> groups) {
+ RangerRolesUtil rolesUtil = initGetRolesUtil();
+ Set<String> ret = getRolesForUser(userName);
+
+ if (rolesUtil != null) {
+ final Map<String, Set<String>> groupRoleMapping =
rolesUtil.getGroupRoleMapping();
+
+ if (MapUtils.isNotEmpty(groupRoleMapping)) {
+ if (CollectionUtils.isNotEmpty(groups)) {
+ for (String group : groups) {
+ ret = addRoles(ret, groupRoleMapping.get(group));
+ }
+ }
+
+ ret = addRoles(ret,
groupRoleMapping.get(RangerPolicyEngine.GROUP_PUBLIC));
+ }
+ }
+
+ return ret;
+ }
+
public Set<String> getAccessTypes(String serviceName) {
List<String> accessTypes =
daoMgr.getXXAccessTypeDef().getNamesByServiceName(serviceName);
Set<String> ret = new HashSet<>(accessTypes);
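Review bot: `getRolesForUserAndGroups` mutates the set returned by `getRolesForUser`, which (per the context lines at the top of this hunk) is the value stored in `rolesUtil.getUserRoleMapping()` rather than a copy; `addRoles` in the last hunk of this file calls `addAll` on it whenever it is non-null. If `initGetRolesUtil()` hands back a cached `RangerRolesUtil`, the group and public-group roles merged here are written into the user-to-roles mapping, so later `getRolesForUser(userName)` calls return roles the user holds only through groups, and repeated calls with different `groups` accumulate entries. Copy before merging: `Set<String> userRoles = getRolesForUser(userName);` followed by `Set<String> ret = userRoles != null ? new HashSet<>(userRoles) : null;`, leaving `addRoles` unchanged. A Javadoc on the new public method stating that the result is a caller-owned copy that also includes roles mapped to the public group would make that contract explicit for the abstract declaration in `RangerGdsValidationDataProvider` as well.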
@@ -266,4 +292,16 @@ public class RangerGdsValidationDBProvider extends
RangerGdsValidationDataProvid
return ret;
}
+
+ private Set<String> addRoles(Set<String> allRoles, Set<String> rolesToAdd)
{
+ if (CollectionUtils.isNotEmpty(rolesToAdd)) {
+ if (allRoles == null) {
+ allRoles = new HashSet<>();
+ }
+
+ allRoles.addAll(rolesToAdd);
+ }
+
+ return allRoles;
+ }
}
diff --git
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java
index 2c8721e1e..f8efaa677 100644
---
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java
+++
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java
@@ -23,6 +23,7 @@ import
org.apache.ranger.plugin.model.RangerGds.RangerDataShare;
import org.apache.ranger.plugin.model.RangerGds.RangerDataset;
import org.apache.ranger.plugin.model.RangerGds.RangerProject;
+import java.util.Collection;
import java.util.Set;
public abstract class RangerGdsValidationDataProvider {
@@ -57,6 +58,8 @@ public abstract class RangerGdsValidationDataProvider {
public abstract Set<String> getRolesForUser(String userName);
+ public abstract Set<String> getRolesForUserAndGroups(String userName,
Collection<String> groups);
+
public abstract Set<String> getAccessTypes(String serviceName);
public abstract Set<String> getMaskTypes(String serviceName);