This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch RANGER-5130
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/RANGER-5130 by this push:
     new 7a94c08199 RANGER-5130:DatSet policies fail to authorize when 
condition expression is present --fix review comments
7a94c08199 is described below

commit 7a94c081999f25d1abbca1c3b9c47c9812d880db
Author: Ramesh Mani <[email protected]>
AuthorDate: Thu Feb 6 20:54:45 2025 -0800

    RANGER-5130:DatSet policies fail to authorize when condition expression is 
present --fix review comments
---
 .../apache/ranger/plugin/model/RangerGrant.java    | 26 ++++++++++++-----
 .../main/java/org/apache/ranger/rest/GdsREST.java  | 33 ++++++++++++++++------
 .../java/org/apache/ranger/rest/TestGdsREST.java   |  8 +++---
 3 files changed, 47 insertions(+), 20 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerGrant.java 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerGrant.java
index d6c358fd7f..0a3e3dc215 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerGrant.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerGrant.java
@@ -35,15 +35,17 @@ public class RangerGrant implements java.io.Serializable {
     private RangerPrincipal principal;
     private List<String>    accessTypes;
     private List<String>    conditions;
+    private List<String>    validitySchedules;
 
     public RangerGrant() {
-        this(null, null, null);
+        this(null, null, null, null);
     }
 
-    public RangerGrant(RangerPrincipal principal, List<String> accessTypes, 
List<String> conditions) {
-        this.principal   = principal;
-        this.accessTypes = accessTypes;
-        this.conditions  = conditions;
+    public RangerGrant(RangerPrincipal principal, List<String> accessTypes, 
List<String> conditions, List<String> validitySchedules) {
+        this.principal         = principal;
+        this.accessTypes       = accessTypes;
+        this.conditions        = conditions;
+        this.validitySchedules = validitySchedules;
     }
 
     public RangerPrincipal getPrincipal() {
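Review bot: The new `validitySchedules` field and the existing `conditions` field are undocumented, and this commit changes what `conditions` means — in GdsREST it is now mapped to `expression` conditions while `validitySchedules` carries the `validitySchedule` conditions, whereas before this change `conditions` was written out as `validitySchedule` — so a reader of this model class cannot tell the two lists apart. Add a comment above each field, e.g. `// policy-condition expressions (condition type "expression") attached to this grant` and `// validity-schedule JSON strings (condition type "validitySchedule") attached to this grant`. The class is `java.io.Serializable`; if it declares a serialVersionUID (not visible in this hunk), adding a field is a serialized-form change, so confirm it is bumped or that native serialization is not relied on anywhere. The constructor stores the caller's lists by reference, which is consistent with the existing fields but worth noting if the grant is ever cached.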
@@ -70,9 +72,17 @@ public void setConditions(List<String> conditions) {
         this.conditions = conditions;
     }
 
+    public List<String> getValiditySchedules() {
+        return validitySchedules;
+    }
+
+    public void setValiditySchedules(List<String> validitySchedules) {
+        this.validitySchedules = validitySchedules;
+    }
+
     @Override
     public int hashCode() {
-        return Objects.hash(principal, accessTypes, conditions);
+        return Objects.hash(principal, accessTypes, conditions, 
validitySchedules);
     }
 
     @Override
@@ -89,7 +99,8 @@ public boolean equals(Object obj) {
 
         return Objects.equals(principal, other.principal) &&
                 Objects.equals(accessTypes, other.accessTypes) &&
-                Objects.equals(conditions, other.conditions);
+                Objects.equals(conditions, other.conditions) &&
+                Objects.equals(validitySchedules, other.validitySchedules);
     }
 
     @Override
@@ -98,6 +109,7 @@ public String toString() {
                 "principal='" + principal.toString() +
                 ", accessTypes=" + accessTypes +
                 ", conditions=" + conditions +
+                ", validitySchedules=" + validitySchedules +
                 '}';
     }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java 
b/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
index 0d7f90dba2..30d9d20c53 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
@@ -115,7 +115,8 @@ public class GdsREST {
     private static final RangerAdminConfig config                          = 
RangerAdminConfig.getInstance();
     private static final int               SHARED_RESOURCES_MAX_BATCH_SIZE = 
config.getInt("ranger.admin.rest.gds.shared.resources.max.batch.size", 100);
 
-    public  static final String  GDS_POLICY_VALIDITY_SCHEDULE_CONDITION    = 
"validitySchedule";
+    public static final String GDS_POLICY_EXPR_CONDITION                   = 
"expression";
+    public static final String GDS_POLICY_VALIDITY_SCHEDULE_CONDITION      = 
"validitySchedule";
 
     @Autowired
     GdsDBStore gdsStore;
@@ -1911,18 +1912,23 @@ List<RangerGrant> 
transformPolicyItemsToGrants(List<RangerPolicyItem> policyItem
             List<RangerPolicyItemCondition> policyItemConditions = 
policyItem.getConditions();
 
             List<String> policyItemAccessTypes     = 
policyItemAccesses.stream().map(RangerPolicyItemAccess::getType).collect(Collectors.toList());
-            List<String> policyItemConditionValues = 
policyItemConditions.stream().flatMap(x -> 
x.getValues().stream()).collect(Collectors.toList());
+
+            List<RangerPolicy.RangerPolicyItemCondition> 
policyItemConditionExpressions = policyItemConditions.stream().filter(c -> 
c.getType().equals(GDS_POLICY_EXPR_CONDITION)).collect(Collectors.toList());
+            List<String> expressions = 
policyItemConditionExpressions.stream().flatMap(x -> 
x.getValues().stream()).collect(Collectors.toList());
+
+            List<RangerPolicy.RangerPolicyItemCondition> 
policyItemConditionValiditySchedules = policyItemConditions.stream().filter(c 
-> 
c.getType().equals(GDS_POLICY_VALIDITY_SCHEDULE_CONDITION)).collect(Collectors.toList());
+            List<String> validitySchedules = 
policyItemConditionValiditySchedules.stream().flatMap(x -> 
x.getValues().stream()).collect(Collectors.toList());
 
             if (CollectionUtils.isNotEmpty(policyItemUsers)) {
-                policyItemUsers.forEach(x -> ret.add(new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.USER, x), policyItemAccessTypes, 
policyItemConditionValues)));
+                policyItemUsers.forEach(x -> ret.add(new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.USER, x), policyItemAccessTypes, 
expressions, validitySchedules)));
             }
 
             if (CollectionUtils.isNotEmpty(policyItemGroups)) {
-                policyItemGroups.forEach(x -> ret.add(new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.GROUP, x), policyItemAccessTypes, 
policyItemConditionValues)));
+                policyItemGroups.forEach(x -> ret.add(new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.GROUP, x), policyItemAccessTypes, 
expressions, validitySchedules)));
             }
 
             if (CollectionUtils.isNotEmpty(policyItemRoles)) {
-                policyItemRoles.forEach(x -> ret.add(new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.ROLE, x), policyItemAccessTypes, 
policyItemConditionValues)));
+                policyItemRoles.forEach(x -> ret.add(new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.ROLE, x), policyItemAccessTypes, 
expressions, validitySchedules)));
             }
         }
 
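Review bot: Conditions whose type is neither `expression` nor `validitySchedule` are silently discarded by the two filters at L126-L139, so a policy item carrying any other condition type is shown to the grants API without that restriction, and if such a grant is later written back via transformGrantToPolicyItem (which only re-emits those two types) the dropped condition would no longer constrain access — I cannot see updatePolicyWithModifiedGrants from here, so confirm whether grants are round-tripped that way. Unknown condition types should at least be logged, or the request rejected, rather than dropped. Separately, `c.getType().equals(...)` throws NullPointerException for a condition with a null type; write the comparisons as `GDS_POLICY_EXPR_CONDITION.equals(c.getType())` and `GDS_POLICY_VALIDITY_SCHEDULE_CONDITION.equals(c.getType())`, and guard `x.getValues()` against null before streaming it. The method's signature is split by the hunk header and its return statement lies outside the hunk.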
@@ -2125,18 +2131,27 @@ private RangerPolicyItem 
transformGrantToPolicyItem(RangerGrant grant) {
             return null;
         }
 
-        RangerPolicyItem policyItem  = new RangerPolicyItem();
-        List<String>     permissions = grant.getAccessTypes();
-        List<String>     conditions  = grant.getConditions();
+        RangerPolicyItem policyItem        = new RangerPolicyItem();
+        List<String>     permissions       = grant.getAccessTypes();
+        List<String>     conditions        = grant.getConditions();
+        List<String>     validitySchedules = grant.getValiditySchedules();
 
         if (CollectionUtils.isNotEmpty(permissions)) {
             policyItem.setAccesses(permissions.stream().map(accessType -> new 
RangerPolicyItemAccess(accessType, true)).collect(Collectors.toList()));
         }
 
+        List<RangerPolicyItemCondition> policyItemConditions = new 
ArrayList<>();
         if (CollectionUtils.isNotEmpty(conditions)) {
-            policyItem.setConditions(conditions.stream().map(condition -> new 
RangerPolicyItemCondition(GDS_POLICY_VALIDITY_SCHEDULE_CONDITION, 
Collections.singletonList(condition))).collect(Collectors.toList()));
+            conditions.stream().map(expr -> new 
RangerPolicyItemCondition(GDS_POLICY_EXPR_CONDITION, 
Collections.singletonList(expr))).forEach(policyItemConditions::add);
+        }
+
+        if (CollectionUtils.isNotEmpty(validitySchedules)) {
+            validitySchedules.stream().map(valditySchedule -> new 
RangerPolicyItemCondition(GDS_POLICY_VALIDITY_SCHEDULE_CONDITION, 
Collections.singletonList(valditySchedule))).forEach(policyItemConditions::add);
         }
 
+        policyItem.setConditions(policyItemConditions);
+
+
         switch (grant.getPrincipal().getType()) {
             case USER:
                 
policyItem.setUsers(Collections.singletonList(grant.getPrincipal().getName()));
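Review bot: The grant's `conditions` strings are now persisted as `expression` conditions (L193-L195) where before this change the same field was persisted as `validitySchedule` (L190-L192), so a client still sending the old payload — a validity-schedule JSON in `conditions` — will have it stored as an expression. Nothing in this hunk validates either list; expression conditions are, as far as I know, evaluated by the plugins' condition evaluator, so unless the downstream policy validation (not visible here) checks expression and schedule syntax and the REST entry point restricts who may set them, a malformed or unintended value is persisted silently — please confirm both. A one-line comment above L187 would help the next reader: `// grant.conditions -> "expression" conditions; grant.validitySchedules -> "validitySchedule" conditions`. Minor: the lambda parameter at L199 is misspelled (`valditySchedule`), and L205-L206 leave a double blank line. transformGrantToPolicyItem begins before and ends after this hunk.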
diff --git 
a/security-admin/src/test/java/org/apache/ranger/rest/TestGdsREST.java 
b/security-admin/src/test/java/org/apache/ranger/rest/TestGdsREST.java
index 68d62fc31a..0303c38af7 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestGdsREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestGdsREST.java
@@ -87,7 +87,7 @@ public void testUpdateDataSetGrants() {
 
         List<RangerPolicy.RangerPolicyItem> hdfsPolicyItems = new 
ArrayList<>(gdsREST.filterPolicyItemsByRequest(policy, request));
 
-        RangerGrant grant3 = new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.GROUP, "hdfs"), 
Collections.singletonList("_READ"), Collections.emptyList());
+        RangerGrant grant3 = new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.GROUP, "hdfs"), 
Collections.singletonList("_READ"), Collections.emptyList(), 
Collections.emptyList());
         policy = gdsREST.updatePolicyWithModifiedGrants(policy, 
Collections.singletonList(grant3));
 
         List<RangerPolicy.RangerPolicyItem> updatedHdfsPolicyItems = new 
ArrayList<>(gdsREST.filterPolicyItemsByRequest(policy, request));
@@ -111,7 +111,7 @@ public void testRemoveDataSetGrants() {
 
         List<RangerPolicy.RangerPolicyItem> existingHdfsPolicyItems = new 
ArrayList<>(gdsREST.filterPolicyItemsByRequest(policy, request));
 
-        RangerGrant grant4 = new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.GROUP, "hdfs"), 
Collections.emptyList(), Collections.emptyList());
+        RangerGrant grant4 = new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.GROUP, "hdfs"), 
Collections.emptyList(), Collections.emptyList(), Collections.emptyList());
         policy = gdsREST.updatePolicyWithModifiedGrants(policy, 
Collections.singletonList(grant4));
 
         List<RangerPolicy.RangerPolicyItem> updatedHdfsPolicyItems = 
gdsREST.filterPolicyItemsByRequest(policy, request);
@@ -238,8 +238,8 @@ private RangerPolicy 
createPolicyForDataSet(RangerGds.RangerDataset dataset) {
     }
 
     private List<RangerGrant> createAndGetSampleGrantData() {
-        RangerGrant grant1 = new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.USER, "hive"), 
Collections.singletonList("_READ"), 
Collections.singletonList("IS_ACCESSED_BEFORE('2024/12/12')"));
-        RangerGrant grant2 = new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.GROUP, "hdfs"), 
Collections.singletonList("_MANAGE"), Collections.emptyList());
+        RangerGrant grant1 = new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.USER, "hive"), 
Collections.singletonList("_READ"), 
Collections.singletonList("IS_ACCESSED_BEFORE('2024/12/12')"), 
Collections.singletonList("{\"startTime\":\"1970/01/01 
00:00:00\",\"endTime\":\"2025/03/08 00:35:28\",\"timeZone\":\"UTC\"}"));
+        RangerGrant grant2 = new RangerGrant(new 
RangerPrincipal(RangerPrincipal.PrincipalType.GROUP, "hdfs"), 
Collections.singletonList("_MANAGE"), Collections.emptyList(), 
Collections.emptyList());
 
         return Arrays.asList(grant1, grant2);
     }
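Review bot: The updated grant1 fixture now carries both an expression and a validity schedule, but nothing in this hunk asserts that after updatePolicyWithModifiedGrants they come back as two distinct conditions of types `expression` and `validitySchedule` — which is exactly the behavior the fix changes; the earlier test hunks only rebuild policy-item lists. Whichever test consumes createAndGetSampleGrantData should add an assertion on the resulting RangerPolicyItem's conditions, e.g. checking that one condition has type `"expression"` with value `IS_ACCESSED_BEFORE('2024/12/12')` and one has type `"validitySchedule"`. The fixture's endTime 2025/03/08 is a fixed wall-clock date; if any code path under test evaluates the schedule against the current time (not visible here) the test's outcome will change after that date.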
