This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch ranger-2.8
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.8 by this push:
new 748a20de6 RANGER-5407: fix incorrect permissions in default policies
of Atlas service (#758)
748a20de6 is described below
commit 748a20de62ab9ab536768d3816c63ad569e12cb8
Author: Rakesh Gupta <[email protected]>
AuthorDate: Fri Jan 2 07:42:21 2026 +0530
RANGER-5407: fix incorrect permissions in default policies of Atlas service
(#758)
---
.../ranger/services/atlas/RangerServiceAtlas.java | 7 +-
.../optimized/current/ranger_core_db_mysql.sql | 1 +
.../optimized/current/ranger_core_db_oracle.sql | 1 +
.../optimized/current/ranger_core_db_postgres.sql | 1 +
.../current/ranger_core_db_sqlanywhere.sql | 2 +
.../optimized/current/ranger_core_db_sqlserver.sql | 1 +
...chForAtlasPolicyUpdateForEntityRead_J10064.java | 155 +++++++++++++++++++++
7 files changed, 166 insertions(+), 2 deletions(-)
diff --git
a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
index 2b94e23c0..a1b72f248 100644
---
a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
+++
b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
@@ -175,7 +175,10 @@ public List<RangerPolicy> getDefaultRangerPolicies()
throws Exception {
}
// 2. add a policy-item for rangertagsync user with 'entity-read'
permission in the policy for 'entity-type'
- if (policyResources.containsKey(RESOURCE_ENTITY_TYPE) &&
!policyResources.containsKey(RESOURCE_CLASSIFICATION)) {
+ final boolean isNonEntityResourceType =
policyResources.containsKey(RESOURCE_CLASSIFICATION)
+ || policyResources.containsKey(RESOURCE_ENTITY_LABEL) ||
policyResources.containsKey(RESOURCE_ENTITY_BUSINESS_METADATA);
+
+ if (policyResources.containsKey(RESOURCE_ENTITY_TYPE) &&
!isNonEntityResourceType) {
RangerPolicyItem policyItemForTagSyncUser = new
RangerPolicyItem();
policyItemForTagSyncUser.setUsers(Collections.singletonList(tagSyncUser));
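Review bot: The comment above the new condition still says the policy item is added to "the policy for 'entity-type'", but the guard now also skips entity-type policies that carry a classification, entity-label or entity-business-metadata resource; the comment should say so, e.g. `// 2. add a policy-item for rangertagsync user with 'entity-read' permission only in policies scoped purely to 'entity-type' (not classification / entity-label / entity-business-metadata)`. The same flag is reused for the lookup-user grant in the next hunk, which keeps the two grants consistent. The companion patch class J10064 in this commit checks only entity-label and entity-business-metadata, presumably because the pre-existing code already excluded classification policies so no such grants exist in stored policies; a one-line comment there naming that reason would stop a future reader from "fixing" the mismatch. getDefaultRangerPolicies() starts before and continues past this hunk.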
@@ -196,7 +199,7 @@ public List<RangerPolicy> getDefaultRangerPolicies() throws
Exception {
if (defaultPolicy.getName().contains("all")
&&
policyResources.containsKey(RangerServiceAtlas.RESOURCE_ENTITY_TYPE)
- && StringUtils.isNotBlank(lookUpUser)
&& !policyResources.containsKey(RESOURCE_CLASSIFICATION)) {
+ && StringUtils.isNotBlank(lookUpUser)
&& !isNonEntityResourceType) {
RangerPolicyItem policyItemForLookupUser = new
RangerPolicyItem();
policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
policyItemForLookupUser.setAccesses(Collections.singletonList(new
RangerPolicyItemAccess(ACCESS_TYPE_ENTITY_READ)));
diff --git a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
index 73ad54611..2648e2275 100644
--- a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
+++ b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
@@ -1886,4 +1886,5 @@ INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10061',UTC_TIMESTAMP(),'Ranger 2.5.0',UTC_TIMESTAMP(),'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10062',UTC_TIMESTAMP(),'Ranger 2.5.0',UTC_TIMESTAMP(),'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10063',UTC_TIMESTAMP(),'Ranger 2.5.0',UTC_TIMESTAMP(),'localhost','Y');
+INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10064',UTC_TIMESTAMP(),'Ranger 2.5.0',UTC_TIMESTAMP(),'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('JAVA_PATCHES',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
diff --git
a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
index 40f71e28b..57bb66fa6 100644
--- a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
+++ b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
@@ -2077,5 +2077,6 @@ INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,act
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10061',sys_extract_utc(systimestamp),'Ranger
2.5.0',sys_extract_utc(systimestamp),'localhost','Y');
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10062',sys_extract_utc(systimestamp),'Ranger
2.5.0',sys_extract_utc(systimestamp),'localhost','Y');
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10063',sys_extract_utc(systimestamp),'Ranger
2.5.0',sys_extract_utc(systimestamp),'localhost','Y');
+INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10064',sys_extract_utc(systimestamp),'Ranger
2.5.0',sys_extract_utc(systimestamp),'localhost','Y');
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'JAVA_PATCHES',sys_extract_utc(systimestamp),'Ranger
1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
commit;
diff --git
a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
index 980f22f14..230c6e9f3 100644
--- a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
+++ b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
@@ -2025,4 +2025,5 @@ INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10061',current_timestamp,'Ranger 2.5.0',current_timestamp,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10062',current_timestamp,'Ranger 2.5.0',current_timestamp,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10063',current_timestamp,'Ranger 2.5.0',current_timestamp,'localhost','Y');
+INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10064',current_timestamp,'Ranger 2.5.0',current_timestamp,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('JAVA_PATCHES',current_timestamp,'Ranger
1.0.0',current_timestamp,'localhost','Y');
diff --git
a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
index 9c0551317..f6ceca876 100644
---
a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
+++
b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
@@ -2452,6 +2452,8 @@ INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active
GO
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10063',CURRENT_TIMESTAMP,'Ranger 2.5.0',CURRENT_TIMESTAMP,'localhost','Y');
GO
+INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10064',CURRENT_TIMESTAMP,'Ranger 2.5.0',CURRENT_TIMESTAMP,'localhost','Y');
+GO
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger
1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
GO
exit
diff --git
a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
index 8aea57bea..941f980eb 100644
--- a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
+++ b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
@@ -4236,5 +4236,6 @@ INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10061',CURRENT_TIMESTAMP,'Ranger 2.5.0',CURRENT_TIMESTAMP,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10062',CURRENT_TIMESTAMP,'Ranger 2.5.0',CURRENT_TIMESTAMP,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10063',CURRENT_TIMESTAMP,'Ranger 2.5.0',CURRENT_TIMESTAMP,'localhost','Y');
+INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10064',CURRENT_TIMESTAMP,'Ranger 2.5.0',CURRENT_TIMESTAMP,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger
1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
GO
diff --git
a/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasPolicyUpdateForEntityRead_J10064.java
b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasPolicyUpdateForEntityRead_J10064.java
new file mode 100644
index 000000000..fe20dbbb4
--- /dev/null
+++
b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasPolicyUpdateForEntityRead_J10064.java
@@ -0,0 +1,155 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.patch;
+
+import org.apache.ranger.biz.ServiceDBStore;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXPolicy;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+import org.apache.ranger.util.CLIUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+@Component
+public class PatchForAtlasPolicyUpdateForEntityRead_J10064 extends
org.apache.ranger.patch.BaseLoader {
+ private static final Logger logger =
LoggerFactory.getLogger(PatchForAtlasPolicyUpdateForEntityRead_J10064.class);
+
+ private static final String RESOURCE_ENTITY_TYPE =
"entity-type";
+ private static final String ENTITY_READ =
"entity-read";
+ private static final String RESOURCE_ENTITY_LABEL =
"entity-label";
+ private static final String RESOURCE_ENTITY_BUSINESS_METADATA =
"entity-business-metadata";
+
+ @Autowired
+ RangerDaoManager daoMgr;
+
+ @Autowired
+ ServiceDBStore svcDBStore;
+
+ public static void main(String[] args) {
+ logger.info("main()");
+
+ try {
+ PatchForAtlasPolicyUpdateForEntityRead_J10064 loader =
(PatchForAtlasPolicyUpdateForEntityRead_J10064)
CLIUtil.getBean(PatchForAtlasPolicyUpdateForEntityRead_J10064.class);
+
+ loader.init();
+
+ while (loader.isMoreToProcess()) {
+ loader.load();
+ }
+
+ logger.info("Load complete. Exiting!!!");
+
+ System.exit(0);
+ } catch (Exception e) {
+ logger.error("Error loading", e);
+
+ System.exit(1);
+ }
+ }
+
+ @Override
+ public void init() throws Exception {
+ // Do Nothing
+ }
+
+ @Override
+ public void printStats() {
+ logger.info("PatchForAtlasPolicyUpdateForEntityRead_J10064 Logs");
+ }
+
+ @Override
+ public void execLoad() {
+ logger.info("==>
PatchForAtlasPolicyUpdateForEntityRead_J10064.execLoad()");
+
+ try {
+ updateAtlasPolicyForEntityReadAccessType();
+ } catch (Exception e) {
+ throw new RuntimeException("Error while updating " +
EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + " service-def", e);
+ }
+
+ logger.info("<==
PatchForAtlasPolicyUpdateForEntityRead_J10064.execLoad()");
+ }
+
+ private boolean removeIfEntityReadPermissionExist(RangerPolicyItem item) {
+ return item.getAccesses().removeIf(itemAccess ->
itemAccess.getType().equals(ENTITY_READ));
+ }
+
+ private void updateAtlasPolicyForEntityReadAccessType() throws Exception {
+ logger.info("==> updateAtlasPolicyForEntityReadAccessType() ");
+
+ XXServiceDef xXServiceDefObj =
daoMgr.getXXServiceDef().findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME);
+
+ if (xXServiceDefObj == null) {
+ logger.debug("ServiceDef not found with name :{}",
EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME);
+
+ return;
+ }
+
+ Long xServiceDefId = xXServiceDefObj.getId();
+ List<XXService> xxServices =
daoMgr.getXXService().findByServiceDefId(xServiceDefId);
+
+ for (XXService xxService : xxServices) {
+ List<XXPolicy> xxPolicies =
daoMgr.getXXPolicy().findByServiceId(xxService.getId());
+
+ for (XXPolicy xxPolicy : xxPolicies) {
+ RangerPolicy rPolicy = svcDBStore.getPolicy(xxPolicy.getId());
+
+ final Map<String, RangerPolicyResource> policyResources =
rPolicy.getResources();
+ final boolean isNonEntityResourceType =
policyResources.containsKey(RESOURCE_ENTITY_LABEL)
+ ||
policyResources.containsKey(RESOURCE_ENTITY_BUSINESS_METADATA);
+ boolean isUpdated = false;
+
+ if (policyResources.containsKey(RESOURCE_ENTITY_TYPE) &&
isNonEntityResourceType) {
+ List<RangerPolicyItem> policyItems =
rPolicy.getPolicyItems();
+ if (policyItems != null) {
+ Iterator<RangerPolicyItem> itemIterator =
policyItems.iterator();
+ while (itemIterator.hasNext()) {
+ RangerPolicyItem item = itemIterator.next();
+ if (removeIfEntityReadPermissionExist(item)) {
+ if (item.getAccesses().isEmpty()) {
+ itemIterator.remove();
+ logger.debug("Removing empty policy item
from policy ID: {}", rPolicy.getId());
+ }
+ isUpdated = true;
+ }
+ }
+ }
+ }
+
+ if (isUpdated) {
+ svcDBStore.updatePolicy(rPolicy);
+
logger.info("PatchForAtlasPolicyUpdateForEntityRead_J10064: updated policy
(id={}, name={}) to remove {} permission",
+ rPolicy.getId(), rPolicy.getName(), ENTITY_READ);
+ }
+ }
+ }
+
+ logger.info("<== updateAtlasPolicyForEntityReadAccessType() ");
+ }
+}
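Review bot: removeIfEntityReadPermissionExist dereferences item.getAccesses() and itemAccess.getType() without null checks, so a policy item with a null access list or an access with a null type would abort the whole patch with a NullPointerException; safer is `return item.getAccesses() != null && item.getAccesses().removeIf(a -> ENTITY_READ.equals(a.getType()));`. The in-place removeIf also relies on getAccesses() returning the backing list rather than a copy — if it is a copy, isUpdated is set and updatePolicy() is called but the permission is never actually removed; worth confirming against RangerPolicyItem. The exception message in execLoad says the patch failed "while updating ... service-def", but updateAtlasPolicyForEntityReadAccessType() updates policies, not the service-def, so `"Error while updating policies of " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + " service"` would describe the failure correctly. Only rPolicy.getPolicyItems() is walked, so deny items and exception items that might carry entity-read on these resources are left untouched; the class Javadoc should state that the patch is scoped to the default allow items.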