Repository: ranger
Updated Branches:
  refs/heads/ranger-0.7 126ff6ee0 -> 48fd2586e


RANGER-1436: Turn Ranger deny policy & except condition blocks ON by default

(cherry picked from commit faf5bf177f2f145f40f667a598929a6dbd7e81df)


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/28733f04
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/28733f04
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/28733f04

Branch: refs/heads/ranger-0.7
Commit: 28733f047dcc6b5443f472e8fa9dfdccba631121
Parents: 126ff6e
Author: Abhay Kulkarni <akulka...@hortonworks.com>
Authored: Thu Apr 27 08:58:10 2017 +0530
Committer: Pradeep <prad...@apache.org>
Committed: Wed Sep 26 20:55:04 2018 +0530

----------------------------------------------------------------------
 .../ranger/plugin/model/RangerServiceDef.java    |  1 +
 .../ranger/plugin/util/ServiceDefUtil.java       |  4 +++-
 .../ranger/service/RangerServiceDefService.java  | 19 ++++++++++++++++++-
 3 files changed, 22 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/28733f04/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
index ad5108b..3803c58 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
@@ -113,6 +113,7 @@ public class RangerServiceDef extends RangerBaseModelObject 
implements java.io.S
                setLabel(other.getLabel());
                setDescription(other.getDescription());
                setConfigs(other.getConfigs());
+               setOptions(other.getOptions());
                setResources(other.getResources());
                setAccessTypes(other.getAccessTypes());
                setPolicyConditions(other.getPolicyConditions());

http://git-wip-us.apache.org/repos/asf/ranger/blob/28733f04/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
index dbdc935..b0090d4 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
@@ -22,6 +22,7 @@ package org.apache.ranger.plugin.util;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
@@ -40,7 +41,8 @@ public class ServiceDefUtil {
         boolean ret = false;
 
         if(serviceDef != null) {
-            boolean defaultValue = 
StringUtils.equalsIgnoreCase(serviceDef.getName(), 
EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME);
+            boolean enableDenyAndExceptionsInPoliciesHiddenOption = 
RangerConfiguration.getInstance().getBoolean("ranger.servicedef.enableDenyAndExceptionsInPolicies",
 true);
+            boolean defaultValue = 
enableDenyAndExceptionsInPoliciesHiddenOption || 
StringUtils.equalsIgnoreCase(serviceDef.getName(), 
EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME);
 
             ret = ServiceDefUtil.getBooleanValue(serviceDef.getOptions(), 
RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES, defaultValue);
         }
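Review bot: The property key `"ranger.servicedef.enableDenyAndExceptionsInPolicies"` is an inline literal in the added `getBoolean(...)` call here and again in `RangerServiceDefService.mapEntityToViewBean`, so a typo or rename in one copy would leave the admin-side view and this default disagreeing about whether deny and except items are honoured. Both files already import `RangerServiceDef`, so the key could be declared once next to `OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES`, for example `public static final String PROP_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES = "ranger.servicedef.enableDenyAndExceptionsInPolicies";` (name is a suggestion). With the fallback now `true`, the tag service-def comparison only matters when the property is explicitly set to false, and every service def without an explicit option changes how its policies are evaluated; a comment such as `// default ON since RANGER-1436; set the property to false to restore the old tag-only default` would record that. The enclosing method starts and ends outside this hunk.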

http://git-wip-us.apache.org/repos/asf/ranger/blob/28733f04/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
 
b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
index 53b12d8..1e385a0 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
@@ -19,9 +19,13 @@ package org.apache.ranger.service;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
 
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.entity.XXServiceDef;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
 import org.springframework.context.annotation.Scope;
 import org.springframework.stereotype.Service;
 
@@ -50,7 +54,20 @@ public class RangerServiceDefService extends 
RangerServiceDefServiceBase<XXServi
 
        @Override
        protected RangerServiceDef mapEntityToViewBean(RangerServiceDef vObj, 
XXServiceDef xObj) {
-               return super.mapEntityToViewBean(vObj, xObj);
+               RangerServiceDef ret =  super.mapEntityToViewBean(vObj, xObj);
+
+               Map<String, String> serviceDefOptions = ret.getOptions();
+
+               if 
(serviceDefOptions.get(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES)
 == null) {
+                       boolean enableDenyAndExceptionsInPoliciesHiddenOption = 
RangerConfiguration.getInstance().getBoolean("ranger.servicedef.enableDenyAndExceptionsInPolicies",
 true);
+                       if (enableDenyAndExceptionsInPoliciesHiddenOption || 
StringUtils.equalsIgnoreCase(ret.getName(), 
EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) {
+                               
serviceDefOptions.put(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES,
 "true");
+                       } else {
+                               
serviceDefOptions.put(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES,
 "false");
+                       }
+                       ret.setOptions(serviceDefOptions);
+               }
+               return ret;
        }
 
        public List<RangerServiceDef> getAllServiceDefs() {
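Review bot: `ret.getOptions()` is dereferenced at `serviceDefOptions.get(...)` without a null check, and whether `super.mapEntityToViewBean` or `getOptions()` can return null is not visible in this hunk, so either guard it with `if (serviceDefOptions != null && ...)` or state the non-null contract in a comment. The if/else that stores `"true"` or `"false"` can be collapsed by naming the condition and writing `serviceDefOptions.put(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES, Boolean.toString(enabled));`. The method now mutates the options map it got back from the getter and then passes the same map to `setOptions`, which is only safe if the setter tolerates being handed its own backing map; that cannot be confirmed from here. A short Javadoc stating that the effective default is filled in on the returned view bean only when the option is absent would make the authorization-relevant behaviour explicit to callers.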
